Centralize exception handling and fix behavior for RequestTimeoutException

[engechas]

When a request hits an Armeria server and cannot be processed within the request_timeout, a RequestTimeoutException occurs. Currently this case returns a 503 to the client. This PR fixes that by adding a custom exception handler to the push-based sources that properly handles RequestTimeoutExceptions.

As part of this work, I stumbled upon a couple other issues/quirks of the Armeria servers

• Requests that are queued in the backend service's BlockingTaskExecutor will still be executed even if the request has already timed out. This adds unnecessary load to the pipeline by trying to process requests that have already returned a 503 (now 408/429 depending on http vs grpc) to the client. Added a check that a request is not timed out before attempting to process it.
• The HTTP source gives 80% of the request_timeout to write to the buffer. This makes sense as there is additional work necessary after the write finishes that needs to complete before returning a 200 back to the client. The OTEL sources did not follow this pattern and instead gave 100% of the request_timeout to write to the buffer. Adjusted this to be 80% to align with HTTP source. I also noticed that the Armeria requests don't timeout exactly at the request_timeout so there's no apparent benefit in terms of unnecessary work reduction by having the buffer write timeout and request_timeout match as requests that will timeout still get picked up.
• The OTEL sources have nearly identical exception handling and metric emission. Pulled that out into a central class for code reuse

Check List

• New functionality includes testing.
• [N/A] New functionality has been documented.
  • [N/A] New functionality has javadoc added
• Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[chenqi0805]

QUES: Is there reason to favor throwing exception rather than responseObserver.onError?

[engechas]

If the request times out at the Armeria level, the request is terminated before the responseObserver has a chance to be populated. I wanted to centralize the logic for exception handling + metrics as well as cover all cases with a single pattern. Throwing the exception and then handling it in the GrpcRequestExceptionHandler allows for that.

The other caveat is that there is an edge case where we end up emitting both a requestTimeout metric and a badRequest/second requestTimeout/internalServerException/successRequest metric if we only handle the Armeria timeouts and continue to have the original metric/error handling here. This happens if we start serving the request before it times out but it times out before the request is fully served.

[chenqi0805]

Makes sense. I did not realize it is captured by the exception handler.

[chenqi0805]

Similar question as above

[dlvenable]

What is the difference between TimeoutException and RequestTimeoutException?

[engechas]

TimeoutException is thrown by the BlockingBuffer, RequestTimeoutException is thrown by Armeria when the requestTimeout has expired

[dlvenable]

Is there any particular reason this is empty? Should we have something generic like "Internal Server Error"?

[engechas]

I'm not sure. I just pulled this out into a constant from the original implementation. This empty string could be populated for non-5XX exceptions as well so I'm not sure if there's a good generic message. Open to suggestions

[dlvenable]

I understand you are saying this was the default behavior.

[dlvenable]

Is this the fix you were referring to here?

Requests that are queued in the backend service's BlockingTaskExecutor will still be executed even if the request has already timed out. This adds unnecessary load to the pipeline by trying to process requests that have already returned a 503 (now 408/429 depending on http vs grpc) to the client. Added a check that a request is not timed out before attempting to process it.

[engechas]

Yes

[dlvenable]

This DEFAULT_MESSAGE could possibly be improved since the handleExceptions method already determines what type it is. So we can probably remove DEFAULT_MESSAGE and derive it from the Status.

Assuming that Status::toString returns a useful string, this could be:

message = e.getMessage() == null ? status.toString() : e.getMessage();

[engechas]

This one's a little trickier. The toString method is

return MoreObjects.toStringHelper(this)
        .add("code", code.name())
        .add("description", description)
        .add("cause", cause != null ? getStackTraceAsString(cause) : cause)
        .toString();

The cause and description are null by default. We could add the whole exception as the cause but I don't think we want to return the stacktrace in the HTTP response.

[engechas]

We could add something generic like Unexpected exception encountered: <exception class>. Let me know what your thoughts are

[dlvenable]

How about just code.name() instead of Status.toString()?

[dlvenable]

That is, status.getCode.name()

[engechas]

Good call, will do

[dlvenable]

I understand you are saying this was the default behavior.

[dlvenable]

I think the default message issue can be resolved here.

This private handleException method could be refactored to return HttpStatus. All the return values appear to generate the same HttpResponse aside from the status.

Then this line here becomes:

HttpStatus status = handleException(cause, /*message no longer needed*/);
return HttpResponse.of(status, MediaType.ANY_TYPE, cause.getMessage() == null ? status.toString() : cause.getMessage());

[engechas]

Makes sense. Will refactor

[dlvenable]

Thanks!