Address maxConcurrentStreams violation on write timeout

[jrhee17]

Background

Currently, armeria maintains a state HttpResponseDecoder#unfinishedResponses to check how many in-flight requests are being processed for a connection.

Armeria uses this value to check if all connections occupy too many concurrent streams, and creates a new connection if necessary.

On the other hand, netty maintains it's own state to check how many in-flight requests are being processed for a connection. (DefaultHttp2Connection.DefaultEndpoint#numActiveStreams)

Netty checks this value before creating a stream, and throws a Http2Exception$StreamException if MAX_CONCURRENT_STREAMS is unavailable.

Problem Statement

Currently, when a WriteTimeoutException is triggered, armeria decrements unfinishedResponses and removes the response. (A WriteTimeoutException is thrown when a request header isn't written within a predefined writeTimeoutMillis)
However, netty may not be aware that armeria has failed the response. Consequently, netty's numActiveStreams is greater than armeria's unfinishedResponses. This may cause a violation of MAX_CONCURRENT_STREAMS for additional requests on the connection.

Motivation
Netty always calls Http2ResponseDecoder.onStreamClosed before decrementing numActiveStreams.
If we want numActiveStreams to be in sync with unfinishedResponses, I propose that we modify the timing of decrementing unfinishedResponses to Http2ResponseDecoder.onStreamClosed.

In detail, when a WriteTimeoutException is scheduled

armeria/core/src/main/java/com/linecorp/armeria/client/HttpRequestSubscriber.java

Lines 171 to 173 in 117a21e

	timeoutFuture = ch.eventLoop().schedule(
	() -> failAndReset(WriteTimeoutException.get()),
	timeoutMillis, TimeUnit.MILLISECONDS);

the response is closed.

armeria/core/src/main/java/com/linecorp/armeria/client/HttpRequestSubscriber.java

Line 318 in 117a21e

responseWrapper.close(cause);

Consequently, after the stream processes the close event, whenComplete is triggered.

armeria/core/src/main/java/com/linecorp/armeria/client/Http2ResponseDecoder.java

Lines 83 to 90 in 117a21e

	resWrapper.whenComplete().handle((unused, cause) -> {
	if (eventLoop.inEventLoop()) {
	onWrapperCompleted(resWrapper, id, cause);
	} else {
	eventLoop.execute(() -> onWrapperCompleted(resWrapper, id, cause));
	}
	return null;
	});

And the response is removed (and unfinishedResponses is decremented)

armeria/core/src/main/java/com/linecorp/armeria/client/Http2ResponseDecoder.java

Line 101 in 117a21e

removeResponse(id);

However, as far as netty is concerned, the request may have been written and may still be processing.

Misc

Reproduced maxConcurrentStreams when WriteTimeoutException occurs at 225a684

Modifications

• Remove the removeResponse call from Http2ResponseDecoder. onWrapperCompleted, and rely on onStreamClosed to remove the response/decrement unfinishedResponses
• When receiving callbacks for onHeadersRead, onDataRead, onRstStreamRead, also check if resWrapper had been closed. This preserves behavior since res was previously removed on WriteTimeoutException, resulting in res == null.

Update

I realized that if we simply don't process values when headers/data/rst are received, then we might not send a GoAway and close the connection when disconnectWhenFinished = true due to df43379.

I've verified this behavior from test cases added in 8018da1

I've modified further such that:

• Only remove responses when onStreamClosed is called.
• Remove calls to channel().close(); if shouldSendGoAway() is true for onDataRead, onHeadersRead since onStreamClosed will handle this instead.
• Remove onStreamClosed to try to close the ResponseWrapper only if the underlying delegate is open.

d1183d8

There is a slight change of behavior, where a GoAway may be triggered from onRstStream as well. Let me know if this change shouldn't be made 🙏

Result:

• Closes Received a Maximum active streams violated for this endpoint. from client side #3858

[codecov]

Codecov Report

Merging #3908 (dca247c) into master (de88d77) will increase coverage by 0.03%.
The diff coverage is 80.00%.

@@             Coverage Diff              @@
##             master    #3908      +/-   ##
============================================
+ Coverage     73.29%   73.32%   +0.03%     
- Complexity    15548    15563      +15     
============================================
  Files          1365     1365              
  Lines         59863    59882      +19     
  Branches       7598     7606       +8     
============================================
+ Hits          43877    43909      +32     
+ Misses        12136    12120      -16     
- Partials       3850     3853       +3     

Impacted Files	Coverage Δ
...m/linecorp/armeria/client/HttpResponseDecoder.java	84.33% <ø> (-0.52%)	⬇️
.../linecorp/armeria/client/Http2ResponseDecoder.java	71.52% <80.00%> (+3.96%)	⬆️
...ecorp/armeria/server/LengthBasedServiceNaming.java	75.00% <0.00%> (-16.67%)	⬇️
.../linecorp/armeria/client/retrofit2/PipeBuffer.java	83.72% <0.00%> (-4.66%)	⬇️
...eria/client/eureka/EurekaEndpointGroupBuilder.java	31.25% <0.00%> (-1.65%)	⬇️
...ia/internal/common/stream/ByteBufDecoderInput.java	85.61% <0.00%> (-1.44%)	⬇️
...corp/armeria/client/RefreshingAddressResolver.java	75.00% <0.00%> (-1.43%)	⬇️
.../common/stream/DefaultStreamMessageDuplicator.java	77.56% <0.00%> (-1.26%)	⬇️
...com/linecorp/armeria/client/RedirectingClient.java	71.75% <0.00%> (-0.93%)	⬇️
... and 20 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4682d53...dca247c. Read the comment docs.

[minwoox]

What an awesome analysis! 😄

[minwoox]

revert?

[minwoox]

How about?

Suggested change

	// `unfinishedResponses` to match the timing where netty decrements {@code numActiveStreams}.
	// `unfinishedResponses` after Netty decrements `numActiveStreams` in `DefaultHttp2Connection` so that `unfinishedResponses` is never greater than `numActiveStreams`.

(We don't have to use {@code ...} in the comment. 😉 )

[ikhoon]

Thanks!

[jrhee17]

Sorry reviewers

While taking another look, I realized that the channel might not send a goAway frame when necessary.
Let me add a unit test and a revised commit soon 🙏

[jrhee17]

Sorry 😅 I've added 3 commits, I'd appreciate if you can take another look 🙏

[minwoox]

Thanks, left some questions. 😄

[minwoox]

The request doesn't seem to be closed unlike what the method name says?

I maybe miss something, but if the MAX_CONNECTION_AGE is two seconds and the response is sent after 4 seconds, shouldn't the connection should be closed forcefully? 🤔

[jrhee17]

Sorry about the late check

Maybe I'm misunderstanding the specification, but I thought that even if MAX_CONNECTION_AGE is reached, the client waits for requests to finish (so it doesn't forcefully fail long-running requests). I've updated the test name to better reflect this 😅

I've also organized how I think MAX_CONNECTION_AGE works

1. A timer is scheduled for MAX_CONNECTION_AGE, but is only respected if there are no running requests
   

   armeria/core/src/main/java/com/linecorp/armeria/internal/common/AbstractKeepAliveHandler.java

   Lines 436 to 440 in b77bfbb

   	if (!isServer && !hasRequestsInProgress(ctx)) {
   	logger.debug("{} Closing a {} connection exceeding the max age: {}ns",
   	ctx.channel(), name, maxConnectionAgeNanos);
   	ctx.channel().close();
   	}

2. Instead, every time a request may have finished, we check if MAX_CONNECTION_AGE has passed, and there are no running requests.

armeria/core/src/main/java/com/linecorp/armeria/client/Http2ResponseDecoder.java

Lines 153 to 155 in b77bfbb

	if (shouldSendGoAway()) {
	channel().close();
	}

armeria/core/src/main/java/com/linecorp/armeria/client/Http2ResponseDecoder.java

Lines 215 to 217 in b77bfbb

	if (shouldSendGoAway()) {
	channel().close();
	}

armeria/core/src/main/java/com/linecorp/armeria/client/Http2ResponseDecoder.java

Lines 275 to 279 in b77bfbb

	if (shouldSendGoAway()) {
	// The connection has reached its lifespan.
	// Should send a GOAWAY frame if it did not receive or send a GOAWAY frame.
	channel().close();
	}

3. At the same time, we don't allow future requests for connections where MAX_CONNECTION_AGE has passed.
   

   armeria/core/src/main/java/com/linecorp/armeria/client/HttpSessionHandler.java

   Line 163 in b77bfbb

   return active && !responseDecoder.needsToDisconnectWhenFinished();

[minwoox]

I've updated the test name to better reflect this 😅

Thanks for that. 😄

but I thought that even if MAX_CONNECTION_AGE is reached, the client waits for requests to finish (so it doesn't forcefully fail long-running requests)

Exactly. My memory was wrong. Thanks for checking it. 😄

[ikhoon]

Still LGTM!

[minwoox]

https://github.com/line/armeria/runs/4285541086?check_suite_focus=true#step:6:1154
@jrhee17 Could you check if the failure is related to the change, please?

[jrhee17]

I've tried force pushing to rerun the test.

Could you check if the failure is related to the change, please?

SessionProtocol[3] is H1, and this PR doesn't touch anything http1 related so I think this change probably isn't related.
Let me look into the source of flakiness separately 🙏 (unless the same test fails again with the re-run 😅 )

[ikhoon]

I've tried force pushing to rerun the test.

You might want to install @trustin's awesome script https://gist.github.com/trustin/05cbb70e22fc5e7c8b5ffbd1f0d99c8b

[minwoox]

Thanks for checking it. 😅

Let me look into the source of flakiness separately

We don't have to do it right now. I just wanted to make sure. 😄

[ikhoon]

line/armeria/runs/4285541086?check_suite_focus=true#step:6:1154 @jrhee17 Could you check if the failure is related to the change, please?

I guess The flaky test seems not related to this PR.

[minwoox]

Thanks a lot, @jrhee17 for fixing this bug which is really hard to find the cause. 😄