[SPARK-11424] Guard against double-close() of RecordReaders #9382
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
Contributor
|
LGTM. |
Contributor
|
+1. |
|
Test build #44694 has finished for PR 9382 at commit
|
Contributor
Author
|
Jenkins, retest this please. |
Contributor
Author
|
Flaky SQL test? |
|
Test build #44703 has finished for PR 9382 at commit
|
Contributor
|
test this please |
|
Test build #44716 has finished for PR 9382 at commit
|
Contributor
Contributor
Author
|
@yhuai, here's the source code of the failing test: test("InputFileName") {
withTempPath { dir =>
val data = sparkContext.parallelize(0 to 10).toDF("id")
data.write.parquet(dir.getCanonicalPath)
val answer = sqlContext.read.parquet(dir.getCanonicalPath).select(inputFileName())
.head.getString(0)
assert(answer.contains(dir.getCanonicalPath))
checkAnswer(data.select(inputFileName()).limit(1), Row(""))
}
}Is the original assertion supposed to be checking that |
Contributor
Author
There was a problem hiding this comment.
Whoops, this is why the test was failing.
Contributor
Author
|
Spotted the problem: I accidentally deleted a |
Contributor
Author
There was a problem hiding this comment.
By the way, this use of nextIterator() explains why this bug was able to occur on 1.4.x: the first close() call, which throws an exception, comes from NextIterator, and the second comes from the task completion listener.
Contributor
Author
|
Due to the |
|
Test build #44727 has finished for PR 9382 at commit
|
Contributor
Author
|
Alright, fixed the tests and proofread this a second time, so I'm going to merge this to master and branch-1.5. |
asfgit
pushed a commit
that referenced
this pull request
Oct 31, 2015
**TL;DR**: We can rule out one rare but potential cause of input stream corruption via defensive programming. ## Background [MAPREDUCE-5918](https://issues.apache.org/jira/browse/MAPREDUCE-5918) is a bug where an instance of a decompressor ends up getting placed into a pool multiple times. Since the pool is backed by a list instead of a set, this can lead to the same decompressor being used in different places at the same time, which is not safe because those decompressors will overwrite each other's buffers. Sometimes this buffer sharing will lead to exceptions but other times it will might silently result in invalid / garbled input. That Hadoop bug is fixed in Hadoop 2.7 but is still present in many Hadoop versions that we wish to support. As a result, I think that we should try to work around this issue in Spark via defensive programming to prevent RecordReaders from being closed multiple times. So far, I've had a hard time coming up with explanations of exactly how double-`close()`s occur in practice, but I do have a couple of explanations that work on paper. For instance, it looks like #7424, added in 1.5, introduces at least one extremely~rare corner-case path where Spark could double-close() a LineRecordReader instance in a way that triggers the bug. Here are the steps involved in the bad execution that I brainstormed up: * [The task has finished reading input, so we call close()](https://github.com/apache/spark/blob/v1.5.1/core/src/main/scala/org/apache/spark/rdd/NewHadoopRDD.scala#L168). * [While handling the close call and trying to close the reader, reader.close() throws an exception]( https://github.com/apache/spark/blob/v1.5.1/core/src/main/scala/org/apache/spark/rdd/NewHadoopRDD.scala#L190) * We don't set `reader = null` after handling this exception, so the [TaskCompletionListener also ends up calling NewHadoopRDD.close()](https://github.com/apache/spark/blob/v1.5.1/core/src/main/scala/org/apache/spark/rdd/NewHadoopRDD.scala#L156), which, in turn, closes the record reader again. In this hypothetical situation, `LineRecordReader.close()` could [fail with an exception if its InputStream failed to close](https://github.com/apache/hadoop/blob/release-1.2.1/src/mapred/org/apache/hadoop/mapred/LineRecordReader.java#L212). I googled for "Exception in RecordReader.close()" and it looks like it's possible for a closed Hadoop FileSystem to trigger an error there: [SPARK-757](https://issues.apache.org/jira/browse/SPARK-757), [SPARK-2491](https://issues.apache.org/jira/browse/SPARK-2491) Looking at [SPARK-3052](https://issues.apache.org/jira/browse/SPARK-3052), it seems like it's possible to get spurious exceptions there when there is an error reading from Hadoop. If the Hadoop FileSystem were to get into an error state _right_ after reading the last record then it looks like we could hit the bug here in 1.5. ## The fix This patch guards against these issues by modifying `HadoopRDD.close()` and `NewHadoopRDD.close()` so that they set `reader = null` even if an exception occurs in the `reader.close()` call. In addition, I modified `NextIterator. closeIfNeeded()` to guard against double-close if the first `close()` call throws an exception. I don't have an easy way to test this, since I haven't been able to reproduce the bug that prompted this patch, but these changes seem safe and seem to rule out the on-paper reproductions that I was able to brainstorm up. Author: Josh Rosen <[email protected]> Closes #9382 from JoshRosen/hadoop-decompressor-pooling-fix and squashes the following commits: 5ec97d7 [Josh Rosen] Add SqlNewHadoopRDD.unsetInputFileName() that I accidentally deleted. ae46cf4 [Josh Rosen] Merge remote-tracking branch 'origin/master' into hadoop-decompressor-pooling-fix 087aa63 [Josh Rosen] Guard against double-close() of RecordReaders. (cherry picked from commit ac4118d) Signed-off-by: Josh Rosen <[email protected]>
asfgit
pushed a commit
that referenced
this pull request
Nov 2, 2015
….4 backport) This is a branch-1.4 backport of #9382, a fix for SPARK-11424. Author: Josh Rosen <[email protected]> Closes #9388 from JoshRosen/hadoop-decompressor-pooling-fix-branch-1.4.
JoshRosen
added a commit
to JoshRosen/spark
that referenced
this pull request
Nov 3, 2015
….4 backport) This is a branch-1.4 backport of apache#9382, a fix for SPARK-11424. Author: Josh Rosen <[email protected]> Closes apache#9388 from JoshRosen/hadoop-decompressor-pooling-fix-branch-1.4.
asfgit
pushed a commit
that referenced
this pull request
Nov 3, 2015
….3 backport) This is a branch-1.3 backport of #9382, a fix for SPARK-11424. Author: Josh Rosen <[email protected]> Closes #9423 from JoshRosen/hadoop-decompressor-pooling-fix-branch-1.3.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR: We can rule out one rare but potential cause of input stream corruption via defensive programming.
Background
MAPREDUCE-5918 is a bug where an instance of a decompressor ends up getting placed into a pool multiple times. Since the pool is backed by a list instead of a set, this can lead to the same decompressor being used in different places at the same time, which is not safe because those decompressors will overwrite each other's buffers. Sometimes this buffer sharing will lead to exceptions but other times it will might silently result in invalid / garbled input.
That Hadoop bug is fixed in Hadoop 2.7 but is still present in many Hadoop versions that we wish to support. As a result, I think that we should try to work around this issue in Spark via defensive programming to prevent RecordReaders from being closed multiple times.
So far, I've had a hard time coming up with explanations of exactly how double-
close()s occur in practice, but I do have a couple of explanations that work on paper.For instance, it looks like #7424, added in 1.5, introduces at least one extremely~rare corner-case path where Spark could double-close() a LineRecordReader instance in a way that triggers the bug. Here are the steps involved in the bad execution that I brainstormed up:
reader = nullafter handling this exception, so the TaskCompletionListener also ends up calling NewHadoopRDD.close(), which, in turn, closes the record reader again.In this hypothetical situation,
LineRecordReader.close()could fail with an exception if its InputStream failed to close.I googled for "Exception in RecordReader.close()" and it looks like it's possible for a closed Hadoop FileSystem to trigger an error there: SPARK-757, SPARK-2491
Looking at SPARK-3052, it seems like it's possible to get spurious exceptions there when there is an error reading from Hadoop. If the Hadoop FileSystem were to get into an error state right after reading the last record then it looks like we could hit the bug here in 1.5.
The fix
This patch guards against these issues by modifying
HadoopRDD.close()andNewHadoopRDD.close()so that they setreader = nulleven if an exception occurs in thereader.close()call. In addition, I modifiedNextIterator. closeIfNeeded()to guard against double-close if the firstclose()call throws an exception.I don't have an easy way to test this, since I haven't been able to reproduce the bug that prompted this patch, but these changes seem safe and seem to rule out the on-paper reproductions that I was able to brainstorm up.