close quic streams on Dispose #54798
Conversation
|
Tagging subscribers to this area: @dotnet/ncl Issue DetailsThis change has multiple parts: Primarily this changes Dispose behavior to flush all pending data via gracefully shutdown (contributes to #756). On reading side we may way for graceful shutdown or rest but that can also take long time and it can possibly lead to DoS. I look and for NetwrkStream we call shutdown for both directions. So I decided to call read abort. In ideal case the application (like H/3) know when to stop reading/writing so peer can gracefully close the stream before Dispose e.g. the dispose is just measure to avoid internal reset with code 0. With this in place we may not safely cleanup all the handles in Dispose method. To deal with this I added simple atomic state so it can be alternatively deferred to HandleEventShutdownComplete(). I feel there is opportunity to perhaps simplify the logic more but I wanted more testing and experiment while I wanted to get this change above out. To make debug easier I set the safe handled to IntPtr.Zero during release so when called twice or after I get nice SafeHandle exception instead of possibly corrupting memory and getting native crash. We have conformance test expect that stream.CanRead and CanWrite would reflect state of the stream. So they are no longer readonly. With the change the WaitForAvailable*Stream tests started to fail. It turned out they made incorrect assumption that the limit would increase when the stream is disposed locally. Big thanks to @nibanks who helped me to debug the fact that we need to release it on the other side as well to get predicable behavior. I feel some H/3 tests may have similar issue but I did not dig deeper. With this all the conformance tests are passing with exception of parallel IO.
|
There was a problem hiding this comment.
I'm not fully on board with _canRead/Write change as well as ShutdownDone. To me, it's another state to check on every step. I'd rather combine those in their respective state fields.
I also ran the tests, H/3 still intermittently crashes, and some cookie tests were failing for me. Those are being handled by Geoff AFAIK.
| @@ -70,7 +70,7 @@ internal sealed class State | |||
| SingleWriter = true, | |||
| }); | |||
|
|
|||
| public void RemoveStream(MsQuicStream stream) | |||
| public void RemoveStream(MsQuicStream? stream) | |||
There was a problem hiding this comment.
Why are we even passing in the stream? Doesn't seem to be used at all.
There was a problem hiding this comment.
I was going back and forth on this one. When debugging it is very nice to have the stream here so one can emit traces from single location. This is basically same for the AddStream.
There was a problem hiding this comment.
I'm trying to understand why we need this at all... It seems like we are deferring Dispose of the connection until all streams in use on it are completed. Is that correct? Why do we want to do this? Can we just get rid of this tracking completely?
There was a problem hiding this comment.
yes, that is the intend. We saw crashes without it but it can perhaps be done in different way. If so I would do it in separate PR. The reason why this was touches is that the HandleEventShutdownComplete does not have access to the Stream itself so it would pass NULL.
I'm OK removing the parameter completely as it is not use for product or perhaps using it Debug builds only and for example dump the Stream info if we are on path to Assert.
There was a problem hiding this comment.
I agree, we should consider for a separate PR.
Mostly I want to make sure we are making an intentional decision about behavior here.
There was a problem hiding this comment.
When chatting with @nibanks he sad we would not get HandleEventShutdownComplete with pending streams. So if we delay cleanup in Dispose and if we can relay on that we could perhaps remove to logic. It would be nice to have stress tests up at that time so we can verify the impact.
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicConnection.cs
Outdated
Show resolved
Hide resolved
| @@ -650,6 +650,14 @@ private async Task FlushAcceptQueue() | |||
| _state.AcceptQueue.Writer.TryComplete(); | |||
| await foreach (MsQuicStream item in _state.AcceptQueue.Reader.ReadAllAsync().ConfigureAwait(false)) | |||
| { | |||
| if (item.CanRead) | |||
| { | |||
| item.AbortRead(0xffffffff); | |||
There was a problem hiding this comment.
This hard-coded error-code is not probably something we would want here, isn't it? All the error codes should come from user app since there aren't any officially defined in QUIC protocol.
There was a problem hiding this comment.
Agreed. If necessary we should hard code the appropriate H3 error code here, for now. But ideally this would not be H3 specific.
There was a problem hiding this comment.
Do you have suggestion for value and name @geoffkizer? I agree this should preferably not be H3 specific so I picked the MaxValue instead.
Good behaving app would probably shutdown the Listener and accept and dispose all the pending streams.
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicConnection.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
Outdated
Show resolved
Hide resolved
...libraries/System.Net.Quic/tests/FunctionalTests/QuicStreamConnectedStreamConformanceTests.cs
Show resolved
Hide resolved
| @@ -252,7 +252,7 @@ private static uint HandleEventShutdownComplete(State state, ref ConnectionEvent | |||
| state.ShutdownTcs.SetResult(MsQuicStatusCodes.Success); | |||
|
|
|||
| // Stop accepting new streams. | |||
| state.AcceptQueue.Writer.Complete(); | |||
| state.AcceptQueue.Writer.TryComplete(); | |||
There was a problem hiding this comment.
It seems like there are a bunch of places now where we either call Writer.Complete or Writer.TryComplete. Are all of these necessary? I would assume we only have to do this in a limited number of places, e.g. HandleEventShutdownInitiatedByTransport and HandleEventShutdownInitiatedByPeer, and maybe one other for when we initiate shutdown ourselves.
I always get nervous when we do stuff like call TryComplete instead of Complete, because it seems like we don't have a clean handling of exactly when the Complete operation needs to happen. I'd prefer to see the TryComplete calls changed to either Complete or to assert that it's already completed.
There was a problem hiding this comment.
In this case I was getting exception when when the connection was already Disposed and that triggered flush of events and ShutdownComplete. I could wrap it with if (_disposed == 0) but changing it to Try look better to me. Since this only means we will not put more items to the queue.
There was a problem hiding this comment.
I look at the cases @geoffkizer and it is not that we would not know if the Complete operation should happen. We just don't know if happened before. Like in this case the shutdown may be initiated by peer or somebody may Dispose the connection but than we get this final event and it will throw if we try to complete it again. Unless I missed something I did not find API on the Writer to know if it was completed or not.
One option I can think of you we making this nullable and set it to null after completion. Or we can add yet another state. Let me know what you want me to do.
There was a problem hiding this comment.
I think it's fine for this PR, but we should revisit the logic here moving forward.
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| // We already got final event. | ||
| releaseHandles = Interlocked.Exchange(ref _state.ShutdownDone, 1) == 2; |
There was a problem hiding this comment.
If we already got a final event, then do we actually need to call shutdown/abort below?
There was a problem hiding this comment.
The way how it currently work is that ShutdownComplete will not release everything if Dispose was not called. See note bellow. We could change that but then from example Shutdown and/or Rest can throw if handle is gone.
| @@ -824,6 +899,18 @@ private static uint HandleEventShutdownComplete(State state, ref StreamEvent evt | |||
| state.ShutdownCompletionSource.SetResult(); | |||
| } | |||
|
|
|||
| // Dispose was called before complete event. | |||
| bool releaseHandles = Interlocked.Exchange(ref state.ShutdownDone, 2) == 1; | |||
There was a problem hiding this comment.
Isn't it the case that we always get this ShutdownComplete event? So then can't we always release the handles here?
There was a problem hiding this comment.
I was thinking about it. However in some cases when can ShutdownComplete without us asking for it .e.g. Disposing. With that, attempt to shutdown/reset will throw. So we would need careful synchronization before (and perhaps during) every operation.
There was a problem hiding this comment.
It seems like the handle is only needed for event callbacks, right? I don't think other code should be accessing it. So I don't think there's any real synchronization needed here, is there?
There was a problem hiding this comment.
I'm not sure I understand the comment. The cleanup does more than just handle and we also pass the handle in functions like Shutdown().
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Show resolved
Hide resolved
|
Related: #55044 |
|
I addressed most feedback and left some questions/comments. It would be great if you can take another look @geoffkizer @ManickaP |
|
I did a run of the current code and neither Http nor Quic errors. 🥳 |
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicStream.cs
Show resolved
Hide resolved
src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
Outdated
Show resolved
Hide resolved
...libraries/System.Net.Quic/tests/FunctionalTests/QuicStreamConnectedStreamConformanceTests.cs
Show resolved
Hide resolved
|
@wfurt please let me know when you'll want me to re-review. I see some open discussion with @geoffkizer so I'm not sure whether you plan to do more changes here. |
|
contributes to #49157 |
ghost
locked as resolved and limited conversation to collaborators
This change has multiple parts:
Primarily this changes Dispose behavior to flush all pending data via gracefully shutdown (contributes to #756).
This can possibly block if the connection is up but receiver would stop reading and we exceed sending window.
We may solve this via shutdown API taking Cancellation token.
This behavior is essential for all failing stream conformance tests.
On reading side we may way for graceful shutdown or rest but that can also take long time and it can possibly lead to DoS. I look and for NetwrkStream we call shutdown for both directions. So I decided to call read abort. In ideal case the application (like H/3) know when to stop reading/writing so peer can gracefully close the stream before Dispose e.g. the dispose is just measure to avoid internal reset with code 0.
With this in place we may not safely cleanup all the handles in Dispose method. To deal with this I added simple atomic state so it can be alternatively deferred to HandleEventShutdownComplete(). I feel there is opportunity to perhaps simplify the logic more but I wanted more testing and experiment while I wanted to get this change above out.
The tricky part is that the state can often change during Dispose when calling shutdown/reset so I use simple state to cleanup on either place.
To make debug easier I set the safe handled to IntPtr.Zero during release so when called twice or after I get nice SafeHandle exception instead of possibly corrupting memory and getting native crash.
We have conformance test expect that stream.CanRead and CanWrite would reflect state of the stream. So they are no longer readonly.
With the change the WaitForAvailable*Stream tests started to fail. It turned out they made incorrect assumption that the limit would increase when the stream is disposed locally. Big thanks to @nibanks who helped me to debug the fact that we need to release it on the other side as well to get predicable behavior. I feel some H/3 tests may have similar issue but I did not dig deeper.
With this all the conformance tests are passing with exception of parallel IO.
I'm still running tests in loop and looking for odd failures.
This may need some more adjustments but I wanted to get it out for some feedback.