Fix JSON/XML format statistics race condition with parallel replicas#96978
Open
alexey-milovidov wants to merge 34 commits intomasterfrom
Open
Fix JSON/XML format statistics race condition with parallel replicas#96978alexey-milovidov wants to merge 34 commits intomasterfrom
alexey-milovidov wants to merge 34 commits intomasterfrom
Conversation
When parallel replicas are used with LIMIT, `rows_read` in JSON/XML output is reported as 0. The root cause is a race condition: the output format's `finalizeImpl` writes statistics BEFORE all progress from connection draining has been collected. `PipelineExecutor::finalizeExecution` collects remaining progress AFTER the pipeline finishes, but by then the JSON body is already written. The fix implements two-phase output format finalization: - Phase 1 (during pipeline, in `finalizeImpl`): write everything EXCEPT the statistics section and closing delimiter. - Phase 2 (after `finalizeExecution`): write statistics and close the document via a finalize callback. This is done by adding a `completeDeferredStatistics` mechanism to `IOutputFormat`, a `setFinalizeCallback` on `PipelineExecutor` (called at the end of `finalizeExecution`), and overriding the new virtual methods in `JSONRowOutputFormat`, `XMLRowOutputFormat`, `JSONColumnsWithMetadataBlockOutputFormat`, and `ParallelFormattingOutputFormat`. Closes #85785 Co-Authored-By: Claude Opus 4.6 <[email protected]>
Contributor
|
Workflow [PR], commit [90c195e] Summary: ❌
AI ReviewSummaryThis PR fixes a race where JSON/XML Findings
Tests
ClickHouse Rules
Final Verdict
|
clickhouse-gh
bot
added
the
pr-bugfix
Verify that `rows_read` is greater than 0 in JSON, JSONCompact, JSONColumnsWithMetadata, and XML formats when parallel replicas are used with LIMIT. Covers both native client and HTTP paths. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…eption When `ParallelFormattingOutputFormat` had an exception set (via `http_write_exception_in_output_format`), the inner formatter's error recovery path wrote the complete document (exception + closing delimiter). However, `hasDeferredStatistics()` still returned the cached `true` from construction time, causing `writeDeferredStatisticsAndFinalize` to append a duplicate statistics section and closing delimiter — producing malformed JSON/XML output. Fix: check `exception_message.empty()` in `hasDeferredStatistics`, matching the behavior of the inner formatters (`JSONRowOutputFormat`, `XMLRowOutputFormat`). Co-Authored-By: Claude Opus 4.6 <[email protected]>
1 task
…llation When the pipeline is cancelled (e.g., due to LIMIT), `finalizeExecution` was returning early without collecting remaining progress from processors that had already finished. This caused deferred statistics (used by JSON, XML formats) to miss progress data. Now, when cancelled, we continue iterating over nodes to collect read progress from finished processors before calling `finalize_callback`. This ensures `completeDeferredStatistics` sees the correct progress values. Co-Authored-By: Claude Opus 4.6 <[email protected]>
In `ClientBase::onProgress`, progress is forwarded to `output_format->onProgress`. However, `output_format` is initialized lazily in `initOutputFormat` (called from `onData`). If Progress packets arrive from the server before the first Data block, progress is silently dropped. This is especially common with parallel replicas on small tables where all reading can complete before any data blocks are sent. Fix: buffer progress in `pending_output_format_progress` when `output_format` is null, and replay it into the format once it is created. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…tisticsAndFinalize` The temporary formatter created to write deferred statistics has an internal write buffer chain (e.g. UTF8 validation wrapper) between it and the real output buffer `out`. After `writeDeferredStatisticsAndFinalize` writes the statistics JSON, only the formatter's immediate buffer was flushed (`ostr->next()`), but not the intermediate buffers in the chain. When the formatter went out of scope, `~WriteBuffer` called `cancel` on the unfinalized intermediate buffers, discarding the statistics data. Add explicit `flush`, `finalizeBuffers`, and `out.next()` calls to ensure all data reaches the output buffer before the formatter is destroyed. Co-Authored-By: Claude Opus 4.6 <[email protected]>
When parallel replicas with LIMIT are used, remote replicas send Progress packets after data blocks (for fast queries, no periodic `sendProgress` fires during execution). When the coordinator's pipeline is cancelled due to LIMIT, `RemoteSource::onCancel` previously only called `cancel` on the `RemoteQueryExecutor`, which sends a cancel request but does not drain remaining packets. This caused Progress packets to be lost, resulting in `rows_read=0` in JSON/XML format statistics. Changes: - `RemoteQueryExecutor::finish` no longer returns early when `was_cancelled` is true, allowing it to drain remaining packets (including Progress) even after cancellation - `RemoteSource::onCancel` now calls `finish` after `cancel` to drain remaining packets and collect progress - `TCPHandler` now calls `sendProgress` after `io.onFinish` for the pulling pipeline path, mirroring what is already done for the completed pipeline path Co-Authored-By: Claude Opus 4.6 <[email protected]>
Root cause: with parallel replicas and LIMIT on fast queries (< 100ms), replicas send Data blocks before Progress packets (because `interactive_delay` hasn't elapsed). The coordinator's `RemoteSource` receives Data via the read loop, then `LimitTransform` cancels the pipeline. `RemoteSource::onCancel` called `cancel` which just sends Cancel without draining remaining packets. `RemoteQueryExecutor::finish` then skipped draining because `was_cancelled` was already true. Progress packets from replicas were never processed, so `rows_read` stayed 0. Two fixes: 1. `RemoteSource::onCancel`: call `finish` instead of `cancel` to drain remaining packets from the connection, ensuring Progress packets sent by replicas after data blocks are still processed. 2. `PipelineExecutor::finalizeExecution`: collect progress from ALL nodes (not just finished ones) when the pipeline is cancelled. This is safe because all execution threads have stopped by this point. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…lickHouse/ClickHouse into fix-json-xml-statistics-race-condition # Conflicts: # src/Processors/Sources/RemoteSource.cpp
…tics-race-condition
…tics-race-condition
…->cancel` When `PipelineExecutor::cancel` is called (e.g., from `PullingAsyncPipelineExecutor::cancel`), there is a race condition between `graph->cancel()` running in the main thread and `finalizeExecution()` running in the background thread. `graph->cancel()` synchronously calls `onCancel()` on all processors. For `RemoteSource`, `onCancel()` drains remaining packets from parallel replicas, which may include Progress packets that get accumulated in `ISource::read_progress`. However, `finalizeExecution()` (which collects progress from all processors via `getReadProgress()`) may have already run in the background thread before the drain completed. In that case, the progress from draining is never forwarded to the progress callback, and the server never sends it to the client. Fix: after `graph->cancel()` returns, iterate over all processors and collect any remaining progress. Since `getReadProgress()` uses `std::swap` under a mutex, this is safe even if called concurrently with `finalizeExecution()` - only one caller gets the progress. Co-Authored-By: Claude Opus 4.6 <[email protected]>
`SYSTEM STOP MERGES` now also prevents merge selection (not just execution). The `test_lost_part_same_replica` and `test_lost_part_other_replica` tests relied on merge entries being created while merges were stopped. Fix by using `SYSTEM STOP REPLICATION QUEUES` instead, which stops queue execution but still allows the merge selecting task to create entries. For `test_lost_part_other_replica`, switch to `SYSTEM STOP MERGES` during the recovery phase to allow fetches but block merge execution. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…ecutor`
Both `cancel` and `finalizeExecution` were iterating over graph nodes
and calling `ReadProgressCallback::onProgress` concurrently, which is
not thread-safe. This caused TSan failures ("Server died") in tests
like `02133_issue_32458` and `03289_explain_syntax_statistics`.
The race occurs when `cancel` is called from an external thread
(e.g. `CompletedPipelineExecutor`'s timeout callback) while
`finalizeExecution` runs in the executor's background thread after
`pool->wait` returns.
Fix: Remove duplicate progress collection from `cancel` and add
`cancel_mutex` to synchronize `graph->cancel` (which triggers
`RemoteSource::onCancel` draining) with progress collection in
`finalizeExecution`. This ensures `finalizeExecution` waits for
all `onCancel` calls to complete before reading accumulated progress.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Fix four issues found in CI: 1. TSan data race in `PipelineExecutor::cancel` progress collection: The progress collection loop in `cancel` read from `ISource::getReadProgress` while other worker threads concurrently wrote via `ISource::work`. Remove the racy loop - `finalizeExecution` already collects progress from all processors after all threads have been joined. 2. TSan data race on `RemoteQueryExecutor::finished`: `onCancel` -> `finish` writes `finished = true` concurrently with `prepare` -> `isFinished` reading it. Make `finished` `std::atomic<bool>`. 3. Flaky test `03918_statistics_in_formats_parallel_replicas` (1/28 failures): In `ParallelFormattingOutputFormat::addChunk` for FINALIZE type, `statistics` was moved into `unit.statistics`, clearing `statistics.progress`. When `completeDeferredStatistics` later wrote the deferred statistics, it only had progress accumulated after the move. Save and restore progress around the move to preserve it for the deferred write. 4. Revert unrelated `test_lost_part` changes that caused bugfix validation failures. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…tics-race-condition
… in pulling path After merging master, `sendSelectProfileEvents` now has a `TSA_REQUIRES(callback_mutex)` annotation. Wrap the calls in the pulling pipeline path with the mutex lock, matching the pattern already used in the completed pipeline path. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…rmat::addChunk` The save/restore logic was doubling `rows_read` values in JSON/XML output. Root cause: `Progress::operator=(&&)` copies atomic values without clearing the source (since `std::atomic` cannot be truly moved). After `unit.statistics = std::move(statistics)`, `statistics.progress` already retains its original values. The save/restore was then adding the same values again, exactly doubling every `rows_read` and `bytes_read`. The fix removes the unnecessary save/restore. The `Progress` move semantics naturally preserve values in the source, so `writeDeferredStatisticsAndFinalize` (called later from `IOutputFormat::finalize` or `completeDeferredStatistics`) sees the correct accumulated progress, including any additional progress from parallel replicas connection draining added via `onProgress` after the move. Co-Authored-By: Claude Opus 4.6 <[email protected]>
With parallel replicas and `LIMIT`, there is a race between progress reporting and pipeline finalization: the pipeline finishes before `graph->cancel()` drains remaining progress from remote connections. Under sanitizers the timing shifts enough that `rows_read` can be 0 on rare occasions. Add retries (up to 3 attempts) to handle this inherent flakiness. Co-Authored-By: Claude Opus 4.6 <[email protected]>
![clickhouse-gh[bot]](https://avatars.githubusercontent.com/in/928874?s=60&v=4){kind=small}
| # With parallel replicas and LIMIT, there is a race between progress | ||
| # reporting and pipeline finalization. Under sanitizers the timing shifts | ||
| # enough that rows_read can be 0 on rare occasions, so we retry a few | ||
| # times before declaring failure. |
Contributor
There was a problem hiding this comment.
❌ The new test appears flaky and is already failing in this PR CI (Bugfix validation (functional tests) -> Tests/03918_statistics_in_formats_parallel_replicas).
This script explicitly documents a remaining race and retries only 3 times, so it can still emit ... FAIL: rows_read=0 and fail spuriously. Please make this test deterministic before merge (or adjust the assertion mechanism so it does not depend on a timing race in final progress delivery).
…dition' into fix-json-xml-statistics-race-condition # Conflicts: # src/Processors/Executors/PipelineExecutor.cpp
The two-phase finalization mechanism in the pipeline executor guarantees that statistics (rows_read, bytes_read) are written after all progress has been collected from parallel replica connection draining. Retries are no longer needed and their presence incorrectly documents a remaining race condition. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The `cancel_mutex` was from an earlier iteration of the fix that synchronized `cancel` with `finalizeExecution`. The current approach does not need it: `graph->cancel` runs synchronously in `cancel`, and all executor threads are joined before `finalizeExecution` runs, so there is no concurrent access to processor state. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…tics-race-condition
…n statistics When a pipeline completes normally (e.g. LIMIT satisfied with parallel replicas), `PullingAsyncPipelineExecutor::cancel` skips calling `executor->cancel()` because the pipeline is already finished. This means `graph->cancel()` is never called, so `RemoteSource::onCancel` does not run. While connection draining does happen via `onUpdatePorts` during execution, there is a race where progress accumulated during that concurrent drain may not be collected by `executeJob`'s `getReadProgress` call, leaving it stranded in `ISource::read_progress`. Fix: call `graph->cancel()` in `finalizeExecution` for non-cancelled pipelines, after all worker threads have been joined but before collecting remaining progress. This ensures `RemoteSource::onCancel` runs (triggering `query_executor->finish` to drain remaining packets), and the subsequent progress collection loop picks up all accumulated progress. The "Pipeline stuck" check is moved before the `graph->cancel()` call since cancel changes processor states. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
| /// in JSON/XML statistics on the client side. | ||
| /// This is safe because all worker threads have been joined by this point. | ||
| if (!is_cancelled) | ||
| graph->cancel(); |
Contributor
There was a problem hiding this comment.
finalizeExecution now calls graph->cancel() even on the non-cancelled success path. This invokes cancel on all processors (ExecutingGraph::cancel), not just RemoteSource.
That broad cancellation in a successful query path is risky: processors' onCancel handlers are not generally designed as a post-success cleanup hook and may perform destructive side effects or throw unexpectedly. It also expands behavior far beyond the stated need (drain remote progress for rows_read).
Could we scope this to sources only (e.g. graph->cancel(false)), or otherwise invoke draining only for RemoteSource-like processors? That would preserve the progress fix without globally canceling every processor after successful execution.
…tics-race-condition
Address review feedback: in `finalizeExecution`, use `graph->cancel(false)` instead of `graph->cancel()` when the pipeline completed normally (not cancelled). This limits cancellation to source processors only (e.g. `RemoteSource`), which is all that's needed to drain remaining progress packets from parallel replica connections. Non-source processors should not be cancelled on a successful completion path — their `onCancel` handlers are not designed as post-success cleanup hooks. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…n master The bugfix validation requires the test to fail on master (to prove the bug exists) and pass on the PR branch. Since the race condition is non-deterministic, a single run on master may not trigger it. Run each format check 10 times — on master, at least one iteration is very likely to see `rows_read=0`, while the fix guarantees all iterations pass deterministically on the PR branch. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
| result=$($CLICKHOUSE_CLIENT --query="SELECT number FROM ${TABLE_NAME} LIMIT 10 FORMAT ${fmt} SETTINGS ${SETTINGS}" | grep -o '"rows_read": [0-9]*' | grep -o '[0-9]*') | ||
| if [ -z "$result" ] || [ "$result" -eq 0 ]; then | ||
| echo "${fmt} FAIL: rows_read=${result}" | ||
| return |
Contributor
There was a problem hiding this comment.
❌ This failure path does not fail the test function.
return without an explicit code returns the status of the previous command (echo), which is 0, so the function reports success even when rows_read is 0.
Please return a non-zero status (for all four ... FAIL branches), for example return 1, so the check reliably signals failure.
Contributor
LLVM Coverage Report
Changed lines: 95.98% (239/249) · Uncovered code |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):
Fix
rows_readreported as 0 in JSON/XML format output when parallel replicas are used withLIMIT.Documentation entry for user-facing changes
No documentation changes needed — this is a bug fix with no user-facing API changes.
Summary
LIMIT,rows_readin JSON/XML output is reported as 0finalizeImplwrites statistics BEFOREPipelineExecutor::finalizeExecutioncollects remaining progress from connection drainingApproach
Split the output format's finalization so statistics are written AFTER
finalizeExecutioncollects all remaining progress:finalizeImpl): Write everything EXCEPT the"statistics"section and closing delimiterfinalizeExecution): Write statistics and close the document via a finalize callbackKey changes:
IOutputFormat: AddedhasDeferredStatistics,writeDeferredStatisticsAndFinalize,completeDeferredStatisticsmechanismPipelineExecutor: AddedsetFinalizeCallbackcalled at end offinalizeExecutionafter progress collectionCompletedPipelineExecutor: Sets the finalize callback to invokecompleteDeferredStatisticsJSONRowOutputFormat,XMLRowOutputFormat,JSONColumnsWithMetadataBlockOutputFormat: Override deferred statistics methodsParallelFormattingOutputFormat: Propagates deferred statistics through the parallel formatting pipelineCloses #85785
Test plan
00365_statistics_in_formatspasses00159_parallel_formatting_json_and_friends_1/2,00378_json_quote_64bit_integers,00685_output_format_json_escape_forward_slashes,01447_json_strings,01449_json_compact_strings,01486_json_array_output,02554_format_json_columns_for_empty)00307_format_xml,02122_parallel_formatting_XML)rows_readis no longer 0🤖 Generated with Claude Code