Fix GrpcChannel handle leak in AzureManaged backend

[torosent]

Summary

What changed?

• Added inline channel caching in ConfigureGrpcChannel class using ConcurrentDictionary<string, Lazy<GrpcChannel>>
• Made ConfigureGrpcChannel implement IDisposable to properly dispose channels when the ServiceProvider is disposed
• Channels are cached per configuration key (options name + endpoint + task hub)

Why is this change needed?

• When the Durable Task Scheduler service is unreachable, the IConfigureNamedOptions<DurableTaskSchedulerOptions>.Configure() method was being called multiple times (on each retry)
• Each call created a new GrpcChannel, which allocates internal HTTP handlers and socket connections
• The channels were never disposed because when options.Channel is pre-set (AzureManaged case), GetCallInvoker() returns default for the disposable reference
• This caused handle/resource leaks that accumulated over time, especially when the service was unavailable

Issues / work items

• Related #N/A (fixes handle leak issue)

---

Project checklist

• Release notes are not required for the next release
  • Otherwise: Notes added to release_notes.md
• Backport is not required
  • Otherwise: Backport tracked by issue/PR #issue_or_pr
• All required tests have been added/updated (unit tests, E2E tests)
• Breaking change?
  • If yes: No breaking changes - internal implementation change only, public API unchanged

---

AI-assisted code disclosure (required)

Was an AI tool used? (select one)

• No
• Yes, AI helped write parts of this PR (e.g., GitHub Copilot)
• Yes, an AI agent generated most of this PR

If AI was used:

• Tool(s): GitHub Copilot (Claude)
• AI-assisted areas/files:
  • src/Client/AzureManaged/DurableTaskSchedulerClientExtensions.cs (modified)
  • src/Worker/AzureManaged/DurableTaskSchedulerWorkerExtensions.cs (modified)
  • test/Client/AzureManaged.Tests/DurableTaskSchedulerClientExtensionsTests.cs (modified)
  • test/Worker/AzureManaged.Tests/DurableTaskSchedulerWorkerExtensionsTests.cs (modified)
• What you changed after AI output: Simplified from separate GrpcChannelCache class to inline ConcurrentDictionary<string, Lazy<GrpcChannel>> per reviewer feedback

AI verification (required if AI was used):

• I understand the code and can explain it
• I verified referenced APIs/types exist and are correct
• I reviewed edge cases/failure paths (timeouts, retries, cancellation, exceptions)
• I reviewed concurrency/async behavior
• I checked for unintended breaking or behavior changes

---

Testing

Automated tests

• Result: Passed
  • test/Client/AzureManaged.Tests - 33 tests passed
  • test/Worker/AzureManaged.Tests - 31 tests passed
  • test/Shared/AzureManaged.Tests - 20 tests passed
  • Total: 84 tests passed

Manual validation (only if runtime/behavior changed)

• Not performed (behavior change is internal - channels are now cached and disposed properly)

---

Notes for reviewers

• The ConfigureGrpcChannel class now uses ConcurrentDictionary<string, Lazy<GrpcChannel>> for thread-safe channel caching
• Lazy<GrpcChannel> ensures thread-safe initialization without holding locks during channel creation (avoids potential deadlocks)
• Channel keys include options name, endpoint, and task hub to ensure proper isolation
• Fire-and-forget ShutdownAsync() is called before Dispose() for graceful shutdown of in-flight RPCs
• The volatile keyword on the disposed field ensures proper memory visibility when checking disposal state from multiple threads

[cgillum]

I asked Copilot CLI to review this with the following prompt since the currently proposed solution looks far more complicated than I was expecting.

Please review this PR. I'm especially interested in knowing if a significantly simpler solution is possible

Here's what the response was:

   PR Review Summary

   Overall Assessment: The fix correctly addresses the GrpcChannel leak, but there's a significantly simpler solution available.

   The Core Problem

   When options.Channel is pre-set (AzureManaged case), GetCallInvoker() returns default for the disposable reference (line 549 in
   GrpcDurableTaskClient.cs), meaning the channel is never disposed. Combined with IConfigureNamedOptions.Configure() being called on each
   retry, this creates a resource leak.

   Simpler Alternative

   Instead of introducing a full GrpcChannelCache class with locking, disposal tracking, and 400+ lines of test code, consider this much
   simpler fix:

   Option 1: Make the channel a Lazy<GrpcChannel> in the options class

     // In ConfigureGrpcChannel class
     class ConfigureGrpcChannel(IOptionsMonitor<DurableTaskSchedulerClientOptions> schedulerOptions) :
         IConfigureNamedOptions<GrpcDurableTaskClientOptions>
     {
         readonly ConcurrentDictionary<string, Lazy<GrpcChannel>> channels = new();

         public void Configure(string? name, GrpcDurableTaskClientOptions options)
         {
             string key = name ?? Options.DefaultName;
             DurableTaskSchedulerClientOptions source = schedulerOptions.Get(key);

             options.Channel = this.channels.GetOrAdd(
                 $"{key}:{source.EndpointAddress}:{source.TaskHubName}",
                 _ => new Lazy<GrpcChannel>(source.CreateChannel)).Value;
         }
     }

   This is ~10 lines vs 170+ lines for GrpcChannelCache, and the IConfigureOptions<T> is already registered as a singleton, so the channel
   cache lives in that singleton's state.

   Option 2: Cache directly on the scheduler options instance

   Since DurableTaskSchedulerClientOptions instances are already managed via the options system, add a lazily-created channel property there:

     // In DurableTaskSchedulerClientOptions
     Lazy<GrpcChannel>? cachedChannel;

     internal GrpcChannel GetOrCreateChannel()
     {
         this.cachedChannel ??= new Lazy<GrpcChannel>(this.CreateChannel);
         return this.cachedChannel.Value;
     }

   Concerns with Current Implementation

     - Unused methods: Replace() and TryRemove() in GrpcChannelCache are never called - they add complexity without value.
     - Fire-and-forget disposal: The DisposeChannelAsync pattern with _ = Task.Run(...) can orphan disposal if the app terminates quickly.
   Consider whether synchronous disposal is acceptable.
     - Over-engineering: The cache handles scenarios (explicit replacement, removal) that don't apply to this use case.
     - Code quality issues already flagged: Nested if statements, unused variable, generic catch clause.

   Recommendation

   Go with the simpler ConcurrentDictionary<string, Lazy<GrpcChannel>> approach directly in the ConfigureGrpcChannel class. This:

     - Fixes the leak
     - Requires no new classes
     - Has minimal test surface area
     - Is easier to understand and maintain

   If you need disposal support, implement IDisposable on ConfigureGrpcChannel and register it properly with DI (though the existing code
   doesn't dispose channels either, so this may be acceptable).

I can try to review this more deeply tomorrow.

[Copilot]

Pull request overview

Fixes a gRPC channel/handle leak in the AzureManaged Durable Task Scheduler integration by caching GrpcChannel instances and disposing them when the DI container is disposed.

Changes:

• Cache GrpcChannel instances inside ConfigureGrpcChannel using ConcurrentDictionary<..., Lazy<GrpcChannel>>.
• Make the channel configurators disposable so cached channels are cleaned up on ServiceProvider disposal.
• Add tests intended to validate channel reuse and disposal behavior for both client and worker extensions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 12 comments.

File	Description
src/Client/AzureManaged/DurableTaskSchedulerClientExtensions.cs	Adds per-configuration GrpcChannel caching and async disposal logic for client-side options configuration.
src/Worker/AzureManaged/DurableTaskSchedulerWorkerExtensions.cs	Adds per-configuration GrpcChannel caching and async disposal logic for worker-side options configuration.
test/Client/AzureManaged.Tests/DurableTaskSchedulerClientExtensionsTests.cs	Adds tests for channel reuse/isolation and disposal on DI container teardown for client extensions.
test/Worker/AzureManaged.Tests/DurableTaskSchedulerWorkerExtensionsTests.cs	Adds tests for channel reuse/isolation and disposal on DI container teardown for worker extensions.

[Copilot]

PR description mentions IDisposable and a volatile disposed flag, but this implementation is IAsyncDisposable-only and the disposed field isn’t volatile (and is read without Volatile.Read). Either update the PR description or adjust the implementation to match (e.g., implement IDisposable and use volatile/Volatile.Read for the disposed check).

[Copilot]

PR description mentions IDisposable and a volatile disposed flag, but this implementation is IAsyncDisposable-only and the disposed field isn’t volatile (and is read without Volatile.Read). Either update the PR description or adjust the implementation to match (e.g., implement IDisposable and use volatile/Volatile.Read for the disposed check).

[Copilot]

DisposeAsync throws an AggregateException when any channel shutdown/dispose fails. Throwing from ServiceProvider disposal can surface as app shutdown failures and is difficult for callers to handle. Consider making this best-effort (swallow/log disposal errors) instead of throwing.

[Copilot]

This test uses different endpoints for different named options, so it will pass even if the cache key accidentally ignores the options name. To validate name isolation in the cache key, use the same endpoint/task hub for both names and assert the channels differ; also dispose the ServiceProvider to avoid leaking channels.

[Copilot]

CreateChannel() behavior depends on more than endpoint/task hub (e.g., ResourceId, Credential, AllowInsecureCredentials, and WorkerId via the call credentials interceptor). If any of these values change while EndpointAddress/TaskHubName stay the same (e.g., via options reload), the cached channel will be reused with stale settings. Consider including these fields in the cache key or enforcing immutability for them.

[torosent]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

DisposeAsync throws an AggregateException when any channel shutdown/dispose fails. Throwing from ServiceProvider disposal can surface as app shutdown failures and is difficult for callers to handle. Consider making this best-effort (swallow/log disposal errors) instead of throwing.

[Copilot]

@torosent I've opened a new pull request, #626, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

[Copilot]

The cache key uses source.EndpointAddress, but DurableTaskSchedulerWorkerOptions.CreateChannel() normalizes endpoints by adding a scheme when missing. As a result, equivalent endpoints (with vs without https://) will not share a cache entry and will create multiple channels. Consider normalizing the endpoint string for the cache key the same way CreateChannel() does (or use the channel target/normalized endpoint).

[Copilot]

The ServiceProvider created here is not disposed. Since these tests now create/dispose cached gRPC channels via DI, the provider should be wrapped in using/await using to avoid leaking resources across test runs.

[torosent]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

The ServiceProvider created here is not disposed. Please wrap it in using/await using so the container can dispose the cached channels and other tracked disposables, preventing cross-test resource leakage.

[Copilot]

disposed is written via Interlocked.Exchange in DisposeAsync, but read here via a plain field read. For cross-thread visibility, the read should use Volatile.Read(ref this.disposed) (or make the field volatile) to ensure Configure reliably observes disposal under concurrency.

[Copilot]

disposed is written via Interlocked.Exchange in DisposeAsync, but read here via a plain field read. Use Volatile.Read(ref this.disposed) (or make the field volatile) so concurrent calls to Configure reliably observe disposal.

[Copilot]

This test uses IOptionsMonitor.Get twice for the same name, which typically returns the same cached options instance. As a result, it may pass even if ConfigureGrpcChannel.Configure creates a new channel on each invocation. To actually validate channel reuse across multiple configurations, consider using IOptionsFactory<GrpcDurableTaskWorkerOptions>.Create(...) twice (like the client tests do).

[Copilot]

@torosent I've opened a new pull request, #627, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

[Copilot]

The cache key only includes the credential type (FullName), but CreateChannel() captures and uses the TokenCredential instance (e.g., for AccessTokenCache and auth headers). If the credential instance changes while keeping the same type (e.g., two ManagedIdentityCredential instances with different client IDs, or config reload), this will incorrectly reuse a channel created with the old credential. Consider keying on the credential instance identity (or a stable credential-specific identifier) rather than only its type, and also normalize EndpointAddress the same way CreateChannel() does (scheme/no-scheme) to avoid duplicate channels for the same effective endpoint.

[Copilot]

disposed is used as a cross-thread flag (read in Configure, written via Interlocked.Exchange in DisposeAsync) but is read without volatile/Volatile.Read. Also, Configure can race with DisposeAsync (an in-flight Configure can create/add a channel after DisposeAsync has enumerated/cleared the dictionary), which would leak the channel. Consider synchronizing Configure vs DisposeAsync (e.g., a lock/reader-writer gate) and using volatile/Volatile.Read for the flag.

Suggested change

	int disposed;
	volatile int disposed;

[Copilot]

The cache key only includes the credential type (FullName), but CreateChannel() uses the TokenCredential instance (token cache + auth headers). If the credential instance changes while keeping the same type, this will incorrectly reuse a channel created with the old credential. Consider keying on the credential instance identity (or a stable credential-specific identifier) rather than only its type, and normalize EndpointAddress the same way CreateChannel() does to avoid duplicate channels for equivalent endpoints.

[Copilot]

disposed is used as a cross-thread flag (read in Configure, written via Interlocked.Exchange in DisposeAsync) but is read without volatile/Volatile.Read. Also, Configure can race with DisposeAsync (an in-flight Configure can create/add a channel after DisposeAsync has enumerated/cleared the dictionary), which would leak the channel. Consider synchronizing Configure vs DisposeAsync (e.g., a lock/reader-writer gate) and using volatile/Volatile.Read for the flag.

Suggested change

	int disposed;
	volatile int disposed;

[torosent]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@torosent I've opened a new pull request, #628, to work on those changes. Once the pull request is ready, I'll request review from you.

[torosent]

Closing this PR and will open a new fixed PR