DRIVERS-2884: CSOT avoid connection churn when operations timeout

[sanych-sun]

This PR is based on the Preston's work in another PR that was closed by mistake: #1675

This PR implements the design for connection pooling improvements described in DRIVERS-2884, based on the CSOT (Client-Side Operation Timeout) spec. It addresses connection churn caused by network timeouts during operations, especially in environments with low client-side timeouts and high latency.

When a connection is checked out after a network timeout, the driver now attempts to resume and complete reading any pending server response (instead of closing and discarding the connection). This may require multiple connection to be attempted during the connection check out from the pool.
Each pending response draining is subject to a cumulative 3-second static timeout. The timeout is refreshed after each successful read, acknowledging that progress is being made. If no data is read and the timeout is exceeded, the connection is closed.

This update introduces new CMAP events and logging messages (PendingResponseStarted, PendingResponseSucceeded, PendingResponseFailed) to improve observability of this path.

Please complete the following before merging:

• Update changelog.
• Test changes in at least one language driver.
• Test these changes against all server versions and topologies (including standalone, replica set, and sharded
  clusters).

[codeowners-service-app]

Assigned qingyang-hu for team dbx-spec-owners-csot because ShaneHarvey is out of office.

[jmikola]

I reviewed the unified test schema changes alone and those LGTM. I'll defer to CSOT spec folks for the other files.

[baileympearson]

@sanych-sun Have we implemented these changes in any driver? Which driver is supposed to be the second implementer? iirc it was originally Python

[baileympearson]

Do we have pseudocode for "drain the pending response" somewhere? I don't see it in this PR.

[sanych-sun]

As we have events emission in the current pseudocode, not sure if we need to have pseudocode for "drain the pending response", as it basically "consume the bytes from underling stream/socket and ignore them".

[baileympearson]

Connection pools are FIFO. Considering the case where we are successfully reading chunks of data off of the socket but we're timing out before we finish the read (the final else block in your pseudocode), won't checking the connection back into the pool and looping just cause this request to immediately checkout the same connection again (the behavior https://jira.mongodb.org/browse/DRIVERS-3276 is intending to avoid)?

And regarding https://jira.mongodb.org/browse/DRIVERS-3276: are we convinced that its better to potentially block a number of operations on the slow connection than to block just one?

[sanych-sun]

We can check in the connection back only if the current check out is timed out (either because of CSOT or waitQueueTimeout has elapsed), but "pending response sliding window" has not expired yet. But the "current" operation is timed out anyway, so it should raise an error instead of attempting another connection.

[sanych-sun]

If we have "slow to drain" connection in the pool - it will cause the same kind of problem regardless we do retry on operation level or if we attempting to drain several connections inside the checkout. Because such connection will return back to pool and affect next "unlucky" operation anyway.

[baileympearson]

Pseudocode needs to include new event and logging emissions.

[sanych-sun]

Done

[baileympearson]

Seems odd that the events emitted for an operation include a requestId that corresponds to the request that made the connection pending response. What is the value in this datapoint?

If we decide to keep it - do you think a more precise name would be beneficial? requestId is ambiguous - users could easily assume it refers to the request that is reading the pending response, not the operation that made the connection pending.

[sanych-sun]

The idea of reporting the original requestId is to keep tracking how long/how many draining attempt were made before success or failure. Honestly I would prefer to have BOTH, current request Id and "original timed out requestId", but it could make sense only if other check out event had "current requestId" field, which is not there =(

[ShaneHarvey]

This might depend on driver internals but in Python the new request ID will not be available at this point because the command has not been serialized (we need to checkout the connection first).

As for including the old requestId, I'm not sure how useful it is but it seems harmless to add. The driver needs to validate requestId == responseTo field on the server reply using the old requestId anyway to make sure the wire protocol isn't violated so that value will be available.

[sanych-sun]

Thank you Shane! I suppose we want to keep the field. @baileympearson is this OK with you?

[baileympearson]

Please update the changelog.

[sanych-sun]

Done.

[baileympearson]

same comment as on above test.

[baileympearson]

The insert is the first command on the connection, so where are the values for sendBytes coming from?

[sanych-sun]

This is the parameter for proxy, which specifies how many bytes should be streamed, before sleeping.

[baileympearson]

The value of sendBytes is determined based on the state of the connection. But this is the first operation on the connection, so the connection will never have anything in the buffer and it isn't clear what the value of sendBytes should be.

Unless I misunderstand what sub-bullets 1,2, and 3 mean?

[baileympearson]

This doesn't match the actual contents of the test, so either the description or the test needs to be updated.

But if its the description that is inaccurate - with sendAll: true and the events (only one pending read started + finished pair), the full response will be read in the first operation. Don't we have coverage for this scenario from our unified tests?

[sanych-sun]

We are using proxy server here to control when/how server response arrived to the client side. So in step 2 in addition to the regular insert command payload, we have to add additional proxyTest property, which instruct proxy to emulate timeout. It works as following:

1. it send request to the server
2. based on the sendBytes parameter it stream requested amount of bytes instantly
3. it sleeps for delayMS
4. it streams rest of the response.

I think it makes sense to add this explanation to the test summary.

[baileympearson]

Okay, maybe my confusion stems from the interaction between sendBytes and sendAll. Does sendAll being enabled not mean that the proxy will forward the full response back to the client?

[matthewdale]

The mix of exception/error paradigms in this pseudocode block is a bit confusing. We should rewrite this new pseudocode to use try/catch like the existing code.