JAVA-5950 Update Transactions Convenient API with exponential backoff on retries

[nhachicha]

Original PR accidentally closed #1852, it has outstanding review comments for @stIncMale to go over when re-reviewing.

Relevant specification changes:

• DRIVERS-1934: withTransaction API retries too frequently (#1851)
• DRIVERS-1934: clarify drivers back off before all transaction retries (#1868)
• DRIVERS-3364: Fix Retry Backoff is Enforced prose test.
• DRIVERS-3391: Clarify withTransaction CSOT timeout error with backoff+jitter
• DRIVERS-3370: Retry backoff jitter interval may include 1.0 (#1905)
• DRIVERS-3436: Refine withTransaction timeout error wrapping semantics and label propagation in spec and prose tests
  JAVA-5950, JAVA-6046, JAVA-6093, JAVA-6113 (only the part about transactions-convenient-api)

AI review

Review generated by Claude Opus 4.6 as of commit `4a3d1ae1` on 2026-04-01.

Findings Table — Diff-Only Review vs. PR Context

#	Finding	Verdict	Rationale
1	Non-volatile testJitterSupplier static field — data race risk across threads	Valid, tracked	Multiple reviewers flagged. Test-only, deferred to JAVA-6079. Should be volatile at minimum.
2	Thread.sleep(backoffMs) may overshoot remaining timeout	False positive	shortenBy(...).onExpired(...) checks before sleeping; next iteration fails fast if expired. Overshoot bounded by
500ms cap.
3	clearTransactionContextOnError(e) call removed	False positive	@stIncMale confirmed: commitTransaction calls it internally; the outer call was redundant.
4	Error wrapping obscures original exception type	Valid, intentional	Spec-mandated (DRIVERS-3391). Labels are now copied from cause to wrapper. Tests verify.
5	Visibility widening of CommandOperationHelper + constants	False positive	Everything under com.mongodb.internal is internal by definition. Enables cross-package dedup.
6	@VisibleForTesting on timeoutOrAlternative	Resolved	@stIncMale requested removal; addressed in cherry-picked refactor (60acf51d).
7	TRANSACTION_MAX_MS package-private; hardcoded expected values in test	Minor nit	Iteration bounds now based on EXPECTED_BACKOFFS_MAX_VALUES.length (adopted). Hardcoded array is an
independent oracle — acceptable.
8	TODO comments in production code	Valid, accepted	Will be resolved before backpressure → main merge. Blocked on docs PR.
9	testRetryBackoffIsEnforced wall-clock timing sensitivity	Valid, mitigated	Jitter controlled via setTestJitterSupplier. 500ms tolerance. Spec-mandated prose test.
10	Deleted copyTimeoutContext() — verify no other callers	False positive	Explicitly requested by @stIncMale. Private constructor also removed as dead code.

Summary: 4 false positives, 2 resolved, 1 valid+intentional, 1 tracked, 1 accepted, 1 minor nit.

---

Additional Findings from PR Reviewers (not caught in diff-only review)

#	Finding	Source	Status
A	calculateTransactionBackoffMs Javadoc said 0-based but implementation is 1-based	Copilot, @stIncMale	Fixed
B	Error labels not copied from wrapped cause to MongoTimeoutException	@stIncMale	Fixed (d4bc4c70)
C	applyMajorityWriteConcernToTransactionOptions called on outer retry	@stIncMale	Fixed (60acf51d)
D	withTransaction code structure doesn't follow spec algorithm ordering	@stIncMale	Fixed (60acf51d)
E	Spec submodule not updated to latest spec tests	@stIncMale	Deferred — main updated separately
F	AI-generated comments cluttering test code	@stIncMale	Fixed
G	MongoTimeoutException message inconsistency (missing period)	Copilot	Fixed
H	timeoutOrAlternative removal + timeoutMsConfigured renaming	@stIncMale	Fixed (60acf51d)

---

Remaining Issues to Address

#	Issue	Severity	File(s)	Status	Tracking
1	testJitterSupplier should be volatile — mutable static read/written across threads without memory visibility guarantee	Low (test-only)	ExponentialBackoff.java	Open — deferred	JAVA-6079

|
| 2 | Spec "Note 1" about error propagation needs rework — spec language around propagation/raising is inconsistent | Medium | Spec-side | Open — spec change needed | DRIVERS-3436 |
| 3 | TODO-BACKPRESSURE comments in production code — must be resolved before merging backpressure → main | Low | MongoException.java, ExponentialBackoff.java | Open — blocked on docs PR
(10gen/docs-mongodb-internal#17281) | Implicit |
| 4 | Spec submodule not pointing to latest spec tests — new transactions-convenient-api JSON tests not included | Medium | testing/resources/specifications (submodule) | Open — main updated
(55e1861) but not merged into backpressure | TODO-BACKPRESSURE |
| 5 | Verify spec test withTransaction surfaces a timeout after exhausting transient transaction retries is run | Medium | Test runner config | Open — reminder in PR comments | — |
| 6 | Verify prose tests assert all error labels are copied to wrapping exception | Medium | WithTransactionProseTest.java | Partially addressed — labels copied in code, test coverage completeness not
confirmed | — |
| 7 | OTel tracing terminology inconsistency (finalize vs finish vs stop) | Low (orthogonal) | ClientSessionImpl.java tracing code | Open — no ticket yet | — |

Priority Summary

• Must resolve before merge to backpressure: Items 5, 6
• Must resolve before merge to main: Items 3 (TODOs), 4 (submodule)
• Tracked for future work: Items 1 (JAVA-6079), 2 (DRIVERS-3436), 7

---

What Looks Good

• Exponential backoff formula (base=5ms, growth=1.5x, cap=500ms) with jitter is well-designed for transaction retries
• Replacing ClientSessionClock singleton with SystemNanoTime + Mockito is a significant test infrastructure improvement
• ExponentialBackoffTest has good coverage of boundary conditions (jitter=0, jitter=1, cap enforcement)
• backpressure: true handshake flag is a clean protocol extension
• Error label propagation through timeout wrapping preserves diagnostic information
• abortIfInTransaction() extraction reduces duplication and improves clarity
• @stIncMale's refactor of withTransaction (60acf51d) now aligns the code with the spec algorithm, making correctness easier to verify
• New prose tests (testRetryBackoffIsEnforced, testExponentialBackoffOnTransientError) provide functional validation of backoff behavior

---

[stIncMale]

The last reviewed commit is 43dab53.

Most if not all of the outstanding comments have reactions/replies suggesting that they were agreed with and addressed, but I did not find the corresponding changes. I suspect, the changes were not pushed.

[stIncMale]

this is orthogonal to this PR

It is unrelated, indeed, but I noticed all that while trying to make our withTransaction method to look like it follows the spec. The open telemetry implementation we have is recent, as far as I know, and its state does not seem good. That is surprising, given that it's not some old code that went out of shape as a result of having been modified many times without ever having been refactored to make sense again.

1.

Our tracing layer uses Micrometer as the OTel reference implementation, and the APIs use different terminology. e.g. Micrometer's uses stop whereas OTel uses end

So we have
a) The two APIs mentioned use the terms "stop" and "end"
b) The drivers specification uses "finish", the Java driver implementation uses "finalize".

I fail to see how b) reasonably follows from a).

It's worth aligning with the spec

How did we end up unaligned, when we authored both?

2, 3

The open telemetry specification "defines requirements for drivers' OpenTelemetry integration and behavior". I am guessing, that is to ensure that different drivers emit the same telemetry in the same way. However, how will other drivers know how to emit it for withTransaction, when none of the behavior you described above is in the specification? (I still don't really know what the behavior is supposed to be).

Testing

Many open telemetry specification tests were skipped in the Java driver, with a reference to https://jira.mongodb.org/browse/JAVA-5991, and then the ticket was closed. But nothing in the ticket explains why they are skipped and whether that is supposed to change (@rozza reopened the ticket as a result). This is especially surprising given that we were the authors of the open telemetry specification.

[stIncMale]

Assuming 👍 was meant to express that you agree with the comment and it is addressed, I can't find the corresponding requested comment in #1918. Could you please add it?

[stIncMale]

I don't think that the change in d4bc4c7 is the proper way of addressing this. Most of what I wrote previously in this thread was not addressed.

The following thoughts won't add anything new to what I expressed above, but they will be clearer than before, because now there is less uncertainty/questions:

1. The spec changes made in DRIVERS-3391 need more work/fixes (such a new change requires a new DRIVERS ticket):
   • The Note 1 should be changed such that it instructs to add all the error labels from the wrapped error, regardless of what the wrapped error is¹.
   • The spec currently says "report a timeout error wrapping the last error", but then refers to the wrapped error as "underlying error". The spec should say "wrapped error" instead of introducing another word that is supposed to have the same meaning.
   • The "Note 1" in the Retry Timeout is Enforced prose tests should be updated to instruct the drivers to assert that the timeout error has the same labels as the error it wraps.
2. It seems that constructors of MongoException should be responsible for copying labels. However, MongoException(@Nullable final String msg, @Nullable final Throwable t) does not do that, while MongoException(final int code, final String msg, final Throwable t) does. We should figure out whether this was clearly intentional and copying labels in the aforementioned constructor will be a bug, or if the current situation is a bug, and the constructor must have been copying labels.

---

¹ Strictly speaking, we need to copy only the labels the driver exposes for applications to use (those are exposed via constants in MongoException). However, given that no driver, including ours, hides other labels, there is no reason to complicate the logic or the specification here.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.