Because we can : Pitfalls with Inherited Transactions

Tuesday, April 26, 2005 9:37 PM by malx

Pitfalls with Inherited Transactions

Yesterday I demonstrated how a Transaction can be inherited by processes. This means that a process never designed for Transactions can run in a Transacted mode. Clearly, this has profound implications. Some applications may exhibit odd or unexpected behavior if run in this way. It isn't really possible to enumerate every possible case where odd things will happen; the best approach is to use caution. Let's consider a few cases.

Suppose a non-transactionally aware application recorded a simple log file. When run from within a transaction, those log records become isolated from other processes, and can be completely rolled back, possibly defeating the purpose of the log. Applications that record log accesses should be aware of this possibility, and may choose to ensure that they switch out of a Transacted state before performing logging.

Isolating applications that use temporary files into Transactions has the side-effect that it becomes virtually impossible to recover data in event of failure. Suppose you ran Microsoft Word in a transaction; Word will create a temporary file of your document, which is isolated from public view. If Word were to fail, the temporary file remains inaccessible and Word can't be invoked to recover that lost data in event of a crash. Depending on how Transactions are managed in this case, the Transaction may even be rolled back, purging the temporary file forever, and losing data in the process.

The most interesting case, in my opinion, involves launching an application with incomplete Transaction support from within a Transaction. The test application in my previous post is a good example: what happens if test itself is run from within a Transaction? It will blindly create a second, completely independent transaction, do some work, and commit that Transaction. Now the application which called the test application wants to rollback its Transaction - which it does, successfully - but all of the changes made by the test application remain committed to disk.

Inheritable Transactions are a powerful user tool, but are also another case that application developers should be aware of. Well-behaved applications should firstly check if they are being executed within a Transaction and make appropriate ajustments. What an application should do next depends in part upon what the application was intended to do in the first place. Maybe the application should simply exit (with an appropriate error message, of course.) Maybe the semantics of an application could be changed - instead of a Service Pack installer maintaining its own Transaction, it could instead rely on its inherited Transaction and not duplicate Transactional logic. A well behaved application should never silently ignore the existence of an inherited Transaction; doing this only leads to confusing, potentially inconsistent results.

The test application does ensure that the child process has completed before commiting the Transaction. This code is particularly important. If the test application commits the Transaction while a child process is still using it, filesystem calls made by the child will begin to fail. This includes both reads and writes: all filesystem calls made by the child are made in the context of an invalid Transaction. The child may not be designed to handle this case elegantly. When inheriting Transactions, an application should make sure that no process is still running within that Transaction before committing or rolling back.

So what happens if the process being executed is intending to remain executing permanently? Bluntly: don't do this. That process will eventually exhaust all the resources for recording Transactional changes, and will invariably fail eventually, possibly failing other processes as well. If a server is to run with Transaction support, it should be designed to support Transactions natively.

In each case of using Transactions, the first question to ask yourself is always: what does this mean? What should I expect? The implications of Transactions may easily break existing applications, so use caution doing this. However, Transactional inheritance when used correctly enables you to leverage this new technology without heavy reinvestment in new applications.

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# re: Pitfalls with Inherited Transactions

Tuesday, April 26, 2005 11:24 PM by Anonymous

I have one question: is there any way for server process's to participate in transactions when doing IO for client process's?

For example consider a client/server application (on the same machine for now): what happens if the client starts a transaction and then calls into the server (lets using LRPC) which in turn ends up doing some IO on behalf of the client. Is there any way for the server to make all its IO be part of the clients transaction?

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 2:28 AM by Pierre Chalamet

> Well-behaved applications should firstly
> check if they are being executed within a
> Transaction and make appropriate ajustments

That's a major breaking change from previous version if activated by default.

IMHO, at the transaction creation time, you should be able to tell if the transaction can span across processes. After all, only the caller is able to really tell the goal it want to achieve.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 9:35 AM by Mike

I think this elaboration displays the inherent limits, nay dangers, with the current design.

Wouldn't this, instead of creating the unmanagable mess you displayed, be a non-issue should nested transactions have been present?

Let me rephrase that: If you are to allow creation and usage of transactions inside a running transaction, then you must also implement nested transaction support. At least if your transactions are to be trusted.

Transactions are nowadays quite widely accepted to provide ACID (http://en.wikipedia.org/wiki/ACID). The scenario you presented completely removed isolation - a "child" (say a child process) has now been given the powers to control the isolation level, the parent process behaviour and as a result possibly the whole system.

This I find scary, and a Very Bad Thing(tm).

A piece of code (e.g. a child process) should not have to be aware it could potentially be running inside a transaction, and take action (different code-paths) depending on this to (continue to) function properly. If it needs to, you have failed in providing the correct isolation. This I think should be obvious. A transaction is started for a reason - to have the (child) results isolated until such a time the transaction owner decides to commit or rollback. The one creating the transaction owns the transaction and should obviously be the only one in control of the transaction, unless it explicitly gives away ownership of the transaction at which point it no longer should have control of the transaction.

Let me repeat that crucial word: Isolation.

You explicitly violated, even suggested (!) violating this crucial principle:
"Applications that record log accesses should be aware of this possibility, and may choose to ensure that they switch out of a Transacted state before performing logging".

Isn't this a bit like giving a prisoner in jail the power to decide whether it wants to stay in jail or not?

The child shall not have the power to veto or override the parent, controlling process' decision. Allowing this open such a large can of worms you simply don't want to go there. You have already yourself displayed a small subset of the inherent errors in this approach. It's almost like Microsoft hasn't learned anything from previous security disasters.

For comparison: what would happen if a user process would be allowed to change global page-table entries for the kernel? The brown stuff would hit the fan, fast. The reason this isn't possible is because the user process runs in isolation from the kernel. The kernel sets the rules, and the child should not be able to break them. Isolation.

I'm not going to say "Trust me, it's a dead end. Really. I've been there. It's a dark, complex, spaghetti-filled scary place where code and products goes to die", even if it is true. Instead I will only ask you to use common sense, and compare a few nested scenarios with and without nested transactions. I hope you come to realize that without keeping the isolation-level the parent explicitly requested, you might consider not implementing this at all.

If this can, as I expect, be solved simply by implementing nested transactions, then please do. Do not release a half-finished implementation, but please do take the time to for once in Microsofts lifetime do something right the first time. Nested transaction management really isn't that hard - I've done it myself a number of times for different software systems. If you currently don't have the experience in-house, could you please consider trying to find someone that has experience in the area? I would really hate to see such a good idea become crippled to the point of possibly uselessness by the incomplete implementation it seems you are currently aiming for.

If on the other hand you for whatever reason are unwilling or unable to provide proper isolation, then I'm sure many would appreciate if you stated so right now.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 3:17 PM by ReuvenLax

Mike,

There's something basic you're missing. Transactional NTFS _does_ provide isolation, the only question is what the unit of isolation should be. One possibility is that the isolation unit should be the thread, and another possibility (the one you seem to think necessary) is that the isolation unit should be the process. The way things are implemented, the unit of isolation is neither the unit is the transaction context. Isolation semantics are preserved between transaction contexts, however a single transaction context can be shared between multiple processes.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 3:23 PM by AdiOltean

>>> Transactions are nowadays quite widely accepted to provide ACID (http://en.wikipedia.org/wiki/ACID). The scenario you presented completely removed isolation - a "child" (say a child process) has now been given the powers to control the isolation level, the parent process behaviour and as a result possibly the whole system.

>>> This I find scary, and a Very Bad Thing(tm).

>>> A piece of code (e.g. a child process) should not have to be aware it could potentially be running inside a transaction, and take action (different code-paths) depending on this to (continue to) function properly. If it needs to, you have failed in providing the correct isolation. This I think should be obvious. A transaction is started for a reason - to have the (child) results isolated until such a time the transaction owner decides to commit or rollback. The one creating the transaction owns the transaction and should obviously be the only one in control of the transaction, unless it explicitly gives away ownership of the transaction at which point it no longer should have control of the transaction.

Mike,

You are confusing transaction isolation boundary with process boundary. They are quite different concepts. Note that transaction contexts can span multiple processes - in fact this is a very old concept that can be found in most two-phase commit implementations. Also, multiple threads in the same process can participate in multiple transactions at the same time.

In this respect, TxF brings nothing new. The fact that a process participates in a transaction doesn't mean that other processes must not participate in the same transaction.

The fact that the same context spans multiple processes was also present for almost ten years in Microsoft software, starting with MTS (that allowed SQL sharing the same transaction with other resource managers) and then COM+.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 4:48 PM by Mike

I like to think I have not missed the boat.

What I might have missed to explain was that I argued in the context of a process creating a transaction and then trying to restrict a created process (exactly as displayed in the previous top-level post) from doing any modifications outside this transaction. If it, or any of its potential child processes, could do modifications outside of this transaction, it would obviously defeat the purpose of the transaction, and make it in effect useless.

I don't think I can put it in a more obvious and blunt wording.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 10:09 PM by Dean Harding

But that's not the purpose of transactions at all. Even with a database, if you have distributed transactions, there's no reason a "child" of your transaction can't simply open a different connection to the database and do stuff outside the transaction.

I do have a question though: what's the performance impact of constantly switching in/out of transactional mode, or of switching transactions? You mention that a process writing to a log file would want to switch out of transactional mode to write to the log, and that seems very sensible, but what's the cost of switching out of transactional mode and back in all the time - especially if you're doing it many times per seconds?

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 10:45 PM by malx

Firstly, I haven't done any benchmarks on this, and I'm still a little limited in what I'm allowed to talk about.

The cost of a SetCurrentTransaction() should be exceedingly cheap. All it has to do is record which Transaction to do future operations with.

The cost of *using* a Transaction, particularly in write cases, will be more expensive than a non-transacted case. To give you some *very early* figures that could change radically by release, that app I just posted about created 110,000 files in 32 minutes. That's an average of 57.3 creates per second. They're certainly not prohibitively expensive, but think carefully if your application is performance critical and write-bound.

# re: Pitfalls with Inherited Transactions

Wednesday, April 27, 2005 11:07 PM by Dean Harding

Ah, that sounds like good news. I had assumed it'd be a non-trivial perf hit to actually *use* the transactions, but as long as switching is cheap, I'd say that's what's important.

# re: Pitfalls with Inherited Transactions

Thursday, May 12, 2005 3:30 AM by Qflash

http://www.yeyan.cn/Programming/InheritedTransactions.aspx

# Because we can Pitfalls with Inherited Transactions | Wood TV Stand

Sunday, May 31, 2009 9:00 PM by Because we can Pitfalls with Inherited Transactions | Wood TV Stand

PingBack from http://woodtvstand.info/story.php?id=5751

Name (required)
Your URL (optional)
Comments (required)

Enter Code Here: Required
Remember Me?

Because we can

Tags

Archives

Pitfalls with Inherited Transactions

Comment Notification

Comments

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# re: Pitfalls with Inherited Transactions

# Because we can Pitfalls with Inherited Transactions | Wood TV Stand

Leave a Comment