Rambling Comments

RFC 6455: The WebSocket protocol

2011-12-14T08:46:47Z

I know I've said this before, but now it's really done...

The WebSocket protocol is now an official RFC. There are a small number of changes between RFC 6455 and the draft WebSocket protocol version 17; the only important ones being he addition of two new close status codes. The rest is just a case of tidying up the draft.

There will be a 6.5.3 release of The Server Framework to include these changes.

Inside the Windows 8 Registered I/O Extensions, RIO

2011-10-24T20:30:38Z

Before I started to look at RIO for inclusion in The Server Framework I did a quick check on the Microsoft BUILD site to see if there were any sessions that dealt with it specifically, I didn't find any. Once I posted my blog posting I did another check and found this video that deals specifically with RIO. This gives some in depth details of how RIO works and the kinds of performance improvements that Microsoft has witnessed in their labs. It's interesting and impressive.

One thing that I hadn't realised is that with RIO, SO_SNDBUF and SO_RCVBUF are no longer applicable with RIO, it's as if you're operating with them set to zero. You need to always have recvs pending if you don't want to drop datagrams...

More once I've watched it all...

The WebSocket protocol is done...

2011-09-27T11:05:33Z

Version 16 of the draft WebSocket protocol specification was just released and the HyBi mailing list announcement for this version contained the following:

Chairs and editors believe that this version is final (before the publication of the RFC). Thank you to everybody who helped to get this completed and for the stimulating discussions on the way.
Now feel free to discuss extensions, WebSocket 1.1, etc. :-).

There are no major differences between this and version 13 and the version number of the protocol itself stays at 13 so The WebSockets Option Pack supports everything that will be in the final RFC.

Designing an asynchronous server-side API for WebSockets

2011-09-27T09:24:04Z

I've just released The WebSockets Option Pack for The Server Framework and I think it's worth running through why the API that I designed ended up as it did. This will probably end up as part of The Server Framework's WebSockets documentation, which is currently a little sparse.

]]> The WebSockets protocol is a message based protocol with unbounded message sizes. This makes a general purpose API more difficult to design as some clients of the API may wish to work in terms of discrete messages and some may wish to work in terms of streams of data. Due to the possibility of frame fragmentation occurring between the client and the server (due to unknown intermediaries being present in the data path) the server-side cannot assume that it will be able to determine the size of an individual message in advance of receiving the final frame for that message.

Whilst the client code may only ever generate messages that are 100 bytes or less the server could receive those messages as (in the worst case) a sequence of 100 frames each of 1 byte. Since each fragmented frame contains only the size of the current fragment there is no way for the server to determine that the message is 100 bytes long until the final fragment arrives.

Often the code that's using the server-side API will also be the code that deploys the client side code which is communicating with it, this allows that code to know things about the messaging it's expecting, after all, it's quite likely that the same organisation created both the client and server code. The challenge for The Server Framework's WebSockets API is to expose the underlying Websockets connection in such a way that the user of the API can decide how best to deal with the inbound data. It's tempting to simply structure the API to work in terms of a series of streams and to pass the problems of message accumulation on to the user of the API, however I felt that was taking the easy way out and doing the users of the API a disservice. Instead the API can be configured to work in terms of complete, distinct, messages as long as they will fit into a single 'buffer' and then degrade to working in terms of a stream if the message is too large. Since the user of the API gets to determine how big the buffers that they use are, they can select a size that is appropriate for their message size, if that is important to them. Users who would prefer to work with streams, or who are working in terms of a single unending stream of data rather than discrete messages, can opt to receive data as it arrives rather than having it accumulated inside The Server Framework's WebSockets API.

The API interface looks something like this.

      virtual void OnData(
         JetByteTools::WebSocket::HyBi::IWebSocket &socket,
         const JetByteTools::Win32::_tstring &text,
         const JetByteTools::WebSocket::MessageStatus status,
         const __int64 messageBytesOutstanding);

      virtual void OnData(
         JetByteTools::WebSocket::HyBi::IWebSocket &socket,
         JetByteTools::IO::IBuffer &buffer,
         const JetByteTools::WebSocket::MessageType type,
         const JetByteTools::WebSocket::MessageStatus status,
         const __int64 messageBytesOutstanding);

Where type tells us if we have a binary message or a text message, status tells us if this data forms a complete message or if it's just part of the message and messageBytesOutstanding tells us how many bytes are still to come, if it can be determined. There are two versions of the OnData() callback because some clients of the API may wish to work in terms of text messages presented to them pre-converted from UTF-8 into a string and some may prefer the flexibility of having the IBuffer interface passed to them so that they can, in turn, pass it off to another thread for processing, perhaps, using the reference counting functionality that's built into the buffer system.

When configuring your server you decide on the size of buffers used and whether the WebSockets protocol handler accumulates messages or simply passes you the data as it arrives. See the WebSockets example servers for more details.

When configured correctly a message based implementation could process discrete messages from a WebSockets connection like this:

void CSocketServer::OnData(
   IWebSocket &socket,
   IBuffer &buffer,
   const MessageType type,
   const MessageStatus status,
   const __int64 messageBytesOutstanding)
{
   if (status != MessageStatusComplete)
   {
      throw CException(
         _T("CSocketServer::OnData()"),
         _T("Unexpected: message larger than buffer size"));
   }

   if (messageBytesOutstanding != 0)
   {
      throw CException(
         _T("CSocketServer::OnData()"),
         _T("Unexpected: message larger than buffer size: ") + ToString(messageBytesOutstanding) + _T(" outstanding"));
   }

   if (type == MessageTypeText)
   {
      // Process a text message
   }
   else
   {
      // Process a binary message
   }

   socket.TryRead();  // Read a new message into a new buffer
}

You may wish to do your message accumulation yourself, perhaps because the inbound data is actually a stream of application messages presented as a sequence of WebSockets fragments (and remember, you can't rely on the fragments that are sent being the same size as the fragments that are received!). In this case it would be normal to sometimes pass the buffer that you received back to the next call to read so that more data can be added to the end of the buffer...

   socket.TryRead(&buffer);  // Read more data into this buffer
}

Accumulating messages larger than your buffer size is easy if you simply chain the buffers together once they're full.

void CPerConnectionData::OnData(
   IWebSocket &socket,
   IBuffer &buffer,
   const MessageType type,
   const MessageStatus status,
   const __int64 messageBytesOutstanding)
{
   if (m_messageSize == 0)
   {
      m_messageType = type;
   }
   else if (m_messageType != type)
   {
      throw CException(_T("CPerConnectionData::OnDataFrame()"), _T("Unexpected frame type"));
   }

   if (status == MessageStatusComplete && messageBytesOutstanding == 0)
   {
      AddBuffer(buffer);

      EchoMessage(socket);

      socket.TryRead();
   }
   else if (buffer.GetSize() == buffer.GetUsed())
   {
      AddBuffer(buffer);

      socket.TryRead();
   }
   else
   {
      socket.TryRead(&buffer);
   }
}

void CPerConnectionData::AddBuffer(
   IBuffer &buffer)
{
   const IBuffer::BufferSize used = buffer.GetUsed();

   if (used || m_messageBuffers.IsEmpty())
   {
      m_messageSize += used;

      m_messageBuffers.Add(buffer);
   }
}

Sending data would be simple if we restricted the user to buffer sized chunks or to single send calls, however an API user may wish to send very large messages, or to send a sequence of fragments where the actual message size is unknown at the time when the message is started. The API supports both of these options as well as the simple 'send a buffer as a text/binary message' option.

Here we send a single buffer as a discrete WebSockets message.

   if (type == MessageTypeText)
   {
      socket.TryWriteText(buffer);
   }
   else
   {
      socket.TryWriteBinary(buffer);
   }

Whilst here, we send a message as a sequence of buffers. We know the size of the complete message before we start and pass that value in our call to StartMessage().

void CPerConnectionData::EchoMessage(
   IWebSocket &socket)
{
   CSmartBuffer buffer(m_messageBuffers.GetNext());

   socket.StartMessage(m_messageType, m_messageSize, buffer.GetRef());

   buffer = m_messageBuffers.GetNext();

   while (buffer.Get())
   {
      socket.SendMessageData(buffer.GetRef());

      buffer = m_messageBuffers.GetNext();
   }

   m_messageSize = 0;
}

Finally, here we show sending a message as a sequence of fragments, not knowing how long the resulting message will be when we start sending.

void CFragmentEchoingSocketServer::OnData(
   IWebSocket &socket,
   IBuffer &buffer,
   const MessageType type,
   const MessageStatus status,
   const __int64 messageBytesOutstanding)
{
   const bool echoing = ToBool(socket.GetUserData(m_userDataIndex));

   if (echoing)
   {
      if (status == MessageStatusComplete && messageBytesOutstanding == 0)
      {
         socket.StartNewFragment(buffer.GetUsed(), buffer, true);

         socket.SetUserData(m_userDataIndex, false);
      }
      else
      {
         socket.StartNewFragment(buffer.GetUsed(), buffer);
      }
   }
   else 
   {
      socket.StartFragmentedMessage(type, buffer.GetUsed(), buffer);

      socket.SetUserData(m_userDataIndex, true);
   }

   socket.TryRead();
}

See the WebSockets example servers for more details.

The WebSockets protocol presents itself as providing a message based interface but given that a single message can have an unbounded size it's complicated to provide a general purpose API which will suit all potential users. By allowing the user of the API to select the buffering and accumulation strategies we provide the flexibility to make it as easy to work with simple, small, discrete messages as it is to work with a potentially endless stream of data.

The WebSockets Option Pack for The Server Framework is available from version 6.5 of The Server Framework which was released recently.

The WebSocket protocol - Draft, HyBi 13

2011-09-01T07:29:05Z

Another day, another WebSocket protocol draft...

That's probably a little unfair actually. Although there have been several drafts in quick succession over the past few weeks the protocol itself has only changed very slightly. The majority of the changes have simply been to the wording and arrangement of the document.

I was fairly cynical about the likely quality of the final RFC when I started looking at the 09 draft and then, in search of clarification, started following the HyBi Working Group's mailing list. As I said at the time, there are a lot of interested parties and they all want their own special requirements reflected in the document. What I wasn't really aware of then was that once the document moved towards standardisation the issues would be managed in a much more controlled manner. Since then, Peter Saint-Andre has guided the Working Group and the document in a subtle but controlled manner. The discussions have still been heated (and in many cases circular) but each outstanding issue has finally been resolved and the document has moved forward.

When I started following the Working Group I felt that I couldn't make a difference. There were lots of loud personalities that had been involved from the start and came across as having a lot more weight in the process than others on the list. I'm pleased that I decided to ignore my initial fears and raise some of the issues that I was concerned about as in some cases I feel that it made a difference.

So, where are we on my list of rants from back in July?

WebSockets is a stream, not a message based protocol... - The wording of the RFC has been changed so that it doesn't imply that a message based API is the only one that should be considered and private use extension tokens are no longer allowed (so no x-tcp-stream)
Why differentiate between text and binary frames? - No change. The WebSocket protocol needs to deal with UTF8 transformations just so that the users don't.
Why do we need to mask data from client to server? - The document has been updated to explain the rationale behind this requirement.
How the deflate-stream extension is broken and badly designed - The extension has been removed.
I miss the TCP half-close - No change.

So the main issues that I was concerned about have been dealt with and the remaining two are pretty minor. It's somewhat annoying that deflate-stream was removed after I implemented it, but since I implemented it as a general purpose connection filter the code can be reused by anyone using The Server Framework who wants to deflate their TCP data.

WebSocket support is available in The Server Framework from release 6.5 which is currently in final testing.

Autobahn WebSockets protocol compliance test suite

2011-08-31T07:27:29Z

I'm nearing the end of my WebSockets implementation for The Server Framework and have been dealing with various protocol compliance issues. Whilst I have decent unit test coverage I haven't, yet, sat down and produced compliance specific unit tests which walk through the various parts of the (ever changing) draft RFC and test each aspect. Looking back, I probably should have taken this approach even though the RFC was fluid. Anyway. One of the people involved in the WebSockets Working Group has a nice set of compliance tests for their implementation and they have made these tests are freely available; so I've been using them! They've really helped nail a few subtle issues in my implementation (and one or two not so subtle issues!).

The Autobahn tests can be found here, and the report generated by the current pre-release version of my implementation can be found here.

WebSockets - I miss the TCP half close...

2011-07-08T15:25:59Z

As I mentioned here, the WebSockets protocol is, at this point, a bit of a mess due to the evolution of the protocol and the fact that it's being pulled in various directions by various interested parties. I'm just ranting about some of the things that I find annoying...

The WebSockets protocol includes a way for the endpoints to shut down the connection.


   If an endpoint receives a Close frame and that endpoint did not
   previously send a Close frame, the endpoint MUST send a Close frame
   in response.  It SHOULD do so as soon as is practical.  An endpoint
   MAY delay sending a close frame until its current message is sent
   (for instance, if the majority of a fragmented message is already
   sent, an endpoint MAY send the remaining fragments before sending a
   Close frame).  However, there is no guarantee that the endpoint which
   has already sent a Close frame will continue to process data.

   After both sending and receiving a close message, an endpoint
   considers the WebSocket connection closed, and MUST close the
   underlying TCP connection.  The server MUST close the underlying TCP
   connection immediately; the client SHOULD wait for the server to
   close the connection but MAY close the connection at any time after
   sending and receiving a close message, e.g. if it has not received a
   TCP close from the server in a reasonable time period.

Unfortunately it's a full close of the connection in both directions rather than an indication that the endpoint sending it has nothing more to send. In effect it's a close() rather than a shutdown(). This means that if you ever want to indicate that you're done sending but that you'd like the other end to finish up and then close you have to implement it yourself...]]> TCP allows you to close each direction of the connection independently. The first peer to shut down their sending side is deemed to have issued the active close. Whoever issues the active close ends up in TIME_WAIT state (see here for more details on that). The WebSockets protocol provides a protocol level close message which is intended to do the following:


   The closing handshake is intended to complement the TCP closing
   handshake (FIN/ACK), on the basis that the TCP closing handshake is
   not always reliable end-to-end, especially in the presence of man-in-
   the-middle proxies and other intermediaries.

   By sending a close frame and waiting for a close frame in response,
   certain cases are avoided where data may be unnecessarily lost.  For
   instance, on some platforms, if a socket is closed with data in the
   receive queue, a RST packet is sent, which will then cause recv() to
   fail for the party that received the RST, even if there was data
   waiting to be read.

Which is all well and good but the ability to perform a half-close would be very useful and its unfortunate omission will no doubt lead to applications inventing their own...

WebSockets - The deflate-stream extension is broken and badly designed

2011-07-08T15:00:00Z

The WebSockets protocol is designed to be extended, which is all well and good. Extensions can, at present, be formally specified by RFCs or be "private use" extensions with names that are prefixed with an "x-". So far the only "official" extension is the deflate-stream extension that's detailed in the WebSockets protocol RFC itself.

Unfortunately, the deflate-stream extension isn't really an ideal example of how future extensions should work. A far better example would be the alternative deflate-application-data extension that's detailed here.

So, what's wrong with deflate-stream?]]> The WebSockets protocol is very open to extension, possibly too open.


4.8.  Extensibility

   The protocol is designed to allow for extensions, which will add
   capabilities to the base protocols.  The endpoints of a connection
   MUST negotiate the use of any extensions during the opening
   handshake.  This specification provides opcodes 0x3 through 0x7 and
   0xB through 0xF, the extension data field, and the frame-rsv1, frame-
   rsv2, and frame-rsv3 bits of the frame header for use by extensions.

   The negotiation of extensions is discussed in further detail in
   Section 9.1.  Below are some anticipated uses of extensions.  This
   list is neither complete nor proscriptive.

   o  Extension data may be placed in the payload data before the
      application data.

   o  Reserved bits can be allocated for per-frame needs.

   o  Reserved opcode values can be defined.

   o  Reserved bits can be allocated to the opcode field if more opcode
      values are needed.

   o  A reserved bit or an "extension" opcode can be defined which
      allocates additional bits out of the payload data to define larger
      opcodes or more per-frame bits.

But even with all of this available the deflate-stream extension goes further. The deflate-stream extension completely replaces the wire format of the WebSockets protocol with a stream of compressed data. That is, all framing and headers are included in the compression and you can't decompress a portion of the stream without decompressing all of it. It means that any form of proxy that wants to inspect the contents of WebSocket traffic has to decompress the whole stream to look at the individual frames; it can't even simply use the header information to skip the data portions of the frames as the headers are also compressed. The WebSocket protocol doesn't really even hint at this being the intended use of the extension mechanism, in fact it seems to suggest that whilst extensions can fiddle with the header contents and the frame contents they can't simply replace the entire wire format. There are those who think the inclusion of "connection-level" extensions is a bad idea and I agree with them. After all, by following the example of the deflate-stream extension surely the obvious solution to the rather broken message based aspect of the protocol is simply to write an extension that replaces the entire WebSocket wire format with one that pleases you better; x-raw-tcp-stream anyone?

If the fact that the deflate-stream extension isn't exactly an ideal example of how extensions should be built isn't enough of a reason to remove it from the RFC then surely the fact that it doesn't actually work as expected might be? It doesn't seem likely. The problem is that now that WebSockets requires client to server data frames to be masked the data being sent from client to server is sufficiently random that compression can't be applied. So, at best, deflate-stream, simply burns server-side CPU when dealing with inbound WebSocket data and at worst it makes the data stream from client to server bigger than it need be. Ideally you'd simply not mask if you were going to use deflate-stream but that doesn't seem to be an option; there appear to be concerns that the extremely unlikely situation that client to server masking is supposed to protect against could occur using unmasked compressed data. Of course the attacker would have to know exactly how the data was going to be deflated and could therefore somehow come up with some payload data that results in a useful stream of deflated data; but really...

Ripping deflate-stream out of the RFC entirely and/or replacing it with deflate-application-data would seem to be the obvious course of action, but there seems to be resistance to this. Making it possible to enable deflate-stream in one direction only, i.e. from server to client, would also seem to be a potential win as you'd get your deflated stream in the direction that it can work and not waste time on data that can't be meaningfully compressed.

Another day, another deadlock avoided with no harm done

2011-07-07T08:43:50Z

I'm currently building a new example server for The Server Framework. This is a variation on one of our proxy server examples for a client that's doing some WebSockets work. The idea is that the server takes an inbound WebSockets connection, creates an outbound TCP connection to the target server and routes data to and from the remote server and the WebSockets client. It's fairly simple stuff to put together once you're up to speed on The Server Framework but my client needed a helping hand and it's another nice example of what you can do with the framework.

As I've mentioned before, all of these example servers run a set of black box integration tests during the build process. Once the code has compiled the tests kick off automatically, start the server, run a client against it, check the results are as expected, etc. If the test fails then the build fails.

This works great at flushing out any latent issues that the unit tests of all the framework code don't happen to catch. It's good for race condition problems and deadlocks and the like. The fact that the integration tests run on all of my build servers (which are a nice mix of power, memory and processors) means that race conditions and whatever get shaken out of the framework pretty quickly. ]]> As I mentioned a while back, I've now got memory leak analysis and lock inversion detection built into the integration test runners. The lock inversion detection can find and report on potential deadlocks without the code under test needing to actually deadlock. It detects that the code COULD deadlock and reports why. You can download the lock inversion detector that I use from here on my www.lockexplorer.com site.

Anyway, I set up the integration tests for my new server example this morning and ran it. The tests ran fine but LID reported lock inversions. Every lock inversion is a deadlock waiting to happen and although the tests had run through fine and the server hadn't deadlocked the report from LID was showing me that, given the right set of threading circumstances, it could...

By default I run LID during the integration tests as this runs slightly faster than LIA the full featured lock inversion analyser. A simple adjustment to the configuration of the integration test lets me run LIA instead and the report was quite clear as to where the lock inversions were.

****************New Log*****************
Target process has terminated
Process "E:\OutboundGatewayServer\Output\VS2010\URelease\OutboundGatewayServer.exe" exit code: 0
Checking 3151 lock acquisition sequences for inversions

Lock inversions detected!

Lock inversion in acquisition of locks 164 and 41
Primary lock acquisition sequence: 164 @ 171, 41 @ 173
Executed on thread: 8 [6164] "IOPool"
Secondary lock acquisition sequence: 41 @ 154, 164 @ 178
Executed on threads: 5 [1064] "IOPool", 17 [1236] "IOPool", 16 [1288] "IOPool", 3 [2028] "IOPool", 13 [3652] "IOPool", 9 [4056] "IOPool", 12 [4676] "IOPool", 10 [4948] "IOPool", 7 [5444] "IOPool", 8 [6164] "IOPool", 4 [6232] "IOPool", 15 [6412] "IOPool", 11 [6704] "IOPool", 6 [6836] "IOPool", 14 [6876] "IOPool", 18 [7080] "IOPool"
Secondary lock acquisition sequence: 41 @ 154, 164 @ 187
Executed on threads: 5 [1064] "IOPool", 17 [1236] "IOPool", 16 [1288] "IOPool", 3 [2028] "IOPool", 13 [3652] "IOPool", 9 [4056] "IOPool", 12 [4676] "IOPool", 10 [4948] "IOPool", 7 [5444] "IOPool", 8 [6164] "IOPool", 4 [6232] "IOPool", 15 [6412] "IOPool", 11 [6704] "IOPool", 6 [6836] "IOPool", 14 [6876] "IOPool", 18 [7080] "IOPool"
Secondary lock acquisition sequence: 41 @ 154, 164 @ 194
Executed on thread: 12 [4676] "IOPool"
Location: 154
e:\jetbytetools\win32tools\criticalsection.cpp(80) : CCriticalSection::Enter
e:\jetbytetools\win32tools\icriticalsection.cpp(44) : ICriticalSection::Owner::Owner
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(260) : CProtocolHandler::OnDataReceived
e:\outboundgatewayserver\socketserver.cpp(206) : CSocketServer::OnReadCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanagerbase.cpp(128) : CStreamSocketConnectionManagerBase::OnReadCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(933) : TStreamSocketConnectionManager::HandleOperation
e:\jetbytetools\sockettools\tasyncsocket.h(565) : TAsyncSocket::HandleOperation
e:\jetbytetools\iotools\iopool.cpp(319) : CIOPool::WorkerThread::Run
e:\jetbytetools\win32tools\thread.cpp(241) : CThread::ThreadFunction
---
Location: 171
e:\jetbytetools\win32tools\criticalsection.cpp(80) : CCriticalSection::Enter
e:\jetbytetools\win32tools\icriticalsection.cpp(44) : ICriticalSection::Owner::Owner
e:\outboundgatewayserver\connection.cpp(128) : CConnection::OnConnectionEstablished
e:\outboundgatewayserver\socketserver.cpp(157) : CSocketServer::OnConnectionEstablished
e:\jetbytetools\sockettools\streamsocketconnectionmanagerbase.cpp(86) : CStreamSocketConnectionManagerBase::OnConnectionEstablished
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(1422) : TStreamSocketConnectionManager::ConnectCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(981) : TStreamSocketConnectionManager::HandleOperation
e:\jetbytetools\sockettools\tasyncsocket.h(565) : TAsyncSocket::HandleOperation
e:\jetbytetools\iotools\iopool.cpp(319) : CIOPool::WorkerThread::Run
e:\jetbytetools\win32tools\thread.cpp(241) : CThread::ThreadFunction
---
Location: 173
e:\jetbytetools\win32tools\criticalsection.cpp(80) : CCriticalSection::Enter
e:\jetbytetools\win32tools\icriticalsection.cpp(44) : ICriticalSection::Owner::Owner
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(996) : CProtocolHandler::TryRead
e:\jetbytetools\websockettools\hybi08\websocket.cpp(166) : CWebSocket::TryRead
e:\jetbytetools\websockettools\hybi08\websocket.cpp(145) : CWebSocket::TryRead
e:\outboundgatewayserver\connection.cpp(143) : CConnection::OnConnectionEstablished
e:\outboundgatewayserver\socketserver.cpp(157) : CSocketServer::OnConnectionEstablished
e:\jetbytetools\sockettools\streamsocketconnectionmanagerbase.cpp(86) : CStreamSocketConnectionManagerBase::OnConnectionEstablished
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(1422) : TStreamSocketConnectionManager::ConnectCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(981) : TStreamSocketConnectionManager::HandleOperation
e:\jetbytetools\sockettools\tasyncsocket.h(565) : TAsyncSocket::HandleOperation
e:\jetbytetools\iotools\iopool.cpp(319) : CIOPool::WorkerThread::Run
e:\jetbytetools\win32tools\thread.cpp(241) : CThread::ThreadFunction
---
Location: 178
e:\jetbytetools\win32tools\criticalsection.cpp(80) : CCriticalSection::Enter
e:\jetbytetools\win32tools\icriticalsection.cpp(44) : ICriticalSection::Owner::Owner
e:\outboundgatewayserver\connection.cpp(165) : CConnection::OnReadCompleted
e:\outboundgatewayserver\socketserver.cpp(322) : CSocketServer::OnDataFrame
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(917) : CProtocolHandler::HandleData
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(692) : CProtocolHandler::DispatchFrame
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(536) : CProtocolHandler::ProcessDataReceived
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(341) : CProtocolHandler::HandleDataReceived
e:\jetbytetools\websockettools\hybi08\protocolhandler.cpp(284) : CProtocolHandler::OnDataReceived
e:\outboundgatewayserver\socketserver.cpp(206) : CSocketServer::OnReadCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanagerbase.cpp(128) : CStreamSocketConnectionManagerBase::OnReadCompleted
e:\jetbytetools\sockettools\streamsocketconnectionmanager.h(933) : TStreamSocketConnectionManager::HandleOperation
e:\jetbytetools\sockettools\tasyncsocket.h(565) : TAsyncSocket::HandleOperation
e:\jetbytetools\iotools\iopool.cpp(319) : CIOPool::WorkerThread::Run
e:\jetbytetools\win32tools\thread.cpp(241) : CThread::ThreadFunction
---

Diving into the code for the lock acquisitions in question shows me that in one of the objects concerned I'm holding the lock for longer than I need to. Reducing the scope of the lock means that I don't hold it across the use of the other object which removes the lock inversion. 2 minutes and one recompile from discovery to confirmed fix. A nice start to the day.

WebSockets - Why do we need to mask data from client to server?

2011-07-06T14:52:04Z

   The client MUST mask all frames sent to the server.  A server MUST
   close the connection upon receiving a frame with the MASK bit set to
   0.  In this case, a server MAY send a close frame with a status code
   of 1002 (protocol error) as defined in Section 7.4.1.

Fair enough, but why?

]]> The masking in itself is relatively painless to achieve but it interacts poorly with the albeit badly designed deflate-stream extension and forcing the client to mask zero length frames seems unnecessary - though I agree that special cases don't really seem warranted.

The RFC doesn't explain why masking from client to server is considered essential but a search through the discussion list brings up plenty of hits. The best descriptions of why can be found here and here.

Masking of WebSocket traffic from client to server is required because of the unlikely chance that malicious code could cause some broken proxies to do the wrong thing and use this as an attack of some kind. Nobody has proved that this could actually happen, but since the fact that it could happen was reason enough for browser vendors to get twitchy, masking was added to remove the possibility of it being used as an attack.

The idea being that since the API level code generating the WebSocket frame gets to select a masking key and mask the data supplied by the application code the application code cannot in any meaningful way dictate the data that ends up passing through the potentially broken intermediaries and therefore can't cause trouble. Since the masking key is in the frame intermediaries can be written to understand and unmask the data to perform some form of clever inspection if they want to.

Now, would it be so hard to add something that explains this to the RFC?

WebSockets - Why differentiate between text and binary frames?

2011-07-06T13:14:49Z

Back when binary frames were mentioned in the WebSocket protocol specification as a slightly hand wavy "something for the future" and only text frames were actually possible to send and receive using the clients at the time then there MAY (in the strictest RFC meaning of the word) have been a need to differentiate between text and binary frames. Especially since text frames were 0xFF terminated rather than length prefixed. Now, however, it seems pointless to have a protocol level differentiation between text and binary frame types.

This would be, perhaps, less pointless if a general purpose protocol handler could reliably deliver complete messages to an application, but as we've seen before, that's not possible. Although backtracking to the last complete character in the UTF-8 stream is relatively straight forward (see here) there seems to be little value in converting a partial message to a wide string form only to have the have the application layer have to store and concatenate to obtain a complete message...

Robert Gezelter probably says it far better than I can here on his blog; the differentiation between binary and text should occur at the application level.

WebSockets is a stream, not a message based protocol...

2011-07-06T12:34:17Z

The first thing to realise about the WebSockets protocol is that it isn't really message based at all despite what the RFC claims.

   Clients and servers, after a successful handshake, transfer data back
   and forth in conceptual units referred to in this specification as
   "messages".  A message is a complete unit of data at an application
   level, with the expectation that many or most applications
   implementing this protocol (such as web user agents) provide APIs in
   terms of sending and receiving messages.  The WebSocket message does
   not necessarily correspond to a particular network layer framing, as
   a fragmented message may be coalesced, or vice versa, e.g. by an
   intermediary.

and...

   The WebSocket protocol uses this framing so that specifications that
   use the WebSocket protocol can expose such connections using an
   event-based mechanism instead of requiring users of those
   specifications to implement buffering and piecing together of
   messages manually.

Suggest that a message based, event driven design which presents complete messages to the application layer would be a sensible design. Unfortunately once you realise exactly how a message is made up it becomes impossible to provide an interface where you ONLY deliver messages as complete units to the application layer.

]]> WebSocket messages consist of one or more frames. A frame can be either a complete frame or a fragmented frame. Messages themselves do not have any length indication built into the protocol, only frames do. Frames can have a payload length of up to 9,223,372,036,854,775,807 bytes (due to the fact that the protocol allows for a 63bit length indicator) and finally...

   The primary purpose of fragmentation is to allow sending a message
   that is of unknown size when the message is started without having to
   buffer that message.  If messages couldn't be fragmented, then an
   endpoint would have to buffer the entire message so its length could
   be counted before first byte is sent.  With fragmentation, a server
   or intermediary may choose a reasonable size buffer, and when the
   buffer is full write a fragment to the network.

So a single WebSocket "message" can consist of an unlimited number of 9,223,372,036,854,775,807 byte fragments. This makes it impossible for a general purpose Websocket protocol parser to only present complete messages to the application layer in such a way that the application doesn't need to do some form of "buffering and piecing together of messages manually". At best a general purpose parser could present Websocket data as a 'sequence of streams', given that each "message" is in fact simply a potentially infinite stream of bytes with a message terminator (the FIN bit in the frame header) at the end. It could do this by passing the application layer an interface that allowed the application to pull data from the Websocket "message" until it was complete, and that's less than ideal if you are used to working with asynchronous, push, APIs, or trying to avoid unnecessary memory copies...

Even if the maximum frame size was reduced, as some propose, the problem would still be present due to the fact that a single message can consist of an infinite number of fragments. Likewise a protocol parser can not take the easy route and simply disallow fragmented frames since the RFC states that...

   o  Clients and servers MUST support receiving both fragmented and
      unfragmented messages.

   o  An intermediary MUST NOT change the fragmentation of a message if
      any reserved bit values are used and the meaning of these values
      is not known to the intermediary.

   o  An intermediary MUST NOT change the fragmentation of any message
      in the context of a connection where extensions have been
      negotiated and the intermediary is not aware of the semantics of
      the negotiated extensions.

Which means that although the application that you've written may send and receive WebSocket messages of an application restricted maximum size you may still find that you receive fragments because an intermediary has decided to fragment your frames. Unless, of course, you subvert the protocol extensions functionality by negotiating "x-{My own private GUID}" extension between your client and server which would neatly prevent any intermediaries (except ones that you'd written yourself) from changing the fragmentation of your frames... Then, of course, the intermediaries may simply decide to remove the client's request for your unknown extension from its initial handshake request to prevent it being negotiated. Or, perhaps more likely, close your connection with a 1004 close code...

There's resistance to proposals to allow the maximum frame size to be negotiated during the handshake phase but there's a standard close code for "frame too big"... Should an application just guess how large it's allowed to go?

The view of some on the discussion list seems to be that "A server (or client) which exposes the frames as its primary API is doing it wrong." but it seems to me that to write a flexible and general purpose protocol parser which can be used by both push and pull APIs you have no option but to expose details of the message framing. The reason for this is that a general purpose parser cannot buffer complete messages, or even complete frames and so must deliver the data either as a stream of bytes at an application level or as a sequence of partial frames and allow the application to decide how to accumulate the frames into messages. By hiding all of the framing from the application the application developer cannot take advantage of knowledge that he has of the message structure of his particular messages. This is especially useful with asynchronous APIs where the application might be pushed buffers with data in them as the data arrives - which is how most of The Server Framework happens to operate and how I/O Completion Port centric designs would tend to work. If an application works in terms of, say, messages that could be at most 4096 bytes and is dealing with buffers that can contain complete messages then it could use the details of the data framing to allow it to efficiently accumulate the data into a single buffer and then dispatch the complete message for processing when it receives the final frame. The alternative is to add complexity to the protocol parser by allowing it to accumulate 'messages' up to a configurable size and present complete messages via one callback and incomplete messages via another, or to provide only a stream based pull API which requires the application to needlessly copy data from the protocol parser's buffers into its own.

The 63bit fragment size and fragmentation in general appear to come from a requirement for streaming data from one end of the connection to the other, see here where a Unixy design idea of simply telling the application to "read x amount of data from this file handle" seems perfectly sensible... Of course this design will fail as soon as you need to send a stream that's bigger than the 63bit frame size will allow and it'll also fail if the frame is fragmented as then the API becomes "read x amount of data from this file handle, but you're not done yet, wait and I'll call you again with more"... At which point and given the possibility of intermediaries that fragment your large fragment down to, lets be generous, 1024 byte fragments anyway, you may as well simply limit the maximum size of frames to something more manageable... But I suppose "nobody will ever need more than 63bits of data length"...

Unfortunately, large frame sizes also open the protocol up to lazy application design. Lets say we're sending a file, we open the file and read some, send a fragmented frame header for the total file length and then simply start sending data. Cool, we don't need to worry about the protocol any more, no need to build messages, just pull the data from disk and send it to the other side. This works fine until you have a read failure, or any other reason to terminate the connection. Since you're in the middle of sending a single huge frame you can't send an application level frame that informs the other side of the problem. You can't even send a WebSocket close frame to shut down the connection cleanly, all you can do is abort the connection...

So, WebSockets presents a sequence of infinitely long byte streams with a termination indicator (the FIN bit in the frame header) and not a message based interface as you might initially believe. Given that a general purpose protocol handler can only work in terms of partial frames, we effectively have a stream based protocol with lots of added complexity to provide the illusion of a message based protocol that can actually only ever be dealt with as a stream of bytes.

The WebSocket protocol, design by committee and requirements tracing

2011-07-06T07:37:14Z

I've been working with the WebSocket protocol recently, updating the code that implements the protocol in The Server Framework to the latest version of the draft standard (the HyBi 09 version). Whilst this looks like it's almost a real standard, there are still lots of potentially open issues as can be seen from the HyBi discussion mailing list.

It's quite clear from some of the less cohesive parts of the draft spec (and more so from the mailing list) that the protocol is very much a design by committee effort. This is both good and bad: It's good that the protocol includes support for a wide range of use cases and, well, it's bad that the protocol is more complex because it includes support for a wide range of use cases...

It would be fascinating (and time consuming) to read through the discussion lists from the start and track the reasons behind the various changes and evolutionary steps that the protocol has gone through. Unfortunately, at present some of the elements of the protocol require you to do that if you want to understand why they exist. Without reading all of the discussion list there's a lack of traceability from the various elements of the protocol to the various use case requirements that caused them to be included. Given the evolution of the protocol it's likely that some areas of the protocol have become detached from the original requirements (as other areas have been modified and now no longer support the original requirements, for example, the idea that WebSockets is a message based protocol is undermined by defining a message in terms of an infinite number of fragments without any form of message length indication).

All of this means that implementing the protocol from the current RFC is harder than it needs to be and often the wording of the RFC itself will lead you towards designs that don't work well with the actual protocol. Ideally all of these loose ends will get cleaned up before the standard is ratified but the protocol has been in draft form for a long time and I'm sure some would prefer it to be ratified as is rather than go through yet another round of changes...

I've been accumulating several rants about the protocol and I'll be presenting them as stand alone blog entries (mainly because they've each grown too large to be joined together in one entry). Often the solution to my frustrations would simply be a modification of the descriptive portions of the RFC text to give a little more explanation as to the thoughts behind the decisions.

GetExtendedTcpTable(), MIB_TCPTABLE_OWNER_PID and TIME_WAIT

2011-02-07T16:49:28Z

I have a client who is possibly suffering from TIME_WAIT accumulation issues and I thought that the best way to find out for sure was to get them to add the TIME_WAIT perfmon counter to their normal counter logs so that we could see how and when sockets in TIME_WAIT accumulate on the machine.

The problem is that there doesn't seem to be a perfmon counter for this, which is unfortunate, especially since you can easily get the number of established and reset connections from the TCPv4 and TCPv6 performance objects.

Since all of this information is available by querying the TCP table with GetTcpTable() or GetExtendedTcpTable() I might put together a utility that polls the TCP table and publishes the a TIME_WAIT counter, however, before doing that I decided to hack up a simple example that polls the TCP table and simply dumps the number of connections in TIME_WAIT to the console. This is a bit like netstat and post processing the output.

I got this working quite nicely and then thought it might be useful to switch to using MIB_TCPTABLE_OWNER_PID so that I could group the connections by process and so show which processes were causing the TIME_WAIT connections to accumulate. Unfortunately the dwOwningPid field is set to zero for connections in TIME_WAIT, which is somewhat understandable, as they can outlive the process that generated them, but unfortunate when they haven't...

Lock inversion detector finally fully integrated in my build

2010-11-23T09:25:00Z

After a week or so of serious dog fooding I've finally got a nice reliable lock inversion detector running as part of my build system for The Server Framework's example servers.

Note: the deadlock detector mentioned in this blog post is now available for download from www.lockexplorer.com.

The build system has always run a set of 'black box' server tests for each server example as part of the build. These start up the example server in question, run a set of connections against it and shut the server down. This proves that the example servers actually work and has also proved a very useful technique for flushing out hard to reproduce bugs; generally race conditions. Since the build system runs so often and on so many different build machines the code gets run enough and on varied enough hardware to flush out these problems.

I've been aiming to get some form of deadlock testing into this build system for a while. The original deadlock detector tool was too slow to run on the build servers and so I developed a cut down version and tuned the injection and monitoring engine. That gave me a detector that COULD run as part of the build system...

This last piece of work has involved integrating that detector into the test scripts so that it gets run and can report failures in a way that will flag the build as failed if it detects any lock inversions. Of course it also detects full blown deadlocks but the lock inversion detection is much more powerful as the code under test need never actually be coaxed into deadlocking it just has to show the possibility of deadlocking for the tests to fail.

I've now run the new build system for the 70+ example servers and I've found one lock inversion in three places of the framework; the inversion was due to a pattern that I repeated for the OpenSSL, SChannel and SSPI connectors and was easily fixed by removing the lock that was the cause of the inversion and instead using one lock rather than two. This clearly shows what I've known for a long time, object oriented programming and encapsulation in particular are often at odds with concurrency. It's obvious to make an object thread safe by giving it a lock that it can use to protect itself; it's often then more complex to ensure that these objects don't deadlock as they call into each other whilst holding locks that aren't evident at the call site. At present I consider it a post design optimisation to break encapsulation and, potentially, share locks across related objects. The lock inversion detector as part of the build makes it obvious when it's not just an optimisation but a requirement.

The lock inversions mentioned above are removed in release 6.3.2 of The Server Framework which was released today.