Skip to content

binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures#12283

Merged
jdcormie merged 7 commits intogrpc:masterfrom
HyunsangHan:fix-binder-deadlock-12190
Oct 14, 2025
Merged

binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures#12283
jdcormie merged 7 commits intogrpc:masterfrom
HyunsangHan:fix-binder-deadlock-12190

Conversation

@HyunsangHan
Copy link
Copy Markdown
Contributor

@HyunsangHan HyunsangHan commented Aug 16, 2025

Move future cancellation outside of synchronized block in BinderClientTransport.notifyTerminated() to prevent deadlock if AsyncSecurityPolicy uses directExecutor() for callbacks.

Fixes #12190

@HyunsangHan
binder: Avoid potential deadlock when canceling AsyncSecurityPolicy f…
c54cfff 
…utures

Move future cancellation outside of synchronized block in
BinderClientTransport.notifyTerminated() to prevent deadlock if
AsyncSecurityPolicy uses directExecutor() for callbacks.

Fixes grpc#12190
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla bot commented Aug 16, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@jdcormie
Copy link
Copy Markdown
Member

jdcormie commented Aug 18, 2025

Help me understand the change here? All those cancel() calls still appear to come from inside the @GuardedBy("this") method notifyTerminated() method ...

@HyunsangHan
Merge branch 'master' of https://github.com/HyunSangHan/grpc-java int…
9111970 
…o fix-binder-deadlock-12190

Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunsangHan
binder: Fix potential deadlock in BinderClientTransport.notifyTermina…
7138614 
…ted()

Move future cancellation to offloadExecutor to avoid deadlock when
AsyncSecurityPolicy uses directExecutor() for callbacks.

Fixes grpc#12190

Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunsangHan
Copy link
Copy Markdown
Contributor Author

HyunsangHan commented Aug 24, 2025

Help me understand the change here? All those cancel() calls still appear to come from inside the @GuardedBy("this") method notifyTerminated() method ...

OMG! Sorry. I realized that I missed committing the actual fix!
I've just pushed the missing commit with the proper solution.

@jdcormie Could you please check the latest commit?

HyunsangHan
HyunsangHan commented Aug 24, 2025
View reviewed changes
Comment thread binder/src/main/java/io/grpc/binder/internal/BinderClientTransport.java Outdated
jdcormie
jdcormie reviewed Aug 27, 2025
View reviewed changes
Comment thread binder/src/main/java/io/grpc/binder/internal/BinderClientTransport.java Outdated
jdcormie
jdcormie reviewed Aug 27, 2025
View reviewed changes
Comment thread binder/src/main/java/io/grpc/binder/internal/BinderClientTransport.java Outdated
@HyunsangHan
binder: Extract cancelAsync method with isDone optimization
4d7ed66 
Extract future cancellation logic into cancelAsync method and only cancel
futures that are not already done for better performance.

Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunsangHan HyunsangHan requested a review from jdcormie August 27, 2025 23:52
@jdcormie jdcormie added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 28, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 28, 2025
jdcormie
jdcormie reviewed Aug 28, 2025
View reviewed changes
Comment thread binder/src/main/java/io/grpc/binder/internal/BinderClientTransport.java Outdated
jdcormie
jdcormie reviewed Aug 28, 2025
View reviewed changes
Comment thread binder/src/main/java/io/grpc/binder/internal/BinderClientTransport.java Outdated
@HyunsangHan HyunsangHan requested a review from jdcormie August 28, 2025 15:24
@HyunsangHan
binder: Rename method, relocate calls, and remove null assignments
fc77da4 
Rename cancelAsync to cancelAsyncIfNeeded, move future cancellation
next to readyTimeoutFuture, and remove unnecessary null assignments.

Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunsangHan
Copy link
Copy Markdown
Contributor Author

HyunsangHan commented Sep 2, 2025

@jdcormie
I’ve addressed the review comments. :)

@jdcormie jdcormie added the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Sep 3, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Sep 3, 2025
@jdcormie
Copy link
Copy Markdown
Member

jdcormie commented Sep 3, 2025
edited
Loading

Woke up this morning with a small new concern: Would this PR cause us to declare the Channel terminated before all work we've enqueued on the offload Executor is complete (or cancelled) ? Take a look at how releaseExecutors() is called right after notifyTerminated() (the site of your changes) returns. Would this need to move into the shutdown path instead?

@HyunsangHan
Copy link
Copy Markdown
Contributor Author

HyunsangHan commented Sep 8, 2025

Woke up this morning with a small new concern: Would this PR cause us to declare the Channel terminated before all work we've enqueued on the offload Executor is complete (or cancelled) ? Take a look at how releaseExecutors() is called right after notifyTerminated() (the site of your changes) returns. Would this need to move into the shutdown path instead?

I agree with your concern. That's a very good point.
Since cancellation is enqueued on a separate thread, there's no guarantee that previously enqueued tasks have completed by the time we declare the Channel as terminated.
To address this fundamentally, notifyTerminated should ideally only be called once those tasks have finished.

That said, while thinking about ways to improve the code, two questions came up 🤔 :

  1. Because cancellation itself is enqueued onto the executor and then handled asynchronously, even if we enqueue it earlier there's still no guarantee that the cancel operation will finish before notifyTerminated is invoked. The probability might be higher, but the guarantee isn't there.
  2. Looking at releaseExecutors more closely, it does attempt to gracefully release resources once queued tasks complete. However, the method itself seems to return immediately without waiting for that completion. If that's correct, then simply moving releaseExecutors before notifyTerminated wouldn't necessarily solve the problem either.

Could you elaborate a bit more on what you meant by "move into the shutdown path instead"? I want to make sure I understand your idea fully.

@jdcormie
Copy link
Copy Markdown
Member

jdcormie commented Sep 29, 2025

Regarding (1), You're right that enqueuing it earlier, in shutdown() say, doesn't solve anything. My suggestion here wasn't a good one.

Regarding (2), You're right that releaseExecutors really has nothing to do with this. We do promise not to put any new work on an Executor after releasing it, but you never proposed doing this so I don't know why I mentioned it.

I do still think we should cancel any internally scheduled Runnables and any in-flight work behind our calls to SecurityPolicy.checkAuthorization() before declaring termination. Otherwise, the application might be surprised when calling shutdownNow() on its own Executor returns one of our Runnable that it doesn't know what to do with. And if that Runnable is your proposed call to ListenableFuture#cancel which never gets run(), some AsyncSecurityPolicy resource might never get cleaned up.

The simplest way to achieve cancel() before notifyTerminate() is just to do one before the other in the same thread like today. We know calling cancel while holding a lock is problematic but putting this work on an executor is hard too because now we've got to somehow wait for it to finish, which is kind of the same problem we started with. Instead, what if we collected outstanding futures with the lock, but called cancel after releasing it? This would be similar to how shutdownInternal cleans up ongoingCalls when forceTerminate is true. Have a look at jdcormie@d0bcf4b and LMK what you think.

@HyunsangHan
Copy link
Copy Markdown
Contributor Author

HyunsangHan commented Oct 1, 2025

@jdcormie
Thanks for sharing your opinion!

I’ve reviewed your commit and I agree this "collect with lock, cancel without lock" pattern is a much cleaner solution. It avoids both the race condition and the deadlock scenario while staying consistent with the existing cleanup logic.

The only trade-off I see is that the logic might feel a bit less cohesive, but overall I think it’s the right direction :)

@jdcormie
Copy link
Copy Markdown
Member

jdcormie commented Oct 1, 2025

Great! Can you update your PR to take that approach and I'll merge it?

@jdcormie jdcormie mentioned this pull request Oct 1, 2025
Closed
@HyunsangHan HyunsangHan requested a review from jdcormie October 8, 2025 06:55
@jdcormie jdcormie added the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Oct 8, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Oct 8, 2025
@jdcormie jdcormie merged commit 4725ced into grpc:master Oct 14, 2025
16 of 17 checks passed
@HyunsangHan
Copy link
Copy Markdown
Contributor Author

HyunsangHan commented Oct 15, 2025

@jdcormie
Thanks for merging this! I really enjoyed discussing it with you. It was both fun and meaningful.

jdcormie added a commit to jdcormie/grpc-java that referenced this pull request Oct 20, 2025
@jdcormie
Cancel owned Futures *before* declaring termination.
539cd2b 
Fixes BinderClientTransportTest which has been flaky since grpc#12283.
@jdcormie jdcormie mentioned this pull request Oct 20, 2025
Merged
jdcormie added a commit that referenced this pull request Oct 21, 2025
@jdcormie
Cancel owned Futures *before* declaring termination. (#12426)
ab20a12 
Fixes BinderClientTransportTest#testAsyncSecurityPolicyCancelledUponExternalTermination
and others which have been flaky since #12283. @HyunsangHan
AgraVator pushed a commit to AgraVator/grpc-java that referenced this pull request Nov 3, 2025
@HyunsangHan @AgraVator
binder: Avoid potential deadlock when canceling AsyncSecurityPolicy f…
864b9df 
…utures (grpc#12283)

Move future cancellation outside of synchronized block in
`BinderClientTransport.notifyTerminated()` to prevent deadlock if
`AsyncSecurityPolicy` uses `directExecutor()` for callbacks.

Fixes grpc#12190

---------

Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
AgraVator pushed a commit to AgraVator/grpc-java that referenced this pull request Nov 3, 2025
@jdcormie @AgraVator
Cancel owned Futures *before* declaring termination. (grpc#12426)
07d8df4 
Fixes BinderClientTransportTest#testAsyncSecurityPolicyCancelledUponExternalTermination
and others which have been flaky since grpc#12283. @HyunsangHan
@HyunsangHan HyunsangHan mentioned this pull request Dec 28, 2025
Open
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 14, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jdcormie jdcormie Awaiting requested review from jdcormie

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

binder: BinderTransport should avoid canceling AsyncSecurityPolicy futures while holding its lock

3 participants

@HyunsangHan @jdcormie @grpc-kokoro