grpc: Fix cardinality violations in client streaming RPCs #8278
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #8278 +/- ##
==========================================
- Coverage 82.29% 82.25% -0.05%
==========================================
Files 417 419 +2
Lines 41356 42053 +697
==========================================
+ Hits 34035 34590 +555
- Misses 5907 5996 +89
- Partials 1414 1467 +53
🚀 New features to boost your workflow:
|
stream.go
Outdated
| return io.EOF // indicates successful end of stream. | ||
| } | ||
|
|
||
| return toRPCErr(err) | ||
| } | ||
| if cs.desc.ClientStreams { | ||
| cs.recvMsg = true |
There was a problem hiding this comment.
Can we set this boolean without the check? Otherwise we would need to document the variable in a way to make it obvious that this is set only for client streaming RPCs. Even then users may accidentally use it for other types of RPCs.
There was a problem hiding this comment.
Changed it to !cs.desc.ServerStreams, so that it will mark cs.recvFirstMsg=true for both unary and clientStreaming RPCs.
|
Do we need a similar check on the server side also, i.e. change the status to internal if the server attempts to close without writing a message? |
stream.go
Outdated
| @@ -1134,11 +1136,17 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) { | |||
| if statusErr := a.transportStream.Status().Err(); statusErr != nil { | |||
| return statusErr | |||
| } | |||
| if !cs.desc.ServerStreams && !cs.recvFirstMsg { | |||
| return status.Errorf(codes.Internal, "client streaming cardinality violation") | |||
There was a problem hiding this comment.
Let's be more specific about what happened here so that a user could understand what's happening when they see the error.
"received no response message from non-streaming RPC"?
| return io.EOF // indicates successful end of stream. | ||
| } | ||
|
|
||
| return toRPCErr(err) | ||
| } | ||
| if !cs.desc.ServerStreams { | ||
| cs.recvFirstMsg = true |
There was a problem hiding this comment.
Should there also be something here that fails if recvFirstMsg is already set? (That would indicate we received multiple messages in a unary RPC.)
There was a problem hiding this comment.
For both unary and client-streaming RPCs, client.recvmsg() will wait for the trailers after receiving its first msg over here .
I'll change the status code here from UNKNOWN to INTERNAL in upcoming PR with tests. It will handle the case when trailers are not send from server side for unary and client-streaming RPCs.
There was a problem hiding this comment.
I see. So why do you need this new field, then?
If the above recv ever returns io.EOF, then we already know there was never a message read from the stream. Either that, or the user called Recv after receiving an error from a previous call to Recv, which is illegal and undefined.
There was a problem hiding this comment.
Yeah, make sense.
So for non-server streaming rpcs, we can directly return INTERNAL error if the first recv() call gets EOF.
if !cs.desc.ServerStreams {
return status.Errorf(codes.Internal, "client streaming cardinality violation")
}
There was a problem hiding this comment.
Yes, I think that should work and avoids adding new state to track.
There was a problem hiding this comment.
Ping - I think we can remove recvFirstMsg now?
There was a problem hiding this comment.
I had reverted that in this commit bbd8366.
But than @arjan-bal pointed out that in case of successful RPC, if user call RecvMsg() twice, the second RecvMsg() call should return with io.EOF instead of cardinality violation.
That's why I reverted back to the older code to fulfill that condition.
There was a problem hiding this comment.
As I mentioned before, it's not defined what happens if RecvMsg is called after returning an error.
There are other scenarios where calling recvMsg repeatedly will not cause the previously returned error to occur. E.g. if a received message is too large, recv will return an error. But I believe a subsequent call to RecvMsg would actually return the next message from the stream, or io.EOF at the end of the stream.
stream.go
Outdated
| @@ -1134,11 +1136,17 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) { | |||
| if statusErr := a.transportStream.Status().Err(); statusErr != nil { | |||
| return statusErr | |||
| } | |||
| if !cs.desc.ServerStreams && !cs.recvFirstMsg { | |||
| return status.Errorf(codes.Internal, "client streaming cardinality violation") | |||
test/end2end_test.go
Outdated
| return | ||
| } | ||
| defer conn.Close() | ||
| framer := http2.NewFramer(conn, conn) |
There was a problem hiding this comment.
Realistically this test shouldn't need low level framer access. You should be able to implement it with a grpc.Server that has its EmptyCall handler configured as a streaming handling, and with an implementation that just returns nil immediately without sending a message.
I do think that would be preferable, because the framing stuff is tedious and error prone, and it makes the test much more complex. If you're having too much trouble with that approach, let me know and I can try to help, or if it somehow turns out to be a lot more work than I was expecting, feel free to push back.
There was a problem hiding this comment.
Initially, I attempted to resolve this by returning nil from EmptyCall. However, this approach resulted in an empty, successful response rather than a failure, which wasn't the desired outcome.
The scenario that sends no response cannot be replicated within grpc-go itself, as the framework requires a response to be sent.
This test aims to verify behavior in a cross-language context, where a unary client might interact with a unary server implemented in a different language, potentially allowing the server to send no response.
Please let me know if that is not the case or I overlook something.
There was a problem hiding this comment.
I think @dfawley is saying that we can register a streaming handler for a unary method on the server. The client will call EmptyCall, but the server will call a streaming handler.
srv := grpc.NewServer()
serviceDesc := grpc.ServiceDesc{
ServiceName: "grpc.testing.TestService",
HandlerType: (*any)(nil),
Methods: []grpc.MethodDesc{},
Streams: []grpc.StreamDesc{
{
StreamName: "EmptyCall",
Handler: func(any, grpc.ServerStream) error {
return nil
},
ClientStreams: true,
},
},
Metadata: "grpc/testing/test.proto",
}
srv.RegisterService(&serviceDesc, &testServer{})
go srv.Serve(lis)
defer srv.Stop()There was a problem hiding this comment.
Thanks for clarifying. I had made the changes.
There was a problem hiding this comment.
Another option (maybe easier, but no need to change now) is to use the unknown service handler, and don't register anything on the server: https://pkg.go.dev/google.golang.org/grpc#UnknownServiceHandler
There was a problem hiding this comment.
UnknownServiceHandler uses bidirectional streaming[desc.clientstreams:true, desc.serverstreams:true].
Will it work with the changes I made to addresses cardinality violations?
if !cs.desc.ServerStreams && !cs.recvFirstMsg {
return status.Errorf(codes.Internal, "cardinality violation: received no response message from non-streaming RPC")
}
stream.go
Outdated
| @@ -1134,11 +1136,17 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) { | |||
| if statusErr := a.transportStream.Status().Err(); statusErr != nil { | |||
| return statusErr | |||
| } | |||
| if !cs.desc.ServerStreams && !cs.recvFirstMsg { | |||
| return status.Errorf(codes.Internal, "client streaming cardinality violation") | |||
stream.go
Outdated
| @@ -1134,6 +1134,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) { | |||
| if statusErr := a.transportStream.Status().Err(); statusErr != nil { | |||
| return statusErr | |||
| } | |||
| // received no msg and status ok for non-server streaming rpcs. | |||
| if !cs.desc.ServerStreams { | |||
There was a problem hiding this comment.
If a user calls RecvMsg twice for a unary RPC and the server sends 1 response message, I believe they should receive io.EOF for the second .RecvMsg call. Is this still the case or will they receive a cardinality violation?
There was a problem hiding this comment.
In that case user will receive cardinality violation. This change is made in #8330 .
There was a problem hiding this comment.
I think the expected behaviour is to keep returning the same error with which the RPC ended. That seems to be the intention of lines just above this.
if statusErr := a.transportStream.Status().Err(); statusErr != nil {
return statusErr
}So if the RPC was successful, the caller should keep getting io.EOF on successive calls to RecvMsg(). This change is breaking that expectation. The following code asserts this behaviour:
stream, err := cc.NewStream(ctx, &grpc.StreamDesc{
ServerStreams: false,
ClientStreams: false,
}, testgrpc.TestService_EmptyCall_FullMethodName)
if err != nil {
t.Fatal(err)
}
if err := stream.SendMsg(&testpb.Empty{}); err != nil {
t.Fatal(err)
}
if err := stream.RecvMsg(&testpb.Empty{}); err != nil {
t.Fatal(err)
}
// Returning internal error now.
if err := stream.RecvMsg(&testpb.Empty{}); err != io.EOF {
t.Fatal(err)
}There was a problem hiding this comment.
If we are expecting second RecvMsg() to get io.EOF for successful non-server streaming RPCs, I can go back to the previous implementation by having a variable recvFirstmsg and set it to true in first RecvMsg() call.
And only return INTERNAL error if EOF is received in first RecvMsg() call.
if !cs.desc.ServerStreams && !recvFirstMsg {
return status.Errorf(codes.Internal, "cardinality violation: received no response message from non-streaming RPC")
}
Let me know your thoughts on this.
There was a problem hiding this comment.
I think what the above comment from Doug mentioned was for returning an error when calling recv returns a message successfully. gRPC should probably return a cardinality violation in that case.
Line 1136 in 4cab0e6
We should discuss this in the team meeting.
There was a problem hiding this comment.
For non-streaming RPCs:
Server can't send more than one msg, as mentioned in this comment.
For successful RPC, Client can call RecvMsg() twice. Second RecvMsg() call will return with a io.EOF and close the stream.
It will never be the case for non-streaming RPCs, that recvFirstMsg is already set.
stream.go
Outdated
| @@ -1134,6 +1134,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) { | |||
| if statusErr := a.transportStream.Status().Err(); statusErr != nil { | |||
| return statusErr | |||
| } | |||
| // received no msg and status ok for non-server streaming rpcs. | |||
| if !cs.desc.ServerStreams { | |||
There was a problem hiding this comment.
There is a similar method on addrConnStream that also needs to be updated.
There was a problem hiding this comment.
I'll made the similar changes once the changes made in client.RecvMsg() gets finalized.
arjan-bal
changed the title
Partially addresses: #7286
Client should ensure an "Internal" error is returned for client-streaming RPCs if the server doesn't send a message before returning status OK.
Currently it is returning "EOF", which should not be the case for cardinality violations.
RELEASE NOTES: