kvserver: don't proceed with unsafe replication changes after 10s

tbg · tbg · commit 06edb41c8dcb · 2025-10-29T15:51:46.000+01:00
`within10s` is called from within the change replicas txn as a last layer of defense against replication changes that would lose quorum. While looking into cases in which precisely this happened, I wondered why this last line of defense couldn't block these ill-advised changes. It turns out that within10s had a bug: it would return without an error. In effect, it wasn't doing anything except delay the problematic change. This bug is mine - introduced almost five years ago in #57564. Consequently, it's present in "all" versions of CockroachDB. Release note(bug fix): A mechanism that blocks replication changes that would result in a loss of quorum was ineffective. It now works as intended.
diff --git a/pkg/kv/kvserver/replica_command.go b/pkg/kv/kvserver/replica_command.go
@@ -2402,6 +2402,9 @@ func within10s(ctx context.Context, fn func() error) error {
 			return nil
 		}
 	}
+	if err != nil {
+		return err
+	}
 	return ctx.Err()
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2402,6 +2402,9 @@ func within10s(ctx context.Context, fn func() error) error {`
`2402`	`2402`	`return nil`
`2403`	`2403`	`}`
`2404`	`2404`	`}`
	`2405`	`+ if err != nil {`
	`2406`	`+ return err`
	`2407`	`+ }`
`2405`	`2408`	`return ctx.Err()`
`2406`	`2409`	`}`
`2407`	`2410`