Add retry limiter support

[friscoMad]

Motivation:

As we discussed over discord there is currently no support for add proper retry limiting, this PR adds it with a couple of working retry limiter implementations, one based on GRPC logic and another that uses a RateLimiter.

Modifications:

• Added some methods to be able to set a RetryLimiter while building a RetryConfig
• Hooked the retry limiter inside RetryClient
• Created a RetryLimiter interface and a couple of implementations.

Result:

• Closes Enable retry throttling #6282
• There are changes in public APIs in RetryConfig constructor and protected getNextDelay methods in AbstractRetryingClient
• It will allow clients to add a retry throttling logic if needed.

[github-actions]

🔍 Build Scan® (commit: ed307b2)

Job name	Status	Build Scan®

[friscoMad]

It would be nice to have metrics about this but afaik it does not seem easy to add metrics here, maybe we could add some debug logging?

[friscoMad]

I am not sure if this is the correct place to hook; it seems to work, but the logic is convoluted so maybe there is a better place to do it.
In fact I think that this should be in the handle of the aggregate but not 100%.

[schiemon]

I agree with that being convoluted; I am about to clean the retrying clients here: #6292 (on halt atm because I have exams)
So I think we can let that PR tackle this

In the end we want to have only one single call to onCompletedAttempt/ have it centralized

[schiemon]

@friscoMad At this point where you put the onCompletedAttempt we just initiated the request. It is almost always not finished at this point. As it should be

Invoked when an attempt completes

we may want to put it as a listener to the whenCompleted future on the attempt response

[friscoMad]

During tests I found out that throwing inside the RateLimiter methods caused the client to never return anything; it just was blocked waiting on the future. This fixes the issue maybe we should do the same for the Retry filter functions.

[schiemon]

Note: AbstractRetryingClient is public so this and the change above are breaking changes. Let us note it in the PR description.

[friscoMad]

But these are protected methods, do they also count as public api?

[schiemon]

As this class is also not final people could inherit from it and use those methods. I cannot think of a use-case for it but theoretically it is possible. In the doc comments we are also not advising against it 🤷

[schiemon]

Why not increasing type safety by demanding a Set<Status> with Status from the gRPC package? You could get it by first getting the Status.Code with valueOf: https://grpc.github.io/grpc-java/javadoc/io/grpc/Status.Code.html#valueOf(java.lang.String). Then you can get the status with Status.fromCode.

[friscoMad]

This lives in the core package that does not depend on gRPC, and I think we want it that way. I could move the implementation to the grpc package, but then we can not have a RetryLimiter.ofGrpc, to me it makes more sense, but I tried to follow the pattern of the gRPC retry rule.

[schiemon]

@friscoMad Maybe we can move GrpcRetryLimiter to the gRPC package and offer a static GrpcRetryLimiter.of factory method?

[friscoMad]

We can do that, but I would like to hear from @ikhoon as he was the one asking for the builders on RetryLimiter class.
For example grpc retry rule is in core instead of the grpc package, which makes more sense, so I was not sure what to do.

[schiemon]

I think in Armeria it is a convention to put the ctx as the first argument

[schiemon]

This and the change below are also breaking

[schiemon]

This fact should also be documented in the constructor and class doc IMHO

[friscoMad]

Added in the class doc and updated here, not included in the constructor as it should be an implementation detail.

[schiemon]

Yeah I misunderstood the scaling part: #6318 (comment)

[schiemon]

As far as I can see Armeria uses Preconditions and Objects.requireNonNull for null and range checks

[friscoMad]

Thanks, I didn't know about this, so I'll change it.

[schiemon]

How about also attaching numAttemptsSoFar and RetryLimiter.toString() (yet to be implemented) for providing more context? See also other method

[schiemon]

AFAIU the whole purpose of scaling up is for accepting floats right?

https://github.com/grpc/grpc-java/blob/94532a6b56076c56fb9278e9195bba1190a9260d/core/src/main/java/io/grpc/internal/RetriableStream.java#L1486-L1492

Then I think we need to

1. accept float
2. scale up everything
3. convert to int
4. then divide by 2

[friscoMad]

I missed the float on the constructors, ok, I will need to split the constructors and update some tests. I will do that tomorrow. Thanks for the heads up, I totally missed that part.

[friscoMad]

Ok, it should be fixed now!

[friscoMad]

This implementation tries to mimic gRPC Java as much as possible. There are 2 points that are not implemented.
gRPC java has support for pushback header, as that is not implemented in the RetryingClient, I have not added support for it here.

The other difference is that gRPC Java considers errors (for reducing tokens) every status defined in the hedging policy as nonFatalStatusCodes. We don't have hedging implemented, but the same behaviour can be replicated with the extended constructor passing the complete list of statuses.

[codecov]

Codecov Report

❌ Patch coverage is 96.49123% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.13%. Comparing base (8150425) to head (ed307b2).
⚠️ Report is 201 commits behind head on main.

Files with missing lines	Patch %	Lines
...ecorp/armeria/client/retry/RetryConfigBuilder.java	75.00%	2 Missing ⚠️
...armeria/client/retry/limiter/GrpcRetryLimiter.java	98.21%	0 Missing and 1 partial ⚠️
...orp/armeria/client/retry/limiter/RetryLimiter.java	75.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #6318      +/-   ##
============================================
- Coverage     74.46%   74.13%   -0.33%     
- Complexity    22234    23030     +796     
============================================
  Files          1963     2065     +102     
  Lines         82437    86225    +3788     
  Branches      10764    11326     +562     
============================================
+ Hits          61385    63924    +2539     
- Misses        15918    16882     +964     
- Partials       5134     5419     +285     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[schiemon]

:)

[friscoMad]

🤦 Why is this not breaking the build? It should fail to compile

[schiemon]

The conversion from int to float is actually legal:
https://onecompiler.com/jshell/43rjpddqw

https://www.baeldung.com/java-primitive-conversions#widening-primitive-conversions

[schiemon]

:))

[schiemon]

Did another pass and only have a few nits

[schiemon]

Let us make the error message different from the one below so user can easily separate them they filter their errors:

Suggested change

	"Failed to execute retry limiter, limiter: " + limiter + " attempts: " + numAttemptsSoFar,
	"Failed to execute RetryLimiter.onCompletedAttempt: limiter={}, attempts={}", limiter, numAttemptsSoFar,

[schiemon]

For that we need implemented toString() methods for the limiters:

@Override
public String toString() {
   return MoreObjects.toStringHelper(this)
           .add("maxTokens", maxTokens)
           .add("threshold", threshold)
           .add("tokenRatio", tokenRatio)
           .add("retryableStatuses", retryableStatuses)
           .add("currentTokenCount", tokenCount.get())
           .toString();
}

@Override
public String toString() {
    return MoreObjects.toStringHelper(this)
            .add("permitsPerSecond", rateLimiter.getRate())
            .toString();
}

(did not test it)

[schiemon]

Let us be explicit here and check for permitsPerSecond being positive ourselves

[schiemon]

(see comment above)

Suggested change

	"Failed to execute retry limiter, limiter: " + limiter + " attempts: " + numAttemptsSoFar,
	"Failed to execute RetryLimiter.shouldRetry: limiter={}, attempts={}", limiter, numAttemptsSoFar,

[schiemon]

Suggested change

	// Wait for 0.5 seconds to allow rate limiter to refill (2 permits per second = 0.5 seconds per permit)
	Thread.sleep(600);
	// Wait for 0.5 seconds + some tolerance to allow rate limiter to refill (2 permits per second = 0.5 seconds per permit)
	Thread.sleep(500 + 100);

[schiemon]

Suggested change

	// Wait for 2 seconds to allow rate limiter to refill (0.5 permits per second = 2 seconds per permit)
	try {
	Thread.sleep(2100);
	// Wait for 2 seconds + some tolerance to allow rate limiter to refill (0.5 permits per second = 2 seconds per permit)
	try {
	Thread.sleep(2000 + 100);

[schiemon]

I would not increase the API surface with this class, i.e. would remove public

[friscoMad]

Fixed

[schiemon]

If we are accepting the breaking changes then we should release this PR together with #6292 to prevent two successive breaking API changes of the same API after each other

[schiemon]

As an implementor I would want to have clarity how thread-safe my implementation needs to be
https://faithlife.codes/blog/2008/03/degrees_of_thread_safety/

[friscoMad]

I think I made it more splicit, let me know if it is better now

[schiemon]

Why +2?

[friscoMad]

Most of the tests were generated with AI support, and even when I reviewed and changed several parts, I skipped some of those eccentricities 😄
But addressed.

[schiemon]

Sorry for the incremental reviews but found a few important points here😆

[schiemon]

If the request log does not have trailers, we will throw an RequestLogAvailabilityException and not return null. You can check for its existence with log.isAvailable(RequestLogProperty.RESPONSE_HEADERS, RequestLogProperty.RESPONSE_TRAILERS). Then you can also remove the cause check above.

ref: https://javadoc.io/doc/com.linecorp.armeria/armeria-javadoc/latest/com/linecorp/armeria/common/logging/RequestLog.html#responseTrailers()

[friscoMad]

Changed 👍

[schiemon]

nit: If you put !updated in the while-loop head then you can remove this if here.

[friscoMad]

Makes sense 👍

[schiemon]

@friscoMad At this point where you put the onCompletedAttempt we just initiated the request. It is almost always not finished at this point. As it should be

Invoked when an attempt completes

we may want to put it as a listener to the whenCompleted future on the attempt response

[schiemon]

You can do this but then you also have to cover the exceptional case with handleException

[schiemon]

A test case for this would be great

[jrhee17]

Sorry about the late review, some rough thoughts I had while taking an initial look:

• RetryConfig#requiresResponseTrailers dictates whether to wait for trailers before deciding whether to retry or not. Given the current implementation, I'm unsure if GrpcRetryLimiter will be able to consistently retrieve grpc trailers for streaming responses. (e.g. If RetryRule.RetryRule.onUnprocessed() is used, RetryLimiter#onCompletedAttempt may be invoked before the trailers arrive for a streaming response). In general (and not just gRPC), I guess users will have to keep track of what properties will be available at RetryLimiter based on how the RetryConfig#requiresResponseTrailers is set.

• When determining whether a retry should be done or not, if users would like to retry on a certain grpc-status, it seems like he/she should set both the GrpcRetryLimiter and the RetryRule since they seem to have an AND relationship. (if they would like to use GrpcRetryLimiter). In general, I'm still trying to organize the exact distinction RetryRule and RetryLimiter.

e.g.

RetryRule.builder()
                 .onGrpcTrailers((ctx, trailers) -> trailers.containsInt("grpc-status", 15))
...
new GrpcRetryLimiter(0, 0, 0, List.of(15))

• Maybe nit, but it seems like RetryLimiter#shouldRetry may be called even if a retry won't actually execute (e.g. due to setResponseTimeout checks, request abortion, etc.). While it may not be a big deal, this may be a little awkward for the RetryRateLimiter implementation which acquires.

I'm nitpicking because I'm still trying to grasp the full picture at the moment.
I would also like to do some research on gRPC's implementation (as well as envoy's) to have a better idea on retry budgets in general before leaving more comments.

[friscoMad]

Sorry about the late review, some rough thoughts I had while taking an initial look:

* `RetryConfig#requiresResponseTrailers` dictates whether to wait for trailers before deciding whether to retry or not. Given the current implementation, I'm unsure if `GrpcRetryLimiter` will be able to consistently retrieve grpc trailers for streaming responses. (e.g. If `RetryRule.RetryRule.onUnprocessed()` is used, `RetryLimiter#onCompletedAttempt` may be invoked before the trailers arrive for a streaming response). In general (and not just gRPC), I guess users will have to keep track of what properties will be available at `RetryLimiter` based on how the `RetryConfig#requiresResponseTrailers` is set.

Yes, and this is difficult even for me trying to understand how the code works, I am not sure if there is a reason for having a gRPC retry limiter without a gRPC retry rule, but maybe we can make some changes to make that decision explicit in RetryLimiter and enable requiresResponseTrailers if the limiter wants it.

* When determining whether a retry should be done or not, if users would like to retry on a certain `grpc-status`, it seems like he/she should set both the `GrpcRetryLimiter` and the `RetryRule` since they seem to have an AND relationship. (if they would like to use `GrpcRetryLimiter`). In general, I'm still trying to organize the exact distinction `RetryRule` and `RetryLimiter.`

RetryRule decides if a retry shoud be done, retry limiter can block a retry based on whatever rules are implemented (like max retries in flight, max retries per minute, token bucket...) the retry limiter only is triggered if a retry is going to be done.
GrpcRetryLimiter tries to mimic the Grpc retry throttling logic defined here: https://github.com/grpc/proposal/blob/master/A6-client-retries.md#throttling-retry-attempts-and-hedged-rpcs it is expected to be used with a GrpcRetry rule, but the rule only covers the retriable statuses of the grpc retry policy. Everything else is included in parts of the armeria retry config.

e.g.

RetryRule.builder()
                 .onGrpcTrailers((ctx, trailers) -> trailers.containsInt("grpc-status", 15))
...
new GrpcRetryLimiter(0, 0, 0, List.of(15))

* Maybe nit, but it seems like `RetryLimiter#shouldRetry` may be called even if a retry won't actually execute (e.g. due to `setResponseTimeout` checks, request abortion, etc.). While it may not be a big deal, this may be a little awkward for the `RetryRateLimiter` implementation which acquires.

This is a valid concern and I am happy to move the check to another point in the timeline, I have a lot of difficulties to fully understand the flow and find where to add the 2 hooks (shouldRetry and onCompletedAttempt), it is true that we want to check only when we are going to do the retry but also waiting for the backoff just to cancel the retry is a bit weird. I think that as long as abortions and errors are flows that are exceptional and not frequently used, I think it is fine to miscount by 1 from time to time. But I have not an strong opinion we can move the check to be done as late as possible and that will be fine for me too.

I'm nitpicking because I'm still trying to grasp the full picture at the moment. I would also like to do some research on gRPC's implementation (as well as envoy's) to have a better idea on retry budgets in general before leaving more comments.
No worries, it is a very niche topic, and my feeling is that with all the edge cases that can happen with IO, delays... we can only expect to do it "good enough".

[jrhee17]

I'm still organizing my thoughts, but I think overall looks good. Left some minor comments (mostly to show that I'm not forgetting about this PR)

[jrhee17]

I think it makes sense to add a callback method onStartAttempt to RateLimiter which indicates a request will be sent.
For each invocation of onStartAttempt a matching onCompletedAttempt is guaranteed to be called.

I think shouldRetry is best left stateless - I imagine this will be useful not only in retries, but hedging later on as well since we'll need to check asynchronously.

The additional onStartAttempt would also help implement generic rate limiting retry budgets like done in envoy.
ref: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/circuit_breaker.proto#config-cluster-v3-circuitbreakers-thresholds-retrybudget

[jrhee17]

nit; GrpcRetryLimiter and its ctors can be package-private

[jrhee17]

Note) Understood the reason behind having a separate set of conditions here is because RetryDecision can't convey if a retry should count as being limited or not.

e.g. in pseudocode

if cause instanceOf UnprocessedRequestException
  -> RetryDecision(backoff), should transparently retry without updating `RetryLimiter`
if grpc header received
  -> RetryDecision#NoRetry, should update `RetryLimiter#onSuccess`
if trailers-only
  -> RetryDecision(backoff), should retry and update `RetryLimiter#onFailure`

An alternative design could be to add a throttlingDecision flag to RetryDecision.

e.g.

class RetryDecision {

    enum ThrottleDecision {
        THROTTLE,
        NO_THROTTLE,
        IGNORE,
    }

    private final ThrottleDecision throttleDecision;

By doing so, the boundary between each interface could be clearer:

1. RetryRule: responsible for retry rules (whether to retry/throttle depending no a set of rules)
2. RetryLimiter: responsible for providing the throttling algorithm (time-based, bucket-based, etc..)

This seems like a design choice, and I'm fine with the current design as well - but wanted to at least mention options before moving forward.

[friscoMad]

We can not decide on throttling at the same time as we are deciding if we are going to retry or not, as we could be cancelling the retry later and we don't want to "lock/waste" resources.
Ideally throttling check should be done at the very last possible point in time before sending the retry.

[jrhee17]

The idea wasn't to implement throttling based on RetryRule - RetryLimiter#canRetry can still determine whether a retry should be throttled or not.

The idea was rather to add a property to RetryDecision which allows users to specify whether a retryDecision should affect throttling

final Set<String> retryableStatusCodes = ImmutableSet.of("14");
RetryRule rule = new RetryRule() {
    @Override
    public CompletionStage<RetryDecision> shouldRetry(ClientRequestContext ctx,
                                                      @Nullable Throwable cause) {
        final RequestLog headers = ctx.log().getIfAvailable(RequestLogProperty.RESPONSE_HEADERS);
        if (cause instanceof UnprocessedRequestException || headers == null) {
            return RetryDecision.of(backoff, NO_THROTTLE);
        }
        final String status = headers.responseHeaders().get("grpc-status");
        if (status == null) {
            return RetryDecision.noRetry(THROTTLE_SUCCESS);
        } else if (!retryableStatusCodes.contains(status)) {
            return RetryDecision.of(backoff, NO_THROTTLE);
        } else {
            return RetryDecision.of(backoff, THROTTLE_FAILURE);
        }
    }
};

and users can still decide on how to limit retries based on the throttling decision

interface RetryLimiter {
  boolean shouldRetry(ClientRequestContext ctx, int numAttemptsSoFar);
  default void onCompletedAttempt(RetryDecision decision, ClientRequestContext ctx, RequestLog requestLog, int numAttemptsSoFar);
}

---

Updated API idea

RetryConfig.builder(RetryRule.builder().onUnprocessed().thenBackoff(backoff, ThrottleDecision.NONE)
                             .orElse(RetryRule.builder()
                                              .onResponseHeaders(noGrpcStatus)
                                              .thenNoRetry(ThrottleDecision.SUCCESS))
                             .orElse(RetryRule.builder()
                                              .onGrpcTrailers(isRetriableGrpcStatus)
                                              .thenBackoff(backoff, ThrottleDecision.FAILURE)))
           .build();

[friscoMad]

Ohh Ok, I understand your idea, but it seems more complex and require more coupling.
Afaik, usually both subsystems can be configured independently, and while in general solutions only provide a single algorithm for retry and retry budget/throttling, so there is more space for coupling, but in Armeria it seems that you are open to creating custom implementations, so I think decoupling is better, that said I understand the benefits of doing something like that for the gRPC rule/limitter as the official implementation is more complex than other limiters, maybe we can fix that (checking the status twice, setting retriable statuses in both cases) by using some context magic?

[jrhee17]

maybe we can fix that (checking the status twice, setting retriable statuses in both cases) by using some context magic?

I don't have an idea to do this with the current APIs, but if users can specify retryableStatusCodes once and have it applied to both the retry rule and limiter, I have no issue with the current API proposal.

e.g. users don't have to specify statuses in both RetryRule and RetryLimiter

Set<Integer> retriableStatuses = ImmutableSet.of();
RetryRule customRetryRule = RetryRule.onUnprocessed()
        .orElse(RetryRule.builder()
                         .onGrpcTrailers((ctx, headers) -> retriableStatuses.contains(headers.getInt("grpc-status")))
                         .thenBackoff());
RetryConfig.builder(customRetryRule)
           .limiter(RetryLimiter.ofGrpc(1, 1, 1, retriableStatuses)).build();

In general (not just gRPC), I think it's possible that users will want to apply throttling for only a subset of responses (e.g. 429 too many requests, 503 gateway error, etc..) so I think if there is a general solution for this, it would be great as well so RetryRateLimiter can also benefit from this.

Also, I'm not sure if we'll want the flexibility for users to also throttle based on response content (e.g. imagining cases where server returns the exception in the response {"error": "ConflictException"}, {"error": "ThrottledException"}) which I think is slightly less common. I'm curious if the current proposed API can support this use-case (or if it should be supported at all)

[jrhee17]

The other maintainers suggested that @ikhoon review this PR first. Since he'll be back next week, let me hold further reviews until he comes back

[ikhoon]

I slightly lean toward making RetryLimiter work independently to achieve decoupling.

RetryRule customRetryRule = RetryRule.onUnprocessed()
        .orElse(RetryRule.builder()
                         .onGrpcTrailers((ctx, headers) -> > retriableStatuses.contains(headers.getInt("grpc-status")))
                         .thenBackoff());
RetryConfig.builder(customRetryRule)
           .limiter(RetryLimiter.ofGrpc(1, 1, 1, retriableStatuses)).build();

In general (not just gRPC), I think it's possible that users will want to apply throttling for only a subset of responses (e.g. 429 too many requests, 503 gateway error, etc..) so I think if there is a general solution for this, it would be great as well so RetryRateLimiter can also benefit from this.

In this case, the default implementation, which decreases the quota for each attempt, may cover it.

// The default `RetryLimiter` respects the retry decision made in customRetryRule
RetryConfig.builder(customRetryRule)
           .limiter(RetryLimiter.ofDefault(maxTokens, ...)).build();

[jrhee17]

I see, if you don't think this is inconvenient for users, feel free to proceed with the current implementation. Let me revisit this PR later once my review comments are addressed