fix: prevent schema refresh deadlock when newInstance() or agreement check fails

dkropachev · dkropachev · commit e30a07d8bc19 · 2026-03-19T11:59:42.000-04:00
When SchemaQueries.newInstance() throws or schema agreement check fails, the cleanup code (resetting currentSchemaRefresh, completing firstSchemaRefreshFuture, draining queuedSchemaRefresh) was never executed, permanently blocking all future schema refreshes for the session. Extract cleanup into onSchemaRefreshComplete() and call it from all three completion paths: agreement error, newInstance() exception, and normal completion. Fixes: #841
diff --git a/core/src/main/java/com/datastax/oss/driver/internal/core/metadata/MetadataManager.java b/core/src/main/java/com/datastax/oss/driver/internal/core/metadata/MetadataManager.java
@@ -446,6 +446,7 @@ private void startSchemaRequest(CompletableFuture<RefreshSchemaResult> refreshFu
                 (schemaInAgreement, agreementError) -> {
                   if (agreementError != null) {
                     refreshFuture.completeExceptionally(agreementError);
+                    onSchemaRefreshComplete();
                   } else {
                     try {
                       schemaQueriesFactory
@@ -460,21 +461,12 @@ private void startSchemaRequest(CompletableFuture<RefreshSchemaResult> refreshFu
                                   refreshFuture.complete(
                                       new RefreshSchemaResult(newMetadata, schemaInAgreement));
                                 }
-
-                                firstSchemaRefreshFuture.complete(null);
-
-                                currentSchemaRefresh = null;
-                                // If another refresh was enqueued during this one, run it now
-                                if (queuedSchemaRefresh != null) {
-                                  CompletableFuture<RefreshSchemaResult> tmp =
-                                      this.queuedSchemaRefresh;
-                                  this.queuedSchemaRefresh = null;
-                                  startSchemaRequest(tmp);
-                                }
+                                onSchemaRefreshComplete();
                               });
                     } catch (Throwable t) {
                       LOG.debug("[{}] Exception getting new metadata", logPrefix, t);
                       refreshFuture.completeExceptionally(t);
+                      onSchemaRefreshComplete();
                     }
                   }
                 });
@@ -486,6 +478,18 @@ private void startSchemaRequest(CompletableFuture<RefreshSchemaResult> refreshFu
       }
     }
 
+    private void onSchemaRefreshComplete() {
+      assert adminExecutor.inEventLoop();
+      firstSchemaRefreshFuture.complete(null);
+      currentSchemaRefresh = null;
+      // If another refresh was enqueued during this one, run it now
+      if (queuedSchemaRefresh != null) {
+        CompletableFuture<RefreshSchemaResult> tmp = this.queuedSchemaRefresh;
+        this.queuedSchemaRefresh = null;
+        startSchemaRequest(tmp);
+      }
+    }
+
     // To query schema tables, we need the control connection.
     // Normally that the topology monitor has already initialized it to query node tables. But if a
     // custom topology monitor is in place, it might not use the control connection at all.
diff --git a/core/src/test/java/com/datastax/oss/driver/internal/core/metadata/MetadataManagerTest.java b/core/src/test/java/com/datastax/oss/driver/internal/core/metadata/MetadataManagerTest.java
@@ -38,6 +38,7 @@
 import com.datastax.oss.driver.internal.core.metadata.schema.parsing.SchemaParserFactory;
 import com.datastax.oss.driver.internal.core.metadata.schema.queries.SchemaQueriesFactory;
 import com.datastax.oss.driver.internal.core.metrics.MetricsFactory;
+import com.datastax.oss.driver.internal.core.util.concurrent.CompletableFutures;
 import com.datastax.oss.driver.shaded.guava.common.collect.ImmutableList;
 import com.datastax.oss.driver.shaded.guava.common.collect.ImmutableSet;
 import io.netty.channel.DefaultEventLoopGroup;
@@ -313,6 +314,97 @@ public void refreshSchema_should_work() {
     assertThatStage(result).isFailed(t -> assertThat(t).isEqualTo(expectedException));
   }
 
+  @Test
+  public void refreshSchema_should_recover_after_newInstance_failure() {
+    // Given
+    IllegalStateException expectedException = new IllegalStateException("Error we're testing");
+    when(schemaQueriesFactory.newInstance()).thenThrow(expectedException);
+    when(topologyMonitor.refreshNodeList())
+        .thenReturn(CompletableFuture.completedFuture(ImmutableList.of(mock(NodeInfo.class))));
+    when(topologyMonitor.checkSchemaAgreement())
+        .thenReturn(CompletableFuture.completedFuture(Boolean.TRUE));
+    when(controlConnection.init(anyBoolean(), anyBoolean(), anyBoolean()))
+        .thenReturn(CompletableFuture.completedFuture(null));
+    metadataManager.refreshNodes();
+    waitForPendingAdminTasks(() -> metadataManager.refreshes.size() == 1);
+
+    // First refresh fails
+    CompletionStage<MetadataManager.RefreshSchemaResult> result1 =
+        metadataManager.refreshSchema("foo", true, true);
+    waitForPendingAdminTasks(() -> result1.toCompletableFuture().isDone());
+    assertThatStage(result1).isFailed(t -> assertThat(t).isEqualTo(expectedException));
+
+    // When - second refresh should not be stuck (uses same throwing mock)
+    CompletionStage<MetadataManager.RefreshSchemaResult> result2 =
+        metadataManager.refreshSchema("bar", true, true);
+
+    // Then - should complete (not hang forever), proving currentSchemaRefresh was cleared
+    waitForPendingAdminTasks(() -> result2.toCompletableFuture().isDone());
+    assertThatStage(result2).isFailed(t -> assertThat(t).isEqualTo(expectedException));
+  }
+
+  @Test
+  public void refreshSchema_should_recover_after_agreement_error() {
+    // Given
+    RuntimeException agreementException = new RuntimeException("Agreement check failed");
+    when(topologyMonitor.refreshNodeList())
+        .thenReturn(CompletableFuture.completedFuture(ImmutableList.of(mock(NodeInfo.class))));
+    when(topologyMonitor.checkSchemaAgreement())
+        .thenReturn(CompletableFutures.failedFuture(agreementException));
+    when(controlConnection.init(anyBoolean(), anyBoolean(), anyBoolean()))
+        .thenReturn(CompletableFuture.completedFuture(null));
+    metadataManager.refreshNodes();
+    waitForPendingAdminTasks(() -> metadataManager.refreshes.size() == 1);
+
+    // First refresh fails due to agreement error
+    CompletionStage<MetadataManager.RefreshSchemaResult> result1 =
+        metadataManager.refreshSchema("foo", true, true);
+    waitForPendingAdminTasks(() -> result1.toCompletableFuture().isDone());
+    assertThatStage(result1).isFailed();
+
+    // When - second refresh should not be stuck (uses same failing mock)
+    CompletionStage<MetadataManager.RefreshSchemaResult> result2 =
+        metadataManager.refreshSchema("bar", true, true);
+
+    // Then - should complete (not hang forever), proving currentSchemaRefresh was cleared
+    waitForPendingAdminTasks(() -> result2.toCompletableFuture().isDone());
+    assertThatStage(result2).isFailed();
+  }
+
+  @Test
+  public void refreshSchema_should_drain_queued_refresh_after_newInstance_failure() {
+    // Given
+    IllegalStateException expectedException = new IllegalStateException("Error we're testing");
+    when(schemaQueriesFactory.newInstance()).thenThrow(expectedException);
+    when(topologyMonitor.refreshNodeList())
+        .thenReturn(CompletableFuture.completedFuture(ImmutableList.of(mock(NodeInfo.class))));
+    // Use a future we control to introduce a delay in schema agreement check
+    CompletableFuture<Boolean> agreementFuture = new CompletableFuture<>();
+    when(topologyMonitor.checkSchemaAgreement()).thenReturn(agreementFuture);
+    when(controlConnection.init(anyBoolean(), anyBoolean(), anyBoolean()))
+        .thenReturn(CompletableFuture.completedFuture(null));
+    metadataManager.refreshNodes();
+    waitForPendingAdminTasks(() -> metadataManager.refreshes.size() == 1);
+
+    // Start first refresh (it will block on agreement check)
+    CompletionStage<MetadataManager.RefreshSchemaResult> result1 =
+        metadataManager.refreshSchema("foo", true, true);
+
+    // Queue a second refresh while the first is in progress
+    CompletionStage<MetadataManager.RefreshSchemaResult> result2 =
+        metadataManager.refreshSchema("bar", true, true);
+
+    // Now complete the agreement check - first refresh will fail at newInstance(),
+    // and onSchemaRefreshComplete should drain the queued second refresh
+    agreementFuture.complete(true);
+
+    // Then both requests should complete (not hang forever)
+    waitForPendingAdminTasks(
+        () -> result1.toCompletableFuture().isDone() && result2.toCompletableFuture().isDone());
+    assertThatStage(result1).isFailed(t -> assertThat(t).isEqualTo(expectedException));
+    assertThatStage(result2).isFailed(t -> assertThat(t).isEqualTo(expectedException));
+  }
+
   private static class TestMetadataManager extends MetadataManager {
 
     private List<MetadataRefresh> refreshes = new CopyOnWriteArrayList<>();
