Improve request cancelation handling. #103
Conversation
- Provide stronger thread safety guarantees by locking access to any variable which can be mutated during the processing of a request (i.e. by the CacheDispatcher/NetworkDispatcher threads) and dispatching response callbacks while holding the same lock that is held when setting mCanceled. Unfortunately there's not much we can do about alternative ResponseDelivery mechanisms, which are hopefully rare. - Add a cancel listener interface and use it to prevent RequestFuture from blocking for the complete timeout (or indefinitely) if a request is canceled. - Since listeners are often Android component classes like Activitys, clear them upon cancellation. Unfortunately, this must be done in each Request subclass to work, assuming the subclass follows the standard pattern of holding the response listener as a member. But this enables concerned apps to resolve this leak. Fixes google#15 Fixes google#85
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g.
|
|
@googlebot is apparently having issues right now; the above comment can be ignored and I'll request a re-check once it's resolved. |
|
I appreciate the concern, but given the volume of reports of the leak in #15 and duped reports, I'd like to get this resolved as well in the next release. I also find the bug with RequestFuture hanging forever in wait() to be pretty severe in nature - it caused thread pool exhaustion in one of our internal apps. The DiskBasedCache bug is severe as well when it does happen, but has been present for quite some time already. This does happen to be the last planned change on the roadmap for 1.0.1, though. I wouldn't anticipate other changes being merged before release unless they fix regressions introduced since 1.0.0. So hopefully we'll have an RC build ready soon. |
| @@ -56,6 +56,12 @@ | |||
| int PATCH = 7; | |||
| } | |||
|
|
|||
| /** Callback interface to notify listeners when a request has been canceled. */ | |||
| public interface CancelListener { | |||
There was a problem hiding this comment.
The names seems odd. Ideas for a better name:
- OnRequestCanceledListener
- CancellationListener
- OnCancelListener
There was a problem hiding this comment.
CancellationListener makes sense - the intent is to be consistent with "ErrorListener", so the prefixes should both be nouns describing what happened.
| // To uphold the contract of cancel(), we hold the same lock here around both the check of | ||
| // isCanceled() as well as the actual response delivery. This ensures that after a call | ||
| // to cancel() returns, we will never deliver the response. | ||
| synchronized (mLock) { |
There was a problem hiding this comment.
The change from open calls (without lock held) to closed calls makes me nervous about deadlock.
There was a problem hiding this comment.
@jpd236 Then I suggest making the minimal change to alleviate the memory retention. Similar to the mcxiaoke fix, which has been in use for a while.
Table the lock changes for another release.
| @@ -96,9 +105,11 @@ | |||
| private boolean mShouldCache = true; | |||
|
|
|||
| /** Whether or not this request has been canceled. */ | |||
| // GuardedBy(mLock) | |||
There was a problem hiding this comment.
If you're OK with importing android.support.annotation.GuardedBy you could use @GuardedBy("mLock").
There was a problem hiding this comment.
We don't have a dependency on the support lib yet, so for now I'm holding off on this. At some point later on we might add it to cover things like this, @VisibleForTesting, etc.
| @@ -96,9 +105,11 @@ | |||
| private boolean mShouldCache = true; | |||
|
|
|||
| /** Whether or not this request has been canceled. */ | |||
| // GuardedBy(mLock) | |||
| private boolean mCanceled = false; | |||
|
|
|||
There was a problem hiding this comment.
Instead of guarding this by a lock, would it be sufficient to make this volatile? Since we don't have a mechanism to un-cancel a request, we know that once isCancelled returns true, it will always return true, so we mainly have to make sure that once one thread cancels, all other threads see that.
There was a problem hiding this comment.
It's not sufficient as it stands due to holding mLock around the response dispatching below; it might be sufficient if we change that, but I'm not sure that n volatile variables is necessarily more performant than a simple lock, and it's certainly more tricky to reason about :)
There was a problem hiding this comment.
Looking at this a little closer, I see that synchronization is being added to methods that are likely to be called on the main thread. This should be avoided. In particular, Request.cancel() is waiting for a lock held by the ExecutorDelivery.
| mCanceled = true; | ||
| synchronized (mLock) { | ||
| mCanceled = true; | ||
| onCanceledInternal(); |
There was a problem hiding this comment.
Since we don't know what happens in onCancelled, should we maybe check here if the request is already cancelled and avoid double-cancellation? Especially if you make mCanceled volatile as suggested above rather than guarded, but I think it's safer either way.
There was a problem hiding this comment.
That's a fair point; I could change this to avoid double-cancellation.
| if (mRunnable != null) { | ||
| mRunnable.run(); | ||
| } | ||
| mRequest.deliverResponse(mResponse, mRunnable); |
There was a problem hiding this comment.
Could you call that something different, maybe handleResponse or prepareResponseDelivery of maybeDeliverResponse or something? It was a bit confusing to read for me since there are now 2 deliverResponse with different arguments and having different jobs.
There was a problem hiding this comment.
Yeah, agreed this is confusing; I couldn't come up with a better name. If we end up keeping this (per my other comment) then maybe deliverResponseAndFinish() or something to indicate the additional work that this method is responsible for doing.
| // To uphold the contract of cancel(), we hold the same lock here around both the check of | ||
| // isCanceled() as well as the actual response delivery. This ensures that after a call | ||
| // to cancel() returns, we will never deliver the response. | ||
| synchronized (mLock) { |
There was a problem hiding this comment.
That's a lot of stuff behind this lock, I'm not sure that's needed. I think instead we could add a check whether finish() has been called (addMarker() after finish() leads to IllegalStateException). Since this method (and finish) are package-private it is anyway not possible for users to access them without using ExecutorDelivery. And as long as ExecutorDelivery always runs them on the same thread, we can't have conflicts here as far as I can tell. What do you think?
There was a problem hiding this comment.
@joebowbeer I acknowledge the concern, but I don't see a way to properly implement the guarantees that are advertised by cancel() without ensuring that the same lock is held for both cancel() and for the response dispatching itself. Without this lock, it's possible for someone to call cancel() and still have the callbacks called (if we've already checked isCanceled() here).
@uhager It doesn't seem to me like finish() is always called (in the response.intermediate case) so I'm not sure that works in every case, right? And the assumption about ExecutorDelivery running on the same thread is the one this locking is intended to resolve.
Another option might be to weaken the guarantee by stating that you must call cancel() from the same thread as the ResponseDelivery being used (typically the main thread) in order to guarantee that the callbacks aren't invoked. If you call cancel() from another thread, and the main thread is in the process of delivering responses, it may still end up delivering the response. In this case we could leave the dispatching as it was and just accept the risk of a post-cancel dispatch. However, this would mean needing to lock writes to the error listener / response listener.
@jjoslin - any thoughts?
There was a problem hiding this comment.
AFAICT the same lock needs to be held during cancel() and response dispatching to uphold the cancel() contract as @jpd236 states. I feel like this is a reasonable thing to do but also acknowledge that it does create the potential for deadlock (although I think it will be rare in practice). I support/prefer the current implementation but I wouldn't be opposed to weakening the guarantee either.
There was a problem hiding this comment.
Thank you both for the prompt reviews!
Regarding keeping the scope small: I'm not sure what the other proposed fix would be but the memory retention is only one of the two issues being resolved here, the other being the RequestFuture cancellation bug. Note that just the minimal fix of clearing listeners in cancel() can only safely be done if cancel invocation is thread-safe.
I also think the ship has already sailed re: small bug fixes; the Apache header changes and soft TTL tweaks that recently landed are just as large if not more so. Volley's 1.0.0 release has been out for some time and I believe the vast majority of clients are not running into issues, so I don't see a strong reason to rush a release prematurely. We'll get there soon, and affected clients may use SNAPSHOT builds in the mean time (and can pin to a specific snapshot if they're concerned about picking up less-tested changes).
| @@ -56,6 +56,12 @@ | |||
| int PATCH = 7; | |||
| } | |||
|
|
|||
| /** Callback interface to notify listeners when a request has been canceled. */ | |||
| public interface CancelListener { | |||
There was a problem hiding this comment.
CancellationListener makes sense - the intent is to be consistent with "ErrorListener", so the prefixes should both be nouns describing what happened.
| if (mRunnable != null) { | ||
| mRunnable.run(); | ||
| } | ||
| mRequest.deliverResponse(mResponse, mRunnable); |
There was a problem hiding this comment.
Yeah, agreed this is confusing; I couldn't come up with a better name. If we end up keeping this (per my other comment) then maybe deliverResponseAndFinish() or something to indicate the additional work that this method is responsible for doing.
| @@ -96,9 +105,11 @@ | |||
| private boolean mShouldCache = true; | |||
|
|
|||
| /** Whether or not this request has been canceled. */ | |||
| // GuardedBy(mLock) | |||
There was a problem hiding this comment.
We don't have a dependency on the support lib yet, so for now I'm holding off on this. At some point later on we might add it to cover things like this, @VisibleForTesting, etc.
| @@ -96,9 +105,11 @@ | |||
| private boolean mShouldCache = true; | |||
|
|
|||
| /** Whether or not this request has been canceled. */ | |||
| // GuardedBy(mLock) | |||
| private boolean mCanceled = false; | |||
|
|
|||
There was a problem hiding this comment.
It's not sufficient as it stands due to holding mLock around the response dispatching below; it might be sufficient if we change that, but I'm not sure that n volatile variables is necessarily more performant than a simple lock, and it's certainly more tricky to reason about :)
| mCanceled = true; | ||
| synchronized (mLock) { | ||
| mCanceled = true; | ||
| onCanceledInternal(); |
There was a problem hiding this comment.
That's a fair point; I could change this to avoid double-cancellation.
| // To uphold the contract of cancel(), we hold the same lock here around both the check of | ||
| // isCanceled() as well as the actual response delivery. This ensures that after a call | ||
| // to cancel() returns, we will never deliver the response. | ||
| synchronized (mLock) { |
There was a problem hiding this comment.
@joebowbeer I acknowledge the concern, but I don't see a way to properly implement the guarantees that are advertised by cancel() without ensuring that the same lock is held for both cancel() and for the response dispatching itself. Without this lock, it's possible for someone to call cancel() and still have the callbacks called (if we've already checked isCanceled() here).
@uhager It doesn't seem to me like finish() is always called (in the response.intermediate case) so I'm not sure that works in every case, right? And the assumption about ExecutorDelivery running on the same thread is the one this locking is intended to resolve.
Another option might be to weaken the guarantee by stating that you must call cancel() from the same thread as the ResponseDelivery being used (typically the main thread) in order to guarantee that the callbacks aren't invoked. If you call cancel() from another thread, and the main thread is in the process of delivering responses, it may still end up delivering the response. In this case we could leave the dispatching as it was and just accept the risk of a post-cancel dispatch. However, this would mean needing to lock writes to the error listener / response listener.
@jjoslin - any thoughts?
|
@jpd236 I meant that ExecutorDelivery always sends deliverResponse on the same Handler. So deliverResponse can't be called simultaneously, since - as far as I can tell - no other class calls it and it's not accessible to users. Or does RequestFuture change that behaviour in ExecutorDelivery? |
|
Thinking about this some more, wouldn't it make more sense to synchronize access to mErrorListener? Where it is set to null when cancelled and then in deliverResponse around deliverError? Check if it's non-null and then synchronize using it? |
|
CLAs look good, thanks! |
|
|
||
| private void onCanceledInternal() { | ||
| mErrorListener = null; | ||
| if (mCancelListener != null) { |
There was a problem hiding this comment.
I think you need to synchronize access to mCancelListener because setCancelListener() could be called on a different thread. Or pass it in through the ctor and make it volatile.
| } | ||
|
|
||
| /** Sets a {@link CancelListener} which will be notified when the request is canceled. */ | ||
| public void setCancelListener(CancelListener listener) { |
There was a problem hiding this comment.
Why not add another ctor to accommodate this?
| } | ||
|
|
||
| private void onCanceledInternal() { | ||
| mErrorListener = null; |
There was a problem hiding this comment.
mErrorListener needs to be volatile (or access to it needs to be synchronized) to ensure getErrorListener() returns the correct value. Same for mCancelListener.
| private void onCanceledInternal() { | ||
| mErrorListener = null; | ||
| if (mCancelListener != null) { | ||
| mCancelListener.onRequestCanceled(); |
There was a problem hiding this comment.
The other callbacks run on the same thread as the ResponseDelivery being used whereas this runs on the calling thread. I realize in most cases those threads will be the same (main thread) but what do you think about providing a stronger guarantee about the thread onRequestCanceled() runs on?
| // To uphold the contract of cancel(), we hold the same lock here around both the check of | ||
| // isCanceled() as well as the actual response delivery. This ensures that after a call | ||
| // to cancel() returns, we will never deliver the response. | ||
| synchronized (mLock) { |
There was a problem hiding this comment.
AFAICT the same lock needs to be held during cancel() and response dispatching to uphold the cancel() contract as @jpd236 states. I feel like this is a reasonable thing to do but also acknowledge that it does create the potential for deadlock (although I think it will be rare in practice). I support/prefer the current implementation but I wouldn't be opposed to weakening the guarantee either.
| @@ -96,9 +105,11 @@ | |||
| private boolean mShouldCache = true; | |||
|
|
|||
| /** Whether or not this request has been canceled. */ | |||
| // GuardedBy(mLock) | |||
| private boolean mCanceled = false; | |||
|
|
|||
There was a problem hiding this comment.
Looking at this a little closer, I see that synchronization is being added to methods that are likely to be called on the main thread. This should be avoided. In particular, Request.cancel() is waiting for a lock held by the ExecutorDelivery.
| @@ -51,9 +52,10 @@ | |||
| * | |||
| * @param <T> The type of parsed response this future expects. | |||
| */ | |||
| public class RequestFuture<T> implements Future<T>, Response.Listener<T>, | |||
| Response.ErrorListener { | |||
| public class RequestFuture<T> implements Future<T>, Response.Listener<T>, Response.ErrorListener, | |||
There was a problem hiding this comment.
I'm not sure how much difference this makes, but the pattern I like to use for classes that implement Future is to have them wrap an internal FutureTask instance to handle the synchronization. For example, see BackgroundTask in JCiP (Ch. 9 ). This makes it easier to get the synchronization correct, and makes it more apparent that it is.
|
OK - this PR seems too contentious to try and merge all at once :) Let me try to split it into more reasonable chunks so it's more manageable; I'll send them out separately. First of all, thanks all for the detailed comments; I really do appreciate it. For the leak, I need to think it through a bit more but I think you're probably right that we can just synchronize access to mErrorListener/mListener in Request and each of the toolbox subclasses, and then clear them on cancel. This doesn't guarantee that deliverResponse()/deliverError() won't be called after calling cancel(), but calling them should just no-op if the respective listener hasn't been nulled out, so we should be okay just updating the Javadoc to note this limitation - there are no guarantees if cancel() is called from a different thread than the response delivery. It also leaves this locking up to the Request subclass which isn't ideal, but there's not much we can do about that without holding our own lock for code we don't control. Please note that grabbing a lock on the main thread should not be a problem; it should finish in microseconds. It's only an issue if that lock is contentious or if the work performed inside the lock can take a non-trivial amount of time. Certainly if it's safe to avoid it's better, as with anything on the main thread, but I don't think it's a concern here when necessary. For the cancel listener - it'll be a bit more involved, but a possible option here is to add a postCancel to ResponseDelivery and plumb cancel events through there, so for our default implementation it'll run on the main thread. The main issue is that ResponseDelivery is an interface, so as we did with the Apache HTTP refactoring for HttpStack, we'd need to add a new interface and continue to support the old one (dropping cancellation events) for anyone using it. I may punt on this for a while given the complexity and uncertainty about the API, and instead just update RequestFuture to warn about using wait(0) in some form. I think that covers the higher level open questions. For the nitty-gritty we can cover that on each PR. |
|
Leak/thread-safety: #105 |
Provide stronger thread safety guarantees by locking access to any
variable which can be mutated during the processing of a request (i.e.
by the CacheDispatcher/NetworkDispatcher threads) and dispatching
response callbacks while holding the same lock that is held when
setting mCanceled. Unfortunately there's not much we can do about
alternative ResponseDelivery mechanisms, which are hopefully rare.
Add a cancel listener interface and use it to prevent RequestFuture
from blocking for the complete timeout (or indefinitely) if a request
is canceled.
Since listeners are often Android component classes like Activitys,
clear them upon cancellation. Unfortunately, this must be done in each
Request subclass to work, assuming the subclass follows the standard
pattern of holding the response listener as a member. But this enables
concerned apps to resolve this leak.
Fixes #15
Fixes #85