grpc 1.53.0 → 1.53.2

data/src/core/ext/transport/chttp2/transport/hpack_parser.h

@@ -29,6 +29,7 @@
 
 #include "src/core/ext/transport/chttp2/transport/frame.h"
 #include "src/core/ext/transport/chttp2/transport/hpack_parser_table.h"
+#include "src/core/lib/backoff/random_early_detection.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/transport/metadata_batch.h"
 
@@ -80,7 +81,8 @@ class HPackParser {
   // Begin parsing a new frame
   // Sink receives each parsed header,
   void BeginFrame(grpc_metadata_batch* metadata_buffer,
-                  uint32_t metadata_size_limit, Boundary boundary,
+                  uint32_t metadata_size_soft_limit,
+                  uint32_t metadata_size_hard_limit, Boundary boundary,
                   Priority priority, LogInfo log_info);
   // Start throwing away any received headers after parsing them.
   void StopBufferingFrame() { metadata_buffer_ = nullptr; }
@@ -103,7 +105,9 @@ class HPackParser {
   class String;
 
   grpc_error_handle ParseInput(Input input, bool is_last);
-  bool ParseInputInner(Input* input);
+  void ParseInputInner(Input* input);
+  GPR_ATTRIBUTE_NOINLINE
+  void HandleMetadataSoftSizeLimitExceeded(Input* input);
 
   // Target metadata buffer
   grpc_metadata_batch* metadata_buffer_ = nullptr;
@@ -121,7 +125,7 @@ class HPackParser {
   uint8_t dynamic_table_updates_allowed_;
   // Length of frame so far.
   uint32_t frame_length_;
-  uint32_t metadata_size_limit_;
+  RandomEarlyDetection metadata_early_detection_;
   // Information for logging
   LogInfo log_info_;
 

data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc

@@ -82,8 +82,8 @@ void HPackTable::MementoRingBuffer::Rebuild(uint32_t max_entries) {
 // Evict one element from the table
 void HPackTable::EvictOne() {
   auto first_entry = entries_.PopOne();
-  GPR_ASSERT(first_entry.transport_size() <= mem_used_);
-  mem_used_ -= first_entry.transport_size();
+  GPR_ASSERT(first_entry.md.transport_size() <= mem_used_);
+  mem_used_ -= first_entry.md.transport_size();
 }
 
 void HPackTable::SetMaxBytes(uint32_t max_bytes) {
@@ -104,7 +104,7 @@ grpc_error_handle HPackTable::SetCurrentTableSize(uint32_t bytes) {
     return absl::OkStatus();
   }
   if (bytes > max_bytes_) {
-    return GRPC_ERROR_CREATE(absl::StrFormat(
+    return absl::InternalError(absl::StrFormat(
         "Attempt to make hpack table %d bytes when max is %d bytes", bytes,
         max_bytes_));
   }
@@ -130,7 +130,7 @@ grpc_error_handle HPackTable::Add(Memento md) {
   }
 
   // we can't add elements bigger than the max table size
-  if (md.transport_size() > current_table_bytes_) {
+  if (md.md.transport_size() > current_table_bytes_) {
     // HPACK draft 10 section 4.4 states:
     // If the size of the new entry is less than or equal to the maximum
     // size, that entry is added to the table.  It is not an error to
@@ -145,13 +145,13 @@ grpc_error_handle HPackTable::Add(Memento md) {
   }
 
   // evict entries to ensure no overflow
-  while (md.transport_size() >
+  while (md.md.transport_size() >
          static_cast<size_t>(current_table_bytes_) - mem_used_) {
     EvictOne();
   }
 
   // copy the finalized entry in
-  mem_used_ += md.transport_size();
+  mem_used_ += md.md.transport_size();
   entries_.Put(std::move(md));
   return absl::OkStatus();
 }
@@ -228,12 +228,14 @@ const StaticTableEntry kStaticTable[hpack_constants::kLastStaticEntry] = {
 
 HPackTable::Memento MakeMemento(size_t i) {
   auto sm = kStaticTable[i];
-  return grpc_metadata_batch::Parse(
-      sm.key, Slice::FromStaticString(sm.value),
-      strlen(sm.key) + strlen(sm.value) + hpack_constants::kEntryOverhead,
-      [](absl::string_view, const Slice&) {
-        abort();  // not expecting to see this
-      });
+  return HPackTable::Memento{
+      grpc_metadata_batch::Parse(
+          sm.key, Slice::FromStaticString(sm.value),
+          strlen(sm.key) + strlen(sm.value) + hpack_constants::kEntryOverhead,
+          [](absl::string_view, const Slice&) {
+            abort();  // not expecting to see this
+          }),
+      absl::OkStatus()};
 }
 
 }  // namespace

data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h

@@ -25,6 +25,8 @@
 
 #include <vector>
 
+#include "absl/status/status.h"
+
 #include "src/core/ext/transport/chttp2/transport/hpack_constants.h"
 #include "src/core/lib/gprpp/no_destruct.h"
 #include "src/core/lib/iomgr/error.h"
@@ -45,7 +47,10 @@ class HPackTable {
   void SetMaxBytes(uint32_t max_bytes);
   grpc_error_handle SetCurrentTableSize(uint32_t bytes);
 
-  using Memento = ParsedMetadata<grpc_metadata_batch>;
+  struct Memento {
+    ParsedMetadata<grpc_metadata_batch> md;
+    absl::Status parse_status;
+  };
 
   // Lookup, but don't ref.
   const Memento* Lookup(uint32_t index) const {
@@ -68,6 +73,9 @@ class HPackTable {
   // Current entry count in the table.
   uint32_t num_entries() const { return entries_.num_entries(); }
 
+  // Current size of the table.
+  uint32_t test_only_table_size() const { return mem_used_; }
+
  private:
   struct StaticMementos {
     StaticMementos();

data/src/core/ext/transport/chttp2/transport/internal.h

@@ -457,6 +457,8 @@ struct grpc_chttp2_transport
   bool keepalive_ping_started = false;
   /// keep-alive state machine state
   grpc_chttp2_keepalive_state keepalive_state;
+  // Soft limit on max header size.
+  uint32_t max_header_list_size_soft_limit = 0;
   grpc_core::ContextList* cl = nullptr;
   grpc_core::RefCountedPtr<grpc_core::channelz::SocketNode> channelz_socket;
   uint32_t num_messages_in_next_write = 0;

data/src/core/ext/transport/chttp2/transport/parsing.cc

@@ -475,6 +475,9 @@ static grpc_error_handle init_header_skip_frame_parser(
       "header", grpc_chttp2_header_parser_parse, &t->hpack_parser};
   t->hpack_parser.BeginFrame(
       nullptr,
+      /*metadata_size_soft_limit=*/
+      t->max_header_list_size_soft_limit,
+      /*metadata_size_hard_limit=*/
       t->settings[GRPC_ACKED_SETTINGS]
                  [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE],
       hpack_boundary_type(t, is_eoh), priority_type,
@@ -691,6 +694,9 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
   }
   t->hpack_parser.BeginFrame(
       incoming_metadata_buffer,
+      /*metadata_size_soft_limit=*/
+      t->max_header_list_size_soft_limit,
+      /*metadata_size_hard_limit=*/
       t->settings[GRPC_ACKED_SETTINGS]
                  [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE],
       hpack_boundary_type(t, is_eoh), priority_type,

data/src/core/lib/backoff/random_early_detection.cc

@@ -0,0 +1,31 @@
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/backoff/random_early_detection.h"
+
+namespace grpc_core {
+
+bool RandomEarlyDetection::Reject(uint64_t size) {
+  if (size <= soft_limit_) return false;
+  if (size < hard_limit_) {
+    return absl::Bernoulli(bitgen_,
+                           static_cast<double>(size - soft_limit_) /
+                               static_cast<double>(hard_limit_ - soft_limit_));
+  }
+  return true;
+}
+
+}  // namespace grpc_core

data/src/core/lib/backoff/random_early_detection.h

@@ -0,0 +1,59 @@
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_SRC_CORE_LIB_BACKOFF_RANDOM_EARLY_DETECTION_H
+#define GRPC_SRC_CORE_LIB_BACKOFF_RANDOM_EARLY_DETECTION_H
+
+#include <grpc/support/port_platform.h>
+
+#include <limits.h>
+
+#include <cstdint>
+
+#include "absl/random/random.h"
+
+namespace grpc_core {
+
+// Implements the random early detection algorithm - allows items to be rejected
+// or accepted based upon their size.
+class RandomEarlyDetection {
+ public:
+  RandomEarlyDetection() : soft_limit_(INT_MAX), hard_limit_(INT_MAX) {}
+  RandomEarlyDetection(uint64_t soft_limit, uint64_t hard_limit)
+      : soft_limit_(soft_limit), hard_limit_(hard_limit) {}
+
+  // Returns true if the size is greater than or equal to the hard limit - ie if
+  // this item must be rejected.
+  bool MustReject(uint64_t size) { return size >= hard_limit_; }
+
+  // Returns true if the item should be rejected.
+  bool Reject(uint64_t size);
+
+  uint64_t soft_limit() const { return soft_limit_; }
+  uint64_t hard_limit() const { return hard_limit_; }
+
+ private:
+  // The soft limit is the size at which we start rejecting items with a
+  // probability that increases linearly to 1 as the size approaches the hard
+  // limit.
+  uint64_t soft_limit_;
+  // The hard limit is the size at which we reject all items.
+  uint64_t hard_limit_;
+  // The bit generator used to generate random numbers.
+  absl::InsecureBitGen bitgen_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_BACKOFF_RANDOM_EARLY_DETECTION_H

data/src/core/lib/event_engine/posix_engine/posix_engine.h

@@ -196,6 +196,7 @@ class PosixEventEngine final : public PosixEventEngineWithFdSupport,
       const DNSResolver::ResolverOptions& options) override;
   void Run(Closure* closure) override;
   void Run(absl::AnyInvocable<void()> closure) override;
+  // Caution!! The timer implementation cannot create any fds. See #20418.
   TaskHandle RunAfter(Duration when, Closure* closure) override;
   TaskHandle RunAfter(Duration when,
                       absl::AnyInvocable<void()> closure) override;

data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc

@@ -23,7 +23,9 @@
 #include <sys/socket.h>  // IWYU pragma: keep
 #include <unistd.h>      // IWYU pragma: keep
 
+#include <atomic>
 #include <string>
+#include <tuple>
 #include <utility>
 
 #include "absl/functional/any_invocable.h"
@@ -41,6 +43,7 @@
 #include "src/core/lib/event_engine/posix_engine/tcp_socket_utils.h"
 #include "src/core/lib/event_engine/tcp_socket_utils.h"
 #include "src/core/lib/gprpp/status_helper.h"
+#include "src/core/lib/gprpp/time.h"
 #include "src/core/lib/iomgr/socket_mutator.h"
 
 namespace grpc_event_engine {
@@ -133,6 +136,32 @@ void PosixEngineListenerImpl::AsyncConnectionAcceptor::NotifyOnAccept(
       switch (errno) {
         case EINTR:
           continue;
+        case EMFILE:
+          // When the process runs out of fds, accept4() returns EMFILE. When
+          // this happens, the connection is left in the accept queue until
+          // either a read event triggers the on_read callback, or time has
+          // passed and the accept should be re-tried regardless. This callback
+          // is not cancelled, so a spurious wakeup may occur even when there's
+          // nothing to accept. This is not a performant code path, but if an fd
+          // limit has been reached, the system is likely in an unhappy state
+          // regardless.
+          GRPC_LOG_EVERY_N_SEC(1, "%s",
+                               "File descriptor limit reached. Retrying.");
+          handle_->NotifyOnRead(notify_on_accept_);
+          // Do not schedule another timer if one is already armed.
+          if (retry_timer_armed_.exchange(true)) return;
+          // Hold a ref while the retry timer is waiting, to prevent listener
+          // destruction and the races that would ensue.
+          Ref();
+          std::ignore =
+              engine_->RunAfter(grpc_core::Duration::Seconds(1), [this]() {
+                retry_timer_armed_.store(false);
+                if (!handle_->IsHandleShutdown()) {
+                  handle_->SetReadable();
+                }
+                Unref();
+              });
+          return;
         case EAGAIN:
         case ECONNABORTED:
           handle_->NotifyOnRead(notify_on_accept_);

data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h

@@ -121,6 +121,9 @@ class PosixEngineListenerImpl
     ListenerSocketsContainer::ListenerSocket socket_;
     EventHandle* handle_;
     PosixEngineClosure* notify_on_accept_;
+    // Tracks the status of a backup timer to retry accept4 calls after file
+    // descriptor exhaustion.
+    std::atomic<bool> retry_timer_armed_{false};
   };
   class ListenerAsyncAcceptors : public ListenerSocketsContainer {
    public:

data/src/core/lib/iomgr/endpoint_pair.h

@@ -28,7 +28,7 @@ struct grpc_endpoint_pair {
   grpc_endpoint* server;
 };
 
-grpc_endpoint_pair grpc_iomgr_create_endpoint_pair(const char* name,
-                                                   grpc_channel_args* args);
+grpc_endpoint_pair grpc_iomgr_create_endpoint_pair(
+    const char* name, const grpc_channel_args* args);
 
 #endif  // GRPC_SRC_CORE_LIB_IOMGR_ENDPOINT_PAIR_H

data/src/core/lib/iomgr/endpoint_pair_posix.cc

@@ -55,8 +55,8 @@ static void create_sockets(int sv[2]) {
   GPR_ASSERT(grpc_set_socket_no_sigpipe_if_possible(sv[1]) == absl::OkStatus());
 }
 
-grpc_endpoint_pair grpc_iomgr_create_endpoint_pair(const char* name,
-                                                   grpc_channel_args* args) {
+grpc_endpoint_pair grpc_iomgr_create_endpoint_pair(
+    const char* name, const grpc_channel_args* args) {
   int sv[2];
   grpc_endpoint_pair p;
   create_sockets(sv);

data/src/core/lib/iomgr/endpoint_pair_windows.cc

@@ -80,7 +80,7 @@ static void create_sockets(SOCKET sv[2]) {
 }
 
 grpc_endpoint_pair grpc_iomgr_create_endpoint_pair(
-    const char*, grpc_channel_args* channel_args) {
+    const char*, const grpc_channel_args* /* channel_args */) {
   SOCKET sv[2];
   grpc_endpoint_pair p;
   create_sockets(sv);

data/src/core/lib/iomgr/tcp_server_posix.cc

@@ -16,13 +16,17 @@
 //
 //
 
+#include <grpc/support/port_platform.h>
+
+#include <utility>
+
+#include <grpc/support/atm.h>
+
 // FIXME: "posix" files shouldn't be depending on _GNU_SOURCE
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
 
-#include <grpc/support/port_platform.h>
-
 #include "src/core/lib/iomgr/port.h"
 
 #ifdef GRPC_POSIX_SOCKET_TCP_SERVER
@@ -45,6 +49,7 @@
 
 #include <grpc/byte_buffer.h>
 #include <grpc/event_engine/endpoint_config.h>
+#include <grpc/event_engine/event_engine.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/sync.h>
@@ -74,6 +79,8 @@
 #include "src/core/lib/transport/error_utils.h"
 
 static std::atomic<int64_t> num_dropped_connections{0};
+static constexpr grpc_core::Duration kRetryAcceptWaitTime{
+    grpc_core::Duration::Seconds(1)};
 
 using ::grpc_event_engine::experimental::EndpointConfig;
 using ::grpc_event_engine::experimental::EventEngine;
@@ -350,22 +357,38 @@ static void on_read(void* arg, grpc_error_handle err) {
     if (fd < 0) {
       if (errno == EINTR) {
         continue;
-      } else if (errno == EAGAIN || errno == ECONNABORTED ||
-                 errno == EWOULDBLOCK) {
+      }
+      // When the process runs out of fds, accept4() returns EMFILE. When this
+      // happens, the connection is left in the accept queue until either a
+      // read event triggers the on_read callback, or time has passed and the
+      // accept should be re-tried regardless. This callback is not cancelled,
+      // so a spurious wakeup may occur even when there's nothing to accept.
+      // This is not a performant code path, but if an fd limit has been
+      // reached, the system is likely in an unhappy state regardless.
+      if (errno == EMFILE) {
+        GRPC_LOG_EVERY_N_SEC(1, "%s",
+                             "File descriptor limit reached. Retrying.");
+        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+        if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
+        grpc_timer_init(&sp->retry_timer,
+                        grpc_core::Timestamp::Now() + kRetryAcceptWaitTime,
+                        &sp->retry_closure);
+        return;
+      }
+      if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
         grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
         return;
+      }
+      gpr_mu_lock(&sp->server->mu);
+      if (!sp->server->shutdown_listeners) {
+        gpr_log(GPR_ERROR, "Failed accept4: %s",
+                grpc_core::StrError(errno).c_str());
       } else {
-        gpr_mu_lock(&sp->server->mu);
-        if (!sp->server->shutdown_listeners) {
-          gpr_log(GPR_ERROR, "Failed accept4: %s",
-                  grpc_core::StrError(errno).c_str());
-        } else {
-          // if we have shutdown listeners, accept4 could fail, and we
-          // needn't notify users
-        }
-        gpr_mu_unlock(&sp->server->mu);
-        goto error;
+        // if we have shutdown listeners, accept4 could fail, and we
+        // needn't notify users
       }
+      gpr_mu_unlock(&sp->server->mu);
+      goto error;
     }
 
     if (sp->server->memory_quota->IsMemoryPressureHigh()) {
@@ -558,6 +581,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener,
     sp->port_index = listener->port_index;
     sp->fd_index = listener->fd_index + count - i;
     GPR_ASSERT(sp->emfd);
+    grpc_tcp_server_listener_initialize_retry_timer(sp);
     while (listener->server->tail->next != nullptr) {
       listener->server->tail = listener->server->tail->next;
     }
@@ -791,6 +815,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
   if (s->active_ports) {
     grpc_tcp_listener* sp;
     for (sp = s->head; sp; sp = sp->next) {
+      grpc_timer_cancel(&sp->retry_timer);
       grpc_fd_shutdown(sp->emfd, GRPC_ERROR_CREATE("Server shutdown"));
     }
   }

data/src/core/lib/iomgr/tcp_server_utils_posix.h

@@ -30,6 +30,7 @@
 #include "src/core/lib/iomgr/resolve_address.h"
 #include "src/core/lib/iomgr/socket_utils_posix.h"
 #include "src/core/lib/iomgr/tcp_server.h"
+#include "src/core/lib/iomgr/timer.h"
 #include "src/core/lib/resource_quota/memory_quota.h"
 
 // one listening port
@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
   // identified while iterating through 'next'.
   struct grpc_tcp_listener* sibling;
   int is_sibling;
+  // If an accept4() call fails, a timer is started to drain the accept queue in
+  // case no further connection attempts reach the gRPC server.
+  grpc_closure retry_closure;
+  grpc_timer retry_timer;
+  gpr_atm retry_timer_armed;
 } grpc_tcp_listener;
 
 // the overall server
@@ -139,4 +145,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket(
 // Ruturn true if the platform supports ifaddrs
 bool grpc_tcp_server_have_ifaddrs(void);
 
+// Initialize (but don't start) the timer and callback to retry accept4() on a
+// listening socket after file descriptors have been exhausted. This must be
+// called when creating a new listener.
+void grpc_tcp_server_listener_initialize_retry_timer(
+    grpc_tcp_listener* listener);
+
 #endif  // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H

data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc

@@ -18,6 +18,8 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <grpc/support/atm.h>
+
 #include "src/core/lib/iomgr/port.h"
 
 #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
   return s_max_accept_queue_size;
 }
 
+static void listener_retry_timer_cb(void* arg, grpc_error_handle err) {
+  // Do nothing if cancelled.
+  if (!err.ok()) return;
+  grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
+  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+  if (!grpc_fd_is_shutdown(listener->emfd)) {
+    grpc_fd_set_readable(listener->emfd);
+  }
+}
+
+void grpc_tcp_server_listener_initialize_retry_timer(
+    grpc_tcp_listener* listener) {
+  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+  grpc_timer_init_unset(&listener->retry_timer);
+  GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
+                    grpc_schedule_on_exec_ctx);
+}
+
 static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
                                               const grpc_resolved_address* addr,
                                               unsigned port_index,
@@ -112,6 +132,7 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
   sp->server = s;
   sp->fd = fd;
   sp->emfd = grpc_fd_create(fd, name.c_str(), true);
+  grpc_tcp_server_listener_initialize_retry_timer(sp);
 
   // Check and set fd as prellocated
   if (grpc_tcp_server_pre_allocated_fd(s) == fd) {

data/src/core/lib/surface/validate_metadata.cc

@@ -21,46 +21,20 @@
 #include "src/core/lib/surface/validate_metadata.h"
 
 #include "absl/status/status.h"
+#include "absl/strings/escaping.h"
+#include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc.h>
 
-#include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/bitset.h"
-#include "src/core/lib/gprpp/memory.h"
-#include "src/core/lib/gprpp/status_helper.h"
 #include "src/core/lib/iomgr/error.h"
+#include "src/core/lib/slice/slice_internal.h"
 
-static grpc_error_handle conforms_to(const grpc_slice& slice,
-                                     const grpc_core::BitSet<256>& legal_bits,
-                                     const char* err_desc) {
-  const uint8_t* p = GRPC_SLICE_START_PTR(slice);
-  const uint8_t* e = GRPC_SLICE_END_PTR(slice);
-  for (; p != e; p++) {
-    if (!legal_bits.is_set(*p)) {
-      size_t len;
-      grpc_core::UniquePtr<char> ptr(gpr_dump_return_len(
-          reinterpret_cast<const char*> GRPC_SLICE_START_PTR(slice),
-          GRPC_SLICE_LENGTH(slice), GPR_DUMP_HEX | GPR_DUMP_ASCII, &len));
-      grpc_error_handle error = grpc_error_set_str(
-          grpc_error_set_int(GRPC_ERROR_CREATE(err_desc),
-                             grpc_core::StatusIntProperty::kOffset,
-                             p - GRPC_SLICE_START_PTR(slice)),
-          grpc_core::StatusStrProperty::kRawBytes,
-          absl::string_view(ptr.get(), len));
-      return error;
-    }
-  }
-  return absl::OkStatus();
-}
-
-static int error2int(grpc_error_handle error) {
-  int r = (error.ok());
-  return r;
-}
+namespace grpc_core {
 
 namespace {
-class LegalHeaderKeyBits : public grpc_core::BitSet<256> {
+class LegalHeaderKeyBits : public BitSet<256> {
  public:
   constexpr LegalHeaderKeyBits() {
     for (int i = 'a'; i <= 'z'; i++) set(i);
@@ -71,19 +45,45 @@ class LegalHeaderKeyBits : public grpc_core::BitSet<256> {
   }
 };
 constexpr LegalHeaderKeyBits g_legal_header_key_bits;
-}  // namespace
 
-grpc_error_handle grpc_validate_header_key_is_legal(const grpc_slice& slice) {
-  if (GRPC_SLICE_LENGTH(slice) == 0) {
-    return GRPC_ERROR_CREATE("Metadata keys cannot be zero length");
+GPR_ATTRIBUTE_NOINLINE
+absl::Status DoesNotConformTo(absl::string_view x, const char* err_desc) {
+  return absl::InternalError(absl::StrCat(err_desc, ": ", x, " (hex ",
+                                          absl::BytesToHexString(x), ")"));
+}
+
+absl::Status ConformsTo(absl::string_view x, const BitSet<256>& legal_bits,
+                        const char* err_desc) {
+  for (uint8_t c : x) {
+    if (!legal_bits.is_set(c)) {
+      return DoesNotConformTo(x, err_desc);
+    }
   }
-  if (GRPC_SLICE_LENGTH(slice) > UINT32_MAX) {
-    return GRPC_ERROR_CREATE("Metadata keys cannot be larger than UINT32_MAX");
+  return absl::OkStatus();
+}
+}  // namespace
+
+absl::Status ValidateHeaderKeyIsLegal(absl::string_view key) {
+  if (key.empty()) {
+    return absl::InternalError("Metadata keys cannot be zero length");
   }
-  if (GRPC_SLICE_START_PTR(slice)[0] == ':') {
-    return GRPC_ERROR_CREATE("Metadata keys cannot start with :");
+  if (key.size() > UINT32_MAX) {
+    return absl::InternalError(
+        "Metadata keys cannot be larger than UINT32_MAX");
   }
-  return conforms_to(slice, g_legal_header_key_bits, "Illegal header key");
+  return ConformsTo(key, g_legal_header_key_bits, "Illegal header key");
+}
+
+}  // namespace grpc_core
+
+static int error2int(grpc_error_handle error) {
+  int r = (error.ok());
+  return r;
+}
+
+grpc_error_handle grpc_validate_header_key_is_legal(const grpc_slice& slice) {
+  return grpc_core::ValidateHeaderKeyIsLegal(
+      grpc_core::StringViewFromSlice(slice));
 }
 
 int grpc_header_key_is_legal(grpc_slice slice) {
@@ -104,8 +104,9 @@ constexpr LegalHeaderNonBinValueBits g_legal_header_non_bin_value_bits;
 
 grpc_error_handle grpc_validate_header_nonbin_value_is_legal(
     const grpc_slice& slice) {
-  return conforms_to(slice, g_legal_header_non_bin_value_bits,
-                     "Illegal header value");
+  return grpc_core::ConformsTo(grpc_core::StringViewFromSlice(slice),
+                               g_legal_header_non_bin_value_bits,
+                               "Illegal header value");
 }
 
 int grpc_header_nonbin_value_is_legal(grpc_slice slice) {