changefeedccl/resolvedspan: update assertion for forwarding boundary

This patch adds an assertion that the frontier will not forward the
boundary to a different type at the same time. This assertion is
important because if it's violated, the changefeed processors will not
shut down correctly during a schema change. One potential way this
could be violated in the future is a change to how boundary types are
determined on aggregators causing different boundaries to be sent from
aggregators in a mixed-version cluster for the same schema change.

Release note: None

Author: andyyang890

pkg/ccl/changefeedccl/resolvedspan/BUILD.bazel

@@ -15,7 +15,6 @@ go_library(
         "//pkg/roachpb",
         "//pkg/settings",
         "//pkg/util/hlc",
-        "//pkg/util/log",
         "//pkg/util/span",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_redact//:redact",

pkg/ccl/changefeedccl/resolvedspan/frontier.go

@@ -15,7 +15,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/util/hlc"
-	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/span"
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/redact"
@@ -51,7 +50,7 @@ func (f *AggregatorFrontier) ForwardResolvedSpan(
 		// Boundary resolved events should be ingested from the schema feed
 		// serially, where the changefeed won't ever observe a new schema change
 		// boundary until it has progressed past the current boundary.
-		if err := f.assertBoundaryNotEarlier(ctx, r); err != nil {
+		if err := f.assertBoundaryNotEarlierOrDifferent(r); err != nil {
 			return false, err
 		}
 	default:
@@ -102,21 +101,22 @@ func (f *CoordinatorFrontier) ForwardResolvedSpan(
 		// it is a BACKFILL we have already seen, then it is fine for it to be
 		// an earlier timestamp than the latest boundary.
 		boundaryTS := r.Timestamp
-		_, ok := slices.BinarySearchFunc(f.backfills, boundaryTS, func(elem hlc.Timestamp, ts hlc.Timestamp) int {
-			return elem.Compare(ts)
-		})
-		if ok {
+		if _, ok := slices.BinarySearchFunc(f.backfills, boundaryTS,
+			func(elem hlc.Timestamp, ts hlc.Timestamp) int {
+				return elem.Compare(ts)
+			},
+		); ok {
 			break
 		}
-		if err := f.assertBoundaryNotEarlier(ctx, r); err != nil {
+		if err := f.assertBoundaryNotEarlierOrDifferent(r); err != nil {
 			return false, err
 		}
 		f.backfills = append(f.backfills, boundaryTS)
 	case jobspb.ResolvedSpan_EXIT, jobspb.ResolvedSpan_RESTART:
 		// EXIT and RESTART are final boundaries that cause the changefeed
 		// processors to all move to draining and so should not be followed
 		// by any other boundaries.
-		if err := f.assertBoundaryNotEarlier(ctx, r); err != nil {
+		if err := f.assertBoundaryNotEarlierOrDifferent(r); err != nil {
 			return false, err
 		}
 	default:
@@ -129,9 +129,10 @@ func (f *CoordinatorFrontier) ForwardResolvedSpan(
 	// If the frontier changed, we check if the frontier has advanced past any known backfills.
 	if frontierChanged {
 		frontier := f.Frontier()
-		i, _ := slices.BinarySearchFunc(f.backfills, frontier, func(elem hlc.Timestamp, ts hlc.Timestamp) int {
-			return elem.Compare(ts)
-		})
+		i, _ := slices.BinarySearchFunc(f.backfills, frontier,
+			func(elem hlc.Timestamp, ts hlc.Timestamp) int {
+				return elem.Compare(ts)
+			})
 		f.backfills = f.backfills[i:]
 	}
 	return frontierChanged, nil
@@ -144,10 +145,11 @@ func (f *CoordinatorFrontier) ForwardResolvedSpan(
 // happening at different timestamps.
 func (f *CoordinatorFrontier) InBackfill(r jobspb.ResolvedSpan) bool {
 	boundaryTS := r.Timestamp
-	_, ok := slices.BinarySearchFunc(f.backfills, boundaryTS, func(elem hlc.Timestamp, ts hlc.Timestamp) int {
-		return elem.Next().Compare(ts)
-	})
-	if ok {
+	if _, ok := slices.BinarySearchFunc(f.backfills, boundaryTS,
+		func(elem hlc.Timestamp, ts hlc.Timestamp) int {
+			return elem.Next().Compare(ts)
+		},
+	); ok {
 		return true
 	}
 
@@ -160,11 +162,12 @@ func (f *CoordinatorFrontier) All() iter.Seq[jobspb.ResolvedSpan] {
 		for resolvedSpan := range f.resolvedSpanFrontier.All() {
 			// Check if it's at an earlier backfill boundary.
 			if resolvedSpan.BoundaryType == jobspb.ResolvedSpan_NONE {
-				for _, b := range f.backfills {
-					if b.Equal(resolvedSpan.Timestamp) {
-						resolvedSpan.BoundaryType = jobspb.ResolvedSpan_BACKFILL
-						break
-					}
+				if _, ok := slices.BinarySearchFunc(f.backfills, resolvedSpan.Timestamp,
+					func(elem hlc.Timestamp, ts hlc.Timestamp) int {
+						return elem.Compare(ts)
+					},
+				); ok {
+					resolvedSpan.BoundaryType = jobspb.ResolvedSpan_BACKFILL
 				}
 			}
 			if !yield(resolvedSpan) {
@@ -295,23 +298,26 @@ func (f *resolvedSpanFrontier) InBackfill(r jobspb.ResolvedSpan) bool {
 	return false
 }
 
-// assertBoundaryNotEarlier is a helper method provided to assert that a
-// resolved span does not have an earlier boundary than the existing one.
-func (f *resolvedSpanFrontier) assertBoundaryNotEarlier(
-	ctx context.Context, r jobspb.ResolvedSpan,
-) error {
+// assertBoundaryNotEarlierOrDifferent is a helper method that asserts that a
+// resolved span does not have an earlier boundary than the existing one
+// nor is it at the same time as the existing one with a different type.
+func (f *resolvedSpanFrontier) assertBoundaryNotEarlierOrDifferent(r jobspb.ResolvedSpan) error {
 	boundaryType := r.BoundaryType
 	if boundaryType == jobspb.ResolvedSpan_NONE {
-		return errors.AssertionFailedf("assertBoundaryNotEarlier should not be called for NONE boundary")
+		return errors.AssertionFailedf(
+			"assertBoundaryNotEarlierOrDifferent should not be called for NONE boundary")
 	}
 	boundaryTS := r.Timestamp
+	newBoundary := newResolvedSpanBoundary(boundaryTS, boundaryType)
 	if f.boundary.After(boundaryTS) {
-		newBoundary := newResolvedSpanBoundary(boundaryTS, boundaryType)
-		err := errors.AssertionFailedf("received resolved span for %s "+
+		return errors.AssertionFailedf("received resolved span for %s "+
 			"with %v, which is earlier than previously received %v",
 			r.Span, newBoundary, f.boundary)
-		log.Errorf(ctx, "error while forwarding boundary resolved span: %v", err)
-		return err
+	}
+	if atBoundary, typ := f.boundary.At(boundaryTS); atBoundary && boundaryType != typ {
+		return errors.AssertionFailedf("received resolved span for %s "+
+			"with %v, which has a different type from previously received %v with same timestamp",
+			r.Span, newBoundary, f.boundary)
 	}
 	return nil
 }

pkg/ccl/changefeedccl/resolvedspan/frontier_test.go

@@ -6,7 +6,6 @@
 package resolvedspan_test
 
 import (
-	"context"
 	"iter"
 	"testing"
 
@@ -24,8 +23,6 @@ func TestAggregatorFrontier(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	defer log.Scope(t).Close(t)
 
-	ctx := context.Background()
-
 	// Create a fresh frontier with no progress.
 	statementTime := makeTS(10)
 	var initialHighwater hlc.Timestamp
@@ -38,32 +35,37 @@ func TestAggregatorFrontier(t *testing.T) {
 	require.Equal(t, initialHighwater, f.Frontier())
 
 	// Forward spans representing initial scan.
-	testBackfillSpan(t, ctx, f, "a", "b", statementTime, initialHighwater)
-	testBackfillSpan(t, ctx, f, "b", "f", statementTime, statementTime)
+	testBackfillSpan(t, f, "a", "b", statementTime, initialHighwater)
+	testBackfillSpan(t, f, "b", "f", statementTime, statementTime)
 
 	// Forward spans signalling a backfill is required.
 	backfillTS := makeTS(20)
-	testBoundarySpan(t, ctx, f, "a", "b", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
-	testBoundarySpan(t, ctx, f, "b", "c", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
-	testBoundarySpan(t, ctx, f, "c", "d", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
-	testBoundarySpan(t, ctx, f, "d", "e", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
-	testBoundarySpan(t, ctx, f, "e", "f", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, backfillTS.Prev())
+	testBoundarySpan(t, f, "a", "b", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "b", "c", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "c", "d", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "d", "e", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "e", "f", backfillTS.Prev(), jobspb.ResolvedSpan_BACKFILL, backfillTS.Prev())
 
-	// Confirm that attempting to signal an earlier boundary causes an assertion error.
+	// Verify that attempting to signal an earlier boundary causes an assertion error.
 	illegalBoundaryTS := makeTS(15)
-	testIllegalBoundarySpan(t, ctx, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_BACKFILL)
-	testIllegalBoundarySpan(t, ctx, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_RESTART)
-	testIllegalBoundarySpan(t, ctx, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_EXIT)
+	testIllegalBoundarySpan(t, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_BACKFILL)
+	testIllegalBoundarySpan(t, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_RESTART)
+	testIllegalBoundarySpan(t, f, "a", "f", illegalBoundaryTS, jobspb.ResolvedSpan_EXIT)
+
+	// Verify that attempting to signal a boundary at the latest boundary time with a different
+	// boundary type causes an assertion error.
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS.Prev(), jobspb.ResolvedSpan_RESTART)
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS.Prev(), jobspb.ResolvedSpan_EXIT)
 
 	// Forward spans representing actual backfill.
-	testBackfillSpan(t, ctx, f, "d", "e", backfillTS, backfillTS.Prev())
-	testBackfillSpan(t, ctx, f, "e", "f", backfillTS, backfillTS.Prev())
-	testBackfillSpan(t, ctx, f, "a", "d", backfillTS, backfillTS)
+	testBackfillSpan(t, f, "d", "e", backfillTS, backfillTS.Prev())
+	testBackfillSpan(t, f, "e", "f", backfillTS, backfillTS.Prev())
+	testBackfillSpan(t, f, "a", "d", backfillTS, backfillTS)
 
 	// Forward spans signalling a restart is required.
 	restartTS := makeTS(30)
-	testBoundarySpan(t, ctx, f, "a", "b", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, backfillTS)
-	testBoundarySpan(t, ctx, f, "b", "f", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, restartTS.Prev())
+	testBoundarySpan(t, f, "a", "b", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, backfillTS)
+	testBoundarySpan(t, f, "b", "f", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, restartTS.Prev())
 
 	// Simulate restarting by creating a new frontier with the initial highwater
 	// set to the previous frontier timestamp.
@@ -76,21 +78,19 @@ func TestAggregatorFrontier(t *testing.T) {
 	require.NoError(t, err)
 
 	// Forward spans representing post-restart backfill.
-	testBackfillSpan(t, ctx, f, "a", "b", restartTS, initialHighwater)
-	testBackfillSpan(t, ctx, f, "e", "f", restartTS, initialHighwater)
-	testBackfillSpan(t, ctx, f, "b", "e", restartTS, restartTS)
+	testBackfillSpan(t, f, "a", "b", restartTS, initialHighwater)
+	testBackfillSpan(t, f, "e", "f", restartTS, initialHighwater)
+	testBackfillSpan(t, f, "b", "e", restartTS, restartTS)
 
 	// Forward spans signalling an exit is required.
 	exitTS := makeTS(40)
-	testBoundarySpan(t, ctx, f, "a", "f", exitTS.Prev(), jobspb.ResolvedSpan_EXIT, exitTS.Prev())
+	testBoundarySpan(t, f, "a", "f", exitTS.Prev(), jobspb.ResolvedSpan_EXIT, exitTS.Prev())
 }
 
 func TestCoordinatorFrontier(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	defer log.Scope(t).Close(t)
 
-	ctx := context.Background()
-
 	// Create a fresh frontier with no progress.
 	statementTime := makeTS(10)
 	var initialHighwater hlc.Timestamp
@@ -103,35 +103,40 @@ func TestCoordinatorFrontier(t *testing.T) {
 	require.Equal(t, initialHighwater, f.Frontier())
 
 	// Forward spans representing initial scan.
-	testBackfillSpan(t, ctx, f, "a", "b", statementTime, initialHighwater)
-	testBackfillSpan(t, ctx, f, "b", "f", statementTime, statementTime)
+	testBackfillSpan(t, f, "a", "b", statementTime, initialHighwater)
+	testBackfillSpan(t, f, "b", "f", statementTime, statementTime)
 
 	// Forward span signalling a backfill is required.
 	backfillTS1 := makeTS(15)
-	testBoundarySpan(t, ctx, f, "a", "b", backfillTS1.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "a", "b", backfillTS1.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
 
 	// Forward span signalling another backfill is required (simulates multiple
 	// aggregators progressing at different speeds).
 	backfillTS2 := makeTS(20)
-	testBackfillSpan(t, ctx, f, "a", "b", backfillTS1, statementTime)
-	testBoundarySpan(t, ctx, f, "a", "b", backfillTS2.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBackfillSpan(t, f, "a", "b", backfillTS1, statementTime)
+	testBoundarySpan(t, f, "a", "b", backfillTS2.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
 
 	// Verify that spans signalling backfills at earlier timestamp are allowed.
-	testBoundarySpan(t, ctx, f, "b", "c", backfillTS1.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
+	testBoundarySpan(t, f, "b", "c", backfillTS1.Prev(), jobspb.ResolvedSpan_BACKFILL, statementTime)
 
 	// Verify that no other boundary spans at earlier timestamp are allowed.
-	testIllegalBoundarySpan(t, ctx, f, "a", "f", backfillTS1.Prev(), jobspb.ResolvedSpan_RESTART)
-	testIllegalBoundarySpan(t, ctx, f, "a", "f", backfillTS1.Prev(), jobspb.ResolvedSpan_EXIT)
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS1.Prev(), jobspb.ResolvedSpan_RESTART)
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS1.Prev(), jobspb.ResolvedSpan_EXIT)
+
+	// Verify that attempting to signal a boundary at the latest boundary time with a different
+	// boundary type causes an assertion error.
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS2.Prev(), jobspb.ResolvedSpan_RESTART)
+	testIllegalBoundarySpan(t, f, "a", "f", backfillTS2.Prev(), jobspb.ResolvedSpan_EXIT)
 
 	// Forward spans completing first backfill and signalling and completing second backfill.
-	testBackfillSpan(t, ctx, f, "b", "f", backfillTS1, backfillTS1)
-	testBoundarySpan(t, ctx, f, "b", "f", backfillTS2.Prev(), jobspb.ResolvedSpan_BACKFILL, backfillTS2.Prev())
-	testBackfillSpan(t, ctx, f, "a", "f", backfillTS2, backfillTS2)
+	testBackfillSpan(t, f, "b", "f", backfillTS1, backfillTS1)
+	testBoundarySpan(t, f, "b", "f", backfillTS2.Prev(), jobspb.ResolvedSpan_BACKFILL, backfillTS2.Prev())
+	testBackfillSpan(t, f, "a", "f", backfillTS2, backfillTS2)
 
 	// Forward spans signalling a restart is required.
 	restartTS := makeTS(30)
-	testBoundarySpan(t, ctx, f, "a", "b", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, backfillTS2)
-	testBoundarySpan(t, ctx, f, "b", "f", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, restartTS.Prev())
+	testBoundarySpan(t, f, "a", "b", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, backfillTS2)
+	testBoundarySpan(t, f, "b", "f", restartTS.Prev(), jobspb.ResolvedSpan_RESTART, restartTS.Prev())
 
 	// Simulate restarting by creating a new frontier with the initial highwater
 	// set to the previous frontier timestamp.
@@ -144,13 +149,13 @@ func TestCoordinatorFrontier(t *testing.T) {
 	require.NoError(t, err)
 
 	// Forward spans representing post-restart backfill.
-	testBackfillSpan(t, ctx, f, "a", "b", restartTS, initialHighwater)
-	testBackfillSpan(t, ctx, f, "e", "f", restartTS, initialHighwater)
-	testBackfillSpan(t, ctx, f, "b", "e", restartTS, restartTS)
+	testBackfillSpan(t, f, "a", "b", restartTS, initialHighwater)
+	testBackfillSpan(t, f, "e", "f", restartTS, initialHighwater)
+	testBackfillSpan(t, f, "b", "e", restartTS, restartTS)
 
 	// Forward spans signalling an exit is required.
 	exitTS := makeTS(40)
-	testBoundarySpan(t, ctx, f, "a", "f", exitTS.Prev(), jobspb.ResolvedSpan_EXIT, exitTS.Prev())
+	testBoundarySpan(t, f, "a", "f", exitTS.Prev(), jobspb.ResolvedSpan_EXIT, exitTS.Prev())
 }
 
 type frontier interface {
@@ -162,12 +167,7 @@ type frontier interface {
 }
 
 func testBackfillSpan(
-	t *testing.T,
-	ctx context.Context,
-	f frontier,
-	start, end string,
-	ts hlc.Timestamp,
-	frontierAfterSpan hlc.Timestamp,
+	t *testing.T, f frontier, start, end string, ts hlc.Timestamp, frontierAfterSpan hlc.Timestamp,
 ) {
 	backfillSpan := makeResolvedSpan(start, end, ts, jobspb.ResolvedSpan_NONE)
 	require.True(t, f.InBackfill(backfillSpan))
@@ -178,7 +178,6 @@ func testBackfillSpan(
 
 func testBoundarySpan(
 	t *testing.T,
-	ctx context.Context,
 	f frontier,
 	start, end string,
 	boundaryTS hlc.Timestamp,
@@ -213,7 +212,6 @@ func testBoundarySpan(
 
 func testIllegalBoundarySpan(
 	t *testing.T,
-	ctx context.Context,
 	f frontier,
 	start, end string,
 	boundaryTS hlc.Timestamp,