grpc 1.50.0.pre1 → 1.51.0

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -46,7 +46,9 @@
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/gprpp/orphanable.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/status_helper.h"
 #include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/gprpp/time.h"
 #include "src/core/lib/http/httpcli.h"
@@ -65,8 +67,8 @@
 #include "src/core/lib/security/credentials/jwt/json_token.h"
 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
+#include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
-#include "src/core/lib/slice/slice_refcount.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/transport/error_utils.h"
 #include "src/core/lib/uri/uri_parser.h"
@@ -171,7 +173,7 @@ static void on_metadata_server_detection_http_response(
     void* user_data, grpc_error_handle error) {
   metadata_server_detector* detector =
       static_cast<metadata_server_detector*>(user_data);
-  if (GRPC_ERROR_IS_NONE(error) && detector->response.status == 200 &&
+  if (error.ok() && detector->response.status == 200 &&
       detector->response.hdr_count > 0) {
     /* Internet providers can return a generic response to all requests, so
        it is necessary to check that metadata header is present also. */
@@ -273,7 +275,12 @@ bool ValidateUrlField(const Json& json, const std::string& field) {
   absl::string_view host;
   absl::string_view port;
   grpc_core::SplitHostPort(url->authority(), &host, &port);
-  if (absl::ConsumeSuffix(&host, ".googleapis.com")) {
+  if (absl::ConsumeSuffix(&host, ".p.googleapis.com")) {
+    if (absl::StartsWith(host, "sts-") ||
+        absl::StartsWith(host, "iamcredentials-")) {
+      return true;
+    }
+  } else if (absl::ConsumeSuffix(&host, ".googleapis.com")) {
     if (host == "sts" || host == "iamcredentials") {
       return true;
     } else if (absl::StartsWith(host, "sts.") ||
@@ -307,14 +314,14 @@ static grpc_error_handle create_default_creds_from_path(
   grpc_auth_refresh_token token;
   grpc_core::RefCountedPtr<grpc_call_credentials> result;
   grpc_slice creds_data = grpc_empty_slice();
-  grpc_error_handle error = GRPC_ERROR_NONE;
+  grpc_error_handle error;
   Json json;
   if (creds_path.empty()) {
-    error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("creds_path unset");
+    error = GRPC_ERROR_CREATE("creds_path unset");
     goto end;
   }
   error = grpc_load_file(creds_path.c_str(), 0, &creds_data);
-  if (!GRPC_ERROR_IS_NONE(error)) goto end;
+  if (!error.ok()) goto end;
   {
     auto json_or = Json::Parse(grpc_core::StringViewFromSlice(creds_data));
     if (!json_or.ok()) {
@@ -324,9 +331,9 @@ static grpc_error_handle create_default_creds_from_path(
     json = std::move(*json_or);
   }
   if (json.type() != Json::Type::OBJECT) {
-    error = grpc_error_set_str(
-        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Failed to parse JSON"),
-        GRPC_ERROR_STR_RAW_BYTES, grpc_core::StringViewFromSlice(creds_data));
+    error = grpc_error_set_str(GRPC_ERROR_CREATE("Failed to parse JSON"),
+                               grpc_core::StatusStrProperty::kRawBytes,
+                               grpc_core::StringViewFromSlice(creds_data));
     goto end;
   }
 
@@ -337,7 +344,7 @@ static grpc_error_handle create_default_creds_from_path(
         grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
             key, grpc_max_auth_token_lifetime());
     if (result == nullptr) {
-      error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+      error = GRPC_ERROR_CREATE(
           "grpc_service_account_jwt_access_credentials_create_from_auth_json_"
           "key failed");
     }
@@ -350,7 +357,7 @@ static grpc_error_handle create_default_creds_from_path(
     result =
         grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
     if (result == nullptr) {
-      error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+      error = GRPC_ERROR_CREATE(
           "grpc_refresh_token_credentials_create_from_auth_refresh_token "
           "failed");
     }
@@ -359,15 +366,14 @@ static grpc_error_handle create_default_creds_from_path(
 
   /* Finally try an external account credentials.*/
   if (!ValidateExteralAccountCredentials(json)) {
-    error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "Invalid external account credentials format.");
+    error = GRPC_ERROR_CREATE("Invalid external account credentials format.");
     goto end;
   }
   result = grpc_core::ExternalAccountCredentials::Create(json, {}, &error);
 
 end:
-  GPR_ASSERT((result == nullptr) + (GRPC_ERROR_IS_NONE(error)) == 1);
-  grpc_slice_unref_internal(creds_data);
+  GPR_ASSERT((result == nullptr) + (error.ok()) == 1);
+  grpc_core::CSliceUnref(creds_data);
   *creds = result;
   return error;
 }
@@ -402,14 +408,14 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
   auto path_from_env = grpc_core::GetEnv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
   if (path_from_env.has_value()) {
     err = create_default_creds_from_path(*path_from_env, &call_creds);
-    if (GRPC_ERROR_IS_NONE(err)) return call_creds;
+    if (err.ok()) return call_creds;
     *error = grpc_error_add_child(*error, err);
   }
 
   /* Then the well-known file. */
   err = create_default_creds_from_path(
       grpc_get_well_known_google_credentials_file_path(), &call_creds);
-  if (GRPC_ERROR_IS_NONE(err)) return call_creds;
+  if (err.ok()) return call_creds;
   *error = grpc_error_add_child(*error, err);
 
   update_tenancy();
@@ -418,11 +424,9 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
     call_creds = grpc_core::RefCountedPtr<grpc_call_credentials>(
         grpc_google_compute_engine_credentials_create(nullptr));
     if (call_creds == nullptr) {
-      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          GRPC_GOOGLE_CREDENTIAL_CREATION_ERROR);
+      *error = GRPC_ERROR_CREATE(GRPC_GOOGLE_CREDENTIAL_CREATION_ERROR);
       *error = grpc_error_add_child(
-          *error, GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-                      "Failed to get credentials from network"));
+          *error, GRPC_ERROR_CREATE("Failed to get credentials from network"));
     }
   }
 
@@ -433,7 +437,7 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
     grpc_call_credentials* call_credentials) {
   grpc_channel_credentials* result = nullptr;
   grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
-  grpc_error_handle error = GRPC_ERROR_NONE;
+  grpc_error_handle error;
   grpc_core::ExecCtx exec_ctx;
 
   GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1,
@@ -462,9 +466,8 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
     GPR_ASSERT(result != nullptr);
   } else {
     gpr_log(GPR_ERROR, "Could not create google default credentials: %s",
-            grpc_error_std_string(error).c_str());
+            grpc_core::StatusToString(error).c_str());
   }
-  GRPC_ERROR_UNREF(error);
   return result;
 }
 

data/src/core/lib/security/credentials/iam/iam_credentials.cc

@@ -22,6 +22,7 @@
 
 #include <stdlib.h>
 
+#include <memory>
 #include <utility>
 
 #include "absl/strings/str_format.h"

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -23,7 +23,6 @@
 #include <stdint.h>
 #include <string.h>
 
-#include <map>
 #include <string>
 #include <utility>
 
@@ -77,7 +76,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) {
   BIO* bio = nullptr;
   const char* prop_value;
   int success = 0;
-  grpc_error_handle error = GRPC_ERROR_NONE;
+  grpc_error_handle error;
 
   memset(&result, 0, sizeof(grpc_auth_json_key));
   result.type = GRPC_AUTH_JSON_TYPE_INVALID;

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -23,7 +23,7 @@
 #include <inttypes.h>
 #include <stdlib.h>
 
-#include <map>
+#include <memory>
 #include <string>
 #include <utility>
 

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -63,8 +63,8 @@
 #include "src/core/lib/iomgr/polling_entity.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/slice/b64.h"
+#include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
-#include "src/core/lib/slice/slice_refcount.h"
 #include "src/core/lib/uri/uri_parser.h"
 #include "src/core/tsi/ssl_types.h"
 
@@ -114,7 +114,7 @@ static Json parse_json_part_from_jwt(const char* str, size_t len) {
   }
   absl::string_view string = grpc_core::StringViewFromSlice(slice);
   auto json = Json::Parse(string);
-  grpc_slice_unref_internal(slice);
+  grpc_core::CSliceUnref(slice);
   if (!json.ok()) {
     gpr_log(GPR_ERROR, "JSON parse error: %s",
             json.status().ToString().c_str());
@@ -396,8 +396,8 @@ static verifier_cb_ctx* verifier_cb_ctx_create(
 void verifier_cb_ctx_destroy(verifier_cb_ctx* ctx) {
   if (ctx->audience != nullptr) gpr_free(ctx->audience);
   if (ctx->claims != nullptr) grpc_jwt_claims_destroy(ctx->claims);
-  grpc_slice_unref_internal(ctx->signature);
-  grpc_slice_unref_internal(ctx->signed_data);
+  grpc_core::CSliceUnref(ctx->signature);
+  grpc_core::CSliceUnref(ctx->signed_data);
   jose_header_destroy(ctx->header);
   for (size_t i = 0; i < HTTP_RESPONSE_COUNT; i++) {
     grpc_http_response_destroy(&ctx->responses[i]);
@@ -487,7 +487,7 @@ static BIGNUM* bignum_from_base64(const char* b64) {
   }
   result = BN_bin2bn(GRPC_SLICE_START_PTR(bin),
                      TSI_SIZE_AS_SIZE(GRPC_SLICE_LENGTH(bin)), nullptr);
-  grpc_slice_unref_internal(bin);
+  grpc_core::CSliceUnref(bin);
   return result;
 }
 

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -47,6 +47,7 @@
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gprpp/memory.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/status_helper.h"
 #include "src/core/lib/http/httpcli_ssl_credentials.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/load_file.h"
@@ -56,11 +57,9 @@
 #include "src/core/lib/promise/poll.h"
 #include "src/core/lib/promise/promise.h"
 #include "src/core/lib/security/util/json_util.h"
-#include "src/core/lib/slice/slice_refcount.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/transport/error_utils.h"
 #include "src/core/lib/transport/metadata_batch.h"
-#include "src/core/lib/transport/transport.h"
 #include "src/core/lib/uri/uri_parser.h"
 
 using grpc_core::Json;
@@ -80,7 +79,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
   grpc_auth_refresh_token result;
   const char* prop_value;
   int success = 0;
-  grpc_error_handle error = GRPC_ERROR_NONE;
+  grpc_error_handle error;
 
   memset(&result, 0, sizeof(grpc_auth_refresh_token));
   result.type = GRPC_AUTH_JSON_TYPE_INVALID;
@@ -235,7 +234,7 @@ end:
 
 static void on_oauth2_token_fetcher_http_response(void* user_data,
                                                   grpc_error_handle error) {
-  GRPC_LOG_IF_ERROR("oauth_fetch", GRPC_ERROR_REF(error));
+  GRPC_LOG_IF_ERROR("oauth_fetch", error);
   grpc_credentials_metadata_request* r =
       static_cast<grpc_credentials_metadata_request*>(user_data);
   grpc_oauth2_token_fetcher_credentials* c =
@@ -248,10 +247,9 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
   absl::optional<grpc_core::Slice> access_token_value;
   grpc_core::Duration token_lifetime;
   grpc_credentials_status status =
-      GRPC_ERROR_IS_NONE(error)
-          ? grpc_oauth2_token_fetcher_credentials_parse_server_response(
-                &r->response, &access_token_value, &token_lifetime)
-          : GRPC_CREDENTIALS_ERROR;
+      error.ok() ? grpc_oauth2_token_fetcher_credentials_parse_server_response(
+                       &r->response, &access_token_value, &token_lifetime)
+                 : GRPC_CREDENTIALS_ERROR;
   // Update cache and grab list of pending requests.
   gpr_mu_lock(&mu_);
   token_fetch_pending_ = false;
@@ -275,10 +273,9 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
           [](absl::string_view, const grpc_core::Slice&) { abort(); });
       pending_request->result = std::move(pending_request->md);
     } else {
-      auto err = GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+      auto err = GRPC_ERROR_CREATE_REFERENCING(
           "Error occurred when fetching oauth2 token.", &error, 1);
       pending_request->result = grpc_error_to_absl_status(err);
-      GRPC_ERROR_UNREF(err);
     }
     pending_request->done.store(true, std::memory_order_release);
     pending_request->waker.Wakeup();
@@ -534,10 +531,10 @@ void MaybeAddToBody(const char* field_name, const char* field,
 
 grpc_error_handle LoadTokenFile(const char* path, gpr_slice* token) {
   grpc_error_handle err = grpc_load_file(path, 1, token);
-  if (!GRPC_ERROR_IS_NONE(err)) return err;
+  if (!err.ok()) return err;
   if (GRPC_SLICE_LENGTH(*token) == 0) {
     gpr_log(GPR_ERROR, "Token file %s is empty", path);
-    err = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Token file is empty.");
+    err = GRPC_ERROR_CREATE("Token file is empty.");
   }
   return err;
 }
@@ -572,9 +569,8 @@ class StsTokenFetcherCredentials
     grpc_http_request request;
     memset(&request, 0, sizeof(grpc_http_request));
     grpc_error_handle err = FillBody(&request.body, &request.body_length);
-    if (!GRPC_ERROR_IS_NONE(err)) {
+    if (!err.ok()) {
       response_cb(metadata_req, err);
-      GRPC_ERROR_UNREF(err);
       return;
     }
     grpc_http_header header = {
@@ -606,22 +602,22 @@ class StsTokenFetcherCredentials
     std::vector<std::string> body_parts;
     grpc_slice subject_token = grpc_empty_slice();
     grpc_slice actor_token = grpc_empty_slice();
-    grpc_error_handle err = GRPC_ERROR_NONE;
+    grpc_error_handle err;
 
     auto cleanup = [&body, &body_length, &body_parts, &subject_token,
                     &actor_token, &err]() {
-      if (GRPC_ERROR_IS_NONE(err)) {
+      if (err.ok()) {
         std::string body_str = absl::StrJoin(body_parts, "");
         *body = gpr_strdup(body_str.c_str());
         *body_length = body_str.size();
       }
-      grpc_slice_unref_internal(subject_token);
-      grpc_slice_unref_internal(actor_token);
+      CSliceUnref(subject_token);
+      CSliceUnref(actor_token);
       return err;
     };
 
     err = LoadTokenFile(subject_token_path_.get(), &subject_token);
-    if (!GRPC_ERROR_IS_NONE(err)) return cleanup();
+    if (!err.ok()) return cleanup();
     body_parts.push_back(absl::StrFormat(
         GRPC_STS_POST_MINIMAL_BODY_FORMAT_STRING,
         reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(subject_token)),
@@ -633,7 +629,7 @@ class StsTokenFetcherCredentials
                    &body_parts);
     if ((actor_token_path_ != nullptr) && *actor_token_path_ != '\0') {
       err = LoadTokenFile(actor_token_path_.get(), &actor_token);
-      if (!GRPC_ERROR_IS_NONE(err)) return cleanup();
+      if (!err.ok()) return cleanup();
       MaybeAddToBody(
           "actor_token",
           reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(actor_token)),
@@ -666,31 +662,29 @@ absl::StatusOr<URI> ValidateStsCredentialsOptions(
                      ? ""
                      : options->token_exchange_service_uri);
   if (!sts_url.ok()) {
-    error_list.push_back(GRPC_ERROR_CREATE_FROM_CPP_STRING(
+    error_list.push_back(GRPC_ERROR_CREATE(
         absl::StrFormat("Invalid or missing STS endpoint URL. Error: %s",
                         sts_url.status().ToString())));
   } else if (sts_url->scheme() != "https" && sts_url->scheme() != "http") {
-    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "Invalid URI scheme, must be https to http."));
+    error_list.push_back(
+        GRPC_ERROR_CREATE("Invalid URI scheme, must be https to http."));
   }
   if (options->subject_token_path == nullptr ||
       strlen(options->subject_token_path) == 0) {
-    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "subject_token needs to be specified"));
+    error_list.push_back(
+        GRPC_ERROR_CREATE("subject_token needs to be specified"));
   }
   if (options->subject_token_type == nullptr ||
       strlen(options->subject_token_type) == 0) {
-    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "subject_token_type needs to be specified"));
+    error_list.push_back(
+        GRPC_ERROR_CREATE("subject_token_type needs to be specified"));
   }
   if (error_list.empty()) {
     return sts_url;
   }
   auto grpc_error_vec = GRPC_ERROR_CREATE_FROM_VECTOR(
       "Invalid STS Credentials Options", &error_list);
-  auto retval =
-      absl::InvalidArgumentError(grpc_error_std_string(grpc_error_vec));
-  GRPC_ERROR_UNREF(grpc_error_vec);
+  auto retval = absl::InvalidArgumentError(StatusToString(grpc_error_vec));
   return retval;
 }
 

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -21,6 +21,7 @@
 #include "src/core/lib/security/credentials/plugin/plugin_credentials.h"
 
 #include <atomic>
+#include <memory>
 
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
@@ -95,7 +96,7 @@ grpc_plugin_credentials::PendingRequest::ProcessPluginResult(
       for (size_t i = 0; i < num_md; ++i) {
         md_->Append(
             grpc_core::StringViewFromSlice(md[i].key),
-            grpc_core::Slice(grpc_slice_ref_internal(md[i].value)),
+            grpc_core::Slice(grpc_core::CSliceRef(md[i].value)),
             [&error](absl::string_view message, const grpc_core::Slice&) {
               error = absl::UnavailableError(message);
             });
@@ -132,8 +133,8 @@ void grpc_plugin_credentials::PendingRequest::RequestMetadataReady(
   }
   for (size_t i = 0; i < num_md; ++i) {
     grpc_metadata p;
-    p.key = grpc_slice_ref_internal(md[i].key);
-    p.value = grpc_slice_ref_internal(md[i].value);
+    p.key = grpc_core::CSliceRef(md[i].key);
+    p.value = grpc_core::CSliceRef(md[i].value);
     r->metadata_.push_back(p);
   }
   r->error_details_ = error_details == nullptr ? "" : error_details;
@@ -191,8 +192,8 @@ grpc_plugin_credentials::GetRequestMetadata(
                                              error_details);
   // Clean up.
   for (size_t i = 0; i < num_creds_md; ++i) {
-    grpc_slice_unref_internal(creds_md[i].key);
-    grpc_slice_unref_internal(creds_md[i].value);
+    grpc_core::CSliceUnref(creds_md[i].key);
+    grpc_core::CSliceUnref(creds_md[i].value);
   }
   gpr_free(const_cast<char*>(error_details));
 

data/src/core/lib/security/credentials/plugin/plugin_credentials.h

@@ -45,7 +45,7 @@
 #include "src/core/lib/promise/poll.h"
 #include "src/core/lib/security/credentials/call_creds_util.h"
 #include "src/core/lib/security/credentials/credentials.h"
-#include "src/core/lib/slice/slice_refcount.h"
+#include "src/core/lib/slice/slice.h"
 #include "src/core/lib/transport/transport.h"
 
 extern grpc_core::TraceFlag grpc_plugin_credentials_trace;
@@ -81,8 +81,8 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
     ~PendingRequest() override {
       grpc_auth_metadata_context_reset(&context_);
       for (size_t i = 0; i < metadata_.size(); i++) {
-        grpc_slice_unref_internal(metadata_[i].key);
-        grpc_slice_unref_internal(metadata_[i].value);
+        grpc_core::CSliceUnref(metadata_[i].key);
+        grpc_core::CSliceUnref(metadata_[i].value);
       }
     }
 

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc

@@ -19,7 +19,8 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 
 #include <algorithm>
-#include <vector>
+
+#include "absl/status/status.h"
 
 #include <grpc/grpc_security.h>
 #include <grpc/support/log.h>
@@ -32,7 +33,7 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
   auto& cert_info = certificate_info_map_[cert_name];
   if (pem_root_certs.has_value()) {
     // Successful credential updates will clear any pre-existing error.
-    cert_info.SetRootError(GRPC_ERROR_NONE);
+    cert_info.SetRootError(absl::OkStatus());
     for (auto* watcher_ptr : cert_info.root_cert_watchers) {
       GPR_ASSERT(watcher_ptr != nullptr);
       const auto watcher_it = watchers_.find(watcher_ptr);
@@ -57,7 +58,7 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
   }
   if (pem_key_cert_pairs.has_value()) {
     // Successful credential updates will clear any pre-existing error.
-    cert_info.SetIdentityError(GRPC_ERROR_NONE);
+    cert_info.SetIdentityError(absl::OkStatus());
     for (const auto watcher_ptr : cert_info.identity_cert_watchers) {
       GPR_ASSERT(watcher_ptr != nullptr);
       const auto watcher_it = watchers_.find(watcher_ptr);
@@ -113,7 +114,7 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
       GPR_ASSERT(watcher_it != watchers_.end());
       // identity_cert_error_to_report is the error of the identity cert this
       // watcher is watching, if there is any.
-      grpc_error_handle identity_cert_error_to_report = GRPC_ERROR_NONE;
+      grpc_error_handle identity_cert_error_to_report;
       if (identity_cert_error.has_value() &&
           watcher_it->second.identity_cert_name == cert_name) {
         identity_cert_error_to_report = *identity_cert_error;
@@ -122,8 +123,7 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
             certificate_info_map_[*watcher_it->second.identity_cert_name];
         identity_cert_error_to_report = identity_cert_info.identity_cert_error;
       }
-      watcher_ptr->OnError(GRPC_ERROR_REF(*root_cert_error),
-                           GRPC_ERROR_REF(identity_cert_error_to_report));
+      watcher_ptr->OnError(*root_cert_error, identity_cert_error_to_report);
     }
     cert_info.SetRootError(*root_cert_error);
   }
@@ -134,7 +134,7 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
       GPR_ASSERT(watcher_it != watchers_.end());
       // root_cert_error_to_report is the error of the root cert this watcher is
       // watching, if there is any.
-      grpc_error_handle root_cert_error_to_report = GRPC_ERROR_NONE;
+      grpc_error_handle root_cert_error_to_report;
       if (root_cert_error.has_value() &&
           watcher_it->second.root_cert_name == cert_name) {
         // In this case, We've already sent the error updates at the time when
@@ -145,32 +145,28 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
             certificate_info_map_[*watcher_it->second.root_cert_name];
         root_cert_error_to_report = root_cert_info.root_cert_error;
       }
-      watcher_ptr->OnError(GRPC_ERROR_REF(root_cert_error_to_report),
-                           GRPC_ERROR_REF(*identity_cert_error));
+      watcher_ptr->OnError(root_cert_error_to_report, *identity_cert_error);
     }
     cert_info.SetIdentityError(*identity_cert_error);
   }
 };
 
 void grpc_tls_certificate_distributor::SetError(grpc_error_handle error) {
-  GPR_ASSERT(!GRPC_ERROR_IS_NONE(error));
+  GPR_ASSERT(!error.ok());
   grpc_core::MutexLock lock(&mu_);
   for (const auto& watcher : watchers_) {
     const auto watcher_ptr = watcher.first;
     GPR_ASSERT(watcher_ptr != nullptr);
     const auto& watcher_info = watcher.second;
     watcher_ptr->OnError(
-        watcher_info.root_cert_name.has_value() ? GRPC_ERROR_REF(error)
-                                                : GRPC_ERROR_NONE,
-        watcher_info.identity_cert_name.has_value() ? GRPC_ERROR_REF(error)
-                                                    : GRPC_ERROR_NONE);
+        watcher_info.root_cert_name.has_value() ? error : absl::OkStatus(),
+        watcher_info.identity_cert_name.has_value() ? error : absl::OkStatus());
   }
   for (auto& cert_info_entry : certificate_info_map_) {
     auto& cert_info = cert_info_entry.second;
-    cert_info.SetRootError(GRPC_ERROR_REF(error));
-    cert_info.SetIdentityError(GRPC_ERROR_REF(error));
+    cert_info.SetRootError(error);
+    cert_info.SetIdentityError(error);
   }
-  GRPC_ERROR_UNREF(error);
 };
 
 void grpc_tls_certificate_distributor::WatchTlsCertificates(
@@ -195,15 +191,15 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
                               identity_cert_name};
     absl::optional<absl::string_view> updated_root_certs;
     absl::optional<grpc_core::PemKeyCertPairList> updated_identity_pairs;
-    grpc_error_handle root_error = GRPC_ERROR_NONE;
-    grpc_error_handle identity_error = GRPC_ERROR_NONE;
+    grpc_error_handle root_error;
+    grpc_error_handle identity_error;
     if (root_cert_name.has_value()) {
       CertificateInfo& cert_info = certificate_info_map_[*root_cert_name];
       start_watching_root_cert = cert_info.root_cert_watchers.empty();
       already_watching_identity_for_root_cert =
           !cert_info.identity_cert_watchers.empty();
       cert_info.root_cert_watchers.insert(watcher_ptr);
-      root_error = GRPC_ERROR_REF(cert_info.root_cert_error);
+      root_error = cert_info.root_cert_error;
       // Empty credentials will be treated as no updates.
       if (!cert_info.pem_root_certs.empty()) {
         updated_root_certs = cert_info.pem_root_certs;
@@ -215,7 +211,7 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
       already_watching_root_for_identity_cert =
           !cert_info.root_cert_watchers.empty();
       cert_info.identity_cert_watchers.insert(watcher_ptr);
-      identity_error = GRPC_ERROR_REF(cert_info.identity_cert_error);
+      identity_error = cert_info.identity_cert_error;
       // Empty credentials will be treated as no updates.
       if (!cert_info.pem_key_cert_pairs.empty()) {
         updated_identity_pairs = cert_info.pem_key_cert_pairs;
@@ -231,13 +227,9 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
                                          std::move(updated_identity_pairs));
     }
     // Notify this watcher if the certs it is watching already had some errors.
-    if (!GRPC_ERROR_IS_NONE(root_error) ||
-        !GRPC_ERROR_IS_NONE(identity_error)) {
-      watcher_ptr->OnError(GRPC_ERROR_REF(root_error),
-                           GRPC_ERROR_REF(identity_error));
+    if (!root_error.ok() || !identity_error.ok()) {
+      watcher_ptr->OnError(root_error, identity_error);
     }
-    GRPC_ERROR_UNREF(root_error);
-    GRPC_ERROR_UNREF(identity_error);
   }
   // Invoke watch status callback if needed.
   {

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h

@@ -176,9 +176,9 @@ struct grpc_tls_certificate_distributor
     // The contents of the identity key-certificate pairs.
     grpc_core::PemKeyCertPairList pem_key_cert_pairs;
     // The root cert reloading error propagated by the caller.
-    grpc_error_handle root_cert_error = GRPC_ERROR_NONE;
+    grpc_error_handle root_cert_error;
     // The identity cert reloading error propagated by the caller.
-    grpc_error_handle identity_cert_error = GRPC_ERROR_NONE;
+    grpc_error_handle identity_cert_error;
     // The set of watchers watching root certificates.
     // This is mainly used for quickly looking up the affected watchers while
     // performing a credential reloading.
@@ -188,16 +188,9 @@ struct grpc_tls_certificate_distributor
     // credential reloading.
     std::set<TlsCertificatesWatcherInterface*> identity_cert_watchers;
 
-    ~CertificateInfo() {
-      GRPC_ERROR_UNREF(root_cert_error);
-      GRPC_ERROR_UNREF(identity_cert_error);
-    }
-    void SetRootError(grpc_error_handle error) {
-      GRPC_ERROR_UNREF(root_cert_error);
-      root_cert_error = error;
-    }
+    ~CertificateInfo() {}
+    void SetRootError(grpc_error_handle error) { root_cert_error = error; }
     void SetIdentityError(grpc_error_handle error) {
-      GRPC_ERROR_UNREF(identity_cert_error);
       identity_cert_error = error;
     }
   };