Serialize Cursors

[sambostock]

TL;DR

This is a redo of #73, but using a deprecation warning instead of raising an error. The error is deferred until 2.0.

Details

It is unsafe to use cursors which cannot be serialized using JSON.dump and deserialized again using JSON.parse. Such cursors may result in a different cursor being deserialized, or in serialization failing entirely, which may result in incorrect behaviour in iterative jobs.

Starting in 2.0, usage of such cursors will raise an ArgumentError. Until then, a deprecation warning will be logged.

#73 contains more context on the change, and #80 contains information as to the motivation for this alternative approach.

To facilitate migration, this also adds

• a global enforce_serializable_cursors config which can force the error 2.0 will introduce
  • a per-job-class enforce_serializable_cursors inheritable override config

⚠️ Before Merging

• Rebase after Add headings & formatting to Custom Enumerator guide #439 is merged.
• Rebase after Add JobIteration::Deprecation #441 is merged.

---

Closes #80

[sambostock]

I originally used ActiveSupport::Deprecation.warn directly, that labelled deprecations as coming from Rails. This uses our own object, but does mean that the host app's settings for ActiveSupport::Deprecation do not propagate (e.g. disallowed_deprecations).

[sambostock]

I put this in to ensure the change makes it into 2.0

[sambostock]

Likewise here. We can't bump to 2.0 without also making unsafe cursors an error.

[sambostock]

I originally looked at using deprecation_warning (as mentioned here), which has a much richer built in message. However, it is method oriented, and we aren't getting rid of any method.

[GustavoCaso]

Should we also allow to pass Symbol as part of the cursor?

Yesterday we noticed that having a Hash with keys as symbols also broke. Hash with symbols should be accepted as well 😄

[sambostock]

No. Symbols are not safe to serialize as JSON, because they are deserialized as Strings:

$ ruby -rjson -e 'p JSON.parse(JSON.dump(:symbol))'
"symbol"

cursor_position is serialized by the queue adapter (Resque/Sidekiq), not by ActiveJob itself, so none of Rails' magic symbol serialization happens.

[GustavoCaso]

Thanks for the explanation

[GustavoCaso]

Could we simplify this test assertion with something like:

JobIteration::Deprecation.any_instance.expects(:warn)

Feels that the current implementation is quite complex

[sambostock]

We could, I just wanted to make sure the deprecation message was formatted correctly.

[sambostock]

I'll simplify the deprecation warning message 👍

[sambostock]

I've updated the description to be simpler, and slightly tweaked the test helpers. Should be good for final review.

CI on Ruby 2.5 will start passing again once sorbet/sorbet#4281 is merged and a new version of sorbet-runtime is released; it is not related to these changes.

[sambostock]

I've circled back to this and made some changes. This PR still introduces the deprecation warning, however it also introduces a config to force the new behavior. This config can be set globally and/or per-job, allowing consumers to globally opt-in to enforcement ahead of 2.0, and optionally opt-out per job until they are made compliant, or alternatively opt-in per compliant job until they are able to opt-in globally.

This should allow for a smoother transition. Version 2.0 would simply delete (or no-op & deprecate) the config and instruct consumers to remove it from their code.

I've also added documentation about this, which applies regardless of the deprecation/error.

[bdewater]

Does it have to be only these built-in primitives? Active Job allows custom serializers to be defined for parameters, like we use in our Money gem. Would be nice if we can piggyback on top of this.

[sambostock]

Hmm... Good question. If Active Job performs a serialization step before handing off the job to the backend, and if we can test that an object is serializable by it, then that should work. I shall have to look into this.

Indeed my goal is not to be restrictive, but to prevent foot-guns, as my team encountered.

[sambostock]

Okay, so with the code as-is, no, we couldn't rely on this behavior, as Active Job only serializes arguments, and doesn't bother with the rest of the job data.

However, an alternative approach might be to serialize and deserialize the cursor ourselves, since we do already override those methods:

job-iteration/lib/job-iteration/iteration.rb

Lines 79 to 92 in 17e6ec5

	def serialize # @private
	super.merge(
	"cursor_position" => cursor_position,
	"times_interrupted" => times_interrupted,
	"total_time" => total_time,
	)
	end
	def deserialize(job_data) # @private
	super
	self.cursor_position = job_data["cursor_position"]
	self.times_interrupted = job_data["times_interrupted"] || 0
	self.total_time = job_data["total_time"] || 0
	end

It's a bit awkward because the serialization API expects an Array of arguments, but we could conceivably do something like

    def serialize # @private
      super.merge(
        "cursor_position" => ActiveJob::Arguments.serialize([cursor_position]).first,
        "times_interrupted" => times_interrupted,
        "total_time" => total_time,
      )
    end

    def deserialize(job_data) # @private
      super
      self.cursor_position = ActiveJob::Arguments.deserialize([job_data["cursor_position"]]).first
      self.times_interrupted = job_data["times_interrupted"] || 0
      self.total_time = job_data["total_time"] || 0
    end

Another consideration is that the enforcement API here happens on every cursor, regardless of if the job is interrupted, which has pros and cons compared to the serialization approach:

• Checking every cursor involves more computations than only serializing as needed (and blowing up if it fails)
• Checking every cursor gives you instant feedback immediately after the enumerator produces an unserializable cursor (usually before the first call to each_iteration), rather than only if the job is interrupted and the cursor requires serialization

I suppose we could keep cursor serializability enforced for each cursor by simply attempting to serialize it, but I'm not sure how much more expensive that is compared to the naive class checking approach.

[sambostock]

I've opened #252 branching off this PR to explore this idea, and it seems to work nicely. @Mangara, @bdewater any thoughts on it?

[sambostock]

Alright, I've updated the branch again, this time to leverage ActiveJob::Arguments to support cursors of any type it supports.

[sambostock]

Should probably update this to "Serialize cursors"

[sambostock]

This used to wrap the error in a custom CursorError, but I figure it might be adequate to just re-raise the ActiveJob::SerializationError.

[sambostock]

Since we're getting all of ActiveJob's serialization now, we have to explicitly create an object that cannot be serialized. BasicObject doesn't work though, because that straight up blows up ActiveJob because it doesn't respond to respond_to? 😅

[sambostock]

Alternatively, I could make it work with GlobalID.

[sambostock]

I've updated this so if a serialized cursor is found, it should always be deserializable.

[sambostock]

I'm not sure if I'm missing something, but I wasn't able to find any tests that actually exercise resuming jobs. Everything seems to be testing running or interrupting jobs, but no tests actually resume anything. So this happens to add test coverage for that 😅

[bdewater]

Some suggestions to polish things up, but overall this looks good!

[sambostock]

Sidekiq 7 has been released, and it now errors if job arguments contain objects that don't round trip as JSON, so this PR is now not only desirable to avoid bugs, but also improves compatibility with Sidekiq.

I'll see if I can get it over the finish line this week.

[sambostock]

Looks like CI is broken for Rails edge due to the removal of ActiveRecord::SchemaMigration.table_name, as described in
DatabaseCleaner/database_cleaner-active_record#83.

[adrianna-chang-shopify]

Nice work on this Sam, I know it's been a long time coming! 🙌

A couple minor nits / comments, but nothing blocking.

[adrianna-chang-shopify]

I love the thoroughness of your tests, but I'm wondering about the value of this test (and the similar one below). Technically how the cursors are stored is private to JobIteration::Iteration. IMHO it feels like we're testing the implementation too much here vs the expected behaviour.

I think that testing whether we can interrupt + resume jobs that are using unserializable cursors is covered by test_job_interrupted_with_only_cursor_position_should_resume.

I wonder if test_jobs_using_serializable_cursor_when_interrupted_should_store_both_legacy_cursor_and_serialized_cursor and test_job_interrupted_with_serialized_cursor_position_should_ignore_unserialized_cursor_position could be combined into one test that , rather than explicitly checking how the cursors are being stored and read, simply checks that a job can be interrupted + resumed with a serializable cursor as expected?

Let me know if that makes sense 😅

[sambostock]

I's been a while since I wrote these, but IIRC the reason for testing this in so much detail is that we want to ensure dequeuing works across gem versions. During the upgrade (or downgrade), jobs may be:

• interrupted on an old replica, and
  • resumed on an old replica, or
  • resumed on an new replica, or
• interrupted on a new replica, and
  • resumed on a new replica, or
  • resumed on an old replica

Because we can't actually test those scenarios (without significant effort), we test:

• what happens given various inputs arguments we might encounter in such scenarios, and
• what the output arguments are in such scenarios.

[adrianna-chang-shopify]

Yeah, skimming through these tests now, they make sense to me. I probably just wasn't thinking about needing to make sure we test forwards / backwards compatibility with job workers running the new vs old version of the code 🤷‍♀️

We should be able to remove some of these test cases for the 2.0 release that enforces serializable cursors, right?

[sambostock]

Yeah. 2.0 should be able to safely stop reading (and writing) to the old argument, and we can (at least) drop all the tests that use it as an input/output, if not drop all the tests on the implementation and just test the resumption behavior.

[sambostock]

Rebased on latest main, and made some small changes, the main one being that we're defining the instance reader for job_iteration_enforce_serializable_cursors ourselves, to use the per-class setting if non-nil?, and otherwise fallback to the global setting. @Mangara and I 🎩'd on a test app and can confirm the deprecation warning shows up, and enabling serializable cursor enforcement works.

[sambostock]

I's been a while since I wrote these, but IIRC the reason for testing this in so much detail is that we want to ensure dequeuing works across gem versions. During the upgrade (or downgrade), jobs may be:

• interrupted on an old replica, and
  • resumed on an old replica, or
  • resumed on an new replica, or
• interrupted on a new replica, and
  • resumed on a new replica, or
  • resumed on an old replica

Because we can't actually test those scenarios (without significant effort), we test:

• what happens given various inputs arguments we might encounter in such scenarios, and
• what the output arguments are in such scenarios.

[Mangara]

Did we add this test?

[sambostock]

Good catch – yes, test_global_max_job_runtime_with_updated_value

[Mangara]

Then we should remove the TODO 🙂

[sambostock]

This needs to match the heading we added.

Suggested change

	See https://github.com/Shopify/job-iteration/blob/main/guides/custom-enumerator.md#cursor-types
	See https://github.com/Shopify/job-iteration/blob/main/guides/custom-enumerator.md#cursor-serialization

[adrianna-chang-shopify]

Yeah, skimming through these tests now, they make sense to me. I probably just wasn't thinking about needing to make sure we test forwards / backwards compatibility with job workers running the new vs old version of the code 🤷‍♀️

We should be able to remove some of these test cases for the 2.0 release that enforces serializable cursors, right?