[multistage] Sender-side gRPC back-pressure for mailbox + MAILBOX_CLIENT_USED_* gauges (draft)

[gortiz]

Why

Customer hit OutOfDirectMemoryError inside MessageFramer.writeRaw from GrpcSendingMailbox.sendContent:

failed to allocate 4194304 byte(s) of direct memory (used: 25163727127, max: 25165824000)
  at io.grpc.netty.shaded.io.netty.util.internal.PlatformDependent.incrementMemoryCounter(...)
  ...
  at io.grpc.internal.MessageFramer.writeRaw(MessageFramer.java:294)
  ...
  at org.apache.pinot.query.mailbox.GrpcSendingMailbox.sendContent(GrpcSendingMailbox.java:227)

Root cause: GrpcSendingMailbox calls StreamObserver.onNext(...) unconditionally on every chunk. The runtime object is a ClientCallStreamObserver exposing isReady() / setOnReadyHandler(), but we don't use either. The receiver-side MailboxStatusObserver already writes back buffer-size metadata to the sender, but it is explicitly thrown away:

// pinot-query-runtime/.../channel/MailboxStatusObserver.java
// TODO: this feedback info is not used to throttle the send speed. it is currently being discarded.

When the receiver drains slower than the sender writes (slow consumer, full mailbox queue, large fan-out, skewed hash shuffle, etc.) the proto chunks pile up in gRPC Netty's outbound queue until the JVM-wide direct-memory cap is hit.

Shape of this PR

This PR ships the mechanism, configs, and observability — production behaviour is unchanged.

The two back-pressure features (sender-side isReady gate, receiver-side manual inbound flow control) both default to off. The OutOfDirectMemoryError failure mode is unchanged from pre-PR for any cluster that doesn't explicitly opt in. Operators who hit the OOM flip two booleans — pinot.query.runner.grpc.sender.backpressure.enabled and pinot.query.runner.grpc.manual.inbound.flow.control.enabled — both to true, optionally raise pinot.query.runner.grpc.inbound.message.credit from its conservative default of 1, and they get the bounded-sender behaviour the rest of this PR description describes.

Transport-tuning defaults (HTTP/2 stream window, Netty WriteBufferWaterMark) are raised from gRPC/Netty's KB-scale defaults to MB-scale — those don't add any per-send cost and are useful regardless of whether the gate is engaged. They can also be tuned per-config if an operator wants to dial them back.

Reproducer / test

GrpcSenderBackpressureTest (in pinot-query-runtime/src/test/.../mailbox/) stands up two real MailboxService instances on localhost (full gRPC stack — not mocked), spawns a slow reader thread polling the receiving mailbox every 20 ms (~50 blocks/s), and runs a fast sender loop on the test thread (sender.send(block) in a tight loop with the same small RowHeapDataBlock reused). The new MAILBOX_CLIENT_USED_* gauges (see "Observability" below) are printed so the behaviour is visible in CI output. The test enables both back-pressure features explicitly in its PinotConfiguration.

Pre-fix behaviour (no protection): sender outruns reader by ≥1858×, client direct memory grows by tens of MB without bound.

Opt-in (feature enabled) behaviour: sender stays roughly in step with reader (~35× ratio — the residual is the HTTP/2 window's worth of in-flight messages before isReady() flips false), client direct memory bounded.

Two companion tests pin the rest of the matrix:

• GrpcSenderBackpressureOffPathTest — same scenario with the gate at its production default (off); asserts the pre-fix unbounded sender behaviour is preserved so the off-path is a true no-op.
• GrpcSenderBackpressureTightGateTest — feature enabled but transport configs shrunk to KB-scale, so the application gate (rather than the wider transport) is the dominant back-pressure mechanism. Asserts the tight polledCount * 50 + 10_000 bound that a no-gate refactor would fail.

What

Three layers of mechanism that compose, all introduced by this PR:

1. Sender-side application gate (GrpcSendingMailbox)

Casts _contentObserver to ClientCallStreamObserver, registers an onReadyHandler via ClientResponseObserver.beforeStart (gRPC rejects late registration), and blocks the calling thread on a Condition until isReady() flips or the mailbox is terminated.

• MailboxStatusObserver becomes a ClientResponseObserver, signalling the sender's Condition on transport-ready transitions and on early-terminate metadata so any receiver-side event can wake a stuck sender.
• GrpcSendingMailbox.awaitReady(boolean bypassReady) is the new wait. Normal sends wait for isReady() with the query deadline as timeout; cancel/close sends pass bypassReady=true so a cancel issued while the receiver is congested can still push its error EOS through without re-blocking on the very back-pressure it's trying to escape. Pokes QueryThreadContext.checkTerminationAndSampleUsage on each iteration so query cancellation can unblock through the existing MSE path.
• _readyLock (the ReentrantLock that already guards _readyCond) now serializes every call to _contentObserver.onNext / onCompleted across sendContent, send(Eos), cancel, and close — closing a family of races where the data path and a concurrent cancel could both call onNext on the non-thread-safe ClientCallStreamObserver. Two regression tests in GrpcSendingMailboxTest reproduce the race on unfixed code (lazy-init race + EOS-vs-cancel half-close race) and confirm the lock closes them.
• Spool: when a stage spools to multiple destination mailboxes via BlockExchange.BlockExchangeSendingMailbox, one slow downstream worker throttles the whole spool. This is intentional — the alternative (forking each destination onto its own thread) would re-introduce the unbounded outbound queue we're fixing. The javadoc on awaitReady calls this out so it doesn't surprise anyone.
• Opt-in: pinot.query.runner.grpc.sender.backpressure.enabled (default false). Setting to true engages the gate. Operators who don't hit the OOM see no behaviour change.

2. Transport-layer tuning (GrpcMailboxServer + ChannelManager)

The default gRPC HTTP/2 stream window is 65 535 bytes initial, BDP-tuned to ~1 MiB on localhost/LAN. At those sizes isReady() flips false on almost every non-trivial chunk, so the gate's slow path (park/wake on Condition) engages essentially per-send. Widening the transport pipeline keeps isReady() true for whole blocks at a time. Three new configs (all in pinot-spi/CommonConstants.MultiStageQueryRunner):

Config	Default	Layer
pinot.query.runner.grpc.flow.control.window.bytes	64 MiB	HTTP/2 stream window the receiver advertises (NettyServerBuilder.flowControlWindow)
pinot.query.runner.grpc.write.buffer.high.water.mark.bytes	64 MiB	Netty per-channel WriteBufferWaterMark high (sender outbound queue)
pinot.query.runner.grpc.write.buffer.low.water.mark.bytes	32 MiB	Netty per-channel WriteBufferWaterMark low

These three are the only defaults this PR changes that have any runtime effect by default. They affect throughput (not safety): wider window/watermark means fewer round-trips per request and a higher direct-memory bound (watermark × #peers on the sender, window × #concurrent inbound streams on the receiver). The Javadoc on each key carries the scaling formula so operators can size against -XX:MaxDirectMemorySize. Fail-fast Preconditions.checkArgument validation at GrpcMailboxServer / ChannelManager constructors rejects misconfiguration at startup (negative watermarks, low > high, window < maxInboundMessageSize) rather than letting it surface mid-query.

3. Manual inbound flow control (GrpcMailboxServer + MailboxContentObserver)

gRPC's default auto-inbound-flow-control issues request(1) after every MailboxContentObserver.onNext returns. That ties the sender's HTTP/2 window replenishment to the receiver's per-message processing time (including the offerRaw lock inside the application queue). Even with the wider 64 MiB window the sender ends up parked in awaitReady for most chunks because only one message is in flight on a stream at a time.

When this feature is enabled, the receiver switches to manual inbound flow control:

• GrpcMailboxServer.open casts the response observer to ServerCallStreamObserver, calls disableAutoInboundFlowControl(), and request(N) once at stream open.
• MailboxContentObserver.onNext calls request(1) at the very start of the method — before the offerRaw lock — so credit is replenished while the sender is still on the wire, not after the receiver is done processing.

Two new configs:

Config	Default	Meaning
pinot.query.runner.grpc.manual.inbound.flow.control.enabled	false	Opt-in. When true, the receiver uses the manual-flow path above. When false, gRPC's auto-inbound applies — 1 message in flight per stream, pre-PR behaviour.
pinot.query.runner.grpc.inbound.message.credit	1	Conservative default — equivalent to gRPC auto when the manual-flow flag is on. Operators tune up for throughput on small/medium blocks; the bench measures it at 128.

Cancel-propagation latency widens with the credit value (the in-band error EOS sits behind buffered inbound up to min(credit messages, flowControlWindow bytes)). Issue #18541 tracks the proper out-of-band cancel work — relevant if operators set a large credit.

Observability (MAILBOX_CLIENT_USED_* gauges)

BrokerGauge and ServerGauge gain two entries each, sourced from ChannelManager._bufAllocator.metric():

Gauge	Source
MAILBOX_CLIENT_USED_DIRECT_MEMORY	usedDirectMemory()
MAILBOX_CLIENT_USED_HEAP_MEMORY	usedHeapMemory()

Mirrors the existing MAILBOX_SERVER_USED_* gauges that GrpcMailboxServer publishes for the inbound (server) allocator. Closes the gap that today we have no per-process visibility into the gRPC client outbound pool — which is exactly the pool that exhausts in this failure mode.

MailboxService registers them in its constructor, picking BrokerMetrics vs ServerMetrics based on InstanceType. Both direct and heap are reported so the numbers stay meaningful regardless of -Dio.netty.noPreferDirect. Four matching @VisibleForTesting accessors (getMailbox{Client,Server}Used{Direct,Heap}MemoryBytes()) let tests and other internal callers read the values without going through the metrics registry.

Benchmark

BenchmarkGrpcMailboxSend was rewritten to a request-shape probe: one @Benchmark invocation ships 128 MiB split into pre-computed RowHeapDataBlocks of _blockSizeBytes, and waits on a CountDownLatch for the receiver-side drain to complete (drainer thread blocks on the receiver's Reader::blockReadyToRead callback via a Semaphore). The bench explicitly enables both back-pressure features and sets credit to 128 in its PinotConfiguration — these numbers measure the feature-enabled regime, not the production default. Time per request, ms/op (lower is better):

Block	FlowCtl Window	gate=on (ms)	gate=off (ms)	Δ (gate cost)
8 KiB	64 KiB	354.0 ± 19.7	348.7 ± 52.9	+1.5%
8 KiB	1 MiB	341.9 ± 78.3	332.9 ± 32.0	+2.7%
8 KiB	64 MiB	344.7 ± 46.5	353.1 ± 24.6	−2.4%
8 MiB	64 KiB	116.4 ± 28.2	114.2 ± 47.6	+1.9%
8 MiB	1 MiB	57.9 ± 4.0	46.7 ± 19.7	+24.0%
8 MiB	64 MiB	49.3 ± 31.2	32.5 ± 1.7	+51.7%
32 MiB	64 KiB	136.3 ±126.6	122.9 ±142.9	+10.9%
32 MiB	1 MiB	71.8 ± 9.7	50.1 ± 7.4	+43.3%
32 MiB	64 MiB	55.6 ± 11.2	38.1 ± 1.5	+46.2%

gate=off is the sender-backpressure kill-switch (current default + pre-fix code path). gate=on is what an operator opting into the feature gets.

The pre-PR steady-state on localhost is gate=off + window=1 MiB (gRPC's BDP-tuned default): 46.7 ms for 8 MiB blocks ≈ 2.7 GiB/s. Opt-in gate=on + window=64 MiB: 49.3 ms ≈ 2.6 GiB/s — ~5% slower than pre-PR steady-state and ~2× faster than pre-PR cold-start (window=65535, 114 ms).

The gate's wall-clock cost on large blocks comes from awaitReady → Condition.await while the per-channel watermark drains. Async-profiler wall-clock confirms 105 / 401 jmh-worker samples are in that exact path; the cost is pure waiting, not lock contention. Switching the gate to an async / setOnReadyHandler-driven path was considered and rejected: with the watermark in place, an async chunk queue would behave like a larger window — it would recover throughput but at the cost of more in-flight memory, which is the very thing we're bounding.

Backwards compatibility

• New gauges: additive only — no rename or removal of existing gauges.
• New MailboxService accessors: @VisibleForTesting, additive.
• New CommonConstants.MultiStageQueryRunner config keys: additive. Both opt-in flags default to false; runtime behaviour is unchanged for any cluster that doesn't explicitly set them. The three transport-tuning defaults (window + 2× watermark) are raised from KB-scale to MB-scale; this changes throughput characteristics but no semantics, and operators can dial them back via config.
• No on-wire protocol change. No existing-config rename. Rolling upgrades unaffected — a fixed sender talking to an old receiver is just the existing behaviour (the new isReady()-gated wait is purely client-local; the new transport configs are independently effective per side).

Test plan

• GrpcSenderBackpressureTest — feature opt-in path with wide defaults, sender stays bounded, ratio ~35×.
• GrpcSenderBackpressureTightGateTest — feature opt-in with narrow transport, asserts the application gate alone bounds the sender.
• GrpcSenderBackpressureOffPathTest — production-default off path; asserts the pre-fix unbounded sender behaviour is preserved verbatim.
• GrpcMailboxServerValidationTest, ChannelManagerTest — startup Preconditions.checkArgument gates: inboundMessageCredit > 0, writeBufferLowWaterMarkBytes > 0, low <= high, flowControlWindow >= maxInboundMessageSize. Each verified to fail-then-pass against unfixed/refixed production code.
• GrpcSendingMailboxTest includes two new race regression tests — lazy-init race (sender + cancel from t=0, exactly-one observer created) and EOS-vs-cancel half-close race (200 iterations, neither call throws). Both verified to reproduce the bug on pre-fix code.
• All other pinot-query-runtime/src/test/.../mailbox/ tests still pass (MailboxServiceTest, MailboxContentObserverTest, InMemorySendingMailboxTest). The testRemoteCancelledBySender* tests caught a real bug in the first cut of the fix (awaitReady short-circuiting cancel's own EOS) — fixed by the bypassReady flag.
• spotless:apply clean, checkstyle:check 0 violations on touched modules.
• CI green on apache/pinot.

🤖 Generated with Claude Code

[codecov-commenter]

Codecov Report

❌ Patch coverage is 71.57895% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.28%. Comparing base (2910445) to head (f6d24f8).
⚠️ Report is 38 commits behind head on master.

Files with missing lines	Patch %	Lines
...apache/pinot/query/mailbox/GrpcSendingMailbox.java	74.76%	20 Missing and 7 partials ⚠️
...va/org/apache/pinot/spi/utils/CommonConstants.java	4.16%	23 Missing ⚠️
...org/apache/pinot/query/mailbox/MailboxService.java	86.95%	0 Missing and 3 partials ⚠️
...he/pinot/query/mailbox/channel/ChannelManager.java	85.71%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #18519      +/-   ##
============================================
+ Coverage     63.75%   64.28%   +0.53%     
+ Complexity     1932     1137     -795     
============================================
  Files          3292     3314      +22     
  Lines        201470   204255    +2785     
  Branches      31316    31785     +469     
============================================
+ Hits         128442   131306    +2864     
+ Misses        62735    62413     -322     
- Partials      10293    10536     +243     

Flag	Coverage Δ
custom-integration1	100.00% <ø> (ø)
integration	100.00% <ø> (ø)
integration1	100.00% <ø> (ø)
integration2	0.00% <ø> (ø)
java-21	64.28% <71.57%> (+0.53%)	⬆️
temurin	64.28% <71.57%> (+0.53%)	⬆️
unittests	64.28% <71.57%> (+0.53%)	⬆️
unittests1	56.74% <71.57%> (+0.94%)	⬆️
unittests2	35.52% <10.00%> (+0.26%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[yashmayya]

Nice mechanism overall — ClientResponseObserver.beforeStart + setOnReadyHandler + a Condition for the slow path is the right shape, and the bypass-for-EOS reasoning around preserving the original error code is well thought through. A few concurrency and API-hygiene items worth tightening before merge — comments inline.

[gortiz]

I've run the benchmark and performance drops sensibly when the feature is enabled. The reason is that the http2+netty window is tiny. I'm going to make it configurable and run the tests again

[yashmayya]

Second-pass review after the round-1 inline comments were addressed and two new architectural commits (e1c8459a60 widen-pipeline, dfce8a42cb manual inbound flow control) were pushed.

Round-1 verdicts (re-verified against the latest code): M2 partially-fixed (EOS race closed, data-path race narrowed but still reachable — comment below), M3/M5/M7/M8/M9 confirmed-fixed.

Round-2 focus is whether the new transport defaults still solve the direct-memory OOM the PR was built to fix. The mechanism is now layered: Netty WriteBufferWaterMark on the sender + HTTP/2 flow-control window on the receiver + manual inbound credit with eager replenishment + the original awaitReady application gate as a chunk-level safety net. The combination is correct and bounded, but the defaults are generous enough that on a moderate fan-out (~50 peers) the per-process bound approaches typical -XX:MaxDirectMemorySize ceilings, and the regression test no longer exercises the application gate at default config. Comments below address that plus a couple of related behavioral regressions (data-path race, cancel propagation latency).

Nice work on the rewrite — the bench/test changes and the @VisibleForTesting annotations are exactly what was needed.

[yashmayya]

The TODO downplays the risk this PR was built to address. Pinot deployments with 50–100 servers are common, and the bound here is writeBufferHighWaterMark × #peers on the sender plus flowControlWindow × #incoming_streams on the receiver. With the 64 MB defaults that's ~3.2 GiB/sender at 50 peers, ~6.4 GiB/sender at 100 peers, and a symmetric amount per concurrent inbound stream on the receiver — multiple concurrent queries multiply this. That's well within reach of the original failure mode on a moderate fan-out, not "hundreds of peers per query".

Two concrete asks:

1. Convert this to a tracked issue with a quantitative trigger condition, so it doesn't rot as a comment.
2. Add an operator-facing scaling formula to CommonConstants.MultiStageQueryRunner Javadoc: peak_sender_direct_memory ≈ writeBufferHighWaterMark × #peers, peak_receiver_direct_memory ≈ flowControlWindow × #incoming_streams. Without that, operators have no way to size watermark vs -XX:MaxDirectMemorySize for their topology, and the defaults will deceive.

[gortiz]

I originally included this on the PR, but it just made it more complex. It is also difficult to trace total in-flight memory, as the natural way to track this is to increase a counter when a block is sent and reduce it when the receiver sends a status message, but that means we measure at block level, not chunk/message level.

[gortiz]

I created #18539. Anyway, note that multiplying these numbers by the number of concurrent opchains and servers is unrealistic.

[yashmayya]

The honest admission here ("awaitReady rarely fires the application-level gate") is correct — and it's also why this test no longer guards what it was built to guard. With the new transport defaults a 128-byte payload at 50 polls/sec for 3 seconds simply cannot fill a 64 MB sender write-buffer or a 64 MB HTTP/2 stream window, so the application gate never engages. The 140× relaxation (polledCount * 50 + 10_000 → polledCount * 7000 at line 210) means a future refactor that deletes the entire setOnReadyHandler + ClientResponseObserver.beforeStart + awaitReady machinery would still pass this test, because the kernel TCP send buffer alone bounds the ratio well under 7000× at this payload size.

Suggest a companion GrpcSenderBackpressureTightGateTest that overrides the new transport keys to small values via PinotConfiguration:

Map.of(
  "pinot.query.runner.grpc.flow.control.window.bytes", "65535",
  "pinot.query.runner.grpc.write.buffer.high.water.mark.bytes", "262144",
  "pinot.query.runner.grpc.write.buffer.low.water.mark.bytes", "131072"
)

with the original tight assertion (polledCount * 50 + 10_000). That makes the application gate the dominant back-pressure mechanism, so the test fails if awaitReady regresses. GrpcSenderBackpressureDisabledTest already exercises the kill-switch-off case; this would complete the matrix.

[gortiz]

Added in commit 2d8fe69320 as GrpcSenderBackpressureTightGateTest, with exactly the config matrix you proposed:

Map.of(
    KEY_OF_GRPC_FLOW_CONTROL_WINDOW_BYTES, 65535,
    KEY_OF_GRPC_WRITE_BUFFER_HIGH_WATER_MARK_BYTES, 262144,
    KEY_OF_GRPC_WRITE_BUFFER_LOW_WATER_MARK_BYTES, 131072,
    // Y3 fail-fast validation requires window >= maxInboundMessageSize, so shrink that too:
    KEY_OF_MAX_INBOUND_QUERY_DATA_BLOCK_SIZE_BYTES, 65535)

Tight assertion: sendCount <= polledCount * 50 + 10_000 (the original bound from before the wide-defaults relaxation). With narrow transport caps a deletion of the application gate would fail this loudly. Class-level Javadoc references the three-test matrix (GrpcSenderBackpressureTest — wide-defaults regime, GrpcSenderBackpressureDisabledTest — kill-switch off, this one — narrow transport with the gate as the dominant back-pressure mechanism).

The KEY_OF_MAX_INBOUND_QUERY_DATA_BLOCK_SIZE_BYTES override was added in commit 1d29438dc0 ("Fail fast on invalid gRPC mailbox transport configuration") — the Y3 startup-time check I added (flowControlWindow >= maxInboundMessageSize) immediately caught this test setup as misconfigured on first run; shrinking both together to 65 535 satisfies it.

[yashmayya]

Two validation gaps that fail lazily instead of at startup:

1. WriteBufferWaterMark(low, high) throws IllegalArgumentException if low > high, but only inside getChannel on the first send to a previously-unseen peer (lines 103-104, 116-117). A misconfigured cluster starts up fine, exposes metrics, and then explodes mid-query.
2. No positivity check; a 0 or negative watermark would be accepted by Netty as effectively always-writable / always-unwritable — not what operators expect.

Worth adding Preconditions.checkArgument(0 < writeBufferLowWaterMarkBytes && writeBufferLowWaterMarkBytes <= writeBufferHighWaterMarkBytes, ...) here, matching the existing pattern at GrpcMailboxServer.java:149-152 for _inboundMessageCredit. Same shape applies to flowControlWindow >= maxInboundMessageSize in GrpcMailboxServer — a window smaller than the max message size makes the stream unusable, and there's currently no check.

[gortiz]

Done in 1d29438dc0. Two validations added:

1. ChannelManager: eagerly constructs the WriteBufferWaterMark in the constructor (so Netty's own 0 <= low <= high check fires at startup, not on first getChannel), plus an explicit Preconditions.checkArgument(writeBufferLowWaterMarkBytes > 0, …) for the low = 0 degenerate case Netty accepts. The two int fields collapsed into a single _writeBufferWaterMark field reused across all peers.

2. GrpcMailboxServer: Preconditions.checkArgument(_flowControlWindowBytes >= maxInboundMessageSize, …), sitting next to the existing _inboundMessageCredit > 0 check.

Both match the precondition-with-config-key-name error-message style used for _inboundMessageCredit.

Side effect: the new validation caught GrpcSenderBackpressureTightGateTest on first run — it was overriding flowControlWindow to 65535 without also shrinking maxInboundMessageSize (default 16 MiB). The test now shrinks both together so the application gate, not the new validation, is what bounds the sender. The fact that the validation flagged a real (test-time) misconfiguration on first run is reassuring — exactly what fail-fast is for.

[yashmayya]

Subtle but worth surfacing: this credit replenishment runs before the blocking _mailbox.offerRaw at line 85. The comment explains the intent (decouple HTTP/2 window from per-message processing time) and the throughput rationale is reasonable, but architecturally this means the receiver replenishes credit independently of application drain rate. If the downstream ReceivingMailbox queue (cap 5) fills and the dispatch thread parks in _notFull.await, the sender keeps shipping bytes into the receiver's Netty inbound buffer up to the 64 MB stream window — i.e. receiver-side direct memory pinned per stalled stream is bounded by flowControlWindow, not by application progress.

That is the intentional design and it works as long as flowControlWindow × concurrent_streams stays well below -XX:MaxDirectMemorySize. Two suggestions:

1. Add // Do not move this below the blocking call so a future maintainer doesn't "fix" the apparent ordering oddity and re-couple credits to drain rate.
2. Spell out in the KEY_OF_GRPC_FLOW_CONTROL_WINDOW_BYTES Javadoc that this value is the per-stalled-stream receiver-side direct-memory exposure, not just a throughput knob — so operators sizing it understand the OOM-bound implication.

[gortiz]

Done in commit b5d19714ae. Above the _responseObserver.request(1) call there's now a blunt warning:

// Do not move this below the blocking _mailbox.offerRaw call — it must replenish credit
// BEFORE the offer so the receiver doesn't gate the sender on per-message application drain time.
_responseObserver.request(1);

And in CommonConstants.KEY_OF_GRPC_FLOW_CONTROL_WINDOW_BYTES Javadoc I spelled out that this value is the per-stalled-stream receiver-side direct-memory exposure (not just a throughput knob): when an inbound stream's application queue stalls, the wire can still buffer up to flowControlWindow bytes on that stream before the HTTP/2 peer stops sending. Operators sizing the window have the OOM-bound implication called out explicitly.

[yashmayya]

Round-1 review flagged this race; the EOS path was correctly closed in commit 573356ee74 by reordering _senderSideClosed = true before onCompleted(). This data-path mitigation is narrower — the isTerminated() re-check reduces but doesn't eliminate the window where two threads can call onNext on the same non-thread-safe ClientCallStreamObserver. Under heavy cancel-while-sending workloads the race surfaces as either an IllegalStateException from gRPC ("call already closed") or two concurrent onNext calls on a stream gRPC does not contractually promise to be thread-safe.

The clean fix is to hold _readyLock across awaitReady() + onNext(). The fast path of awaitReady is already lock-free (returns on isReady() outside the lock), so the extra acquire is paid only when the gate would have parked anyway — negligible. Alternative: keep the current approach but elevate this paragraph to class-level Javadoc so it's not lost in the middle of sendContent.

[gortiz]

Fixed in c39e12f1a4 by going with your "clean fix" — _readyLock (the existing ReentrantLock already used for _readyCond) now serializes every outbound observer call. Three sites are now lock-protected:

1. sendContent: lock spans the post-awaitReady isTerminated() re-check and the onNext. awaitReady itself stays outside the lock — its slow path takes _readyLock internally for _readyCond.await, so wrapping it would just nest. The fast isReady() == true path remains lock-free.
2. send(MseBlock.Eos, …): lock spans _senderSideClosed = true + onCompleted so the success-path close is atomic against any racing sendContent.
3. cancel: lock spans processAndSend(errorBlock, bypassReady=true) + onCompleted. The inner sendContent re-acquires via ReentrantLock's same-thread reentry, no-op cost.

The previous in-code paragraph that explained the narrow-window mitigation is gone — the race is no longer narrow, it's closed. Class-level Javadoc gained a one-liner: "_readyLock serializes every call to _contentObserver.onNext / onCompleted. Acquire it around any new outbound call site you add." so future maintainers don't accidentally add an unprotected fourth site.

Rationale for picking the full fix over the "elevate the comment to class-level Javadoc and file a follow-up" alternative: this PR already paid the equivalent cost in 573356ee74 for the symmetric cancel-vs-EOS race. Leaving the data-path variant behind a re-check that visibly doesn't close it (and writing that fact down) felt like the wrong invariant to ship. The cost of the lock is one uncontended lock()/unlock() per chunk — tens of ns against onNext, no measurable bench impact.

Tests: 40/40 mailbox tests still pass, including testRemoteCancelledBySender* in GrpcSendingMailboxTest (which is exactly the cancel-vs-send race scenario).

[yashmayya]

Behavioral regression worth documenting (and ideally testing): with auto inbound flow control the receiver saw one in-flight message at a time. With this change the in-flight window per stream becomes min(_inboundMessageCredit messages, flowControlWindow bytes) — min(128, 64 MB) at defaults. That widens cancel-propagation latency proportionally: when the sender calls cancel() and pushes an error EOS (bypassReady=true), the EOS is appended to the same HTTP/2 stream behind any messages already in the inbound buffer. The receiver dispatches each through MailboxContentObserver.onNext before observing the cancel, and if the application queue is full each dispatch parks in _notFull.await. A cancelled query can take noticeably longer to actually stop while up to 64 MB of buffered data is drained.

Two recommendations:

1. Register setOnCancelHandler on the ServerCallStreamObserver here. That gives the server an out-of-band signal to call _mailbox.cancel() and wake the parked dispatch thread immediately, independent of the stream-ordered EOS.
2. Add a test that issues a cancel while the receiver is parked on a full queue and asserts the receiver mailbox terminates within a tight bound (e.g. < 100 ms), independent of how many buffered messages remain on the stream.

[gortiz]

Two-part response landed in acdd1e3266:

1. Rollback knob (pinot.query.runner.grpc.manual.inbound.flow.control.enabled, default true).
Lets operators flip the receiver back to gRPC's auto-inbound-flow-control (1 in-flight message at a time, no disableAutoInboundFlowControl() call, no manual request(1) in onNext) without rebuilding. The rollback path matches the pre-PR receiver behaviour verbatim and is exercised in MailboxContentObserverTest (new testOnNextDoesNotReplenishCreditWhenManualFlowControlDisabled asserts request(anyInt()) is never called when the flag is false). This shrinks the worst-case cancel-latency window back to where it was before this PR, at the cost of the throughput improvement the manual flow control buys.

2. GH issue #18541 — MSE: out-of-band cancel propagation for stuck receivers.
Documents the underlying hang (in-band EOS gated by a parked dispatch thread on a full application queue) and explicitly notes it's pre-existing — the rollback path above doesn't fix it either, just shrinks the window. Two design options written up in the issue:

• Option 1: setOnCancelHandler + sender stream.cancel(). Faster, but the in-band error EOS can be dropped → loss of specific QueryErrorCode on the receiver.
• Option 2 (preferred): dedicated Mailbox.Cancel(mailboxId, errorPayload) unary RPC. Out-of-band, preserves error code fidelity, slightly more work (proto + handler + sender wiring). This is the route the user suggested when we discussed.

Also included: a concrete test recipe (cancel-while-receiver-parked-on-full-queue, assert termination within ~100 ms) that would fail today and pass after either option.

Going with documentation + rollback + issue in this PR rather than implementing the out-of-band cancel here: the proper fix is a non-trivial behavioural change to the cancel contract, and the issue Yash flagged is bounded (the rollback gives operators a release valve, and the hang it would re-expose predates this PR). Issue #18541 carries the design for the proper fix as a focused follow-up.

KEY_OF_GRPC_INBOUND_MESSAGE_CREDIT Javadoc now spells out the cancel-latency tradeoff (min(credit messages, flowControlWindow bytes) of buffered inbound to drain before the EOS reaches the application) and links #18541. GrpcSendingMailbox.cancel(Throwable) Javadoc carries the same link.

Tests: 41/41 mailbox tests still pass, including the new manual-flow-disabled test.

[Jackie-Jiang]

Good catch!

We are introducing a lot of new configs. What is the guideline for them? Do you foresee tuning each of them individually?

[Jackie-Jiang]

Should we align this with pinot.query.runner.max.msg.size.bytes (16MB by default)?

[gortiz]

No, we shouldn't. Using the same value as the default would mean that when large blocks are sent, a single message can be in-flight, which would penalize the performance. Benchmarks clearly show that 64MB is better for large messages than smaller values. In fact, larger values could produce a better throughput (at the cost of making more likely to get out of direct memory).

[gortiz]

Just to be clear: This is the buffer the sender has to send bytes until the receiver acks them. So it marks how many bytes we may have in-flight before blocking the sender. Having a larger value than pinot.query.runner.max.msg.size.bytes means that we can have more than 1 message in-flight, which is desired. The more messages we can have in-flight, the closer we are to the previous state, where the sender never blocks but keeps buffering off-heap memory. This increases performance at the cost of stability.

[gortiz]

A better explaination from Claude:

• flowControlWindow (64 MB): per-stream HTTP/2 inbound byte window the receiver advertises. Caps bytes in flight per stream
  before the sender has to wait for WINDOW_UPDATE.
• writeBufferHighWaterMark (64 MB): per-channel Netty outbound queue size on the sender. Once the queue grows past this,
  Channel.isWritable() flips false and the application gate parks.
• writeBufferLowWaterMark (32 MB): the drain threshold that flips isWritable() back to true.

flowControlWindow and writeBufferHighWaterMark are aligned at 64 MB by design — they cap roughly the same conceptual thing (one peer's worth of in-flight bytes) from the two ends of the wire. We could collapse them into a single config, but I prefer keeping them separate so operators can tune them independently if their workload calls for it (e.g. an asymmetric one-way fan-in).

writeBufferLowWaterMark intentionally is not equal to high — they're a hysteresis pair, not a single threshold. Netty marks the channel unwritable when the outbound queue grows above high, and writable again only when it drains below low. If we set them equal, the channel would oscillate between writable/unwritable on every byte once the queue is around that size, forcing constant park/wake on the application gate under sustained pressure. Half-of-high is the standard hysteresis ratio.

[Jackie-Jiang]

Does this mean we allow 128 gRPC messages to queue up on the sender side? How is this 128 calculated? This is way higher than the default blocking queue size, which is 5

[gortiz]

Yes, this means exactly that.

The max number of queued up messages will be 128 + the 5 we have in the blocking queue, but:

• The ones in the blocking queue are heap allocated, while the ones in gRPC should be off-heap (depending on the gRPC implementation)
• Their total size in bytes is still limited by the window size (DEFAULT_GRPC_FLOW_CONTROL_WINDOW_BYTES).

This is useful for small blocks that are sent very rapidly (which is probably not a common case in Pinot). Before this change, the number of messages in-flight was limited to 1. This wasn't that problematic because we buffered indefinitely on the sender side, but with this feature, it blocks the sender (the window isn't considered ready).

[Jackie-Jiang]

Do we want to also emit the server side memory usage?

[gortiz]

We already have that in MAILBOX_SERVER_USED_*, registered in GrpcMailboxServer. Probably worth following up on whether gauges give us enough spike fidelity — scrape-interval polling will miss short-lived bursts. A histogram or a max-since-last-scrape gauge would catch those, but either way means churn on existing metric names and neither of these concepts is supported by our PinotMetric abstraction

[xiangfu0]

Found one high-signal issue; see inline comment.

[xiangfu0]

This post-awaitReady() guard still leaves ClientCallStreamObserver exposed to concurrent use. If cancel() or close() wins the race after this check but before the sender thread reaches _contentObserver.onNext(...), the cancel path can still call onNext()/onCompleted() on the same observer concurrently. The comment above already notes the window is only reduced, not eliminated, and gRPC does not guarantee these observers are thread-safe. This needs a fully serialized send/close path (or a single-thread handoff), otherwise the back-pressure fix still leaves a correctness race in cancellation handling.

[gortiz]

You're right — the narrow re-check on its own wasn't enough, and this was independently flagged by @yashmayya in #3269229790. The full fix landed in commit c39e12f1a4 ("Fix data race on _contentObserver by serializing all outbound calls under _readyLock"), after the diff this thread was posted against.

What's there now: _readyLock (the existing ReentrantLock that already guards _readyCond) serializes every call to _contentObserver.onNext / onCompleted, across all three call sites:

• sendContent (GrpcSendingMailbox.java:372) — lock spans the post-awaitReady isTerminated() re-check and the onNext.
• send(MseBlock.Eos, …) (:142) — lock spans _senderSideClosed = true + onCompleted so the success-path close is atomic against any racing sendContent.
• cancel(Throwable) (:268) — lock spans processAndSend(errorBlock, bypassReady=true) + onCompleted. The inner sendContent reacquires the same ReentrantLock via same-thread reentry.

awaitReady itself stays outside the lock — its slow path acquires _readyLock internally to call _readyCond.await, and the fast isReady()-true path remains lock-free. The fast lock()/unlock() pair we pay per send is ~tens of ns vs. onNext cost, no measurable bench impact.

The "narrow-window mitigation" comment you were referring to has been removed; class-level Javadoc now carries the new invariant:

// _readyLock serializes every call to _contentObserver.onNext / onCompleted.
// Acquire it around any new outbound call site you add.

Tests in GrpcSendingMailboxTest (including testRemoteCancelledBySender*, which specifically exercises the cancel-vs-send race) still pass.

[yashmayya]

Third-pass review — validated the 10 follow-up commits since round 2. All round-2 inline comments were addressed cleanly: the data-path race is genuinely closed by serializing all three outbound observer call sites under _readyLock in c39e12f1a4 (verified there is no deadlock path — nothing that holds _readyLock ever invokes the slow path of awaitReady, so the reentrant-lock + Condition.await "releases only one level" footgun is dodged by construction; serialization runs outside the lock so the per-chunk cost stays at one uncontended lock pair). Startup validation, tight-gate test, kill-switch, TODO→issue link, scaling formulas all check out.

One real bug found — inline comment below.

[yashmayya]

This benchmark is broken by the new fail-fast validation in 1d29438dc0.

_flowControlWindowBytes is swept over {65535, 1048576, 67108864} (line 123) but the cfg map here only overrides KEY_OF_GRPC_FLOW_CONTROL_WINDOW_BYTES. maxInboundMessageSize stays at the 16 MiB default (DEFAULT_MAX_INBOUND_QUERY_DATA_BLOCK_SIZE_BYTES). The new Preconditions.checkArgument(_flowControlWindowBytes >= maxInboundMessageSize, ...) at GrpcMailboxServer.java:163 then rejects two of the three axis values at MailboxService.start():

• 65535 < 16 MiB → IllegalArgumentException
• 1048576 < 16 MiB → IllegalArgumentException
• 67108864 (64 MiB) ≥ 16 MiB → passes

So 16 of the 24 @Param configurations (2 × 4 × 2 = 16 with broken window values, out of 2 × 4 × 3 = 24 total) blow up in @Setup instead of running. The whole point of the benchmark — comparing the gate's behavior across the three flow-control-window regimes — collapses to a single regime.

Fix is one line — mirror what GrpcSenderBackpressureTightGateTest.java:118 already does:

PinotConfiguration cfg = new PinotConfiguration(Map.of(
    CommonConstants.MultiStageQueryRunner.KEY_OF_GRPC_SENDER_BACKPRESSURE_ENABLED, _backpressureEnabled,
    CommonConstants.MultiStageQueryRunner.KEY_OF_GRPC_FLOW_CONTROL_WINDOW_BYTES, _flowControlWindowBytes,
    CommonConstants.MultiStageQueryRunner.KEY_OF_MAX_INBOUND_QUERY_DATA_BLOCK_SIZE_BYTES,
        Math.min(_flowControlWindowBytes, CommonConstants.MultiStageQueryRunner.DEFAULT_MAX_INBOUND_QUERY_DATA_BLOCK_SIZE_BYTES)));

(The Math.min keeps the 64 MiB axis using the production-default 16 MiB max-message-size, which is what an operator would actually run; the two smaller axes pin maxInboundMessageSize down to the window so the validation passes.)

[gortiz]

Fixed in 6116e5442d. Same Math.min(window, default) clamp you proposed, applied to the bench's PinotConfiguration map.

You're right that I should have caught this when I added the validation — GrpcSenderBackpressureTightGateTest (which I also wrote) was already using exactly this clamp pattern, but I missed updating the bench in the same change. The bench's _flowControlWindowBytes axis is back to running all three cells (64 KiB / 1 MiB / 64 MiB).

Small correction to the description: the post-rewrite bench has 3 axes (_blockSizeBytes × 3, _backpressureEnabled × 2, _flowControlWindowBytes × 3 = 18 cells, not 24 — the old _payloadBytes × 4 axis was dropped when the bench moved to a request-shape probe in a597d63a64). But the conclusion was right — 12 of 18 cells were blowing up at @Setup.

[xiangfu0]

Found one high-signal issue; see inline comment.

[xiangfu0]

This lazy initialization is still racy with cancel(): both paths do a plain _contentObserver == null check and can each open their own gRPC stream for the same mailbox. If that happens, the cancel EOS / onCompleted() can run on a different ClientCallStreamObserver than the data path uses, so the receiver can miss the cancellation or see two concurrent streams for one mailbox. Please guard observer creation under _readyLock (or another one-time init primitive) so sender and cancel share a single stream.

[gortiz]

Fixed in 04eb98577c. The race was real — I landed a regression test (concurrentSendAndCancelInitializeContentObserverExactlyOnce) that reproduces it: sender thread + cancel thread driven through CyclicBarrier(2), asserts exactly one observer is created across 200 iterations; fires immediately on iteration 0 against unfixed code (counter sees 2), passes deterministically with the fix.

Fix uses the standard double-checked-lock idiom against the existing _readyLock:

private void ensureContentObserverInitialized() {
  if (_contentObserver != null) {
    return;                          // fast path, volatile read
  }
  _readyLock.lock();
  try {
    if (_contentObserver == null) {
      _contentObserver = getContentObserver();
    }
  } finally {
    _readyLock.unlock();
  }
}

Both bare if (_contentObserver == null) blocks (in sendInternal and cancel) now route through this helper. Kept the lazy init rather than eagerly initializing in the constructor — cancel-before-first-send must still open a stream so the receiver gets an explicit error EOS, so the lazy-init-on-cancel comment in the cancel path is load-bearing.

Your thread-safety prompt also pointed the way to a symmetric race we surfaced in a pre-push strict review: send(Eos) racing cancel's onCompleted on the half-close edge — both pass their top-of-method isTerminated() check, cancel wins the lock, calls onCompleted, and the EOS path's onNext / onCompleted then throws IllegalStateException from gRPC. Fixed in 840c5640ea with a defensive try/catch around the EOS path (matching the existing pattern in cancel) plus a second regression test that races send(Eos) and cancel and asserts neither throws. Plus a half-open-stream leak in close() fixed in aeaacc893d for completeness. Both worth flagging since they're in the same observer-lifecycle area you were looking at.

[gortiz]

After the latest round of reviewer-requested fixes, I ran an internal strict pre-push review across the cumulative diff. It surfaced three additional issues that weren't on any review thread — fixed all three to avoid shipping them.

Fixed

1. send(Eos) vs cancel race throwing IllegalStateException — symmetric to the data-path race that c39e12f1a4 closed, but on the closing edge of the stream. Both paths pass their top-of-method isTerminated() check before either sets _senderSideClosed. Cancel wins the _readyLock, calls onCompleted(), releases. The EOS path then takes the lock and calls onNext / onCompleted on an already-half-closed stream → IllegalStateException propagates out of send(Eos). Cancel-path swallowed it defensively; EOS-path didn't. Fixed in 840c5640ea with a defensive try/catch around the EOS path (matching the cancel-side pattern) plus a regression test concurrentSendEosAndCancelDoesNotThrow that drives send(EOS) + cancel() through a CyclicBarrier(2) for 200 iterations and asserts neither call throws.

2. close() leaving the gRPC sender stream half-open — close() pushes an internal-error block via processAndSend(...bypassReady=true) but never calls onCompleted(). The stream sits half-open from the sender side until the per-call deadline fires — for multi-minute MSE queries that's exactly the allocator pin this PR exists to fix. Also had a _contentObserver != null check-then-act outside the lock (same shape ensureContentObserverInitialized exists to prevent). Fixed in aeaacc893d: route through ensureContentObserverInitialized, take _readyLock, set _senderSideClosed = true, call onCompleted() with the same defensive try/catch.

3. wakeWaiters from Netty event-loop locks _readyLock — setOnReadyHandler fires on a Netty channel/event-loop thread; wakeWaiters then acquires _readyLock. If the sender thread is mid-onNext under that lock, the event-loop thread briefly blocks. Intentional and the lock-held sections are bounded by a single onNext/onCompleted, but the pattern is non-obvious enough to surprise a maintainer debugging latency spikes. Documented in e367aa697f so the next reader doesn't reach for a tryLock+executor restructure without context.

Considered and skipped

• AtomicBoolean CAS on _senderSideClosed to make the close transition atomic across EOS / cancel / close(). Behavioral effect is now bounded by the defensive try/catches; left as a separate concern.
• Documenting the precondition on ensureContentObserverInitialized ("callers must isTerminated()-check first") — pure docs.
• Bench drainer's _stop.set(true) before _readSignal.release() ordering — benign at JVM shutdown.

Strict review run: code-reviewer agent with 8 domain-specialized sub-reviewers in parallel (concurrency-state, performance, correctness-nulls, testing, architecture, naming-api, process-scope, config-backcompat). The three above were everything in the CRITICAL/MAJOR/MINOR-worth-fixing buckets.