Implement determine_timestamp using constraints

[frankmcsherry]

This PR explores what it would look like to pilot the determine_timestamp functions using constraints, rather than the current interwoven arguments with .. at least unclear-to-me semantics. The implementation reverses out some of the intents from the settings of QueryWhen, the optional oracle timestamp, the isolation level, and the timeline, and translates them to constraints with associated "reasons".

The intent is to nudge the implementation to one that starts with actual constraints with reasons, ideally pushing those constraints up the stack to the moment they are expressed. There are also surprising (to me) moments called out in the code where e.g. we avoid choosing the freshest timestamp as a function of QueryWhen rather than our isolation (presumably elsewhere the isolation results in a setting of the QueryWhen?).

The logic around StrongSessionSerializable is interesting, and the Preference enum isn't rich enough to represent it. I think this is because it is the only logic at the moment that intentionally trades off freshness and responsiveness; the other code paths sort of end up being wired to do reasonable things, as a result of the contexts in which we call the function with various arguments.

Motivation

Tips for reviewer

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• This PR includes the following user-facing behavior changes:

[jkosh44]

Yes

[maddyblue]

This is great! So much improved clarity around constraints and preferences. I am in favor of getting it into non-draft readiness and merged.

Getting this information into EXPLAIN TIMESTAMP seems also super useful and it's very amenable to printing.

[maddyblue]

The since here and for compute below is over the entire bundle, so could be over stating its needs. It perhaps makes sense to teach ReadHoldsInner about these separately so this constraint is more accurately expressed.

[ParkMyCar]

By and large this looks great! Really excited to get it merged!

The two things I would love to see before merging are:

1. Moving the constraint based solved to an error-able function, this way we can make as many asserts as we would like, but expose them as errors, without disrupting existing users.
2. A dyncfg to toggle between disabled, validate, and enabled.

[ParkMyCar]

I'm not super familiar with Antichain, but I'm assuming that the FromIterator impl is doing the bulk of the work to get the "greatest lower bound"?

[DAlperin]

According to frank, this is so

[frankmcsherry]

Yup. For better or worse, Antichain tracks the lower bound of inserted elements, and so blatting everything down and collecting it results in the lower bound of all the elements, which is the greatest lower bound of all the input antichains.

[ParkMyCar]

Adding some more detail to these comments explaining how these reasons link to more user facing concepts would be great. e.g. right now I'm assuming a ComputeInput means some collection that is maintained on a replica, like an index? But I'm not totally sure

[frankmcsherry]

It may also be that for the moment we aren't sure either. The PR only takes the arguments to determine_timestamp_for and projects out the "reasons", and they show up as "compute ids" without clearer identities or reasons attached to them.

[ParkMyCar]

Ahhh yeah true, we can definitely further improve the documentation as a follow-up!

Just thinking out loud, attaching a "reason" to the constraints would dovetail well with moving the constraints up a layer, like you mentioned previously @DAlperin

[ParkMyCar]

Given the concept of a "shadow/validation rollout", assert-ing in this code seems bad since it can panic environmentd?

Could we move this logic to a separate error-able function and when validation is enabled, log the possible error?

[ParkMyCar]

Looks like we're still assert!-ing here?

[ParkMyCar]

Also, can we add at least one SLT test so we can exercise the printed format of the new output to EXPLAIN TIMESTAMP

Edit: Ignore this! I raced with your most recent push

[frankmcsherry]

Nit, but it's hard to locally think about this. It reads a bit like the other methods, in that it is instructions for code elsewhere, and the should_ prefix indicates some obligation of someone to do something. Is there a way to dig us out of that hole a bit? Maybe "no; let's just aim to delete this enum entirely". But at the moment the comment and the method name seem redundant and not super clear about what needs to be true about this function.

[frankmcsherry]

Is this the right file for this? It seems less like "timestamp oracle" material and more "timestamp selection" material, which uses the oracle as input, but uses various other things as input as well. Would timestamp_selection.rs be more appropriate, or is there a reason to put it here?

[DAlperin]

The reason is I misread it and thought it did say timestamp selection :) will fix

[frankmcsherry]

It wasn't clear while reading this what role this oracle read timestamp had. I can imagine it has one, but I could also imagine various other arguments play a role too. Not sure what to conclude, but if there is an intent for the type, to be more than a bag of arguments, we should record that. I foresee it growing to look a lot like TimestampDetermination (apropos: should this be RawTimestampDetermination, or is the Selection signifying an important distinction?).

[frankmcsherry]

This seems like a thing we'll want to revisit, as afaict this is a "preference" rather than a "constraint". My sense is that it is easiest to introduce behavior using constraints, and .. no harm navigating this using constraints for the moment, but does it sound right that this is less a constraint and more a preference?

[frankmcsherry]

This is perhaps future work, but the way that determine_timestamp calls in to this method might be appropriate to blend in with this logic (iirc, it calls this method up to twice, with different isolation levels, to judge what would happen if you relaxed the isolation level). That logic was incorrect when last I looked at it (it had an await between the calls, so the two determinations might be unrelated). But, flagging for near future thoughts.

[frankmcsherry]

I cannot "approve" the PR on account of I created it. Which is fine, but I wanted to flag that I would have, modulo the various comments which are mostly nits, style thoughts, and near future work.

[ParkMyCar]

Nice!! Thanks for making the changes!

[ParkMyCar]

Looks like we're still assert!-ing here?

[ParkMyCar]

Ahhh yeah true, we can definitely further improve the documentation as a follow-up!

Just thinking out loud, attaching a "reason" to the constraints would dovetail well with moving the constraints up a layer, like you mentioned previously @DAlperin

[antiguru]

Added some nits!

[antiguru]

In Verify, we probably don't want to error the call if the constraints-based determination fails, rather log the error (instead of ?).

[antiguru]

Could implement this as TryFrom instead, but totally up to you. It would have the benefit that the caller needs to worry about the error path, not the implementation.

[ParkMyCar]

Dov originally used TryFrom but I recommended he push the error handling into this method so the caller doesn't have to worry about it :) In my experience the caller would generally just fallback to some default, unifying that across all callers seemed like a good idea