608 lines
24 KiB
Markdown
Raw Normal View History

2023-03-05 13:23:23 +01:00
# Extension pipelining
`websocket-extensions` models the extension negotiation and processing pipeline
of the WebSocket protocol. Between the driver parsing messages from the TCP
stream and handing those messages off to the application, there may exist a
stack of extensions that transform the message somehow.
In the parlance of this framework, a *session* refers to a single instance of an
extension, acting on a particular socket on either the server or the client
side. A session may transform messages both incoming to the application and
outgoing from the application, for example the `permessage-deflate` extension
compresses outgoing messages and decompresses incoming messages. Message streams
in either direction are independent; that is, incoming and outgoing messages
cannot be assumed to 'pair up' as in a request-response protocol.
Asynchronous processing of messages poses a number of problems that this
pipeline construction is intended to solve.
## Overview
Logically, we have the following:
+-------------+ out +---+ +---+ +---+ +--------+
| |------>| |---->| |---->| |------>| |
| Application | | A | | B | | C | | Driver |
| |<------| |<----| |<----| |<------| |
+-------------+ in +---+ +---+ +---+ +--------+
\ /
+----------o----------+
|
sessions
For outgoing messages, the driver receives the result of
C.outgoing(B.outgoing(A.outgoing(message)))
or, [A, B, C].reduce(((m, ext) => ext.outgoing(m)), message)
For incoming messages, the application receives the result of
A.incoming(B.incoming(C.incoming(message)))
or, [C, B, A].reduce(((m, ext) => ext.incoming(m)), message)
A session is of the following type, to borrow notation from pseudo-Haskell:
type Session = {
incoming :: Message -> Message
outgoing :: Message -> Message
close :: () -> ()
}
(That `() -> ()` syntax is intended to mean that `close()` is a nullary void
method; I apologise to any Haskell readers for not using the right monad.)
The `incoming()` and `outgoing()` methods perform message transformation in the
respective directions; `close()` is called when a socket closes so the session
can release any resources it's holding, for example a DEFLATE de/compression
context.
However because this is JavaScript, the `incoming()` and `outgoing()` methods
may be asynchronous (indeed, `permessage-deflate` is based on `zlib`, whose API
is stream-based). So their interface is strictly:
type Session = {
incoming :: Message -> Callback -> ()
outgoing :: Message -> Callback -> ()
close :: () -> ()
}
type Callback = Either Error Message -> ()
This means a message *m2* can be pushed into a session while it's still
processing the preceding message *m1*. The messages can be processed
concurrently but they *must* be given to the next session in line (or to the
application) in the same order they came in. Applications will expect to receive
messages in the order they arrived over the wire, and sessions require this too.
So ordering of messages must be preserved throughout the pipeline.
Consider the following highly simplified extension that deflates messages on the
wire. `message` is a value conforming the type:
type Message = {
rsv1 :: Boolean
rsv2 :: Boolean
rsv3 :: Boolean
opcode :: Number
data :: Buffer
}
Here's the extension:
```js
var zlib = require('zlib');
var deflate = {
outgoing: function(message, callback) {
zlib.deflateRaw(message.data, function(error, result) {
message.rsv1 = true;
message.data = result;
callback(error, message);
});
},
incoming: function(message, callback) {
// decompress inbound messages (elided)
},
close: function() {
// no state to clean up
}
};
```
We can call it with a large message followed by a small one, and the small one
will be returned first:
```js
var crypto = require('crypto'),
large = crypto.randomBytes(1 << 14),
small = new Buffer('hi');
deflate.outgoing({ data: large }, function() {
console.log(1, 'large');
});
deflate.outgoing({ data: small }, function() {
console.log(2, 'small');
});
/* prints: 2 'small'
1 'large' */
```
So a session that processes messages asynchronously may fail to preserve message
ordering.
Now, this extension is stateless, so it can process messages in any order and
still produce the same output. But some extensions are stateful and require
message order to be preserved.
For example, when using `permessage-deflate` without `no_context_takeover` set,
the session retains a DEFLATE de/compression context between messages, which
accumulates state as it consumes data (later messages can refer to sections of
previous ones to improve compression). Reordering parts of the DEFLATE stream
will result in a failed decompression. Messages must be decompressed in the same
order they were compressed by the peer in order for the DEFLATE protocol to
work.
Finally, there is the problem of closing a socket. When a WebSocket is closed by
the application, or receives a closing request from the other peer, there may be
messages outgoing from the application and incoming from the peer in the
pipeline. If we close the socket and pipeline immediately, two problems arise:
* We may send our own closing frame to the peer before all prior messages we
sent have been written to the socket, and before we have finished processing
all prior messages from the peer
* The session may be instructed to close its resources (e.g. its de/compression
context) while it's in the middle of processing a message, or before it has
received messages that are upstream of it in the pipeline
Essentially, we must defer closing the sessions and sending a closing frame
until after all prior messages have exited the pipeline.
## Design goals
* Message order must be preserved between the protocol driver, the extension
sessions, and the application
* Messages should be handed off to sessions and endpoints as soon as possible,
to maximise throughput of stateless sessions
* The closing procedure should block any further messages from entering the
pipeline, and should allow all existing messages to drain
* Sessions should be closed as soon as possible to prevent them holding memory
and other resources when they have no more messages to handle
* The closing API should allow the caller to detect when the pipeline is empty
and it is safe to continue the WebSocket closing procedure
* Individual extensions should remain as simple as possible to facilitate
modularity and independent authorship
The final point about modularity is an important one: this framework is designed
to facilitate extensions existing as plugins, by decoupling the protocol driver,
extensions, and application. In an ideal world, plugins should only need to
contain code for their specific functionality, and not solve these problems that
apply to all sessions. Also, solving some of these problems requires
consideration of all active sessions collectively, which an individual session
is incapable of doing.
For example, it is entirely possible to take the simple `deflate` extension
above and wrap its `incoming()` and `outgoing()` methods in two `Transform`
streams, producing this type:
type Session = {
incoming :: TransformStream
outtoing :: TransformStream
close :: () -> ()
}
The `Transform` class makes it easy to wrap an async function such that message
order is preserved:
```js
var stream = require('stream'),
session = new stream.Transform({ objectMode: true });
session._transform = function(message, _, callback) {
var self = this;
deflate.outgoing(message, function(error, result) {
self.push(result);
callback();
});
};
```
However, this has a negative impact on throughput: it works by deferring
`callback()` until the async function has 'returned', which blocks `Transform`
from passing further input into the `_transform()` method until the current
message is dealt with completely. This would prevent sessions from processing
messages concurrently, and would unnecessarily reduce the throughput of
stateless extensions.
So, input should be handed off to sessions as soon as possible, and all we need
is a mechanism to reorder the output so that message order is preserved for the
next session in line.
## Solution
We now describe the model implemented here and how it meets the above design
goals. The above diagram where a stack of extensions sit between the driver and
application describes the data flow, but not the object graph. That looks like
this:
+--------+
| Driver |
+---o----+
|
V
+------------+ +----------+
| Extensions o----->| Pipeline |
+------------+ +-----o----+
|
+---------------+---------------+
| | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
A driver using this framework holds an instance of the `Extensions` class, which
it uses to register extension plugins, negotiate headers and transform messages.
The `Extensions` instance itself holds a `Pipeline`, which contains an array of
`Cell` objects, each of which wraps one of the sessions.
### Message processing
Both the `Pipeline` and `Cell` classes have `incoming()` and `outgoing()`
methods; the `Pipeline` interface pushes messages into the pipe, delegates the
message to each `Cell` in turn, then returns it back to the driver. Outgoing
messages pass through `A` then `B` then `C`, and incoming messages in the
reverse order.
Internally, a `Cell` contains two `Functor` objects. A `Functor` wraps an async
function and makes sure its output messages maintain the order of its input
messages. This name is due to [@fronx](https://github.com/fronx), on the basis
that, by preserving message order, the abstraction preserves the *mapping*
between input and output messages. To use our simple `deflate` extension from
above:
```js
var functor = new Functor(deflate, 'outgoing');
functor.call({ data: large }, function() {
console.log(1, 'large');
});
functor.call({ data: small }, function() {
console.log(2, 'small');
});
/* -> 1 'large'
2 'small' */
```
A `Cell` contains two of these, one for each direction:
+-----------------------+
+---->| Functor [A, incoming] |
+----------+ | +-----------------------+
| Cell [A] o------+
+----------+ | +-----------------------+
+---->| Functor [A, outgoing] |
+-----------------------+
This satisfies the message transformation requirements: the `Pipeline` simply
loops over the cells in the appropriate direction to transform each message.
Because each `Cell` will preserve message order, we can pass a message to the
next `Cell` in line as soon as the current `Cell` returns it. This gives each
`Cell` all the messages in order while maximising throughput.
### Session closing
We want to close each session as soon as possible, after all existing messages
have drained. To do this, each `Cell` begins with a pending message counter in
each direction, labelled `in` and `out` below.
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
| | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 0 out: 0 out: 0
When a message *m1* enters the pipeline, say in the `outgoing` direction, we
increment the `pending.out` counter on all cells immediately.
+----------+
m1 => | Pipeline |
+-----o----+
|
+---------------+---------------+
| | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 1 out: 1 out: 1
*m1* is handed off to `A`, meanwhile a second message `m2` arrives in the same
direction. All `pending.out` counters are again incremented.
+----------+
m2 => | Pipeline |
+-----o----+
|
+---------------+---------------+
m1 | | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 2 out: 2 out: 2
When the first cell's `A.outgoing` functor finishes processing *m1*, the first
`pending.out` counter is decremented and *m1* is handed off to cell `B`.
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
m2 | m1 | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 1 out: 2 out: 2
As `B` finishes with *m1*, and as `A` finishes with *m2*, the `pending.out`
counters continue to decrement.
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
| m2 | m1 |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 0 out: 1 out: 2
Say `C` is a little slow, and begins processing *m2* while still processing
*m1*. That's fine, the `Functor` mechanism will keep *m1* ahead of *m2* in the
output.
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
| | m2 | m1
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 0 out: 0 out: 2
Once all messages are dealt with, the counters return to `0`.
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
| | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 0 out: 0 out: 0
The same process applies in the `incoming` direction, the only difference being
that messages are passed to `C` first.
This makes closing the sessions quite simple. When the driver wants to close the
socket, it calls `Pipeline.close()`. This *immediately* calls `close()` on all
the cells. If a cell has `in == out == 0`, then it immediately calls
`session.close()`. Otherwise, it stores the closing call and defers it until
`in` and `out` have both ticked down to zero. The pipeline will not accept new
messages after `close()` has been called, so we know the pending counts will not
increase after this point.
This means each session is closed as soon as possible: `A` can close while the
slow `C` session is still working, because it knows there are no more messages
on the way. Similarly, `C` will defer closing if `close()` is called while *m1*
is still in `B`, and *m2* in `A`, because its pending count means it knows it
has work yet to do, even if it's not received those messages yet. This concern
cannot be addressed by extensions acting only on their own local state, unless
we pollute individual extensions by making them all implement this same
mechanism.
The actual closing API at each level is slightly different:
type Session = {
close :: () -> ()
}
type Cell = {
close :: () -> Promise ()
}
type Pipeline = {
close :: Callback -> ()
}
This might appear inconsistent so it's worth explaining. Remember that a
`Pipeline` holds a list of `Cell` objects, each wrapping a `Session`. The driver
talks (via the `Extensions` API) to the `Pipeline` interface, and it wants
`Pipeline.close()` to do two things: close all the sessions, and tell me when
it's safe to start the closing procedure (i.e. when all messages have drained
from the pipe and been handed off to the application or socket). A callback API
works well for that.
At the other end of the stack, `Session.close()` is a nullary void method with
no callback or promise API because we don't care what it does, and whatever it
does do will not block the WebSocket protocol; we're not going to hold off
processing messages while a session closes its de/compression context. We just
tell it to close itself, and don't want to wait while it does that.
In the middle, `Cell.close()` returns a promise rather than using a callback.
This is for two reasons. First, `Cell.close()` might not do anything
immediately, it might have to defer its effect while messages drain. So, if
given a callback, it would have to store it in a queue for later execution.
Callbacks work fine if your method does something and can then invoke the
callback itself, but if you need to store callbacks somewhere so another method
can execute them, a promise is a better fit. Second, it better serves the
purposes of `Pipeline.close()`: it wants to call `close()` on each of a list of
cells, and wait for all of them to finish. This is simple and idiomatic using
promises:
```js
var closed = cells.map((cell) => cell.close());
Promise.all(closed).then(callback);
```
(We don't actually use a full *Promises/A+* compatible promise here, we use a
much simplified construction that acts as a callback aggregater and resolves
synchronously and does not support chaining, but the principle is the same.)
### Error handling
We've not mentioned error handling so far but it bears some explanation. The
above counter system still applies, but behaves slightly differently in the
presence of errors.
Say we push three messages into the pipe in the outgoing direction:
+----------+
m3, m2, m1 => | Pipeline |
+-----o----+
|
+---------------+---------------+
| | |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 3 out: 3 out: 3
They pass through the cells successfully up to this point:
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
m3 | m2 | m1 |
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 1 out: 2 out: 3
At this point, session `B` produces an error while processing *m2*, that is *m2*
becomes *e2*. *m1* is still in the pipeline, and *m3* is queued behind *m2*.
What ought to happen is that *m1* is handed off to the socket, then *m2* is
released to the driver, which will detect the error and begin closing the
socket. No further processing should be done on *m3* and it should not be
released to the driver after the error is emitted.
To handle this, we allow errors to pass down the pipeline just like messages do,
to maintain ordering. But, once a cell sees its session produce an error, or it
receives an error from upstream, it should refuse to accept any further
messages. Session `B` might have begun processing *m3* by the time it produces
the error *e2*, but `C` will have been given *e2* before it receives *m3*, and
can simply drop *m3*.
Now, say *e2* reaches the slow session `C` while *m1* is still present,
meanwhile *m3* has been dropped. `C` will never receive *m3* since it will have
been dropped upstream. Under the present model, its `out` counter will be `3`
but it is only going to emit two more values: *m1* and *e2*. In order for
closing to work, we need to decrement `out` to reflect this. The situation
should look like this:
+----------+
| Pipeline |
+-----o----+
|
+---------------+---------------+
| | e2 | m1
+-----o----+ +-----o----+ +-----o----+
| Cell [A] | | Cell [B] | | Cell [C] |
+----------+ +----------+ +----------+
in: 0 in: 0 in: 0
out: 0 out: 0 out: 2
When a cell sees its session emit an error, or when it receives an error from
upstream, it sets its pending count in the appropriate direction to equal the
number of messages it is *currently* processing. It will not accept any messages
after it sees the error, so this will allow the counter to reach zero.
Note that while *e2* is in the pipeline, `Pipeline` should drop any further
messages in the outgoing direction, but should continue to accept incoming
messages. Until *e2* makes it out of the pipe to the driver, behind previous
successful messages, the driver does not know an error has happened, and a
message may arrive over the socket and make it all the way through the incoming
pipe in the meantime. We only halt processing in the affected direction to avoid
doing unnecessary work since messages arriving after an error should not be
processed.
Some unnecessary work may happen, for example any messages already in the
pipeline following *m2* will be processed by `A`, since it's upstream of the
error. Those messages will be dropped by `B`.
## Alternative ideas
I am considering implementing `Functor` as an object-mode transform stream
rather than what is essentially an async function. Being object-mode, a stream
would preserve message boundaries and would also possibly help address
back-pressure. I'm not sure whether this would require external API changes so
that such streams could be connected to the downstream driver's streams.
## Acknowledgements
Credit is due to [@mnowster](https://github.com/mnowster) for helping with the
design and to [@fronx](https://github.com/fronx) for helping name things.