Fix possible split brain and consequent crash due to assertion failure

[freeekanayaka]

Fixes #386. Please see the individual commit messages and code comments for a detailed explanation.

[codecov]

Codecov Report

Merging #429 (a54636b) into master (628a743) will increase coverage by 0.08%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##           master     #429      +/-   ##
==========================================
+ Coverage   76.62%   76.71%   +0.08%     
==========================================
  Files          51       51              
  Lines        9597     9597              
  Branches     2444     2443       -1     
==========================================
+ Hits         7354     7362       +8     
+ Misses       1171     1161      -10     
- Partials     1072     1074       +2     

Impacted Files	Coverage Δ
src/election.c	79.08% <50.00%> (+0.65%)	⬆️

... and 4 files with indirect coverage changes

[cole-miller]

Thanks! I agree that this change is needed, since the formal description of Raft views the log as always being stored persistently, and our in-memory log is just an optimization against that that should never affect the core protocol implementation.

[cole-miller]

There's a server 4 implicit in all this, right?

[freeekanayaka]

Not entirely sure what you mean, the test has 4 servers, indexed from 0 to 3, with IDs from 1 to 4 (the off-by-one difference between indexes and IDs is a unfortunate, I'd like to fix that eventually, but it's the current convention).

[cole-miller]

I thought clusters with an even number of servers weren't allowed? Okay, I was confused because I'm not used to seeing cluster with an even number of servers, I forgot that one of them is not a voter and so two votes is enough to win an election.

[freeekanayaka]

You can have any number of servers, with any role combination you wish. An even number of (voting) servers is not recommended because having 4 servers (all voters) doesn't make the cluster more "available" than having 3, since with 4 servers to have a majority you need 3 votes, so you can afford to lose at most 1 server, exactly like when you have 3 servers.

Note that the test sets up 4 servers, but only 3 of them are meant to be voting at any given time (the test mimics automatic roles management in that regard, by demoting an offline voter node and promoting a standby to replace it).

[freeekanayaka]

Thanks! I agree that this change is needed, since the formal description of Raft views the log as always being stored persistently, and our in-memory log is just an optimization against that that should never affect the core protocol implementation.

Right, the in-memory log is basically a cache (in the sense that it saves a disk round-trip when a leader needs to fetch entries in order to send them to followers) and a buffer (in the sense that it's where we store entries that we receive, waiting for them to be asynchronously persisted on disk).