Race caused by static cache in DefaultSessionFactory (QFJ-971)

[AndreyNudko]

I think there's a race condition caused by static cache in DefaultSessionFactory, which sometimes effectively corrupts the message.

This can happen when:

• there are 2 sessions each with it's own IO thread
• both session use same dictionary file
• both sessions receive first message of a particular type around the same time

Long story:
We use QuickFIX to stub FIX API-s in acceptance tests. Stub is a separate process, and acceptors are dynamically created and destroyed during tests execution. Each acceptor runs it's own IO thread.
Recently we added support for an API which requires sending same message to 2 endpoints for redundancy purposes. So the test starts 2 sessions with the same dictionary file, and verifies that both received expected message.
However now we occasionally see very strange FieldNotFound exceptions when trying to access a field of repeating group, although raw fix logs clearly shows the tag is present.

After some poking around I think there is a race condition caused by interplay of static cache in DefaultSessionFactory:

private static final SimpleCache<String, DataDictionary> dictionaryCache = new SimpleCache<>(path -> {
        try {
            return new DataDictionary(path);
        } catch (ConfigError e) {
            throw new QFJException(e);
        }
    });

and DataDictionary::getOrderedFields:

    public int[] getOrderedFields() {
        if (orderedFieldsArray == null) {
            orderedFieldsArray = new int[fields.size()];
            int i = 0;
            for (Integer field : fields) {
                orderedFieldsArray[i++] = field;
            }
        }

        return orderedFieldsArray;
    }

My reconstruction of events is this:

• 2 sessions receive same message; because of the static cache they inadvertently share same instance of DataDictionary
• when parsing message both threads descend into repeating groups and call DataDictionary::getOrderedFields
• first thread starts lazy initialisation and updates orderedFieldsArray
• now second thread may see partially constructed array before first thread finished building it
• second thread passes this partially constructed array to FieldOrderComparator and now we have effectively mutable comparator; which gives one result before first thread finished building array, and different resut later
• so if message is parsed before array is built but accessed after, internal structure of a field map is inconsistent with what comparator tells - hence FieldNotFound

The simple fix would be to make getOrderedFields idempotent like that:

    public int[] getOrderedFields() {
        if (orderedFieldsArray == null) {
            orderedFieldsArray = toIntArray(fields); 
        }

        return orderedFieldsArray;
    }
    
    private static int[] toIntArray(Collection<Integer> intCollection)
    {
        int result[] = new int[intCollection.size()];
        int i = 0;
        for (Integer field : intCollection) {
            result[i++] = field;
        }
        return result;
    }

However I wonder if there are other possible dangers of sharing dictionary? We certainly saw cases when dictionary validation properties were accidentally modified because of this static cache (although it was bad session configuration on our part).

[chrjohn]

Hi @AndreyNudko ,
congratulations, I think you found the missing piece to a bug that has been troubling some users. The key piece seems to be that identical messages must be received on distinct sessions that use the same data dictionary. See this JIRA issue for reference: https://www.quickfixj.org/jira/browse/QFJ-971
Funny enough it always seems to be field 447 that is "missing" (probably it is one of the first ordered fields). Did you observe the same?

As for the dictionary sharing: we are aware of the problems with the validation settings and there is this JIRA issue: https://www.quickfixj.org/jira/browse/QFJ-982

If you could make this problem reproducible in a unit test (and possibly also fix it) then that would be great. Otherwise I could try to put a unit test together. However, it could take some time.

Anyway, many thanks for reporting this! 👍

Cheers,
Chris.

[AndreyNudko]

Very difficult to construct reliable test for this...

For now we put a workaround to make a defensive copy of the dictionary on session creation, and update Session::dataDictionaryProvider with the copy. I'll let you know if that improved our test stability.

Generally, I think it would be best if DataDictionary was not modified after it's loaded - especially if it's intentionally shared between sessions to lower memory footprint. As far as I can tell, almost all structural data are never updated - except orderedFieldsArray. Which should be easy to calculate on load rather than lazily, with a small side benefit of taking this out of critical path. Happy to submit PR for that - this is a minimal change and hopefully there's enough tests for message parsing to prevent any possible regression.

[chrjohn]

Yes, please submit PR for the change. I think I found a way to make this problem reproducible.
Thanks in advance!

[chrjohn]

Hi @AndreyNudko ,

I tried to reproduce this but until now did not succeed. Based on your description I forged a message with an incomplete orderedFieldsArray but couldn't provoke the error.
I am certain that your changes are sensible but I cannot see how the original error could be caused by the incomplete array.
E.g. when the error appears QFJ reports this as

quickfix.FieldException: Required tag missing, field=447

This is thrown by DataDictionary.checkHasRequired()

quickfixj/quickfixj-core/src/main/java/quickfix/DataDictionary.java

Lines 809 to 813 in 44ca433

	for (int field : requiredFieldsForMessage) {
	if (!fields.isSetField(field)) {
	throw new FieldException(SessionRejectReason.REQUIRED_TAG_MISSING, field);
	}
	}

So the FieldMap of the message (or in this example the repeating group) lacks a field. But I don't see how this is caused by the incomplete orderedFieldsArray.

Looking at the code and the cache it could also be possible that an partially initialized dictionary is handed to one thread, right? E.g. the DataDictionary.load() method could not have been completed. But then it is strange that always field 447 is affected (regardless of whether I got the report from a client or e.g. in https://www.quickfixj.org/jira/browse/QFJ-971).

However, this method from SimpleCache does not seem to be thread-safe with regard to checking whether there already is a DD present:

quickfixj/quickfixj-core/src/main/java/org/quickfixj/SimpleCache.java

Lines 36 to 42 in 44ca433

	public V computeIfAbsent(K key) {
	/*
	* We could computeIfAbsent directly but for CPUs < 32 pre-scanning is faster.
	*/
	final V value = get(key);
	return value != null ? value : computeIfAbsent(key, loadingFunction);
	}

IMHO the "pre-scanning" is not atomic (as opposed to computeIfAbsent()) and could cause problems.

What do you think? Or did I miss something?
Thanks in advance,
Chris.

[chrjohn]

What I said about the thread safety of the DD initialization also does not explain why the FieldMap is lacking a field, though.

[AndreyNudko]

Interesting point about SimpleCache... according to javadoc of ConcurrentHashMap::computeIfAbsent (which it eventually invokes): The entire method invocation is performed atomically, so the function is applied at most once per key. It does not specify the effect on get - but I will be really surprised if that would allow partially constructed object to be seen (how do you even return partially constructed object from function?). It seems that calling get() first is just an optimisation to minimise locking, but in the case of cache miss even if multiple threads will try to load same key concurrently only one will actually update the map.

Based on your description I forged a message with an incomplete orderedFieldsArray but couldn't provoke the error.

This gave me an idea for a 'cheating' test - I'll try a quick experiment and let you know in a bit

[AndreyNudko]

Here we go. The scenario is this:

• parsing thread sees orderedFieldsArray which is initialized but not yet filled (all elements are 0)
• the other thread fills the array
• application tries to read the field after array content has changed
  result - quickfix.FieldNotFound: Field was not found in message, field=447

package quickfix;

import org.junit.Test;
import quickfix.field.NoPartyIDs;
import quickfix.field.PartyIDSource;
import quickfix.fix44.ExecutionReport;
import quickfix.fix44.MessageFactory;

import java.util.Arrays;

import static org.junit.Assert.assertEquals;

public class DataDictionaryRace240Test {

    @Test
    public void cheatingReproducer() throws Exception
    {
        final String data = "8=FIX.4.4\0019=309\00135=8\00149=ASX\00156=CL1_FIX44\00134=4\001" +
            "52=20060324-01:05:58\00117=X-B-WOW-1494E9A0:58BD3F9D-1109\001150=D\001" +
            "39=0\00111=184271\00138=200\001198=1494E9A0:58BD3F9D\001526=4324\001" +
            "37=B-WOW-1494E9A0:58BD3F9D\00155=WOW\00154=1\001151=200\00114=0\00140=2\001" +
            "44=15\00159=1\0016=0\001453=3\001448=AAA35791\001447=D\001452=3\001448=8\001" +
            "447=D\001452=4\001448=FIX11\001447=D\001452=36\00160=20060320-03:34:29\00110=169\001";


        final MessageFactory messageFactory = new MessageFactory();
        final DataDictionary dictionary = new DataDictionary("FIX44.xml");
        final DataDictionary partyDictionary = dictionary.getGroup(ExecutionReport.MSGTYPE, NoPartyIDs.FIELD).getDataDictionary();
        int[] originalOrder = Arrays.copyOf(partyDictionary.getOrderedFields(), partyDictionary.getOrderedFields().length);

        // Check we parse message OK
        Message message = MessageUtils.parse(messageFactory, dictionary, data);
        Group partyGroup = message.getGroups(NoPartyIDs.FIELD).get(0);
        String partyIdSource = partyGroup.getString(PartyIDSource.FIELD);
        assertEquals("D", partyIdSource);

        // Zero out field order for the party dictionary and parse the message.
        // This is what parser thread could see when another thread initialised array,
        // but haven't filled the data yet.
        Arrays.fill(partyDictionary.getOrderedFields(), 0);
        message = MessageUtils.parse(messageFactory, dictionary, data);

        // Put the right field order and try to read the tag.
        // This is what someone accessing the message would see
        // after another thread has filled the array.
        System.arraycopy(originalOrder, 0, partyDictionary.getOrderedFields(), 0, originalOrder.length);
        partyGroup = message.getGroups(NoPartyIDs.FIELD).get(0);
        partyIdSource = partyGroup.getString(PartyIDSource.FIELD);
        assertEquals("D", partyIdSource);
    }

}

[AndreyNudko]

And here's modified version with multithreaded test which actually triggers the race. Not 100% reliable and quite expensive test to run - but on my machine I could see it failing 3 times in a row before my changes, and happily passing after.
Still a cheating test, since it uses simplified model rather than properly wired QuickFIX )

package quickfix;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import quickfix.field.NoPartyIDs;
import quickfix.field.PartyIDSource;
import quickfix.fix44.ExecutionReport;
import quickfix.fix44.MessageFactory;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import static org.junit.Assert.assertEquals;

public class DataDictionaryRace240Test {

    private static final int NUM_CONCURRENT_PARSERS = 2;

    private ExecutorService parserExecutor;


    @Before
    public void setUp() {
        parserExecutor = Executors.newFixedThreadPool(NUM_CONCURRENT_PARSERS);
    }

    @After
    public void tearDown() {
        parserExecutor.shutdownNow();
    }

    @Test
    public void cheatingReproducer() throws Exception {
        final String data = "8=FIX.4.4\0019=309\00135=8\00149=ASX\00156=CL1_FIX44\00134=4\001" +
                "52=20060324-01:05:58\00117=X-B-WOW-1494E9A0:58BD3F9D-1109\001150=D\001" +
                "39=0\00111=184271\00138=200\001198=1494E9A0:58BD3F9D\001526=4324\001" +
                "37=B-WOW-1494E9A0:58BD3F9D\00155=WOW\00154=1\001151=200\00114=0\00140=2\001" +
                "44=15\00159=1\0016=0\001453=3\001448=AAA35791\001447=D\001452=3\001448=8\001" +
                "447=D\001452=4\001448=FIX11\001447=D\001452=36\00160=20060320-03:34:29\00110=169\001";


        final MessageFactory messageFactory = new MessageFactory();
        final DataDictionary dictionary = new DataDictionary("FIX44.xml");

        final DataDictionary partyDictionary = dictionary.getGroup(ExecutionReport.MSGTYPE, NoPartyIDs.FIELD).getDataDictionary();
        int[] originalOrder = Arrays.copyOf(partyDictionary.getOrderedFields(), partyDictionary.getOrderedFields().length);

        // Check we parse message OK
        Message message = MessageUtils.parse(messageFactory, dictionary, data);
        Group partyGroup = message.getGroups(NoPartyIDs.FIELD).get(0);
        String partyIdSource = partyGroup.getString(PartyIDSource.FIELD);
        assertEquals("D", partyIdSource);

        // Zero out field order for the party dictionary and parse the message.
        // This is what parser thread could see when another thread initialised array,
        // but haven't filled the data yet.
        Arrays.fill(partyDictionary.getOrderedFields(), 0);
        message = MessageUtils.parse(messageFactory, dictionary, data);

        // Put the right field order and try to read the tag.
        // This is what someone accessing the message would see
        // after another thread has filled the array.
        System.arraycopy(originalOrder, 0, partyDictionary.getOrderedFields(), 0, originalOrder.length);
        partyGroup = message.getGroups(NoPartyIDs.FIELD).get(0);
        partyIdSource = partyGroup.getString(PartyIDSource.FIELD);
        assertEquals("D", partyIdSource);
    }

    @Test
    public void threadedCheatingReproducer() throws Exception {
        final String data = "8=FIX.4.4\0019=309\00135=8\00149=ASX\00156=CL1_FIX44\00134=4\001" +
                "52=20060324-01:05:58\00117=X-B-WOW-1494E9A0:58BD3F9D-1109\001150=D\001" +
                "39=0\00111=184271\00138=200\001198=1494E9A0:58BD3F9D\001526=4324\001" +
                "37=B-WOW-1494E9A0:58BD3F9D\00155=WOW\00154=1\001151=200\00114=0\00140=2\001" +
                "44=15\00159=1\0016=0\001453=3\001448=AAA35791\001447=D\001452=3\001448=8\001" +
                "447=D\001452=4\001448=FIX11\001447=D\001452=36\00160=20060320-03:34:29\00110=169\001";

        final MessageFactory messageFactory = new MessageFactory();

        for (int i = 0; i < 10000; i++) {
            // Need fresh dictionary on every iteration - race happens on first access!
            final DataDictionary dictionary = new DataDictionary("FIX44.xml");

            // Parse message in the background in multiple threads sharing the dictionary.
            // Barrier is synchronisation point so all parsers start as close to each other
            // as possible - to maximise the chance of exposing race.
            final CyclicBarrier barrier = new CyclicBarrier(NUM_CONCURRENT_PARSERS + 1);
            final List<Future<Message>> futureList = new ArrayList<>(NUM_CONCURRENT_PARSERS);

            for (int j = 0; j < NUM_CONCURRENT_PARSERS; j++) {
                Future<Message> future =
                        parserExecutor.submit(new Callable<Message>() {
                            @Override
                            public Message call() throws Exception {
                                barrier.await();
                                return MessageUtils.parse(messageFactory, dictionary, data);
                            }
                        });
                futureList.add(future);
            }

            // Unleash the parsers
            barrier.await();

            // Check that messages from all parsers can be accessed normally
            for (Future<Message> future : futureList) {
                Message message = future.get();
                Group partyGroup = message.getGroups(NoPartyIDs.FIELD).get(0);
                String partyIdSource = partyGroup.getString(PartyIDSource.FIELD);
                assertEquals("D", partyIdSource);
            }
        }

    }

}

[chrjohn]

Thank you for your efforts, I will have a look at this. I tried to reproduce it in a similar way, using PausableThreadPoolExecutor (that we employed for other concurrent tests in QFJ as well), but to no avail. I must have been missing something.
Will report back.

https://github.com/quickfix-j/quickfixj/blob/master/quickfixj-core/src/test/java/quickfix/PausableThreadPoolExecutor.java

[chrjohn]

After looking at your test I figured out why I could not reproduce it. I thought the issue occurs right on parsing/validating the message but actually shows up when accessing fields on the message. :)