EXmatcher: Order Indexing Before Persistence - Potential Issue

Hey guys! Today, we're diving deep into a potential consistency issue within the eXmatcher project, specifically concerning the order indexing process in relation to data persistence. This article is all about understanding the problem, its context, and some suggested solutions to make our system more robust. Let's get started!

Understanding the Issue: Order Indexing Precedes Persistence

In the eXmatcher's matching engine, specifically within the place_order function in crates/match-engine/module/src/matching.rs (lines 142-219), it appears that order indexing occurs before the actual order data is persisted to the database. This means functions like add_to_expiry_index, add_order_to_price_level, and add_stop_order are called to index the order before the order is saved. The persistence to the database happens later on, when the calling function invokes save_order in match_engine.rs (line 506). The flow goes like this:

1. Index the order: The order is first added to various indices, making it searchable and accessible based on different criteria like expiry time, price level, or stop price.
2. Save the order: The order data is then saved to the database. This is where the order becomes a permanent part of the system's state.

The crucial problem here is that this sequence creates a consistency window. During this window, an index entry can point to an order that doesn't yet exist in the database. While the load_order function is designed to gracefully handle missing orders, and the caller diligently enforces persistence with error handling, the fundamental design introduces an unnecessary risk. Imagine a scenario where the system crashes between the indexing and saving steps. The index would be left in an inconsistent state, potentially leading to errors or unexpected behavior when trying to retrieve the order later.

This inconsistency, even though handled gracefully, adds complexity to the system and could potentially lead to subtle bugs that are hard to track down. Furthermore, it makes reasoning about the system's state more difficult, as developers need to be aware of this two-phase process and its implications. Remember, robust systems are not just about handling errors; they are also about preventing them in the first place.

Diving Deeper: Context and Implications

Let's break down the context to understand the implications of this design choice better. As mentioned before, the critical area of concern is within the place_order function inside the matching.rs file. This function is at the heart of the matching engine, responsible for taking incoming orders and integrating them into the order book. Any issues here can have a ripple effect on the entire system.

• File: crates/match-engine/module/src/matching.rs
• Lines: 142-219
• Function: place_order

The current design necessitates careful error handling in both load_order and the caller of place_order. load_order must be able to gracefully handle the case where it attempts to retrieve an order that is indexed but not yet saved. The caller of place_order must ensure that save_order is always called after place_order and that any errors during the saving process are properly handled. This adds extra layers of complexity to the code and increases the risk of overlooking a critical error case. In distributed systems, this can cause a real problem, so we must be very careful about it.

The place_order function has to consider these points:

• Error Handling: Every interaction, be it adding to an index or saving to the database, needs robust error handling. If any of these operations fail, the system needs to revert to a consistent state.
• Concurrency: In a high-throughput environment, concurrency adds another layer of complexity. Multiple threads or processes might be trying to place orders simultaneously, which could exacerbate the consistency issues if not handled correctly.
• Recovery: If the system crashes, there needs to be a mechanism to recover and ensure that the index and database are consistent. This could involve replaying logs or running consistency checks.

Potential Solutions: Strengthening Consistency

So, what can we do to address this potential consistency gap? Here are a couple of solutions to consider.

1. Defensive Save: Persist Before Indexing

The most straightforward approach is to ensure that the order is saved before any indexing operations are performed. This eliminates the consistency window altogether. We can achieve this by calling save_order(&order) within the place_order function itself, before any of the add_to_expiry_index, add_order_to_price_level, or add_stop_order functions are called. Critically, the Result from save_order must be handled appropriately. If the save operation fails, the indexing operations should be skipped, and an error should be returned.

This approach offers the strongest consistency guarantees. If the save_order call succeeds, we know that the order is safely stored in the database, and any subsequent indexing operations will be pointing to a valid order. If the save_order call fails, we can be confident that no indexing operations have been performed, and the system remains in a consistent state. However, this approach adds extra overhead, as every order must be saved to the database before it can be indexed. In certain scenarios, where performance is extremely critical, this overhead might be a concern.

Here's a basic illustration of how this would look:

fn place_order(order: &Order) -> Result<(), Error> {
    // First, save the order to the database
    save_order(order)?;

    // Now, index the order
    add_to_expiry_index(order);
    add_order_to_price_level(order);
    add_stop_order(order);

    Ok(())
}

2. Explicit Documentation: Clarifying the Two-Phase Design

If changing the order of operations is not feasible due to performance or other constraints, another option is to explicitly document the two-phase (index-then-save) design and its consistency guarantees. This documentation should clearly explain the potential for inconsistency and the mechanisms in place to mitigate it.

This approach doesn't eliminate the consistency window, but it does make developers aware of it and provides guidance on how to handle it properly. The documentation should cover the following points:

• The order of operations: Clearly state that indexing occurs before saving.
• The consistency window: Explain the potential for inconsistency during this window.
• Error handling: Describe how load_order and the caller of place_order handle missing orders.
• Concurrency: Discuss any concurrency considerations and how they are addressed.
• Recovery: Explain how the system recovers from crashes and ensures consistency.

This approach is less invasive than the first one and doesn't require any code changes. However, it relies on developers reading and understanding the documentation, which is not always guaranteed. It also doesn't prevent inconsistencies; it just provides guidance on how to handle them. Therefore, this option should only be considered if the first option is not feasible.

References and Further Reading

For those who want to dive even deeper, here are some relevant resources:

• PR: https://github.com/gassayy/eXmatcher/pull/4
• Comment: https://github.com/gassayy/eXmatcher/pull/4#discussion_r2703176279
• Requested by: @gassayy

Conclusion: Ensuring Data Integrity

In conclusion, the current design of the eXmatcher system introduces a potential consistency gap by indexing orders before they are persisted to the database. While the system includes mechanisms to handle this inconsistency, it adds complexity and increases the risk of subtle bugs. By either saving the order before indexing it or providing explicit documentation about the two-phase design, we can make the system more robust and easier to reason about. Choosing the right approach depends on the specific constraints and priorities of the project.

Alright, folks! That's it for today's deep dive. Hope you found this insightful. Let me know your thoughts and suggestions in the comments below!