persist: register schema at write time, not writer open time

[teskje]

This PR changes persist clients to defer calling register_schema on a shard from write handle creation time to the time of the first append operation. The rationale is that we don't need to enforce a schema if we are not attempting to write to a shard.

The plan is for 0dt upgrades to make good use of the new, more lenient behavior. Read-only environments can open write handles with evolved schemas without having to durably write down the new schemas. This will allow us to back out of version upgrades without the risk of permanently poisoning the persist state for lower versions.

Motivation

• This PR adds a known-desirable feature.

Prepares for the design proposed in #33863.
Part of https://github.com/MaterializeInc/database-issues/issues/9793

Tips for reviewer

DataHandles::open_data_write_for_apply in txn-wal expects the given shard to have a schema registered. This PR ensures that by changing TxnsHandle::register to register the shard schema. This should be fine because according to this comment we can assume a shard is always registered (potentially by a previous envd version) prior to its ID being passed to open_data_write_for_apply.

Also, write handles currently only call ensure_schema_registered when doing a compare-and-append. I'm not sure this is the right place! Do we also need/want to register the schema when we write a batch?

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[teskje]

Removed this TODO because we need the Option now to support WriteHandles who haven't yet registered their schema.

[teskje]

Note that previously in open_writer we only soft-asserted that schema registration was successful. That seems dangerous to me. Presumably writing to a shard with an incompatible schema would lead to all kinds of issues? Perhaps it was fine because the CaA logic also performs validation.

Since ensure_schema_registered is only called when we know we will need the schema, it seems fine to panic here. Also fine to return an Option like register_schema does and then unwrap at the call site. Lmk which you prefer!

[bkirwi]

That seems dangerous to me.

Maybe! Note that prior to this stuff being added, the schema could change ~arbitrarily without Persist noticing, so it was a strict improvement in safety.

But anyways I don't think this assert has tripped at all in the year or so it's been in prod, so it seems safe to strengthen it now.

[teskje]

If we made this a panic/unwrap, the control flow would be a bit cleaner. But it's perhaps a bit scary and the surrounding code also only does soft panics.

[bkirwi]

Do we also need/want to register the schema when we write a batch?

I don't think it's necessary personally... the append-time check preserves the shard-level invariant, and I can imagine cases where you'd want to start building up batches at a new schema before actually evolving the shard. (If we shifted the self-correction buffer to Persist, for example, that would allow a read-only replica to start spilling to Persist even if the schema it was using wasn't yet registered.)

[bkirwi]

That seems dangerous to me.

Maybe! Note that prior to this stuff being added, the schema could change ~arbitrarily without Persist noticing, so it was a strict improvement in safety.

But anyways I don't think this assert has tripped at all in the year or so it's been in prod, so it seems safe to strengthen it now.

[bkirwi]

Are we confident that read-only replicas don't even register handles for existing shards, even though they'll never actually write to them?

[teskje]

Yes, based on the current code: TxnsHandle::register is only called by TxnsTableWorker, which is only instantiated in leader mode (read-only mode uses read_only_mode_table_worker instead).

We don't know what future code will want to do of course. That's why it would be nice to have some way to assert that "write" operations (e.g. CaA, schema registration) are only performed against shards that have been created by, or upgraded to the current version.

[bkirwi]

The new method seems good and looks safer to me - thanks for that!

One open thread about the dead code, but however that ends up getting resolved I think we're good to merge.

[bkirwi]

I was a little nervous about how this changed the semantics of the schema_id method... but it turns out that's only used by txn-wal in what looks like a safe pattern. Still a possible footgun, but hopefully one we can mitigate in the future...

[teskje]

TFTR!