Hi Tom,

for interest - will be the scenario discussed in this bz https://bugzilla.redhat.com/show_bug.cgi?id=1009981 influenced by this change?

I mean will be still need to set different values of `com.arjuna.ats.jta.orphanSafetyInterval`for  system under heavy load or the clash of the titans scenario will be avoided?

Thanks

Ondra

Trying to make a distributed system look and work like a local system is something that can never really be accomplished and often leads to misunderstandings by developers and users who expect one thing and get something very different. If you feel that adding this feature helps users then go for it and just make sure the edge cases are well documented. Since this represents a difference in public interface/behaviour, it should also not be the default in EAP 6.x so you may want to consider an "enable" option - make it false for any TS version that goes into EAP 6.x and true for EAP 7.x so people can go back to the old behaviour if they really really want to

tomjenkinson: Ok, I see the point here only and understand that orphanSafetyInterval can't be avoided totally. But  mentioning " For the purely local case orphanSafetyInterval should be able to be disabled." the EAP case is the purerly local isn't it? The recovery manager is always expected to be run in the same JVM as TM does, right?

Btw. is the option will be set to true in EAP7 by default then TSM will be enabled by default as well, right?

I'm not convinced this should be the default in EAP 7 either - there's an argument to be made in either direction. However, as long as it is documented and flagged as a difference in behaviour ...

I see, thank you for clarification.

This issue (JBTM-2583) is marked as fixed in 5.2.17, while the latest EAP 7.1 contains 5.5.30 (as documented here). However the latest EAP 7.1 documentation under Limitations of the XA Recovery Process still has an entry

"Periodic recovery can occur on committed transactions" and provides link to this thread.

Is it an issue with the EAP documentation being outdated, or this is really fixed now in EAP 7.1?

Also, the above raised question seems to be unanswered: if this fix is included and enabled, whether orphanSafetyInterval is still needed in the EAP case (purely local)?

Also, this fix includes XAResourceOrphanFilter implementation called JTAActionStatusServiceXAResourceOrphanFilter. Is it enabled by default in EAP 7.1 or has to be manually configured?

Thanks

Hi Tom,

having these spurious warnings in the log is definitely not ideal.

Here is my understanding:

Without JTAActionStatusServiceXAResourceOrphanFilter (introduced in JBTM-2583) enabled, recovery manager orphan detection only checks transaction log and can thus incorrectly rollback transactions not yet written to the log, which happens if the time it takes to prepare all XAResources is greater than orphanSafetyInterval. Since Narayana writes transaction log entry (TxLog.write_committed) only once after all XA resources finished prepare operation, chance of violation happening increases with the number of enlisted XAResources, and the time each resource takes to finish prepare operation.

Increasing orphanSafetyInterval only reduces chance of data integrity violation, while also increasing data unavailability after recovering from crash (XAResource's data is locked for longer time)

With JTAActionStatusServiceXAResourceOrphanFilter enabled, increasing orphanSafetyInterval now only affects a chance of spurious warnings on rollback happening (while still of course affecting lock time after crash)

I would be glad to work on a PR for this issue.

Apart from fixing the issue with the approach you described where recovery manager would know that XID doesn't exist anymore, the question is why we issue warning in the first place? Basically we're telling XAResource: do rollback if this XID exists. So receiving XAER_NOTA is not really an error and could be logged with debug level instead of warning? Currently [XARecoveryModule.java#L849] the warning is issued for all return codes.

Then the approach you described would be only an optimization to avoid network call and load on RM.

Also, regarding JTAActionStatusServiceXAResourceOrphanFilter, while this filter is by default present in EAP and Wildfly there are still quick-start examples [transaction.xml#L117] or default configurations, like in Spring Boot [NarayanaProperties.java#L102] that don't use it.

Given the chances of data integrity issues in the absence of JTAActionStatusServiceXAResourceOrphanFilter, there is no reason not to include it by default?