You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2005/01/27 19:35:17 UTC

[jira] Commented: (GERONIMO-550) Functioning of Transaction Time out was not properly handled

     [ http://issues.apache.org/jira/browse/GERONIMO-550?page=comments#action_58176 ]
     
David Jencks commented on GERONIMO-550:
---------------------------------------

First of all, thank you for pointing out that the current transaction timeout implementation is not thread safe: I agree.

(4)  After thinking about this issue, I agree that we should set the thread tx timeout back to default after each transaction.  Anyone who is changing the tx timeout should set it for each transaction to be sure they are getting the value they want, so resetting it will avoid surprises.

(3) I would prefer to keep the extended interface because it avoids use of a thread local. Reviewing the current usage of the extended interface I notice that it doesn't make a lot of sense. However, I expect we will provide a way to specify the timeout for a container managed transaction which will be a more sensible use of the interface.

(2) I think the change to seconds rather than milliseconds depends on resolving (1).  If we are interrupting threads, then I think it is possible that fractional second timeout resolution could be useful in certain specialized situations.  If we do not interrupt threads then the finer resolution makes no sense.

(5) Thanks for the test case :-)

(1) This is clearly the most important part of the proposal.  Waiting until commit is called and checking the time is clearly a simpler, easier to understand, easier to implement, and spec compliant implementation.  It will also avoid possible bad side effects from badly written drivers.  However, I'm reluctant to adopt only this implementation without more research.

My understanding of the fundamental purpose of transaction timeouts is that they are a crude way to detect remote failures that could not be detected otherwise.  (JINI leases provide a considerably more sophisticated and transparent technique.)  I think timeouts are designed to protect not against "it took 2 minutes rather than 1  minute" but "it crashed and will never return".  As such, timing out should let the server clean up the resources used by the transaction, even though some remote calls have not returned.  In pre-jdk 1.4 times, there was no way to do this, since IO was not interruptible.  However in jdk 1.4 at least some IO and potentially all IO is interruptable, so interrupting a thread should allow the driver to realize there is a problem and signal a fatal error resulting in the connection getting destroyed.

On the other hand, it is entirely possible that a badly written driver could leave a connection in an inconsistent and unusable state after being interrupted, without signalling an error.  If actual popular commercial drivers do this, we should definitely provide a non-interrupting timeout implementation choice.  Do you know to what extent this is the case?  If most drivers do this, perhaps we should implement the non-interrupting approach now and work more on the interrupting approach after certification.

> Functioning of Transaction Time out was not properly handled
> ------------------------------------------------------------
>
>          Key: GERONIMO-550
>          URL: http://issues.apache.org/jira/browse/GERONIMO-550
>      Project: Apache Geronimo
>         Type: Bug
>   Components: transaction manager
>     Versions: 1.0-M4
>  Environment: All platforms and All JDK Version
>     Reporter: Sandip Ghayal
>     Assignee: David Jencks
>  Attachments: TransactionTimer.java, patches.out
>
> Currently operation for timeout for transaction is not thread safe

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

Re: [jira] Commented: (GERONIMO-550) Functioning of Transaction Time out was not properly handled

Posted by Sandip Ghayal <sg...@yahoo.com>.

Refer to SG>> Below

Cheers,

Sandip
--- "David Jencks (JIRA)" <de...@geronimo.apache.org>
wrote:

>      [
>
http://issues.apache.org/jira/browse/GERONIMO-550?page=comments#action_58176
> ]
>      
> David Jencks commented on GERONIMO-550:
> ---------------------------------------
> 
> First of all, thank you for pointing out that the
> current transaction timeout implementation is not
> thread safe: I agree.
> 
> (4)  After thinking about this issue, I agree that
> we should set the thread tx timeout back to default
> after each transaction.  Anyone who is changing the
> tx timeout should set it for each transaction to be
> sure they are getting the value they want, so
> resetting it will avoid surprises.

> 
> (3) I would prefer to keep the extended interface
> because it avoids use of a thread local. Reviewing
> the current usage of the extended interface I notice
> that it doesn't make a lot of sense. However, I
> expect we will provide a way to specify the timeout
> for a container managed transaction which will be a
> more sensible use of the interface.
SG>> I don't have any strong views on the either side,
Its just that we have to go thru extra layer. But sure
I will leave it up to you to make that decision.

> 
> (2) I think the change to seconds rather than
> milliseconds depends on resolving (1).  If we are
> interrupting threads, then I think it is possible
> that fractional second timeout resolution could be
> useful in certain specialized situations.  If we do
> not interrupt threads then the finer resolution
> makes no sense.

SG>> How about we do this leave it to seconds for now,
also the new class that I have provided ensures that
getting current time is efficient. So leave this fix
and we can revisit this after certification ? May be
create a Jira and attack it later.

> 
> (5) Thanks for the test case :-)
> 
> (1) This is clearly the most important part of the
> proposal.  Waiting until commit is called and
> checking the time is clearly a simpler, easier to
> understand, easier to implement, and spec compliant
> implementation.  It will also avoid possible bad
> side effects from badly written drivers.  However,
> I'm reluctant to adopt only this implementation
> without more research.
> 
> My understanding of the fundamental purpose of
> transaction timeouts is that they are a crude way to
> detect remote failures that could not be detected
> otherwise.  (JINI leases provide a considerably more
> sophisticated and transparent technique.)  I think
> timeouts are designed to protect not against "it
> took 2 minutes rather than 1  minute" but "it
> crashed and will never return".  As such, timing out
> should let the server clean up the resources used by
> the transaction, even though some remote calls have
> not returned.  In pre-jdk 1.4 times, there was no
> way to do this, since IO was not interruptible. 
> However in jdk 1.4 at least some IO and potentially
> all IO is interruptable, so interrupting a thread
> should allow the driver to realize there is a
> problem and signal a fatal error resulting in the
> connection getting destroyed.
> 
> On the other hand, it is entirely possible that a
> badly written driver could leave a connection in an
> inconsistent and unusable state after being
> interrupted, without signalling an error.  If actual
> popular commercial drivers do this, we should
> definitely provide a non-interrupting timeout
> implementation choice.  Do you know to what extent
> this is the case?  If most drivers do this, perhaps
> we should implement the non-interrupting approach
> now and work more on the interrupting approach after
> certification.

SG>> Lets go with non-interrupting approach for now as
interrupting approach is not very reliable to my
understanding. And JVM does not ensure that proper
exceptions etc are propogated when thread is
interrupted. A badly written code could actually end
up ignoring the I/O interrupts. Also from my
observation of remote failures usually the
communication will be borken on remote system failure,
and driver should send back appropriate response (or
exception) back. Only time this fails is when there is
some kind of dead lock happening on the remote side.
Low probability and when this happens entire system
will have bigger issues then a single transaction
failing. Again here we can create an issue in JIRA and
attack it after certification ?

> 
> > Functioning of Transaction Time out was not
> properly handled
> >
>
------------------------------------------------------------
> >
> >          Key: GERONIMO-550
> >          URL:
> http://issues.apache.org/jira/browse/GERONIMO-550
> >      Project: Apache Geronimo
> >         Type: Bug
> >   Components: transaction manager
> >     Versions: 1.0-M4
> >  Environment: All platforms and All JDK Version
> >     Reporter: Sandip Ghayal
> >     Assignee: David Jencks
> >  Attachments: TransactionTimer.java, patches.out
> >
> > Currently operation for timeout for transaction is
> not thread safe
> 
> -- 
> This message is automatically generated by JIRA.
> -
> If you think it was sent incorrectly contact one of
> the administrators:
>   
>
http://issues.apache.org/jira/secure/Administrators.jspa
> -
> If you want more information on JIRA, or have a bug
> to report see:
>    http://www.atlassian.com/software/jira
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com