Address possible mis-behavior due to pointer-to-exchange members being null when they did not use to be #21632
Comments
|
#21586 is a manifestation of this seemingly? (albeit, not quite, since it isn't happening in the synchronous call-path of a message processing call chain...) |
Yeah - specifically, |
|
To clarify, in the pre-exchange-holder world, there was an expectation that exchange delegates held on to their exchange for the duration of the |
|
Is that the expectation we want going forward? |
Exploring this a bit, what about implementors of Looking at some existing examples, |
|
Same goes for |
Yes, I think this is the most sensible option. Anything else just feels like it's yanking the rug from under-neath the callee, for the above stated examples. |
|
So, I think there are two details worth noting here:
|
Yes, in terms of the exchange pointer becoming null.... But the session could have gone away in the past too.
That is the big question. I'm not sure what the best options are here, honestly, but I think we need to make the expectations, whatever they are, clear and then make sure that all the consumer code follows the expectations.
There weren't really any, so it was not very defined.... But yes,
Yes.
Does it? The only places under its OnMessageReceived where it can close the exchange are the error cases when we
Where does it touch
I agree that this seems like the simplest thing for consumers to deal with. We just need to make sure we set the right flags.... and we still have a problem if someone tries to touch state that would reach into the session. That's assuming that a session can get evicted during processing of a message on one of its exchanges, which I'm not sure it can right now, though we have nothing specific preventing it. It just happens that nothing on those codepaths evicts that specific session....
That seems like a good summary. I am less clear on how the proposed solution inside ExchangeHolder itself for item 2 works.... |
This makes some key fixes to the management of the ExchangeContext, specifically around how the WillSendMessage flag is set/cleared, as well as dealing with clean-up of the exchange in OnSessionReleased(). It also fixes some key bugs in ExchangeHolder around failure to release the ref on the exchange in certain scenarios as outlined in project-chip#21544 and project-chip#21632. Notably, the following fixes have been made to ExchangeContext: - Setting the WillSendMessage flag immediately in SendMessage and only clearing the WillSendMessage flag on actually having successfully sent a message in SendMessage. Otherwise, the holder is not able to infer that the ownership still resides with it on a SendMessage failure. - Not clearing the WillSendMessage flag in OnSessionReleased. This ensures the holder again can infer that it still has the ref and needs to give it up when OnExchangeClosing is called there-after. - Avoiding a double call of DoClose by checking if it is already closed. - Cleaning up OnSessionReleased logic to now correctly call Abort() in both the case where we're waiting for a response AND we're in the middle of received message dispatch (i.e we're in the middle of OnMessageReceived). This is a pre-existing bug where the closure of the exchange resulted in a leak due to MessageHandled() not quite cleaning up the EC later when the call unwinds. Tests: TestExchangeHolder has been buffed up to now exhaustively test permutations of send failure, session closure (both before and after message transmission) and calling WillSendMessage at all points along a 3 message transmission.
This makes some key fixes to the management of the ExchangeContext, specifically around how the WillSendMessage flag is set/cleared, as well as dealing with clean-up of the exchange in OnSessionReleased(). It also fixes some key bugs in ExchangeHolder around failure to release the ref on the exchange in certain scenarios as outlined in project-chip#21544 and project-chip#21632. Notably, the following fixes have been made to ExchangeContext: - Setting the WillSendMessage flag immediately in SendMessage and only clearing the WillSendMessage flag on actually having successfully sent a message in SendMessage. Otherwise, the holder is not able to infer that the ownership still resides with it on a SendMessage failure. - Not clearing the WillSendMessage flag in OnSessionReleased. This ensures the holder again can infer that it still has the ref and needs to give it up when OnExchangeClosing is called there-after. - Avoiding a double call of DoClose by checking if it is already closed. - Cleaning up OnSessionReleased logic to now correctly call Abort() in both the case where we're waiting for a response AND we're in the middle of received message dispatch (i.e we're in the middle of OnMessageReceived). This is a pre-existing bug where the closure of the exchange resulted in a leak due to MessageHandled() not quite cleaning up the EC later when the call unwinds. Tests: TestExchangeHolder has been buffed up to now exhaustively test permutations of send failure, session closure (both before and after message transmission) and calling WillSendMessage at all points along a 3 message transmission.
This makes some key fixes to the management of the ExchangeContext, specifically around how the WillSendMessage flag is set/cleared, as well as dealing with clean-up of the exchange in OnSessionReleased(). It also fixes some key bugs in ExchangeHolder around failure to release the ref on the exchange in certain scenarios as outlined in project-chip#21544 and project-chip#21632. Notably, the following fixes have been made to ExchangeContext: - Setting the WillSendMessage flag immediately in SendMessage and only clearing the WillSendMessage flag on actually having successfully sent a message in SendMessage. Otherwise, the holder is not able to infer that the ownership still resides with it on a SendMessage failure. - Not clearing the WillSendMessage flag in OnSessionReleased. This ensures the holder again can infer that it still has the ref and needs to give it up when OnExchangeClosing is called there-after. - Avoiding a double call of DoClose by checking if it is already closed. - Cleaning up OnSessionReleased logic to now correctly call Abort() in both the case where we're waiting for a response AND we're in the middle of received message dispatch (i.e we're in the middle of OnMessageReceived). This is a pre-existing bug where the closure of the exchange resulted in a leak due to MessageHandled() not quite cleaning up the EC later when the call unwinds. Tests: TestExchangeHolder has been buffed up to now exhaustively test permutations of send failure, session closure (both before and after message transmission) and calling WillSendMessage at all points along a 3 message transmission.
This makes some key fixes to the management of the ExchangeContext, specifically around how the WillSendMessage flag is set/cleared, as well as dealing with clean-up of the exchange in OnSessionReleased(). It also fixes some key bugs in ExchangeHolder around failure to release the ref on the exchange in certain scenarios as outlined in project-chip#21544 and project-chip#21632. Notably, the following fixes have been made to ExchangeContext: - Setting the WillSendMessage flag immediately in SendMessage and only clearing the WillSendMessage flag on actually having successfully sent a message in SendMessage. Otherwise, the holder is not able to infer that the ownership still resides with it on a SendMessage failure. - Not clearing the WillSendMessage flag in OnSessionReleased. This ensures the holder again can infer that it still has the ref and needs to give it up when OnExchangeClosing is called there-after. - Avoiding a double call of DoClose by checking if it is already closed. - Cleaning up OnSessionReleased logic to now correctly call Abort() in both the case where we're waiting for a response AND we're in the middle of received message dispatch (i.e we're in the middle of OnMessageReceived). This is a pre-existing bug where the closure of the exchange resulted in a leak due to MessageHandled() not quite cleaning up the EC later when the call unwinds. Tests: TestExchangeHolder has been buffed up to now exhaustively test permutations of send failure, session closure (both before and after message transmission) and calling WillSendMessage at all points along a 3 message transmission.
Problem
After #21081 and #20237 the semantics of the exchange context member of various interaction model objects changed in a subtle but important way.
Before that change, the member could only become null in the following cases:
Importantly: while we are processing an incoming message, the member could not become null until we tried to send a response. That means any logic that used the member could rely on it being there while processing an incoming message.
After #21081 and #20237 that changes: now if the session goes away (as one possible trigger for the behavior) the member becomes null immediately. This means that any methods/getters that use the exchange context can start mis-behaving while we are trying to process an incoming message, including things like not being able to determine the accessing fabric (or it changing in mid-processing!). At least the following things might be affected:
Proposed Solution
We need to think a little bit about whether this is a problem in practice or not. Maybe something guarantees that the session can't be evicted while we are processing an incoming message on it, but I don't see obvious such guarantees.
Maybe an attempt to close an exchange while it's processing an incoming message (including due to session eviction) should simply set a flag (which would prevent any more sending of non-ack messages; need to think about what happens here if the closure is due to session going away) and do the actual closing + notification of the delegate once we unwind the stack? But note that some of the state we are interested in from exchanges actually comes from the session, so it might have mis-behaved before anyway if the session went away but the exchange remained non-null...
Another option would be for the IM objects to snapshot anything they need from the exchange except message-sending services before they start calling out to consumers for an incoming message. But that would require those objects to get bigger, which might be an issue.
Any other bright ideas @mrjerryjohns?
The text was updated successfully, but these errors were encountered: