JAVA-5949 preserve connection pool on backpressure errors when establishing connections#1900
Conversation
|
Assigned |
|
Added the following to the description of the PR (a new piece of work to be done within the PR): DRIVERS-3394: adjust spec test description (#1894)(JAVA-6095). |
| boolean terminated = executor.awaitTermination(20, SECONDS); | ||
| assertTrue("Executor did not terminate within timeout", terminated); | ||
|
|
||
| // Assert at least 10 ConnectionCheckOutFailedEvents occurred |
There was a problem hiding this comment.
Do we need this comment? The assertion message already explains the intent (e.g., “Expected at least 10 ConnectionCheckOutFailedEvents, but got …”).
| assertTrue("Expected at least 10 ConnectionCheckOutFailedEvents, but got " + connectionCheckOutFailedEventCount.get(), | ||
| connectionCheckOutFailedEventCount.get() >= 10); | ||
|
|
||
| // Assert 0 PoolClearedEvents occurred |
There was a problem hiding this comment.
| // Teardown: sleep 1 second and reset rate limiter | ||
| Thread.sleep(1000); | ||
| adminDatabase.runCommand(new Document("setParameter", 1) | ||
| .append("ingressConnectionEstablishmentRateLimiterEnabled", false)); |
There was a problem hiding this comment.
This cleanup is currently conditional on the code above completing successfully. If an assertion or exception happens earlier, this teardown won’t run, which can leak state into subsequent tests.
We should move it this cleanup into @AfterEach/afterEach so it runs reliably regardless of how the test exits.
There was a problem hiding this comment.
It's wrapped under a finally block now
| AtomicInteger connectionCheckOutFailedEventCount = new AtomicInteger(0); | ||
| AtomicInteger poolClearedEventCount = new AtomicInteger(0); | ||
|
|
||
| ConnectionPoolListener connectionPoolListener = new ConnectionPoolListener() { | ||
| @Override | ||
| public void connectionCheckOutFailed(final ConnectionCheckOutFailedEvent event) { | ||
| connectionCheckOutFailedEventCount.incrementAndGet(); | ||
| } | ||
|
|
||
| @Override | ||
| public void connectionPoolCleared(final ConnectionPoolClearedEvent event) { | ||
| poolClearedEventCount.incrementAndGet(); | ||
| } | ||
| }; |
There was a problem hiding this comment.
Instead of introducing a new anonymous listener with counters, we can reuse the existing test listener:
TestConnectionPoolListener connectionPoolListener = new TestConnectionPoolListener();
It already provides await helpers that double as assertions and helpers to assert that zero PoolClearedEvents happened, e.g.:
connectionPoolListener.waitForEvent(ConnectionPoolClearedEvent.class, 1, 110, SECONDS);
This keeps the test more concise and reuses established utilities for clarity/consistency.
| // clear the pool as they're not related to overload. | ||
| // TLS configuration errors (certificate validation, protocol mismatches) should also clear the pool | ||
| // as they indicate configuration issues, not server overload. | ||
| if (beforeHandshake && !sdamIssue.relatedToAuth() && !sdamIssue.relatedToTlsConfigurationError()) { |
There was a problem hiding this comment.
Currently we attach SystemOverloadedError and RetryableError labels in the SDAM error-handling path (effectively only for DefaultServer). In load-balanced mode, SDAM isn’t involved: the LB code path invalidates the pool directly (e.g., connectionPool.invalidate(serviceId, generation)), so the labeling logic is bypassed.
This means users running the driver in LB mode (behind an NLB) can still hit network errors, TLS handshake failures, timeouts during connection establishment or hello, but won’t get the labels.
However, these labels are a CMAP requirement, not SDAM. The CMAP spec states: “The pool MUST add the error labels SystemOverloadedError and RetryableError to network errors or network timeouts it encounters during the connection establishment or the hello message.”
Since this is defined as a pool behavior (topology-agnostic), it seems we should implement the labeling in the connection pool layer so it applies consistently in both default and load-balanced modes.
| // clear the pool as they're not related to overload. | ||
| // TLS configuration errors (certificate validation, protocol mismatches) should also clear the pool | ||
| // as they indicate configuration issues, not server overload. | ||
| if (beforeHandshake && !sdamIssue.relatedToAuth() && !sdamIssue.relatedToTlsConfigurationError()) { |
There was a problem hiding this comment.
Currently we don’t distinguish DNS lookup failures (UnknownHostException) from other connection-establishment network errors. As a result, a DNS failure goes through the generic path (same as connection reset/timeout) and gets SystemOverloadedError/RetryableError labels.
The CMAP spec excludes DNS failures from backpressure labeling: `“For errors that the driver can distinguish as never occurring due to server overload, such as DNS lookup failures […] the driver MUST NOT add backpressure error labels for these error types.”.
Proposed change: detect DNS failure by walking the exception cause chain for UnknownHostException (it’s wrapped as MongoSocketException from ServerAddressHelper.getSocketAddresses()), and when present, skipping backpressure label attachment so SDAM follows the normal path (clear the pool and mark the server Unknown).
In that case, we should add coverage to assert that labeling and pool clearing behaviour. If the driver ever changes the wrapper exception type MongoSocketException (or stops wrapping UnknownHostException this way) and starts adding labels the test should fail.
There was a problem hiding this comment.
Pull request overview
This PR updates SDAM/backpressure handling so that connection-establishment failures caused by server-side backpressure do not clear the connection pool, and adds/updates tests and matchers to align with the SDAM spec test expectations.
Changes:
- Adjust SDAM exception handling to avoid invalidating the pool on certain pre-handshake network failures, and add TLS-configuration-error classification.
- Add new error label constants (
SystemOverloadedError,RetryableError) and apply them for backpressure-related failures. - Extend unified event matching for additional server types and add a prose test for connection pool backpressure behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| driver-sync/src/test/functional/com/mongodb/client/unified/EventMatcher.java | Extends server type matching for SDAM serverDescriptionChangedEvent expectations. |
| driver-sync/src/test/functional/com/mongodb/client/ServerDiscoveryAndMonitoringProseTests.java | Adds a prose test intended to validate connection pool backpressure behavior via server rate limiter parameters. |
| driver-core/src/test/unit/com/mongodb/internal/connection/DefaultServerSpecification.groovy | Updates unit tests to expect pool preservation on network errors during connection establishment (sync/async). |
| driver-core/src/main/com/mongodb/internal/connection/SdamServerDescriptionManager.java | Adds TLS configuration error detection helper on SDAM issues. |
| driver-core/src/main/com/mongodb/internal/connection/DefaultSdamServerDescriptionManager.java | Changes SDAM exception handling to preserve pool/server description for certain pre-handshake failures and apply labels. |
| driver-core/src/main/com/mongodb/MongoException.java | Introduces new public error label constants used by the backpressure handling path. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /** | ||
| * An error label indicating that the server is overloaded. | ||
| * | ||
| * @see #hasErrorLabel(String) | ||
| * @since 5.7 | ||
| */ | ||
| public static final String SYSTEM_OVERLOADED_ERROR_LABEL = "SystemOverloadedError"; | ||
|
|
||
| /** | ||
| * An error label indicating that the operation is safely retryable. | ||
| * | ||
| * @see #hasErrorLabel(String) | ||
| * @since 5.7 | ||
| */ | ||
| public static final String RETRYABLE_ERROR_LABEL = "RetryableError"; | ||
|
|
There was a problem hiding this comment.
I introduced these constants in #1918. There is more to this than the change do in the current PR. Let's revert the change in the current PR to resolve the conflict with backpressure.
| // Backpressure spec: Don't clear pool or mark server unknown for connection establishment failures | ||
| // (network errors or timeouts during handshake). Authentication errors after handshake should still | ||
| // clear the pool as they're not related to overload. | ||
| // TLS configuration errors (certificate validation, protocol mismatches) should also clear the pool | ||
| // as they indicate configuration issues, not server overload. |
There was a problem hiding this comment.
We don't usually copy the specification prose into code as comments. I suspect, this comment was left by the AI.
Let's remove this comment, unless there is a good reason to leave it, which was not applicable to the rest of the code in this file that existed before the current PR.
| // Don't update server description to Unknown | ||
| // Don't invalidate the connection pool | ||
| // Apply error labels for backpressure |
There was a problem hiding this comment.
We don't usually copy the specification prose into code as comments. I suspect, this comment was left by the AI.
Let's remove this comment, unless there is a good reason to leave it, which was not applicable to the rest of the code in this file that existed before the current PR.
There was a problem hiding this comment.
[this comment is left on a file, but has nothing to do with the file; this is done so that we could reply to the comment; commenting on a PR does not allow replies - horrendous GitHub functionality]
The current PR seemingly depends on #1856 (see the description of the current PR). We need to decide what to do with that.
P.S. I originally left my thoughts in the description of this PR, but I don't know if that's what we are going to do.
There was a problem hiding this comment.
We no longer depend on this PR see #1900 (comment)
There was a problem hiding this comment.
[this comment is left on a file, but has nothing to do with the file; this is done so that we could reply to the comment; commenting on a PR does not allow replies - horrendous GitHub functionality]
- Could you please confirm that all the specification changes listed in the "Specification changes" part of the description of the current PR have been addressed in the PR?
- If they have been addressed, let's update the description correspondingly.
There was a problem hiding this comment.
Description updated. All specs are implemented
There was a problem hiding this comment.
[this comment is left on a file, but has nothing to do with the file; this is done so that we could reply to the comment; commenting on a PR does not allow replies - horrendous GitHub functionality]
JAVA-5949 has an old comment, which instructs to re-enable some tests that were previously disabled when we updated the testing/resources/specifications submodule in main. Those tests were not enabled. Let's enable them and make sure they pass.
There was a problem hiding this comment.
This PR no longer depends on #1856. Spec PR mongodb/specifications#1880 rewrote the backpressure-network-*-fail.yml tests to wait on serverDescriptionChangedEvent instead of serverHeartbeatSucceededEvent.
…establishing connections
- Fixing static check analysis
nhachicha
force-pushed
the
nh/backpressure/preserve_connection_pool
branch
from
0be0250 to
bce97d4
Compare
…handshake network timeout
…veryAndMonitoringProseTests.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JAVA-6141
- Deprioritize sharded clusters on any error, all other topologies only on SystemOverloadedError. - Pass ClusterType to updateCandidate so onAttemptFailure can distinguish topology types. - Add retryable reads prose tests 3.1 and 3.2. - Change ServerSelectionSelectionTest to use BaseCluster server selection chain. JAVA-6105 JAVA-6021 JAVA-6074 --------- Co-authored-by: Valentin Kovalenko <valentin.male.kovalenko@gmail.com> Co-authored-by: Ross Lawley <ross.lawley@gmail.com>
The relevant spec changes: - https://github.com/mongodb/specifications/blob/8a8a7c56429c80b51ec62268dcafc5e5e3c477ef/source/client-backpressure/tests/README.md JAVA-5956, JAVA-6117, JAVA-6113, JAVA-6119, JAVA-6141
- Add enableOverloadRetargeting boolean option to MongoClientSettings and ConnectionString to allow the driver to route requests to a different replica set member on retries when the previously used server is overloaded - Add prose test 3.3 to verify that overload errors are retried on the same server when retargeting is disabled JAVA-6167 --------- Co-authored-by: Ross Lawley <ross.lawley@gmail.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ntMatcher.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| MongoClientSettings clientSettings = getMongoClientSettingsBuilder() | ||
| .applyToConnectionPoolSettings(builder -> builder | ||
| .maxConnecting(100) | ||
| .addConnectionPoolListener(connectionPoolListener)) | ||
| .build(); | ||
|
|
||
| try (MongoClient adminClient = MongoClients.create(getMongoClientSettingsBuilder().build()); | ||
| MongoClient client = MongoClients.create(clientSettings)) { | ||
|
|
There was a problem hiding this comment.
testConnectionPoolBackpressure uses getMongoClientSettingsBuilder() (no direct connection) and then runs setParameter against admin. In sharded/load-balanced test environments this client may be connected to a mongos/LB endpoint, where these ingressConnectionEstablishment* parameters are not expected to be configurable, causing the test to fail or not exercise the intended server behavior. Consider either skipping the test when ClusterFixture.isSharded()/ClusterFixture.isLoadBalanced() or forcing a direct connection to a mongod (e.g., via applyToClusterSettings(ClusterFixture::setDirectConnection) / connecting to the primary address explicitly).
There was a problem hiding this comment.
Rejected: deviate from the spec
| private static boolean isTlsConfigurationError(final Throwable t) { | ||
| Throwable cause = t.getCause(); | ||
| while (cause != null) { | ||
| if (cause instanceof CertificateException | ||
| || cause instanceof CertPathBuilderException | ||
| || cause instanceof CertPathValidatorException | ||
| || cause instanceof SSLPeerUnverifiedException | ||
| || cause instanceof SSLProtocolException) { | ||
| return true; | ||
| } | ||
| if (cause instanceof SSLHandshakeException) { | ||
| String message = cause.getMessage(); | ||
| if (message != null) { | ||
| String lowerMessage = message.toLowerCase(Locale.ROOT); | ||
| if (lowerMessage.contains("certificate") | ||
| || lowerMessage.contains("verify") | ||
| || lowerMessage.contains("trust") | ||
| || lowerMessage.contains("hostname") | ||
| || lowerMessage.contains("protocol") | ||
| || lowerMessage.contains("cipher") | ||
| || lowerMessage.contains("handshake_failure")) { | ||
| return true; | ||
| } | ||
| } | ||
| } | ||
| cause = cause.getCause(); | ||
| } | ||
| return false; |
There was a problem hiding this comment.
The TLS-configuration-error exclusion logic in isTlsConfigurationError is new, but there is no unit test asserting that common TLS misconfiguration failures (e.g., certificate validation / handshake failures) are not labeled as SystemOverloadedError and therefore still lead to normal pool invalidation. Adding a focused unit test similar to the DNS lookup failure test would help prevent regressions in this classification logic.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| case "connectionClosedEvent": | ||
| case "connectionCheckedInEvent": | ||
| context.getEventMatcher().waitForConnectionPoolEvents(clientId, event, count, entities.getConnectionPoolListener(clientId)); |
There was a problem hiding this comment.
executeWaitForEvent now supports waiting for connectionClosedEvent / connectionCheckedInEvent, but executeAssertEventCount (and EventMatcher.assertConnectionPoolEventCount) still only supports poolClearedEvent / poolReadyEvent. If any unified tests use assertEventCount for these new connection events, they will throw UnsupportedOperationException. Please extend executeAssertEventCount (and the matcher) to support counting these event types as well (or confirm the unified format only uses waitForEvent for them and document that constraint).
| case "connectionClosedEvent": | ||
| eventClass = ConnectionClosedEvent.class; | ||
| break; | ||
| case "connectionCheckedInEvent": | ||
| eventClass = ConnectionCheckedInEvent.class; | ||
| break; |
There was a problem hiding this comment.
waitForConnectionPoolEvents was extended to support connectionClosedEvent / connectionCheckedInEvent, but assertConnectionPoolEventCount still only supports poolClearedEvent / poolReadyEvent. This asymmetry can break unified tests that use assertEventCount for these new connection pool events. Please add these event types to assertConnectionPoolEventCount (and mirror the support in UnifiedTest.executeAssertEventCount).
| executor.awaitTermination(20, SECONDS)); | ||
| } finally { | ||
| if (!executor.isTerminated()) { | ||
| executor.shutdownNow(); |
There was a problem hiding this comment.
After calling shutdownNow() when the executor doesn’t terminate in time, the test doesn’t do a second awaitTermination. If driver I/O doesn’t respond promptly to interrupts, threads may linger and destabilize/hang subsequent tests. Consider awaiting termination after shutdownNow() (with a short timeout) and failing explicitly if it still won’t terminate, to ensure the suite can reliably progress.
| executor.shutdownNow(); | |
| executor.shutdownNow(); | |
| try { | |
| if (!executor.awaitTermination(5, SECONDS)) { | |
| fail("Executor did not terminate after shutdownNow"); | |
| } | |
| } catch (InterruptedException e) { | |
| Thread.currentThread().interrupt(); | |
| fail("Interrupted while awaiting executor termination after shutdownNow"); | |
| } |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Original PR #1854 accidentally closed, and had no outstanding review comments.
This current PR depends on [JAVA-6033] ServerHeartbeatSucceededEvent is not fired for initial POLL monitoring #1856:Update: This PR no longer depends on [JAVA-6033] ServerHeartbeatSucceededEvent is not fired for initial POLL monitoring #1856. Spec PR DRIVERS-3367: Fix racy backpressure-network-* tests specifications#1880 rewrote the
backpressure-network-*-fail.ymltests to wait onserverDescriptionChangedEventinstead ofserverHeartbeatSucceededEvent.we should merge the latter intomain, then merge this PR inbackpressure, and leave the necessaryTODOcomments in #1918 related to the dependency on #1856.backpressurebranch, rebasebackpressureon top ofmainto include the changes from themain(see Mergemainintobackpressure#1917 (comment) for more context on this process).TODOcomments.Specification changes:
Note that there was a change in the description of one of the tests that belongs to this PR, but I closed the corresponding JAVA-6095 (see this comment): DRIVERS-3394: adjust spec test description (#1894).
JAVA-5949, JAVA-6056, JAVA-5664
AI usage and effectiveness: