grpc 1.56.0 → 1.56.2

data/src/core/ext/transport/chttp2/transport/hpack_parser.h

@@ -21,16 +21,28 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <stddef.h>
 #include <stdint.h>
 
+#include <string>
+#include <utility>
 #include <vector>
 
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/span.h"
+#include "absl/types/variant.h"
+
 #include <grpc/slice.h>
 
 #include "src/core/ext/transport/chttp2/transport/frame.h"
+#include "src/core/ext/transport/chttp2/transport/hpack_parse_result.h"
 #include "src/core/ext/transport/chttp2/transport/hpack_parser_table.h"
 #include "src/core/lib/backoff/random_early_detection.h"
 #include "src/core/lib/iomgr/error.h"
+#include "src/core/lib/slice/slice.h"
+#include "src/core/lib/slice/slice_refcount.h"
 #include "src/core/lib/transport/metadata_batch.h"
 
 // IWYU pragma: no_include <type_traits>
@@ -92,17 +104,150 @@ class HPackParser {
   void FinishFrame();
 
   // Retrieve the associated hpack table (for tests, debugging)
-  HPackTable* hpack_table() { return &table_; }
+  HPackTable* hpack_table() { return &state_.hpack_table; }
   // Is the current frame a boundary of some sort
   bool is_boundary() const { return boundary_ != Boundary::None; }
   // Is the current frame the end of a stream
   bool is_eof() const { return boundary_ == Boundary::EndOfStream; }
 
+  // How many bytes are buffered (for tests to assert on)
+  size_t buffered_bytes() const { return unparsed_bytes_.size(); }
+
  private:
   // Helper classes: see implementation
   class Parser;
   class Input;
-  class String;
+
+  // Helper to parse a string and turn it into a slice with appropriate memory
+  // management characteristics
+  class String {
+   public:
+    // StringResult carries both a HpackParseStatus and the parsed string
+    struct StringResult;
+
+    String() : value_(absl::Span<const uint8_t>()) {}
+    String(const String&) = delete;
+    String& operator=(const String&) = delete;
+    String(String&& other) noexcept : value_(std::move(other.value_)) {
+      other.value_ = absl::Span<const uint8_t>();
+    }
+    String& operator=(String&& other) noexcept {
+      value_ = std::move(other.value_);
+      other.value_ = absl::Span<const uint8_t>();
+      return *this;
+    }
+
+    // Take the value and leave this empty
+    Slice Take();
+
+    // Return a reference to the value as a string view
+    absl::string_view string_view() const;
+
+    // Parse a non-binary string
+    static StringResult Parse(Input* input, bool is_huff, size_t length);
+
+    // Parse a binary string
+    static StringResult ParseBinary(Input* input, bool is_huff, size_t length);
+
+   private:
+    void AppendBytes(const uint8_t* data, size_t length);
+    explicit String(std::vector<uint8_t> v) : value_(std::move(v)) {}
+    explicit String(absl::Span<const uint8_t> v) : value_(v) {}
+    String(grpc_slice_refcount* r, const uint8_t* begin, const uint8_t* end)
+        : value_(Slice::FromRefcountAndBytes(r, begin, end)) {}
+
+    // Parse some huffman encoded bytes, using output(uint8_t b) to emit each
+    // decoded byte.
+    template <typename Out>
+    static HpackParseStatus ParseHuff(Input* input, uint32_t length,
+                                      Out output);
+
+    // Parse some uncompressed string bytes.
+    static StringResult ParseUncompressed(Input* input, uint32_t length,
+                                          uint32_t wire_size);
+
+    // Turn base64 encoded bytes into not base64 encoded bytes.
+    static StringResult Unbase64(String s);
+
+    // Main loop for Unbase64
+    static absl::optional<std::vector<uint8_t>> Unbase64Loop(
+        const uint8_t* cur, const uint8_t* end);
+
+    absl::variant<Slice, absl::Span<const uint8_t>, std::vector<uint8_t>>
+        value_;
+  };
+
+  // Prefix for a string
+  struct StringPrefix {
+    // Number of bytes in input for string
+    uint32_t length;
+    // Is it huffman compressed
+    bool huff;
+
+    std::string ToString() const {
+      return absl::StrCat(length, " bytes ",
+                          huff ? "huffman compressed" : "uncompressed");
+    }
+  };
+
+  // Current parse state
+  // ┌───┐
+  // │Top│
+  // └┬─┬┘
+  //  │┌▽────────────────┐
+  //  ││ParsingKeyLength │
+  //  │└┬───────────────┬┘
+  //  │┌▽─────────────┐┌▽──────────────┐
+  //  ││ParsingKeyBody││SkippingKeyBody│
+  //  │└┬─────────────┘└───┬───────────┘
+  // ┌▽─▽────────────────┐┌▽──────────────────┐
+  // │ParsingValueLength ││SkippingValueLength│
+  // └┬─────────────────┬┘└┬──────────────────┘
+  // ┌▽───────────────┐┌▽──▽─────────────┐
+  // │ParsingValueBody││SkippingValueBody│
+  // └────────────────┘└─────────────────┘
+  enum class ParseState : uint8_t {
+    // Start of one opcode
+    kTop,
+    // Parsing a literal keys length
+    kParsingKeyLength,
+    // Parsing a literal key
+    kParsingKeyBody,
+    // Skipping a literal key
+    kSkippingKeyBody,
+    // Parsing a literal value length
+    kParsingValueLength,
+    // Parsing a literal value
+    kParsingValueBody,
+    // Reading a literal value length (so we can skip it)
+    kSkippingValueLength,
+    // Skipping a literal value
+    kSkippingValueBody,
+  };
+
+  // Shared state for Parser instances between slices.
+  struct InterSliceState {
+    HPackTable hpack_table;
+    // Error so far for this frame (set by class Input)
+    HpackParseResult frame_error;
+    // Length of frame so far.
+    uint32_t frame_length = 0;
+    // Length of the string being parsed
+    uint32_t string_length;
+    // How many more dynamic table updates are allowed
+    uint8_t dynamic_table_updates_allowed;
+    // Current parse state
+    ParseState parse_state = ParseState::kTop;
+    // RED for overly large metadata sets
+    RandomEarlyDetection metadata_early_detection;
+    // Should the current header be added to the hpack table?
+    bool add_to_table;
+    // Is the string being parsed huffman compressed?
+    bool is_string_huff_compressed;
+    // Is the value being parsed binary?
+    bool is_binary_header;
+    absl::variant<const HPackTable::Memento*, Slice> key;
+  };
 
   grpc_error_handle ParseInput(Input input, bool is_last);
   void ParseInputInner(Input* input);
@@ -114,6 +259,8 @@ class HPackParser {
 
   // Bytes that could not be parsed last parsing round
   std::vector<uint8_t> unparsed_bytes_;
+  // How many bytes would be needed before progress could be made?
+  size_t min_progress_size_ = 0;
   // Buffer kind of boundary
   // TODO(ctiller): see if we can move this argument to Parse, and avoid
   // buffering.
@@ -122,15 +269,9 @@ class HPackParser {
   // TODO(ctiller): see if we can move this argument to Parse, and avoid
   // buffering.
   Priority priority_;
-  uint8_t dynamic_table_updates_allowed_;
-  // Length of frame so far.
-  uint32_t frame_length_;
-  RandomEarlyDetection metadata_early_detection_;
   // Information for logging
   LogInfo log_info_;
-
-  // hpack table
-  HPackTable table_;
+  InterSliceState state_;
 };
 
 }  // namespace grpc_core

data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc

@@ -25,16 +25,16 @@
 #include <algorithm>
 #include <cstddef>
 #include <cstring>
-#include <initializer_list>
 #include <utility>
 
 #include "absl/status/status.h"
-#include "absl/strings/str_format.h"
+#include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/support/log.h>
 
 #include "src/core/ext/transport/chttp2/transport/hpack_constants.h"
+#include "src/core/ext/transport/chttp2/transport/hpack_parse_result.h"
 #include "src/core/ext/transport/chttp2/transport/http_trace.h"
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/slice/slice.h"
@@ -80,6 +80,14 @@ void HPackTable::MementoRingBuffer::Rebuild(uint32_t max_entries) {
   entries_.swap(entries);
 }
 
+void HPackTable::MementoRingBuffer::ForEach(
+    absl::FunctionRef<void(uint32_t, const Memento&)> f) const {
+  uint32_t index = 0;
+  while (auto* m = Lookup(index++)) {
+    f(index, *m);
+  }
+}
+
 // Evict one element from the table
 void HPackTable::EvictOne() {
   auto first_entry = entries_.PopOne();
@@ -100,15 +108,9 @@ void HPackTable::SetMaxBytes(uint32_t max_bytes) {
   max_bytes_ = max_bytes;
 }
 
-grpc_error_handle HPackTable::SetCurrentTableSize(uint32_t bytes) {
-  if (current_table_bytes_ == bytes) {
-    return absl::OkStatus();
-  }
-  if (bytes > max_bytes_) {
-    return absl::InternalError(absl::StrFormat(
-        "Attempt to make hpack table %d bytes when max is %d bytes", bytes,
-        max_bytes_));
-  }
+bool HPackTable::SetCurrentTableSize(uint32_t bytes) {
+  if (current_table_bytes_ == bytes) return true;
+  if (bytes > max_bytes_) return false;
   if (GRPC_TRACE_FLAG_ENABLED(grpc_http_trace)) {
     gpr_log(GPR_INFO, "Update hpack parser table size to %d", bytes);
   }
@@ -119,30 +121,16 @@ grpc_error_handle HPackTable::SetCurrentTableSize(uint32_t bytes) {
   uint32_t new_cap = std::max(hpack_constants::EntriesForBytes(bytes),
                               hpack_constants::kInitialTableEntries);
   entries_.Rebuild(new_cap);
-  return absl::OkStatus();
+  return true;
 }
 
-grpc_error_handle HPackTable::Add(Memento md) {
-  if (current_table_bytes_ > max_bytes_) {
-    return GRPC_ERROR_CREATE(absl::StrFormat(
-        "HPACK max table size reduced to %d but not reflected by hpack "
-        "stream (still at %d)",
-        max_bytes_, current_table_bytes_));
-  }
+bool HPackTable::Add(Memento md) {
+  if (current_table_bytes_ > max_bytes_) return false;
 
   // we can't add elements bigger than the max table size
   if (md.md.transport_size() > current_table_bytes_) {
-    // HPACK draft 10 section 4.4 states:
-    // If the size of the new entry is less than or equal to the maximum
-    // size, that entry is added to the table.  It is not an error to
-    // attempt to add an entry that is larger than the maximum size; an
-    // attempt to add an entry larger than the entire table causes
-    // the table to be emptied of all existing entries, and results in an
-    // empty table.
-    while (entries_.num_entries()) {
-      EvictOne();
-    }
-    return absl::OkStatus();
+    AddLargerThanCurrentTableSize();
+    return true;
   }
 
   // evict entries to ensure no overflow
@@ -154,7 +142,33 @@ grpc_error_handle HPackTable::Add(Memento md) {
   // copy the finalized entry in
   mem_used_ += md.md.transport_size();
   entries_.Put(std::move(md));
-  return absl::OkStatus();
+  return true;
+}
+
+void HPackTable::AddLargerThanCurrentTableSize() {
+  // HPACK draft 10 section 4.4 states:
+  // If the size of the new entry is less than or equal to the maximum
+  // size, that entry is added to the table.  It is not an error to
+  // attempt to add an entry that is larger than the maximum size; an
+  // attempt to add an entry larger than the entire table causes
+  // the table to be emptied of all existing entries, and results in an
+  // empty table.
+  while (entries_.num_entries()) {
+    EvictOne();
+  }
+}
+
+std::string HPackTable::TestOnlyDynamicTableAsString() const {
+  std::string out;
+  entries_.ForEach([&out](uint32_t i, const Memento& m) {
+    if (m.parse_status.ok()) {
+      absl::StrAppend(&out, i, ": ", m.md.DebugString(), "\n");
+    } else {
+      absl::StrAppend(&out, i, ": ", m.parse_status.Materialize().ToString(),
+                      "\n");
+    }
+  });
+  return out;
 }
 
 namespace {
@@ -236,7 +250,7 @@ HPackTable::Memento MakeMemento(size_t i) {
           [](absl::string_view, const Slice&) {
             abort();  // not expecting to see this
           }),
-      absl::OkStatus()};
+      HpackParseResult()};
 }
 
 }  // namespace

data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h

@@ -23,13 +23,14 @@
 
 #include <stdint.h>
 
+#include <string>
 #include <vector>
 
-#include "absl/status/status.h"
+#include "absl/functional/function_ref.h"
 
 #include "src/core/ext/transport/chttp2/transport/hpack_constants.h"
+#include "src/core/ext/transport/chttp2/transport/hpack_parse_result.h"
 #include "src/core/lib/gprpp/no_destruct.h"
-#include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/transport/metadata_batch.h"
 #include "src/core/lib/transport/parsed_metadata.h"
 
@@ -45,11 +46,12 @@ class HPackTable {
   HPackTable& operator=(const HPackTable&) = delete;
 
   void SetMaxBytes(uint32_t max_bytes);
-  grpc_error_handle SetCurrentTableSize(uint32_t bytes);
+  bool SetCurrentTableSize(uint32_t bytes);
+  uint32_t current_table_size() { return current_table_bytes_; }
 
   struct Memento {
     ParsedMetadata<grpc_metadata_batch> md;
-    absl::Status parse_status;
+    HpackParseResult parse_status;
   };
 
   // Lookup, but don't ref.
@@ -68,7 +70,8 @@ class HPackTable {
   }
 
   // add a table entry to the index
-  grpc_error_handle Add(Memento md) GRPC_MUST_USE_RESULT;
+  bool Add(Memento md) GRPC_MUST_USE_RESULT;
+  void AddLargerThanCurrentTableSize();
 
   // Current entry count in the table.
   uint32_t num_entries() const { return entries_.num_entries(); }
@@ -76,6 +79,13 @@ class HPackTable {
   // Current size of the table.
   uint32_t test_only_table_size() const { return mem_used_; }
 
+  // Maximum allowed size of the table currently
+  uint32_t max_bytes() const { return max_bytes_; }
+  uint32_t current_table_bytes() const { return current_table_bytes_; }
+
+  // Dynamic table entries, stringified
+  std::string TestOnlyDynamicTableAsString() const;
+
  private:
   struct StaticMementos {
     StaticMementos();
@@ -98,6 +108,9 @@ class HPackTable {
     // Lookup the entry at index, or return nullptr if none exists.
     const Memento* Lookup(uint32_t index) const;
 
+    void ForEach(absl::FunctionRef<void(uint32_t dynamic_index, const Memento&)>
+                     f) const;
+
     uint32_t max_entries() const { return max_entries_; }
     uint32_t num_entries() const { return num_entries_; }
 

data/src/core/ext/transport/chttp2/transport/parsing.cc

@@ -23,7 +23,6 @@
 
 #include <initializer_list>
 #include <string>
-#include <utility>
 
 #include "absl/base/attributes.h"
 #include "absl/status/status.h"
@@ -470,8 +469,8 @@ static HPackParser::LogInfo hpack_parser_log_info(
 }
 
 static grpc_error_handle init_header_skip_frame_parser(
-    grpc_chttp2_transport* t, HPackParser::Priority priority_type) {
-  bool is_eoh = t->expect_continuation_stream_id != 0;
+    grpc_chttp2_transport* t, HPackParser::Priority priority_type,
+    bool is_eoh) {
   t->parser = grpc_chttp2_transport::Parser{
       "header", grpc_chttp2_header_parser_parse, &t->hpack_parser};
   t->hpack_parser.BeginFrame(
@@ -595,7 +594,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
       GRPC_CHTTP2_IF_TRACING(
           gpr_log(GPR_ERROR,
                   "grpc_chttp2_stream disbanded before CONTINUATION received"));
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     }
     if (t->is_client) {
       if (GPR_LIKELY((t->incoming_stream_id & 1) &&
@@ -605,7 +604,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
         GRPC_CHTTP2_IF_TRACING(gpr_log(
             GPR_ERROR, "ignoring new grpc_chttp2_stream creation on client"));
       }
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     } else if (GPR_UNLIKELY(t->last_new_stream_id >= t->incoming_stream_id)) {
       GRPC_CHTTP2_IF_TRACING(gpr_log(
           GPR_ERROR,
@@ -613,13 +612,13 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
           "last grpc_chttp2_stream "
           "id=%d, new grpc_chttp2_stream id=%d",
           t->last_new_stream_id, t->incoming_stream_id));
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     } else if (GPR_UNLIKELY((t->incoming_stream_id & 1) == 0)) {
       GRPC_CHTTP2_IF_TRACING(gpr_log(
           GPR_ERROR,
           "ignoring grpc_chttp2_stream with non-client generated index %d",
           t->incoming_stream_id));
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     } else if (GPR_UNLIKELY(
                    grpc_chttp2_stream_map_size(&t->stream_map) >=
                    t->settings[GRPC_ACKED_SETTINGS]
@@ -632,7 +631,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
           "grpc_chttp2_stream request id=%d, last grpc_chttp2_stream id=%d",
           t, std::string(t->peer_string.as_string_view()).c_str(),
           t->incoming_stream_id, t->last_new_stream_id));
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     }
     t->last_new_stream_id = t->incoming_stream_id;
     s = t->incoming_stream =
@@ -640,7 +639,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
     if (GPR_UNLIKELY(s == nullptr)) {
       GRPC_CHTTP2_IF_TRACING(
           gpr_log(GPR_ERROR, "grpc_chttp2_stream not accepted"));
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
     }
     if (t->channelz_socket != nullptr) {
       t->channelz_socket->RecordStreamStartedFromRemote();
@@ -654,7 +653,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
     GRPC_CHTTP2_IF_TRACING(gpr_log(
         GPR_ERROR, "skipping already closed grpc_chttp2_stream header"));
     t->incoming_stream = nullptr;
-    return init_header_skip_frame_parser(t, priority_type);
+    return init_header_skip_frame_parser(t, priority_type, is_eoh);
   }
   t->parser = grpc_chttp2_transport::Parser{
       "header", grpc_chttp2_header_parser_parse, &t->hpack_parser};
@@ -687,7 +686,7 @@ static grpc_error_handle init_header_frame_parser(grpc_chttp2_transport* t,
       break;
     case 2:
       gpr_log(GPR_ERROR, "too many header frames received");
-      return init_header_skip_frame_parser(t, priority_type);
+      return init_header_skip_frame_parser(t, priority_type, is_eoh);
   }
   if (frame_type == HPackParser::LogInfo::kTrailers && !t->header_eof) {
     return GRPC_ERROR_CREATE(
@@ -815,8 +814,9 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t,
                          &unused)) {
     grpc_chttp2_parsing_become_skip_parser(t);
     if (s) {
-      grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus()));
+      grpc_chttp2_cancel_stream(t, s, err);
     }
+    return absl::OkStatus();
   }
   return err;
 }

data/src/core/lib/backoff/random_early_detection.h

@@ -43,6 +43,11 @@ class RandomEarlyDetection {
   uint64_t soft_limit() const { return soft_limit_; }
   uint64_t hard_limit() const { return hard_limit_; }
 
+  void SetLimits(uint64_t soft_limit, uint64_t hard_limit) {
+    soft_limit_ = soft_limit;
+    hard_limit_ = hard_limit;
+  }
+
  private:
   // The soft limit is the size at which we start rejecting items with a
   // probability that increases linearly to 1 as the size approaches the hard

data/src/core/lib/event_engine/posix_engine/posix_engine.h

@@ -196,6 +196,7 @@ class PosixEventEngine final : public PosixEventEngineWithFdSupport,
       const DNSResolver::ResolverOptions& options) override;
   void Run(Closure* closure) override;
   void Run(absl::AnyInvocable<void()> closure) override;
+  // Caution!! The timer implementation cannot create any fds. See #20418.
   TaskHandle RunAfter(Duration when, Closure* closure) override;
   TaskHandle RunAfter(Duration when,
                       absl::AnyInvocable<void()> closure) override;

data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc

@@ -23,7 +23,9 @@
 #include <sys/socket.h>  // IWYU pragma: keep
 #include <unistd.h>      // IWYU pragma: keep
 
+#include <atomic>
 #include <string>
+#include <tuple>
 #include <utility>
 
 #include "absl/functional/any_invocable.h"
@@ -41,6 +43,7 @@
 #include "src/core/lib/event_engine/posix_engine/tcp_socket_utils.h"
 #include "src/core/lib/event_engine/tcp_socket_utils.h"
 #include "src/core/lib/gprpp/status_helper.h"
+#include "src/core/lib/gprpp/time.h"
 #include "src/core/lib/iomgr/socket_mutator.h"
 
 namespace grpc_event_engine {
@@ -136,6 +139,32 @@ void PosixEngineListenerImpl::AsyncConnectionAcceptor::NotifyOnAccept(
       switch (errno) {
         case EINTR:
           continue;
+        case EMFILE:
+          // When the process runs out of fds, accept4() returns EMFILE. When
+          // this happens, the connection is left in the accept queue until
+          // either a read event triggers the on_read callback, or time has
+          // passed and the accept should be re-tried regardless. This callback
+          // is not cancelled, so a spurious wakeup may occur even when there's
+          // nothing to accept. This is not a performant code path, but if an fd
+          // limit has been reached, the system is likely in an unhappy state
+          // regardless.
+          GRPC_LOG_EVERY_N_SEC(1, GPR_ERROR, "%s",
+                               "File descriptor limit reached. Retrying.");
+          handle_->NotifyOnRead(notify_on_accept_);
+          // Do not schedule another timer if one is already armed.
+          if (retry_timer_armed_.exchange(true)) return;
+          // Hold a ref while the retry timer is waiting, to prevent listener
+          // destruction and the races that would ensue.
+          Ref();
+          std::ignore =
+              engine_->RunAfter(grpc_core::Duration::Seconds(1), [this]() {
+                retry_timer_armed_.store(false);
+                if (!handle_->IsHandleShutdown()) {
+                  handle_->SetReadable();
+                }
+                Unref();
+              });
+          return;
         case EAGAIN:
         case ECONNABORTED:
           handle_->NotifyOnRead(notify_on_accept_);

data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h

@@ -121,6 +121,9 @@ class PosixEngineListenerImpl
     ListenerSocketsContainer::ListenerSocket socket_;
     EventHandle* handle_;
     PosixEngineClosure* notify_on_accept_;
+    // Tracks the status of a backup timer to retry accept4 calls after file
+    // descriptor exhaustion.
+    std::atomic<bool> retry_timer_armed_{false};
   };
   class ListenerAsyncAcceptors : public ListenerSocketsContainer {
    public:

data/src/core/lib/iomgr/tcp_server_posix.cc

@@ -18,6 +18,8 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <utility>
+
 #include <grpc/support/atm.h>
 
 // FIXME: "posix" files shouldn't be depending on _GNU_SOURCE
@@ -78,6 +80,8 @@
 #include "src/core/lib/transport/error_utils.h"
 
 static std::atomic<int64_t> num_dropped_connections{0};
+static constexpr grpc_core::Duration kRetryAcceptWaitTime{
+    grpc_core::Duration::Seconds(1)};
 
 using ::grpc_event_engine::experimental::EndpointConfig;
 using ::grpc_event_engine::experimental::EventEngine;
@@ -361,22 +365,38 @@ static void on_read(void* arg, grpc_error_handle err) {
     if (fd < 0) {
       if (errno == EINTR) {
         continue;
-      } else if (errno == EAGAIN || errno == ECONNABORTED ||
-                 errno == EWOULDBLOCK) {
+      }
+      // When the process runs out of fds, accept4() returns EMFILE. When this
+      // happens, the connection is left in the accept queue until either a
+      // read event triggers the on_read callback, or time has passed and the
+      // accept should be re-tried regardless. This callback is not cancelled,
+      // so a spurious wakeup may occur even when there's nothing to accept.
+      // This is not a performant code path, but if an fd limit has been
+      // reached, the system is likely in an unhappy state regardless.
+      if (errno == EMFILE) {
+        GRPC_LOG_EVERY_N_SEC(1, GPR_ERROR, "%s",
+                             "File descriptor limit reached. Retrying.");
+        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+        if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
+        grpc_timer_init(&sp->retry_timer,
+                        grpc_core::Timestamp::Now() + kRetryAcceptWaitTime,
+                        &sp->retry_closure);
+        return;
+      }
+      if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
         grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
         return;
+      }
+      gpr_mu_lock(&sp->server->mu);
+      if (!sp->server->shutdown_listeners) {
+        gpr_log(GPR_ERROR, "Failed accept4: %s",
+                grpc_core::StrError(errno).c_str());
       } else {
-        gpr_mu_lock(&sp->server->mu);
-        if (!sp->server->shutdown_listeners) {
-          gpr_log(GPR_ERROR, "Failed accept4: %s",
-                  grpc_core::StrError(errno).c_str());
-        } else {
-          // if we have shutdown listeners, accept4 could fail, and we
-          // needn't notify users
-        }
-        gpr_mu_unlock(&sp->server->mu);
-        goto error;
+        // if we have shutdown listeners, accept4 could fail, and we
+        // needn't notify users
       }
+      gpr_mu_unlock(&sp->server->mu);
+      goto error;
     }
 
     if (sp->server->memory_quota->IsMemoryPressureHigh()) {
@@ -569,6 +589,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener,
     sp->port_index = listener->port_index;
     sp->fd_index = listener->fd_index + count - i;
     GPR_ASSERT(sp->emfd);
+    grpc_tcp_server_listener_initialize_retry_timer(sp);
     while (listener->server->tail->next != nullptr) {
       listener->server->tail = listener->server->tail->next;
     }
@@ -817,6 +838,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
   if (s->active_ports) {
     grpc_tcp_listener* sp;
     for (sp = s->head; sp; sp = sp->next) {
+      grpc_timer_cancel(&sp->retry_timer);
       grpc_fd_shutdown(sp->emfd, GRPC_ERROR_CREATE("Server shutdown"));
     }
   }