add shutdown and start mechanics to windmill streams

[m-trieu]

Start and closing Windmill streams are currently via halfClose() and on stream creation. Implementations were previously created and returned in a "started" state usually after the stream has already sent the initial headers to open the connection to the backend servers.

Starting in the current state prevents us from being able to start the stream "lazily". And closing allows other blocking stream operations to prevent streams from being able to be closed (stalling at times up to 10-20 minutes).

• Add start() flexibility to the WindmillStream API by allowing external callers to start the stream themselves.
• Add shutdown() capability to allow the stream to receive a shutdown signal, that is idempotent and does not block (or is blocked by) other blocking stream operations.

This is especially important in direct path mode where the user worker manages the fan out to the backend.

in terms of implementation, similar to WindmillStream.shutdown(), WindmillStream.start()'s behavior will only execute once during the lifetime of the WindmillStream object. Subsequent calls to start() and shutdown() will do nothing.

R: @arunpandianp @scwhittle

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

[github-actions]

Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment assign set of reviewers

[m-trieu]

assign set of reviewers

[github-actions]

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @damccorm added as fallback since no labels match configuration

Available commands:

• stop reviewer notifications - opt out of the automated review tooling
• remind me after tests pass - tag the comment author after tests pass
• waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

[arunpandianp]

assign the future to a variable named unusedFuture and remove the suppression?

[m-trieu]

done

[arunpandianp]

does anything prevent us from creating the stream here and starting it in start?

[m-trieu]

Don't want to start and do too much (make an RPC call) in the constructor

We also need the metadata stub (dispatcher stub), which we don't have until we call start in StreamingDataflowWorker. Can fix this by making start() be asynchronous here but I still think that might be doing too much in the constructor.

Will have to suppress a warning (reference to 'this' in constructor) but i can create the stream here and just start the stream in start() instead of assigning.

[arunpandianp]

Suggested change

	getWorkStream.adjustBudget(adjustment);
	getWorkStream.setBudget(newBudget);

[m-trieu]

rebased onto #32775

[arunpandianp]

it doesn't look like any of the method calls inside flushInternal are throwing InterruptedException. Can we remove the throws from here?

[m-trieu]

removed

[arunpandianp]

can we initialize delegateRequestObserver with requestObserverSupplier.get() here and remove the null checks in delegate()?

[m-trieu]

we need some initial state to not allow sends() or other stream operations w/o a call to startStream/start

we can use null or a dummy observer that will throw if any of the methods are called before startStream/start is called?

[arunpandianp]

requestObserver is now created in constructor, we don't need the null check here.

[arunpandianp]

bump

[m-trieu]

done

[arunpandianp]

executor.execute won't propagate the IllegalStateException from closed stream to here.

[m-trieu]

we don't ever do anything with the IllegalStateException anyways except LOG so I think this is ok

[arunpandianp]

can we move shutdownTime.set(DateTime.now()); to line 354 before calling requestObserver().onError?

[m-trieu]

done

[arunpandianp]

when is the VerifyException thrown?

[m-trieu]

throughout the class when we insert/remove into the pending map we call verify(map operation)
so that might get thrown here

[arunpandianp]

Since VerifyException is not expected when things are working as expected, why not throw it upstream as it is? Converting it to WindmillStreamShutdownException will mask the real failure and the worker will be operating in an unknown state.

[m-trieu]

If it is thrown and we are shutdown, the verify exception is invalid because any ongoing responses/requests are invalid. We clear the pending + requests fields so some of the map operations are looking for things that are no longer there.

An alternative is instead of just verify, we add a check for isShutdown ontop of the boolean condition being checked and either return or throw if isShutdown. The issue here is we start checking for isShutdown every vs letting the exception just get thrown and handled here.

If the stream is not shutdown, the VerifyException will still be thrown. I can add a test for this?

[arunpandianp]

If we see VerifyException, that means there is a logic bug and we need to correct code to fix them.

One case I see is, on shutdown we do batches.clear(), this could happen in the middle of the batch sending. There is verify(batch == batches.peekFirst()); inside send that will throw after shutdown.

from https://github.com/google/guava/wiki/ConditionalFailuresExplained#kinds-of-conditional-failures

A verification check is used when you lack high confidence that an API you consume will meet its (real or implied) specification. It's easiest to understand this type of check as "like an assertion in almost every way, but we'll never want to disable them."

Can we make sure Verify exceptions are not thrown unless there is a bug?

[m-trieu]

added checks to isShutdown

[arunpandianp]

do we need this? only the parseFn.parse above was reading the responseStream and nothing should be blocked on the response stream at this point?

[m-trieu]

not needed, just wanted to cancel the stream incase there was anything dangling

[arunpandianp]

If it is not needed, lets remove it. To catch anything dangling, we can add a check and throw

[m-trieu]

removed

[m-trieu]

back to you @scwhittle @arunpandianp thanks!

[arunpandianp]

Suggested change

	handleShutdown(request);
	throw shutdownException(request);

throwing here would be more readable, than relying on handleShutdown to throw.

[m-trieu]

done

[arunpandianp]

This might log on every shutdown. We could remove this and rely on logging unexpected exceptions upstream

[m-trieu]

done

[m-trieu]

back to you @arunpandianp @scwhittle thanks

[scwhittle]

add a comment:

Indicates that the logical stream has been half-closed and is waiting for clean server shutdown.

[m-trieu]

done

[scwhittle]

Would be good to compare to clarify versus clientClosed.
This is more about the specific physical stream

Maybe add "Separate from clientClosed as this is specific to the requestObserver and is initially false on retry."

[m-trieu]

done

[scwhittle]

this is getting to be a lot of atomics. Most are just atomic for status page.

I think it could be less confusing to have some MonitoringInfo object which has synchronized methods like noteRestart(...), sleepUntil(sleeper, time), noteSend, noteResponse to make it clearer what is just monitoring stuff and what is part of the state machine.

For state machine things like isShutdown, clientClosed it woudl be nice if we could move away from atomics to variables marked with GuardedBy. In some cases that might lead to duplication with the monitoring state but I think it could still help with analyzing the locking correctness or races within this class. For example for shutdown, I think we could have boolean guardedby shutdown mutex, and a method on MonitoringState like noteShutdown() which would internally have it's own boolean and time the shutdown occurred.

[m-trieu]

done

[scwhittle]

this seems racy since start sets started to true before startStream calls requestObserver.reset() initially, or it could happen that startStream resets the observer after we call onError here and the new one doesn't have an error called.

how about adding a RequestObserver.poison which permanently puts the request observer in a poisoned state, calling onError on the current one or any future made ones? you can remove the started check and the requestobserver handles the synchronization within itself.

[m-trieu]

done
also moved ResettableRequestObserver to its own file, and added tests

[m-trieu]

back to you thanks @scwhittle

[scwhittle]

move comment next to poison method?

[m-trieu]

done

[scwhittle]

can these just be synchronized ints as well instead of atomic? WE're not doing anything expensive under lock so it doesn't seem like it needs separate consideration.

[m-trieu]

done

[scwhittle]

getStartTimeMs?

ditto for lastSendTimeMs

[m-trieu]

done

[scwhittle]

if you acquire this before (this) lock, then this mutex could be blocked by I/O because we perform IO beneath this lock.

If this is supposed to be lightweight it seems like it should be acquired after (this) to avoid that.

[m-trieu]

done

[scwhittle]

can this be guarded by shutdown lock? the accessor method can synchronize

[m-trieu]

done

[scwhittle]

can this be guarded by one of hte locks instead of volatile?

[m-trieu]

done

[m-trieu]

back to you @scwhittle thank you!

[scwhittle]

I would remove this since it seems likely expensive.
Instead you could verify with a test:

• setup requestObserver that blocks until notified
• one thread calls send and starts blocking
• main test thread calls shutdown() and verifies the method returns
• main test thread unblocks the requestObserver

[m-trieu]

done

[scwhittle]

nit: how about a builder for this since we won't want to add exceptions in other places.

then the final line of method can be

builder.throwIfNonEmpty();
and interrnally it builds exception and throws if needed?

[m-trieu]

done

[scwhittle]

I was thinking the builder would not be an exception itself, and then the exception would just be a simple class without mutating methods.

[m-trieu]

done

[scwhittle]

can we remove? it is handled in stream methods already and doing it here leaves a gap between shutdown check and flush anyway.

[m-trieu]

done

[scwhittle]

remove? above send will fail if shutdown
though I think we can also guarantee at higher level that onNewStream isn't called if shutdown

[m-trieu]

done

[scwhittle]

just make a synchronized method?

[m-trieu]

fixed by moving it out of the inner class
GuardedBy check was failing since reference to this was ambiguous

[scwhittle]

why doesn't just "this" work?

[m-trieu]

fixed by moving it out of the inner class
GuardedBy check was failing since reference to this was ambiguous

[scwhittle]

mark nullable and above

I think you still need to fix the over exemption of windmill classes from checker.
#30183

[m-trieu]

done

[scwhittle]

nit. I would maybe keep this in the onError case, as the other stuff is more just logs/debug page and this is more functional.

[m-trieu]

done

[scwhittle]

rm? below needs to handle it anyway

[m-trieu]

done

[scwhittle]

batch usage should be syncrhonized on this

should shutdownInternal be marked synchronized? It is currently in sycnrhonzied shutdown block anyhway

[m-trieu]

done

[scwhittle]

nit: name throwIfShutdown?

[m-trieu]

done

[scwhittle]

can this be removed? it seems you have shutdown check first in cases I see (and if not I think it would be clearer to have it as part of the check where it is than hidden in method that doesn't sound like it examines shutdown)

[m-trieu]

done

[scwhittle]

rm if you remove above

[m-trieu]

dpne

[scwhittle]

some of previous comments were not resolved, please look through them too. Thanks!

[scwhittle]

we should remove this (and the suppress)

shouldn't the poison prevent the blocking beneath the mutex? and then the below lock will be acquired soon?

Setting it to true outside the mutex will break invariants that are easier to think about if it is strictly guarded by. (and it breaks logic below we'll never run shutdownInternal)

if we do need it for something it seems like we could have a separate volatile shutdownRequested boolean. But I'd prefer to figure out what gets stuck with the current code and fix it instead because it is confusing to have two.

[m-trieu]

cleaneed up was supposed to stay within the sync block

[scwhittle]

if you want to submit, log this instead. We've used things liek StringUtils.arrayToNewlines(Thread.currentThread().getStackTrace(), 10); elsehwere to get a string to log

[m-trieu]

removed this waas for debugging

[scwhittle]

rm debug logs

[m-trieu]

removed this waas for debugging

[scwhittle]

also check isClosed to ensure that we don't call onNext on something that we called onFinish or onError on.

We need it here since the locking in the ResettableStreamObserver isn't sufficient as it sends without lock held. You might be able to remove it from that class if we're just relying on this one to provide enforcement that the underlying stream observer is used correctly (ie locked, just one terminal method, no other methods after it)

[m-trieu]

added checks under lock to onError and onComplete all onNext calls are already guarded by lock

[scwhittle]

ie if (!isClosed) check to all of these

[m-trieu]

still need to add some more tests to DirectStreamObserverTest
addressed the other comments

thanks!
@scwhittle

[scwhittle]

add the ignored to the exception too? just in case we catch something unexpected and it helps debugging?

[m-trieu]

done

[scwhittle]

avoid synchronizing if not necessary and you need to handle the null case or you will just get an exception in following line.

if (responseStream == null) {
sychronized (this) { verify(isShutdown); }
continue;
}

[m-trieu]

done

[scwhittle]

just make method synchronized (though with suggestion below, probably easier to just duplicate in onCompleted/onError and use the same if block.

[m-trieu]

done

[scwhittle]

this is going to throw if we have sequence

T1: onNext()
T2: terminate()
T1: onError()

It seems like that could happen if we're terminating from other threads than the one driving the observer generally. We could have a separate bool tracking if userClosed or not, and change this exception to be based upon that as that is using the class wrong. having a terminate before/during a onCompleted/onError doesn't necessarily seem like misuse and I think we should avoid throwing an exception.

[m-trieu]

done

[scwhittle]

sleep for less, 100ms maybe? Tests take long enough already

[m-trieu]

done

[scwhittle]

ditto how about 100ms

[m-trieu]

done

[scwhittle]

ditto less

[m-trieu]

done

[scwhittle]

assert(!isClosed);
since we terminate before closing seems like it is guaranteed but clearer to reader to assert I think

[m-trieu]

done

[scwhittle]

assert(!isClosed);
since we terminate before closing seems like it is guaranteed but clearer to reader to assert I think

[m-trieu]

done

[scwhittle]

assert(!isClosed);
since we terminate before grabbing synchronized to close it is guaranteed but clearer to reader to assert I think

[m-trieu]

done