Page MenuHomePhabricator
Create Task
Maniphest T246991

Memcached keys sometimes outlive their TTL (affects MW rate limit)
Closed, ResolvedPublic
Actions

Description

See logstash, specifically the last one: it reports that the ratelimiter of 5.169.150.213 reached 17 (limit is 8) in 60 seconds. However, their contributions tell a different story.

Apparently, there are no SpamBlacklist or TitleBlacklist entries for the user, so that's not a possible explanation.

Impact

Some or all users are sometimes or always unable to make multiple edits in an unknown span of time. It would appear the rate limit functionality is loosing track of time. As such, it is observed numerous times that edit attempst by end users are rejected when in fact they have (far?) fewer edits and only over a long period of time.

Root cause as of yet is unknown. It could be in the Core ping limiter logic, it could be at a higher level in the API/Revision/PageUpdater layer, or it could be at a lower level e.g. in the BagOStuff abstraction, or perhaps lower still e.g. in Memcached itself and/or atomic particles somewhere in-between influenced by solar rays.

TBD.

Details

SubjectRepoBranchLines +/-
User: enforce pingLimiter() expiry timemediawiki/coreREL1_31+86 -22
User: enforce pingLimiter() expiry timemediawiki/coreREL1_34+168 -21
User: enforce pingLimiter() expiry timemediawiki/coreREL1_35+170 -23
User: enforce pingLimiter() expiry timemediawiki/coremaster+170 -23
User: Fix pingLimiter() to use makeGlobalKey() for global rate limitsmediawiki/coreREL1_31+9 -10
User: Move per-user logic in pingLimiter() closer togethermediawiki/coreREL1_31+17 -16
User: Move per-user logic in pingLimiter() closer togethermediawiki/coreREL1_34+17 -14
User: Fix pingLimiter() to use makeGlobalKey() for global rate limitsmediawiki/coreREL1_34+9 -10
User: Move per-user logic in pingLimiter() closer togethermediawiki/coremaster+17 -14
User: Fix pingLimiter() to use makeGlobalKey() for global rate limitsmediawiki/coremaster+8 -10
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Mar 5 2020, 2:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 5 2020, 2:36 PM
Daimona updated the task description. (Show Details)Mar 5 2020, 2:59 PM
Daimona updated the task description. (Show Details)Mar 5 2020, 3:10 PM
Urbanecm added a subscriber: Urbanecm.Mar 5 2020, 3:11 PM
Daimona added a comment.Mar 5 2020, 3:13 PM

This was discussed on IRC with @Urbanecm. We determined that captchas might have played a role (the user got several captchas), but it still doesn't explain how they could reach 8 total edits. It's interesting to note that the hit count was never reset for at least 6 minutes, which lead us to think that this might have to do with a rogue cache key.

DannyS712 added a subscriber: DannyS712.Mar 5 2020, 4:12 PM
sbassett added a project: Security-Team.Mar 5 2020, 5:55 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
Urbanecm added a project: MediaWiki-libs-BagOStuff.Mar 5 2020, 7:29 PM

Adding cache subproject, so watchers can comment on Daimona's above comment.

Krinkle added a subscriber: Krinkle.Mar 25 2020, 9:16 PM

@Urbanecm I'm trying to triage this on the MediaWiki-Cache board, but it's not clear to me what the suspected bug or general question is here with regards to the objectcache library, its BagOStuff classes, or another cache components in MW?

Urbanecm added a comment.Mar 25 2020, 9:28 PM

Hi @Krinkle, as you can see in Daimona's LogStash link, the editcount (stored in ObjectCache::getLocalClusterInstance()1) wasn't reset for at least 6 minutes. That suspects some part of MW's cache didn't remove the key, even the key should live only 60 seconds. This could be a bug in whatever part of MW purges cache keys, or, theoretically, by some weird way, the number read from config is not config. I suspect the former, but who knows :). I hope this helps.

Daimona added a comment.Mar 26 2020, 2:03 PM

Yeah, well, I think this could've been caused either by MW not setting the right expiry, or memcached not evicting the key.

Krinkle renamed this task from Apparently incorrect throttler count for a specific user to Memcached keys sometimes outlive their TTL (affects MW rate limit).Apr 13 2020, 4:27 PM
Krinkle moved this task from Library to libs/objectcache on the MediaWiki-libs-BagOStuff board.

Thanks, I've updated the task to summarise this observation. It makes sense under lib-objectcache indeed.

Onkoydenkovuldum edited projects, added Articles Needing links; removed MediaWiki-User-management.Jun 4 2020, 11:37 PM
Reedy edited projects, added MediaWiki-User-management; removed Articles Needing links.Jun 4 2020, 11:55 PM
JJMC89 moved this task from Backlog to Other on the MediaWiki-User-management board.Jun 6 2020, 5:10 AM
gerritbot added a comment.Jun 7 2020, 3:02 AM

Change 602935 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/602935

gerritbot added a project: Patch-For-Review.Jun 7 2020, 3:02 AM

Change 602936 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/602936

Krinkle added a comment.Jun 7 2020, 3:03 AM

The above two patches do not fix this issue, but they helped me better understand this code while investiging this bug hence tracking the relevant work here. I don't have an answer yet for why this is happening, or how to solve it.

gerritbot added a comment.Jun 22 2020, 10:01 PM

Change 602935 merged by jenkins-bot:
[mediawiki/core@master] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/602935

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.38; 2020-06-23).Jun 22 2020, 11:00 PM
gerritbot added a comment.Jul 8 2020, 7:25 AM

Change 602936 merged by jenkins-bot:
[mediawiki/core@master] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/602936

ReleaseTaggerBot edited projects, added MW-1.35-notes (1.35.0-wmf.41; 2020-07-14); removed MW-1.35-notes (1.35.0-wmf.38; 2020-06-23).Jul 8 2020, 8:00 AM
Maintenance_bot removed a project: Patch-For-Review.Jul 8 2020, 8:10 AM
Krinkle triaged this task as High priority.Jul 8 2020, 4:28 PM
Krinkle removed a project: MW-1.35-notes (1.35.0-wmf.41; 2020-07-14).

The above clean up was motivated by an attempt find the cause of this bug. However, they do not resolve this issue and I also have not uncovered any new information.

Krinkle added a project: Platform Engineering.Jul 8 2020, 4:32 PM
Krinkle updated the task description. (Show Details)
eprodromou edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Engineering.Jul 21 2020, 8:57 PM
Clarakosi edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Team Workboards (External Code Reviews).Aug 6 2020, 8:01 PM
Clarakosi moved this task from Inbox to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
daniel added a subscriber: daniel.Aug 18 2020, 9:29 PM

Can we include the expiry in the payload, and then just ignore any stale limiter info we may get from the cache?

Reedy renamed this task from Memcached keys sometimes outlive their TTL (affects MW rate limit) to Memcached keys sometimes outlive their TTL (affects MW rate limit).Aug 18 2020, 9:31 PM
taavi added a subscriber: taavi.Aug 19 2020, 4:57 PM
Krinkle added a comment.Aug 25 2020, 4:55 PM

That could work, although I'd use it as an investigative measure to log a warning in the ratelimit channel with trace for debugging; not as the general recommended best practice for Memcached in general.

gerritbot added a comment.Aug 26 2020, 11:21 AM

Change 622541 had a related patch set uploaded (by Daniel Kinzler; owner: Daniel Kinzler):
[mediawiki/core@master] pingLimiter: enforce expiry time

https://gerrit.wikimedia.org/r/622541

gerritbot added a project: Patch-For-Review.Aug 26 2020, 11:21 AM
daniel claimed this task.Aug 26 2020, 11:22 AM
daniel moved this task from Ready (WIP:5) to Waiting for Review on the Platform Team Workboards (Clinic Duty Team) board.
daniel moved this task from Waiting for Review to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.Aug 27 2020, 11:45 AM
daniel added a comment.Aug 27 2020, 12:40 PM

The reported behavior would also be consistent with a "creeping counter": if incrWithInit() applied the new expiry upon increment, rather than just on init, the TLL would be getting bumped forward, and the counter would keep increasing. I spend a couple of hours investigating this possibility, but the various BagOStuff implementations however seem to handle this correctly. I wasn't able to create "creeping counter" behavior locally.

daniel moved this task from Doing(WIP:5) to Waiting for Review on the Platform Team Workboards (Clinic Duty Team) board.Aug 27 2020, 12:41 PM
gerritbot added a comment.Sep 3 2020, 2:06 PM

Change 624074 had a related patch set uploaded (by Reedy; owner: Krinkle):
[mediawiki/core@REL1_34] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/624074

gerritbot added a comment.Sep 3 2020, 2:06 PM

Change 624075 had a related patch set uploaded (by Reedy; owner: Krinkle):
[mediawiki/core@REL1_34] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/624075

gerritbot added a comment.Sep 3 2020, 2:19 PM

Change 624083 had a related patch set uploaded (by Reedy; owner: Krinkle):
[mediawiki/core@REL1_31] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/624083

gerritbot added a comment.Sep 3 2020, 2:19 PM

Change 624084 had a related patch set uploaded (by Reedy; owner: Krinkle):
[mediawiki/core@REL1_31] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/624084

gerritbot added a comment.Sep 3 2020, 2:52 PM

Change 624074 merged by jenkins-bot:
[mediawiki/core@REL1_34] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/624074

ReleaseTaggerBot added a project: MW-1.34-notes.Sep 3 2020, 3:00 PM
gerritbot added a comment.Sep 3 2020, 3:01 PM

Change 624075 merged by jenkins-bot:
[mediawiki/core@REL1_34] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/624075

gerritbot added a comment.Sep 3 2020, 3:25 PM

Change 624083 merged by jenkins-bot:
[mediawiki/core@REL1_31] User: Fix pingLimiter() to use makeGlobalKey() for global rate limits

https://gerrit.wikimedia.org/r/624083

gerritbot added a comment.Sep 3 2020, 3:25 PM

Change 624084 merged by jenkins-bot:
[mediawiki/core@REL1_31] User: Move per-user logic in pingLimiter() closer together

https://gerrit.wikimedia.org/r/624084

ReleaseTaggerBot added a project: MW-1.31-release-notes.Sep 3 2020, 4:00 PM
daniel moved this task from Waiting for Review to Done on the Platform Team Workboards (Clinic Duty Team) board.Sep 3 2020, 4:09 PM

Seems complete from my side. Can this be closed, or is it needed for backports?

gerritbot added a comment.Sep 3 2020, 4:15 PM

Change 623901 had a related patch set uploaded (by Reedy; owner: Daniel Kinzler):
[mediawiki/core@REL1_35] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/623901

gerritbot added a comment.Sep 3 2020, 4:20 PM

Change 622541 merged by jenkins-bot:
[mediawiki/core@master] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/622541

gerritbot added a comment.Sep 3 2020, 4:34 PM

Change 624115 had a related patch set uploaded (by Reedy; owner: Daniel Kinzler):
[mediawiki/core@REL1_34] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/624115

gerritbot added a comment.Sep 3 2020, 4:44 PM

Change 624121 had a related patch set uploaded (by Reedy; owner: Daniel Kinzler):
[mediawiki/core@REL1_31] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/624121

gerritbot added a comment.Sep 3 2020, 4:48 PM

Change 623901 merged by jenkins-bot:
[mediawiki/core@REL1_35] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/623901

ReleaseTaggerBot added projects: MW-1.36-notes (1.36.0-wmf.8; 2020-09-08), MW-1.35-notes.Sep 3 2020, 5:00 PM
gerritbot added a comment.Sep 4 2020, 1:48 PM

Change 624115 merged by jenkins-bot:
[mediawiki/core@REL1_34] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/624115

gerritbot added a comment.Sep 4 2020, 4:46 PM

Change 624121 merged by jenkins-bot:
[mediawiki/core@REL1_31] User: enforce pingLimiter() expiry time

https://gerrit.wikimedia.org/r/624121

Reedy closed this task as Resolved.Dec 2 2020, 2:14 AM
Reedy mentioned this in T265479: BagOStuff.php: PHP Warning: Parameter 4 to User::{closure}() expected to be a reference, value given.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Dec 2 2020, 3:50 PM
sbassett removed a project: Patch-For-Review.
Krinkle mentioned this in T281931: Check whether User::pingLimiter can now use incr() and changeTTL() instead of the lock()/merge() workaround.May 4 2021, 11:09 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL