grpc 1.69.0 → 1.71.0

data/src/core/xds/xds_client/xds_client.cc

@@ -24,6 +24,7 @@
 #include <algorithm>
 #include <functional>
 #include <memory>
+#include <optional>
 #include <string>
 #include <type_traits>
 #include <vector>
@@ -37,11 +38,12 @@
 #include "absl/strings/str_split.h"
 #include "absl/strings/string_view.h"
 #include "absl/strings/strip.h"
-#include "absl/types/optional.h"
 #include "envoy/config/core/v3/base.upb.h"
-#include "envoy/service/status/v3/csds.upb.h"
+#include "envoy/service/discovery/v3/discovery.upb.h"
+#include "envoy/service/discovery/v3/discovery.upbdefs.h"
 #include "google/protobuf/any.upb.h"
 #include "google/protobuf/timestamp.upb.h"
+#include "google/rpc/status.upb.h"
 #include "src/core/lib/iomgr/exec_ctx.h"
 #include "src/core/util/backoff.h"
 #include "src/core/util/debug_location.h"
@@ -55,6 +57,8 @@
 #include "src/core/xds/xds_client/xds_locality.h"
 #include "upb/base/string_view.h"
 #include "upb/mem/arena.h"
+#include "upb/reflection/def.h"
+#include "upb/text/encode.h"
 
 #define GRPC_XDS_INITIAL_CONNECT_BACKOFF_SECONDS 1
 #define GRPC_XDS_RECONNECT_BACKOFF_MULTIPLIER 1.6
@@ -107,7 +111,7 @@ class XdsClient::XdsChannel::RetryableCall final
 
   // Retry state.
   BackOff backoff_;
-  absl::optional<EventEngine::TaskHandle> timer_handle_
+  std::optional<EventEngine::TaskHandle> timer_handle_
       ABSL_GUARDED_BY(&XdsClient::mu_);
 
   bool shutting_down_ = false;
@@ -120,7 +124,10 @@ class XdsClient::XdsChannel::AdsCall final
   // The ctor and dtor should not be used directly.
   explicit AdsCall(RefCountedPtr<RetryableCall<AdsCall>> retryable_call);
 
-  void Orphan() override;
+  // Disable thread-safety analysis because this method is called via
+  // OrphanablePtr<>, but there's no way to pass the lock annotation
+  // through there.
+  void Orphan() override ABSL_NO_THREAD_SAFETY_ANALYSIS;
 
   RetryableCall<AdsCall>* retryable_call() const {
     return retryable_call_.get();
@@ -141,44 +148,6 @@ class XdsClient::XdsChannel::AdsCall final
  private:
   class AdsReadDelayHandle;
 
-  class AdsResponseParser final : public XdsApi::AdsResponseParserInterface {
-   public:
-    struct Result {
-      const XdsResourceType* type;
-      std::string type_url;
-      std::string version;
-      std::string nonce;
-      std::vector<std::string> errors;
-      std::map<std::string /*authority*/, std::set<XdsResourceKey>>
-          resources_seen;
-      uint64_t num_valid_resources = 0;
-      uint64_t num_invalid_resources = 0;
-      RefCountedPtr<ReadDelayHandle> read_delay_handle;
-    };
-
-    explicit AdsResponseParser(AdsCall* ads_call) : ads_call_(ads_call) {}
-
-    absl::Status ProcessAdsResponseFields(AdsResponseFields fields) override
-        ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
-
-    void ParseResource(upb_Arena* arena, size_t idx, absl::string_view type_url,
-                       absl::string_view resource_name,
-                       absl::string_view serialized_resource) override
-        ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
-
-    void ResourceWrapperParsingFailed(size_t idx,
-                                      absl::string_view message) override;
-
-    Result TakeResult() { return std::move(result_); }
-
-   private:
-    XdsClient* xds_client() const { return ads_call_->xds_client(); }
-
-    AdsCall* ads_call_;
-    const Timestamp update_time_ = Timestamp::Now();
-    Result result_;
-  };
-
   class ResourceTimer final : public InternallyRefCounted<ResourceTimer> {
    public:
     ResourceTimer(const XdsResourceType* type, const XdsResourceName& name)
@@ -238,14 +207,20 @@ class XdsClient::XdsChannel::AdsCall final
       // optimize by not resending the resource that we already have.
       auto& authority_state =
           ads_call->xds_client()->authority_state_map_[name_.authority];
-      ResourceState& state = authority_state.resource_map[type_][name_.key];
-      if (state.resource != nullptr) return;
+      ResourceState& state = authority_state.type_map[type_][name_.key];
+      if (state.HasResource()) return;
       // Start timer.
       ads_call_ = std::move(ads_call);
+      Duration timeout = ads_call_->xds_client()->request_timeout_;
+      if (timeout == Duration::Zero()) {
+        timeout = XdsDataErrorHandlingEnabled() &&
+                          ads_call_->xds_channel()
+                              ->server_.ResourceTimerIsTransientFailure()
+                      ? Duration::Seconds(30)
+                      : Duration::Seconds(15);
+      }
       timer_handle_ = ads_call_->xds_client()->engine()->RunAfter(
-          ads_call_->xds_client()->request_timeout_,
-          [self = Ref(DEBUG_LOCATION, "timer")]() {
-            ApplicationCallbackExecCtx callback_exec_ctx;
+          timeout, [self = Ref(DEBUG_LOCATION, "timer")]() {
             ExecCtx exec_ctx;
             self->OnTimer();
           });
@@ -257,10 +232,10 @@ class XdsClient::XdsChannel::AdsCall final
         timer_handle_.reset();
         auto& authority_state =
             ads_call_->xds_client()->authority_state_map_[name_.authority];
-        ResourceState& state = authority_state.resource_map[type_][name_.key];
+        ResourceState& state = authority_state.type_map[type_][name_.key];
         // We might have received the resource after the timer fired but before
         // the callback ran.
-        if (state.resource == nullptr) {
+        if (!state.HasResource()) {
           GRPC_TRACE_LOG(xds_client, INFO)
               << "[xds_client " << ads_call_->xds_client() << "] xds server "
               << ads_call_->xds_channel()->server_.server_uri()
@@ -270,12 +245,20 @@ class XdsClient::XdsChannel::AdsCall final
                      name_.authority, type_->type_url(), name_.key)
               << "} from xds server";
           resource_seen_ = true;
-          state.meta.client_status = XdsApi::ResourceMetadata::DOES_NOT_EXIST;
-          ads_call_->xds_client()->NotifyWatchersOnResourceDoesNotExist(
-              state.watchers, ReadDelayHandle::NoWait());
+          if (XdsDataErrorHandlingEnabled() &&
+              ads_call_->xds_channel()
+                  ->server_.ResourceTimerIsTransientFailure()) {
+            state.SetTimeout(
+                absl::StrCat("timeout obtaining resource from xDS server ",
+                             ads_call_->xds_channel()->server_uri()));
+          } else {
+            state.SetDoesNotExistOnTimeout();
+          }
+          ads_call_->xds_client()->NotifyWatchersOnResourceChanged(
+              state.failed_status(), state.watchers(),
+              ReadDelayHandle::NoWait());
         }
       }
-      ads_call_->xds_client()->work_serializer_.DrainQueue();
       ads_call_.reset();
     }
 
@@ -290,7 +273,7 @@ class XdsClient::XdsChannel::AdsCall final
     // stream or (b) declared the resource to not exist due to the timer
     // firing.
     bool resource_seen_ ABSL_GUARDED_BY(&XdsClient::mu_) = false;
-    absl::optional<EventEngine::TaskHandle> timer_handle_
+    std::optional<EventEngine::TaskHandle> timer_handle_
         ABSL_GUARDED_BY(&XdsClient::mu_);
   };
 
@@ -323,9 +306,44 @@ class XdsClient::XdsChannel::AdsCall final
         subscribed_resources;
   };
 
+  std::string CreateAdsRequest(absl::string_view type_url,
+                               absl::string_view version,
+                               absl::string_view nonce,
+                               const std::vector<std::string>& resource_names,
+                               absl::Status status) const
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
+
   void SendMessageLocked(const XdsResourceType* type)
       ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
 
+  struct DecodeContext {
+    upb::Arena arena;
+    const XdsResourceType* type;
+    std::string type_url;
+    std::string version;
+    std::string nonce;
+    std::vector<std::string> errors;
+    std::map<std::string /*authority*/, std::set<XdsResourceKey>>
+        resources_seen;
+    uint64_t num_valid_resources = 0;
+    uint64_t num_invalid_resources = 0;
+    Timestamp update_time = Timestamp::Now();
+    RefCountedPtr<ReadDelayHandle> read_delay_handle;
+  };
+  void ParseResource(size_t idx, absl::string_view type_url,
+                     absl::string_view resource_name,
+                     absl::string_view serialized_resource,
+                     DecodeContext* context)
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
+  void HandleServerReportedResourceError(size_t idx,
+                                         absl::string_view resource_name,
+                                         absl::Status status,
+                                         DecodeContext* context)
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
+  absl::Status DecodeAdsResponse(absl::string_view encoded_response,
+                                 DecodeContext* context)
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_);
+
   void OnRequestSent(bool ok);
   void OnRecvMessage(absl::string_view payload);
   void OnStatusReceived(absl::Status status);
@@ -430,16 +448,12 @@ void XdsClient::XdsChannel::Orphaned() ABSL_NO_THREAD_SAFETY_ANALYSIS {
 
 void XdsClient::XdsChannel::ResetBackoff() { transport_->ResetBackoff(); }
 
-XdsClient::XdsChannel::AdsCall* XdsClient::XdsChannel::ads_call() const {
-  return ads_call_->call();
-}
-
 void XdsClient::XdsChannel::SubscribeLocked(const XdsResourceType* type,
                                             const XdsResourceName& name) {
   if (ads_call_ == nullptr) {
     // Start the ADS call if this is the first request.
-    ads_call_.reset(
-        new RetryableCall<AdsCall>(WeakRef(DEBUG_LOCATION, "XdsChannel+ads")));
+    ads_call_ = MakeOrphanable<RetryableCall<AdsCall>>(
+        WeakRef(DEBUG_LOCATION, "XdsChannel+ads"));
     // Note: AdsCall's ctor will automatically subscribe to all
     // resources that the XdsClient already has watchers for, so we can
     // return here.
@@ -447,9 +461,9 @@ void XdsClient::XdsChannel::SubscribeLocked(const XdsResourceType* type,
   }
   // If the ADS call is in backoff state, we don't need to do anything now
   // because when the call is restarted it will resend all necessary requests.
-  if (ads_call() == nullptr) return;
+  if (ads_call_->call() == nullptr) return;
   // Subscribe to this resource if the ADS call is active.
-  ads_call()->SubscribeLocked(type, name, /*delay_send=*/false);
+  ads_call_->call()->SubscribeLocked(type, name, /*delay_send=*/false);
 }
 
 void XdsClient::XdsChannel::UnsubscribeLocked(const XdsResourceType* type,
@@ -462,6 +476,12 @@ void XdsClient::XdsChannel::UnsubscribeLocked(const XdsResourceType* type,
       if (!call->HasSubscribedResources()) {
         ads_call_.reset();
       }
+    } else {
+      // If there is currently no ADS call because we're in retry backoff,
+      // then we immediately trigger deletion of unsubscribed cache entries.
+      // This may orphan the XdsChannel, which would stop the retry
+      // timer, since we would no longer need to restart the ADS call.
+      xds_client_->MaybeRemoveUnsubscribedCacheEntriesForTypeLocked(this, type);
     }
   }
 }
@@ -481,10 +501,12 @@ bool XdsClient::XdsChannel::MaybeFallbackLocked(
        ++i) {
     authority_state.xds_channels.emplace_back(
         xds_client_->GetOrCreateXdsChannelLocked(*xds_servers[i], "fallback"));
-    for (const auto& type_resource : authority_state.resource_map) {
-      for (const auto& key_state : type_resource.second) {
-        authority_state.xds_channels.back()->SubscribeLocked(
-            type_resource.first, {authority, key_state.first});
+    for (const auto& [type, resource_map] : authority_state.type_map) {
+      for (const auto& [key, resource_state] : resource_map) {
+        if (resource_state.HasWatchers()) {
+          authority_state.xds_channels.back()->SubscribeLocked(
+              type, {authority, key});
+        }
       }
     }
     GRPC_TRACE_LOG(xds_client, INFO)
@@ -505,28 +527,32 @@ void XdsClient::XdsChannel::SetHealthyLocked() {
   // 1. Channel is on the list of authority channels
   // 2. Channel is not the last channel on the list (i.e. not the active
   // channel)
-  for (auto& authority : xds_client_->authority_state_map_) {
-    auto& channels = authority.second.xds_channels;
+  for (auto& [authority, authority_state] : xds_client_->authority_state_map_) {
+    auto& channels = authority_state.xds_channels;
     // Skip if channel is active.
     if (channels.back() == this) continue;
     auto channel_it = std::find(channels.begin(), channels.end(), this);
     // Skip if this is not on the list
     if (channel_it != channels.end()) {
       GRPC_TRACE_LOG(xds_client, INFO)
-          << "[xds_client " << xds_client_.get() << "] authority "
-          << authority.first << ": Falling forward to " << server_.server_uri();
+          << "[xds_client " << xds_client_.get() << "] authority " << authority
+          << ": Falling forward to " << server_.server_uri();
       // Lower priority channels are no longer needed, connection is back!
+      // Note that we move the lower priority channels out of the vector
+      // before we unref them, or else
+      // MaybeRemoveUnsubscribedCacheEntriesForTypeLocked() will try to
+      // access the vector while we are modifying it.
+      std::vector<RefCountedPtr<XdsChannel>> channels_to_unref(
+          std::make_move_iterator(channel_it + 1),
+          std::make_move_iterator(channels.end()));
       channels.erase(channel_it + 1, channels.end());
     }
   }
 }
 
 void XdsClient::XdsChannel::OnConnectivityFailure(absl::Status status) {
-  {
-    MutexLock lock(&xds_client_->mu_);
-    SetChannelStatusLocked(std::move(status));
-  }
-  xds_client_->work_serializer_.DrainQueue();
+  MutexLock lock(&xds_client_->mu_);
+  SetChannelStatusLocked(std::move(status));
 }
 
 void XdsClient::XdsChannel::SetChannelStatusLocked(absl::Status status) {
@@ -535,15 +561,6 @@ void XdsClient::XdsChannel::SetChannelStatusLocked(absl::Status status) {
                                                     server_.server_uri(), ": ",
                                                     status.message()));
   LOG(INFO) << "[xds_client " << xds_client() << "] " << status;
-  // If the node ID is set, append that to the status message that we send to
-  // the watchers, so that it will appear in log messages visible to users.
-  const auto* node = xds_client_->bootstrap_->node();
-  if (node != nullptr) {
-    status = absl::Status(
-        status.code(),
-        absl::StrCat(status.message(),
-                     " (node ID:", xds_client_->bootstrap_->node()->id(), ")"));
-  }
   // If status was previously OK, report that the channel has gone unhealthy.
   if (status_.ok() && xds_client_->metrics_reporter_ != nullptr) {
     xds_client_->metrics_reporter_->ReportServerFailure(server_.server_uri());
@@ -552,30 +569,32 @@ void XdsClient::XdsChannel::SetChannelStatusLocked(absl::Status status) {
   // error for any new watchers that may be started.
   status_ = status;
   // Find all watchers for this channel.
-  std::set<RefCountedPtr<ResourceWatcherInterface>> watchers;
-  for (auto& a : xds_client_->authority_state_map_) {  // authority
-    if (a.second.xds_channels.empty() || a.second.xds_channels.back() != this ||
-        MaybeFallbackLocked(a.first, a.second)) {
+  WatcherSet watchers_cached;
+  WatcherSet watchers_uncached;
+  for (auto& [authority, authority_state] : xds_client_->authority_state_map_) {
+    if (authority_state.xds_channels.empty() ||
+        authority_state.xds_channels.back() != this ||
+        MaybeFallbackLocked(authority, authority_state)) {
       continue;
     }
-    for (const auto& t : a.second.resource_map) {  // type
-      for (const auto& r : t.second) {             // resource id
-        for (const auto& w : r.second.watchers) {  // watchers
-          watchers.insert(w.second);
+    for (const auto& [_, resource_map] : authority_state.type_map) {
+      for (const auto& [_, resource_state] : resource_map) {
+        auto& watchers =
+            resource_state.HasResource() ? watchers_cached : watchers_uncached;
+        for (const auto& watcher : resource_state.watchers()) {
+          watchers.insert(watcher);
         }
       }
     }
   }
-  if (!watchers.empty()) {
-    // Enqueue notification for the watchers.
-    xds_client_->work_serializer_.Schedule(
-        [watchers = std::move(watchers), status = std::move(status)]()
-            ABSL_EXCLUSIVE_LOCKS_REQUIRED(xds_client_->work_serializer_) {
-              for (const auto& watcher : watchers) {
-                watcher->OnError(status, ReadDelayHandle::NoWait());
-              }
-            },
-        DEBUG_LOCATION);
+  // Enqueue notifications for the watchers.
+  if (!watchers_cached.empty()) {
+    xds_client_->NotifyWatchersOnAmbientError(
+        status, std::move(watchers_cached), ReadDelayHandle::NoWait());
+  }
+  if (!watchers_uncached.empty()) {
+    xds_client_->NotifyWatchersOnResourceChanged(
+        status, std::move(watchers_uncached), ReadDelayHandle::NoWait());
   }
 }
 
@@ -642,7 +661,6 @@ void XdsClient::XdsChannel::RetryableCall<T>::StartRetryTimerLocked() {
   timer_handle_ = xds_channel()->xds_client()->engine()->RunAfter(
       delay,
       [self = this->Ref(DEBUG_LOCATION, "RetryableCall+retry_timer_start")]() {
-        ApplicationCallbackExecCtx callback_exec_ctx;
         ExecCtx exec_ctx;
         self->OnRetryTimer();
       });
@@ -682,203 +700,6 @@ class XdsClient::XdsChannel::AdsCall::AdsReadDelayHandle final
   RefCountedPtr<AdsCall> ads_call_;
 };
 
-//
-// XdsClient::XdsChannel::AdsCall::AdsResponseParser
-//
-
-absl::Status
-XdsClient::XdsChannel::AdsCall::AdsResponseParser::ProcessAdsResponseFields(
-    AdsResponseFields fields) {
-  GRPC_TRACE_LOG(xds_client, INFO)
-      << "[xds_client " << ads_call_->xds_client() << "] xds server "
-      << ads_call_->xds_channel()->server_.server_uri()
-      << ": received ADS response: type_url=" << fields.type_url
-      << ", version=" << fields.version << ", nonce=" << fields.nonce
-      << ", num_resources=" << fields.num_resources;
-  result_.type =
-      ads_call_->xds_client()->GetResourceTypeLocked(fields.type_url);
-  if (result_.type == nullptr) {
-    return absl::InvalidArgumentError(
-        absl::StrCat("unknown resource type ", fields.type_url));
-  }
-  result_.type_url = std::move(fields.type_url);
-  result_.version = std::move(fields.version);
-  result_.nonce = std::move(fields.nonce);
-  result_.read_delay_handle =
-      MakeRefCounted<AdsReadDelayHandle>(ads_call_->Ref());
-  return absl::OkStatus();
-}
-
-namespace {
-
-// Build a resource metadata struct for ADS result accepting methods and CSDS.
-XdsApi::ResourceMetadata CreateResourceMetadataAcked(
-    std::string serialized_proto, std::string version, Timestamp update_time) {
-  XdsApi::ResourceMetadata resource_metadata;
-  resource_metadata.serialized_proto = std::move(serialized_proto);
-  resource_metadata.update_time = update_time;
-  resource_metadata.version = std::move(version);
-  resource_metadata.client_status = XdsApi::ResourceMetadata::ACKED;
-  return resource_metadata;
-}
-
-// Update resource_metadata for NACK.
-void UpdateResourceMetadataNacked(const std::string& version,
-                                  const std::string& details,
-                                  Timestamp update_time,
-                                  XdsApi::ResourceMetadata* resource_metadata) {
-  resource_metadata->client_status = XdsApi::ResourceMetadata::NACKED;
-  resource_metadata->failed_version = version;
-  resource_metadata->failed_details = details;
-  resource_metadata->failed_update_time = update_time;
-}
-
-}  // namespace
-
-void XdsClient::XdsChannel::AdsCall::AdsResponseParser::ParseResource(
-    upb_Arena* arena, size_t idx, absl::string_view type_url,
-    absl::string_view resource_name, absl::string_view serialized_resource) {
-  std::string error_prefix = absl::StrCat(
-      "resource index ", idx, ": ",
-      resource_name.empty() ? "" : absl::StrCat(resource_name, ": "));
-  // Check the type_url of the resource.
-  if (result_.type_url != type_url) {
-    result_.errors.emplace_back(
-        absl::StrCat(error_prefix, "incorrect resource type \"", type_url,
-                     "\" (should be \"", result_.type_url, "\")"));
-    ++result_.num_invalid_resources;
-    return;
-  }
-  // Parse the resource.
-  XdsResourceType::DecodeContext context = {
-      xds_client(), ads_call_->xds_channel()->server_, &xds_client_trace,
-      xds_client()->def_pool_.ptr(), arena};
-  XdsResourceType::DecodeResult decode_result =
-      result_.type->Decode(context, serialized_resource);
-  // If we didn't already have the resource name from the Resource
-  // wrapper, try to get it from the decoding result.
-  if (resource_name.empty()) {
-    if (decode_result.name.has_value()) {
-      resource_name = *decode_result.name;
-      error_prefix =
-          absl::StrCat("resource index ", idx, ": ", resource_name, ": ");
-    } else {
-      // We don't have any way of determining the resource name, so
-      // there's nothing more we can do here.
-      result_.errors.emplace_back(absl::StrCat(
-          error_prefix, decode_result.resource.status().ToString()));
-      ++result_.num_invalid_resources;
-      return;
-    }
-  }
-  // If decoding failed, make sure we include the error in the NACK.
-  const absl::Status& decode_status = decode_result.resource.status();
-  if (!decode_status.ok()) {
-    result_.errors.emplace_back(
-        absl::StrCat(error_prefix, decode_status.ToString()));
-  }
-  // Check the resource name.
-  auto parsed_resource_name =
-      xds_client()->ParseXdsResourceName(resource_name, result_.type);
-  if (!parsed_resource_name.ok()) {
-    result_.errors.emplace_back(
-        absl::StrCat(error_prefix, "Cannot parse xDS resource name"));
-    ++result_.num_invalid_resources;
-    return;
-  }
-  // Cancel resource-does-not-exist timer, if needed.
-  auto timer_it = ads_call_->state_map_.find(result_.type);
-  if (timer_it != ads_call_->state_map_.end()) {
-    auto it = timer_it->second.subscribed_resources.find(
-        parsed_resource_name->authority);
-    if (it != timer_it->second.subscribed_resources.end()) {
-      auto res_it = it->second.find(parsed_resource_name->key);
-      if (res_it != it->second.end()) {
-        res_it->second->MarkSeen();
-      }
-    }
-  }
-  // Lookup the authority in the cache.
-  auto authority_it =
-      xds_client()->authority_state_map_.find(parsed_resource_name->authority);
-  if (authority_it == xds_client()->authority_state_map_.end()) {
-    return;  // Skip resource -- we don't have a subscription for it.
-  }
-  // Found authority, so look up type.
-  AuthorityState& authority_state = authority_it->second;
-  auto type_it = authority_state.resource_map.find(result_.type);
-  if (type_it == authority_state.resource_map.end()) {
-    return;  // Skip resource -- we don't have a subscription for it.
-  }
-  auto& type_map = type_it->second;
-  // Found type, so look up resource key.
-  auto it = type_map.find(parsed_resource_name->key);
-  if (it == type_map.end()) {
-    return;  // Skip resource -- we don't have a subscription for it.
-  }
-  ResourceState& resource_state = it->second;
-  // If needed, record that we've seen this resource.
-  if (result_.type->AllResourcesRequiredInSotW()) {
-    result_.resources_seen[parsed_resource_name->authority].insert(
-        parsed_resource_name->key);
-  }
-  // If we previously ignored the resource's deletion, log that we're
-  // now re-adding it.
-  if (resource_state.ignored_deletion) {
-    LOG(INFO) << "[xds_client " << xds_client() << "] xds server "
-              << ads_call_->xds_channel()->server_.server_uri()
-              << ": server returned new version of resource for which we "
-                 "previously ignored a deletion: type "
-              << type_url << " name " << resource_name;
-    resource_state.ignored_deletion = false;
-  }
-  // Update resource state based on whether the resource is valid.
-  if (!decode_status.ok()) {
-    xds_client()->NotifyWatchersOnErrorLocked(
-        resource_state.watchers,
-        absl::UnavailableError(
-            absl::StrCat("invalid resource: ", decode_status.ToString())),
-        result_.read_delay_handle);
-    UpdateResourceMetadataNacked(result_.version, decode_status.ToString(),
-                                 update_time_, &resource_state.meta);
-    ++result_.num_invalid_resources;
-    return;
-  }
-  // Resource is valid.
-  ++result_.num_valid_resources;
-  // If it didn't change, ignore it.
-  if (resource_state.resource != nullptr &&
-      result_.type->ResourcesEqual(resource_state.resource.get(),
-                                   decode_result.resource->get())) {
-    GRPC_TRACE_LOG(xds_client, INFO)
-        << "[xds_client " << xds_client() << "] " << result_.type_url
-        << " resource " << resource_name << " identical to current, ignoring.";
-    return;
-  }
-  // Update the resource state.
-  resource_state.resource = std::move(*decode_result.resource);
-  resource_state.meta = CreateResourceMetadataAcked(
-      std::string(serialized_resource), result_.version, update_time_);
-  // Notify watchers.
-  auto& watchers_list = resource_state.watchers;
-  xds_client()->work_serializer_.Schedule(
-      [watchers_list, value = resource_state.resource,
-       read_delay_handle = result_.read_delay_handle]()
-          ABSL_EXCLUSIVE_LOCKS_REQUIRED(&xds_client()->work_serializer_) {
-            for (const auto& p : watchers_list) {
-              p.first->OnGenericResourceChanged(value, read_delay_handle);
-            }
-          },
-      DEBUG_LOCATION);
-}
-
-void XdsClient::XdsChannel::AdsCall::AdsResponseParser::
-    ResourceWrapperParsingFailed(size_t idx, absl::string_view message) {
-  result_.errors.emplace_back(
-      absl::StrCat("resource index ", idx, ": ", message));
-  ++result_.num_invalid_resources;
-}
-
 //
 // XdsClient::XdsChannel::AdsCall
 //
@@ -907,30 +728,37 @@ XdsClient::XdsChannel::AdsCall::AdsCall(
       << ", streaming_call: " << streaming_call_.get() << ")";
   // If this is a reconnect, add any necessary subscriptions from what's
   // already in the cache.
-  for (auto& a : xds_client()->authority_state_map_) {
-    const std::string& authority = a.first;
-    auto it = std::find(a.second.xds_channels.begin(),
-                        a.second.xds_channels.end(), xds_channel());
+  for (auto& [authority, authority_state] :
+       xds_client()->authority_state_map_) {
+    auto it = std::find(authority_state.xds_channels.begin(),
+                        authority_state.xds_channels.end(), xds_channel());
     // Skip authorities that are not using this xDS channel. The channel can be
     // anywhere in the list.
-    if (it == a.second.xds_channels.end()) continue;
-    for (const auto& t : a.second.resource_map) {
-      const XdsResourceType* type = t.first;
-      for (const auto& r : t.second) {
-        const XdsResourceKey& resource_key = r.first;
-        SubscribeLocked(type, {authority, resource_key}, /*delay_send=*/true);
+    if (it == authority_state.xds_channels.end()) continue;
+    for (const auto& [type, resource_map] : authority_state.type_map) {
+      for (const auto& [resource_key, resource_state] : resource_map) {
+        if (resource_state.HasWatchers()) {
+          SubscribeLocked(type, {authority, resource_key}, /*delay_send=*/true);
+        }
       }
     }
   }
   // Send initial message if we added any subscriptions above.
-  for (const auto& p : state_map_) {
-    SendMessageLocked(p.first);
+  for (const auto& [type, _] : state_map_) {
+    SendMessageLocked(type);
   }
   streaming_call_->StartRecvMessage();
 }
 
 void XdsClient::XdsChannel::AdsCall::Orphan() {
   state_map_.clear();
+  // We may have unsubscriptions for which we have not yet actually sent
+  // unsubscribe messages, and now we never will, so do a pass to delete
+  // any cache entries for which we've unsubscribed.
+  for (const auto& [_, type] : xds_client()->resource_types_) {
+    xds_client()->MaybeRemoveUnsubscribedCacheEntriesForTypeLocked(
+        xds_channel(), type);
+  }
   // Note that the initial ref is held by the StreamEventHandler, which
   // will be destroyed when streaming_call_ is destroyed, which may not happen
   // here, since there may be other refs held to streaming_call_ by internal
@@ -938,31 +766,6 @@ void XdsClient::XdsChannel::AdsCall::Orphan() {
   streaming_call_.reset();
 }
 
-void XdsClient::XdsChannel::AdsCall::SendMessageLocked(
-    const XdsResourceType* type)
-    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_) {
-  // Buffer message sending if an existing message is in flight.
-  if (send_message_pending_ != nullptr) {
-    buffered_requests_.insert(type);
-    return;
-  }
-  auto& state = state_map_[type];
-  std::string serialized_message = xds_client()->api_.CreateAdsRequest(
-      type->type_url(), xds_channel()->resource_type_version_map_[type],
-      state.nonce, ResourceNamesForRequest(type), state.status,
-      !sent_initial_message_);
-  sent_initial_message_ = true;
-  GRPC_TRACE_LOG(xds_client, INFO)
-      << "[xds_client " << xds_client() << "] xds server "
-      << xds_channel()->server_.server_uri()
-      << ": sending ADS request: type=" << type->type_url()
-      << " version=" << xds_channel()->resource_type_version_map_[type]
-      << " nonce=" << state.nonce << " error=" << state.status;
-  state.status = absl::OkStatus();
-  streaming_call_->SendMessage(std::move(serialized_message));
-  send_message_pending_ = type;
-}
-
 void XdsClient::XdsChannel::AdsCall::SubscribeLocked(
     const XdsResourceType* type, const XdsResourceName& name, bool delay_send) {
   auto& state = state_map_[type].subscribed_resources[name.authority][name.key];
@@ -980,6 +783,10 @@ void XdsClient::XdsChannel::AdsCall::UnsubscribeLocked(
   authority_map.erase(name.key);
   if (authority_map.empty()) {
     type_state_map.subscribed_resources.erase(name.authority);
+    // Note: We intentionally do not remove the top-level map entry for
+    // the resource type even if the authority map for the type is empty,
+    // because we need to retain the nonce in case a new watch is
+    // started for a resource of this type while this stream is still open.
   }
   // Don't need to send unsubscription message if this was the last
   // resource we were subscribed to, since we'll be closing the stream
@@ -990,21 +797,134 @@ void XdsClient::XdsChannel::AdsCall::UnsubscribeLocked(
 }
 
 bool XdsClient::XdsChannel::AdsCall::HasSubscribedResources() const {
-  for (const auto& p : state_map_) {
-    if (!p.second.subscribed_resources.empty()) return true;
+  for (const auto& [_, resource_type_state] : state_map_) {
+    if (!resource_type_state.subscribed_resources.empty()) return true;
   }
   return false;
 }
 
+namespace {
+
+void MaybeLogDiscoveryRequest(
+    const XdsClient* client, upb_DefPool* def_pool,
+    const envoy_service_discovery_v3_DiscoveryRequest* request) {
+  if (GRPC_TRACE_FLAG_ENABLED(xds_client) && ABSL_VLOG_IS_ON(2)) {
+    const upb_MessageDef* msg_type =
+        envoy_service_discovery_v3_DiscoveryRequest_getmsgdef(def_pool);
+    char buf[10240];
+    upb_TextEncode(reinterpret_cast<const upb_Message*>(request), msg_type,
+                   nullptr, 0, buf, sizeof(buf));
+    VLOG(2) << "[xds_client " << client << "] constructed ADS request: " << buf;
+  }
+}
+
+std::string SerializeDiscoveryRequest(
+    upb_Arena* arena, envoy_service_discovery_v3_DiscoveryRequest* request) {
+  size_t output_length;
+  char* output = envoy_service_discovery_v3_DiscoveryRequest_serialize(
+      request, arena, &output_length);
+  return std::string(output, output_length);
+}
+
+}  // namespace
+
+std::string XdsClient::XdsChannel::AdsCall::CreateAdsRequest(
+    absl::string_view type_url, absl::string_view version,
+    absl::string_view nonce, const std::vector<std::string>& resource_names,
+    absl::Status status) const {
+  upb::Arena arena;
+  // Create a request.
+  envoy_service_discovery_v3_DiscoveryRequest* request =
+      envoy_service_discovery_v3_DiscoveryRequest_new(arena.ptr());
+  // Set type_url.
+  std::string type_url_str = absl::StrCat("type.googleapis.com/", type_url);
+  envoy_service_discovery_v3_DiscoveryRequest_set_type_url(
+      request, StdStringToUpbString(type_url_str));
+  // Set version_info.
+  if (!version.empty()) {
+    envoy_service_discovery_v3_DiscoveryRequest_set_version_info(
+        request, StdStringToUpbString(version));
+  }
+  // Set nonce.
+  if (!nonce.empty()) {
+    envoy_service_discovery_v3_DiscoveryRequest_set_response_nonce(
+        request, StdStringToUpbString(nonce));
+  }
+  // Set error_detail if it's a NACK.
+  std::string error_string_storage;
+  if (!status.ok()) {
+    google_rpc_Status* error_detail =
+        envoy_service_discovery_v3_DiscoveryRequest_mutable_error_detail(
+            request, arena.ptr());
+    // Hard-code INVALID_ARGUMENT as the status code.
+    // TODO(roth): If at some point we decide we care about this value,
+    // we could attach a status code to the individual errors where we
+    // generate them in the parsing code, and then use that here.
+    google_rpc_Status_set_code(error_detail, GRPC_STATUS_INVALID_ARGUMENT);
+    // Error description comes from the status that was passed in.
+    error_string_storage = std::string(status.message());
+    upb_StringView error_description =
+        StdStringToUpbString(error_string_storage);
+    google_rpc_Status_set_message(error_detail, error_description);
+  }
+  // Populate node.
+  if (!sent_initial_message_) {
+    envoy_config_core_v3_Node* node_msg =
+        envoy_service_discovery_v3_DiscoveryRequest_mutable_node(request,
+                                                                 arena.ptr());
+    PopulateXdsNode(xds_client()->bootstrap_->node(),
+                    xds_client()->user_agent_name_,
+                    xds_client()->user_agent_version_, node_msg, arena.ptr());
+    envoy_config_core_v3_Node_add_client_features(
+        node_msg, upb_StringView_FromString("xds.config.resource-in-sotw"),
+        arena.ptr());
+  }
+  // Add resource_names.
+  for (const std::string& resource_name : resource_names) {
+    envoy_service_discovery_v3_DiscoveryRequest_add_resource_names(
+        request, StdStringToUpbString(resource_name), arena.ptr());
+  }
+  MaybeLogDiscoveryRequest(xds_client(), xds_client()->def_pool_.ptr(),
+                           request);
+  return SerializeDiscoveryRequest(arena.ptr(), request);
+}
+
+void XdsClient::XdsChannel::AdsCall::SendMessageLocked(
+    const XdsResourceType* type)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&XdsClient::mu_) {
+  // Buffer message sending if an existing message is in flight.
+  if (send_message_pending_ != nullptr) {
+    buffered_requests_.insert(type);
+    return;
+  }
+  xds_client()->MaybeRemoveUnsubscribedCacheEntriesForTypeLocked(xds_channel(),
+                                                                 type);
+  auto& state = state_map_[type];
+  std::string serialized_message = CreateAdsRequest(
+      type->type_url(), xds_channel()->resource_type_version_map_[type],
+      state.nonce, ResourceNamesForRequest(type), state.status);
+  sent_initial_message_ = true;
+  GRPC_TRACE_LOG(xds_client, INFO)
+      << "[xds_client " << xds_client() << "] xds server "
+      << xds_channel()->server_.server_uri()
+      << ": sending ADS request: type=" << type->type_url()
+      << " version=" << xds_channel()->resource_type_version_map_[type]
+      << " nonce=" << state.nonce << " error=" << state.status;
+  state.status = absl::OkStatus();
+  streaming_call_->SendMessage(std::move(serialized_message));
+  send_message_pending_ = type;
+}
+
 void XdsClient::XdsChannel::AdsCall::OnRequestSent(bool ok) {
   MutexLock lock(&xds_client()->mu_);
   // For each resource that was in the message we just sent, start the
   // resource timer if needed.
   if (ok) {
     auto& resource_type_state = state_map_[send_message_pending_];
-    for (const auto& p : resource_type_state.subscribed_resources) {
-      for (auto& q : p.second) {
-        q.second->MaybeMarkSubscriptionSendComplete(
+    for (const auto& [_, resource_map] :
+         resource_type_state.subscribed_resources) {
+      for (auto& [_, resource_timer] : resource_map) {
+        resource_timer->MaybeMarkSubscriptionSendComplete(
             Ref(DEBUG_LOCATION, "ResourceTimer"));
       }
     }
@@ -1028,142 +948,467 @@ void XdsClient::XdsChannel::AdsCall::OnRequestSent(bool ok) {
   }
 }
 
+void XdsClient::XdsChannel::AdsCall::ParseResource(
+    size_t idx, absl::string_view type_url, absl::string_view resource_name,
+    absl::string_view serialized_resource, DecodeContext* context) {
+  std::string error_prefix = absl::StrCat(
+      "resource index ", idx, ": ",
+      resource_name.empty() ? "" : absl::StrCat(resource_name, ": "));
+  // Check the type_url of the resource.
+  if (context->type_url != type_url) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, "incorrect resource type \"", type_url,
+                     "\" (should be \"", context->type_url, "\")"));
+    ++context->num_invalid_resources;
+    return;
+  }
+  // Parse the resource.
+  XdsResourceType::DecodeContext resource_type_context = {
+      xds_client(), xds_channel()->server_, xds_client()->def_pool_.ptr(),
+      context->arena.ptr()};
+  XdsResourceType::DecodeResult decode_result =
+      context->type->Decode(resource_type_context, serialized_resource);
+  // If we didn't already have the resource name from the Resource
+  // wrapper, try to get it from the decoding result.
+  if (resource_name.empty()) {
+    if (decode_result.name.has_value()) {
+      resource_name = *decode_result.name;
+      error_prefix =
+          absl::StrCat("resource index ", idx, ": ", resource_name, ": ");
+    } else {
+      // We don't have any way of determining the resource name, so
+      // there's nothing more we can do here.
+      context->errors.emplace_back(absl::StrCat(
+          error_prefix, decode_result.resource.status().ToString()));
+      ++context->num_invalid_resources;
+      return;
+    }
+  }
+  // If decoding failed, make sure we include the error in the NACK.
+  const absl::Status& decode_status = decode_result.resource.status();
+  if (!decode_status.ok()) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, decode_status.ToString()));
+  }
+  // Check the resource name.
+  auto parsed_resource_name =
+      xds_client()->ParseXdsResourceName(resource_name, context->type);
+  if (!parsed_resource_name.ok()) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, "Cannot parse xDS resource name"));
+    ++context->num_invalid_resources;
+    return;
+  }
+  // Cancel resource-does-not-exist timer, if needed.
+  if (auto it = state_map_.find(context->type); it != state_map_.end()) {
+    auto& resource_type_state = it->second;
+    auto authority_it = resource_type_state.subscribed_resources.find(
+        parsed_resource_name->authority);
+    if (authority_it != resource_type_state.subscribed_resources.end()) {
+      auto& resource_map = authority_it->second;
+      auto res_it = resource_map.find(parsed_resource_name->key);
+      if (res_it != resource_map.end()) {
+        res_it->second->MarkSeen();
+      }
+    }
+  }
+  // Lookup the authority in the cache.
+  auto authority_it =
+      xds_client()->authority_state_map_.find(parsed_resource_name->authority);
+  if (authority_it == xds_client()->authority_state_map_.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  AuthorityState& authority_state = authority_it->second;
+  // Found authority, so look up type.
+  auto type_it = authority_state.type_map.find(context->type);
+  if (type_it == authority_state.type_map.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  auto& type_map = type_it->second;
+  // Found type, so look up resource key.
+  auto res_it = type_map.find(parsed_resource_name->key);
+  if (res_it == type_map.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  ResourceState& resource_state = res_it->second;
+  // If needed, record that we've seen this resource.
+  if (context->type->AllResourcesRequiredInSotW()) {
+    context->resources_seen[parsed_resource_name->authority].insert(
+        parsed_resource_name->key);
+  }
+  // Update resource state based on whether the resource is valid.
+  if (!decode_status.ok()) {
+    ++context->num_invalid_resources;
+    // If the fail_on_data_errors server feature is present, drop the
+    // existing cached resource, if any.
+    const bool drop_cached_resource = XdsDataErrorHandlingEnabled() &&
+                                      xds_channel()->server_.FailOnDataErrors();
+    resource_state.SetNacked(context->version, decode_status.message(),
+                             context->update_time, drop_cached_resource);
+    xds_client()->NotifyWatchersOnError(resource_state,
+                                        context->read_delay_handle);
+    return;
+  }
+  // Resource is valid.
+  ++context->num_valid_resources;
+  // Check if the resource has changed.
+  const bool resource_identical =
+      resource_state.HasResource() &&
+      context->type->ResourcesEqual(resource_state.resource().get(),
+                                    decode_result.resource->get());
+  // If not changed, keep using the current decoded resource object.
+  // This should avoid wasting memory, since external watchers may be
+  // holding refs to the current object.
+  if (resource_identical) decode_result.resource = resource_state.resource();
+  // Update the resource state.
+  resource_state.SetAcked(std::move(*decode_result.resource),
+                          std::string(serialized_resource), context->version,
+                          context->update_time);
+  // If the resource didn't change, inhibit watcher notifications.
+  if (resource_identical) {
+    GRPC_TRACE_LOG(xds_client, INFO)
+        << "[xds_client " << xds_client() << "] " << context->type_url
+        << " resource " << resource_name << " identical to current, ignoring.";
+    // If we previously had connectivity problems, notify watchers that
+    // the ambient error has been cleared.
+    if (!xds_channel()->status().ok()) {
+      xds_client()->NotifyWatchersOnAmbientError(absl::OkStatus(),
+                                                 resource_state.watchers(),
+                                                 context->read_delay_handle);
+    }
+    return;
+  }
+  // Notify watchers.
+  xds_client()->NotifyWatchersOnResourceChanged(resource_state.resource(),
+                                                resource_state.watchers(),
+                                                context->read_delay_handle);
+}
+
+void XdsClient::XdsChannel::AdsCall::HandleServerReportedResourceError(
+    size_t idx, absl::string_view resource_name, absl::Status status,
+    DecodeContext* context) {
+  std::string error_prefix = absl::StrCat(
+      "resource_errors index ", idx, ": ",
+      resource_name.empty() ? "" : absl::StrCat(resource_name, ": "));
+  if (resource_name.empty()) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, "resource_name unset"));
+    ++context->num_invalid_resources;
+    return;
+  }
+  if (status.ok()) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, "error_detail must be non-OK"));
+    ++context->num_invalid_resources;
+    return;
+  }
+  // Check the resource name.
+  auto parsed_resource_name =
+      xds_client()->ParseXdsResourceName(resource_name, context->type);
+  if (!parsed_resource_name.ok()) {
+    context->errors.emplace_back(
+        absl::StrCat(error_prefix, "Cannot parse xDS resource name"));
+    ++context->num_invalid_resources;
+    return;
+  }
+  // Cancel resource-does-not-exist timer, if needed.
+  auto timer_it = state_map_.find(context->type);
+  if (timer_it != state_map_.end()) {
+    auto it = timer_it->second.subscribed_resources.find(
+        parsed_resource_name->authority);
+    if (it != timer_it->second.subscribed_resources.end()) {
+      auto res_it = it->second.find(parsed_resource_name->key);
+      if (res_it != it->second.end()) {
+        res_it->second->MarkSeen();
+      }
+    }
+  }
+  // Lookup the authority in the cache.
+  auto authority_it =
+      xds_client()->authority_state_map_.find(parsed_resource_name->authority);
+  if (authority_it == xds_client()->authority_state_map_.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  AuthorityState& authority_state = authority_it->second;
+  // Found authority, so look up type.
+  auto type_it = authority_state.type_map.find(context->type);
+  if (type_it == authority_state.type_map.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  auto& type_map = type_it->second;
+  // Found type, so look up resource key.
+  auto it = type_map.find(parsed_resource_name->key);
+  if (it == type_map.end()) {
+    return;  // Skip resource -- we don't have a subscription for it.
+  }
+  ResourceState& resource_state = it->second;
+  // If needed, record that we've seen this resource.
+  if (context->type->AllResourcesRequiredInSotW()) {
+    context->resources_seen[parsed_resource_name->authority].insert(
+        parsed_resource_name->key);
+  }
+  ++context->num_invalid_resources;
+  // Update cache state.
+  const bool drop_cached_resource =
+      xds_channel()->server_.FailOnDataErrors() &&
+      (status.code() == absl::StatusCode::kNotFound ||
+       status.code() == absl::StatusCode::kPermissionDenied);
+  resource_state.SetReceivedError(context->version, std::move(status),
+                                  context->update_time, drop_cached_resource);
+  // If there is no cached resource (either because we didn't have one
+  // or because we just dropped it due to fail_on_data_errors), then notify
+  // via OnResourceChanged(); otherwise, notify via OnAmbientError().
+  if (!resource_state.HasResource()) {
+    xds_client()->NotifyWatchersOnResourceChanged(
+        resource_state.failed_status(), resource_state.watchers(),
+        context->read_delay_handle);
+  } else {
+    xds_client()->NotifyWatchersOnAmbientError(resource_state.failed_status(),
+                                               resource_state.watchers(),
+                                               context->read_delay_handle);
+  }
+}
+
+namespace {
+
+void MaybeLogDiscoveryResponse(
+    const XdsClient* client, upb_DefPool* def_pool,
+    const envoy_service_discovery_v3_DiscoveryResponse* response) {
+  if (GRPC_TRACE_FLAG_ENABLED(xds_client) && ABSL_VLOG_IS_ON(2)) {
+    const upb_MessageDef* msg_type =
+        envoy_service_discovery_v3_DiscoveryResponse_getmsgdef(def_pool);
+    char buf[10240];
+    upb_TextEncode(reinterpret_cast<const upb_Message*>(response), msg_type,
+                   nullptr, 0, buf, sizeof(buf));
+    VLOG(2) << "[xds_client " << client << "] received response: " << buf;
+  }
+}
+
+}  // namespace
+
+absl::Status XdsClient::XdsChannel::AdsCall::DecodeAdsResponse(
+    absl::string_view encoded_response, DecodeContext* context) {
+  // Decode the response.
+  const envoy_service_discovery_v3_DiscoveryResponse* response =
+      envoy_service_discovery_v3_DiscoveryResponse_parse(
+          encoded_response.data(), encoded_response.size(),
+          context->arena.ptr());
+  // If decoding fails, report a fatal error and return.
+  if (response == nullptr) {
+    return absl::InvalidArgumentError("Can't decode DiscoveryResponse.");
+  }
+  MaybeLogDiscoveryResponse(xds_client(), xds_client()->def_pool_.ptr(),
+                            response);
+  // Get the type_url, version, nonce, number of resources, and number
+  // of errors.
+  context->type_url = std::string(absl::StripPrefix(
+      UpbStringToAbsl(
+          envoy_service_discovery_v3_DiscoveryResponse_type_url(response)),
+      "type.googleapis.com/"));
+  context->version = UpbStringToStdString(
+      envoy_service_discovery_v3_DiscoveryResponse_version_info(response));
+  context->nonce = UpbStringToStdString(
+      envoy_service_discovery_v3_DiscoveryResponse_nonce(response));
+  size_t num_resources;
+  const google_protobuf_Any* const* resources =
+      envoy_service_discovery_v3_DiscoveryResponse_resources(response,
+                                                             &num_resources);
+  size_t num_errors = 0;
+  const envoy_service_discovery_v3_ResourceError* const* errors = nullptr;
+  if (XdsDataErrorHandlingEnabled()) {
+    errors = envoy_service_discovery_v3_DiscoveryResponse_resource_errors(
+        response, &num_errors);
+  }
+  GRPC_TRACE_LOG(xds_client, INFO)
+      << "[xds_client " << xds_client() << "] xds server "
+      << xds_channel()->server_.server_uri()
+      << ": received ADS response: type_url=" << context->type_url
+      << ", version=" << context->version << ", nonce=" << context->nonce
+      << ", num_resources=" << num_resources << ", num_errors=" << num_errors;
+  context->type = xds_client()->GetResourceTypeLocked(context->type_url);
+  if (context->type == nullptr) {
+    return absl::InvalidArgumentError(
+        absl::StrCat("unknown resource type ", context->type_url));
+  }
+  context->read_delay_handle = MakeRefCounted<AdsReadDelayHandle>(Ref());
+  // Process each resource.
+  for (size_t i = 0; i < num_resources; ++i) {
+    absl::string_view type_url = absl::StripPrefix(
+        UpbStringToAbsl(google_protobuf_Any_type_url(resources[i])),
+        "type.googleapis.com/");
+    absl::string_view serialized_resource =
+        UpbStringToAbsl(google_protobuf_Any_value(resources[i]));
+    // Unwrap Resource messages, if so wrapped.
+    absl::string_view resource_name;
+    if (type_url == "envoy.service.discovery.v3.Resource") {
+      const auto* resource_wrapper = envoy_service_discovery_v3_Resource_parse(
+          serialized_resource.data(), serialized_resource.size(),
+          context->arena.ptr());
+      if (resource_wrapper == nullptr) {
+        context->errors.emplace_back(absl::StrCat(
+            "resource index ", i, ": Can't decode Resource proto wrapper"));
+        ++context->num_invalid_resources;
+        continue;
+      }
+      const auto* resource =
+          envoy_service_discovery_v3_Resource_resource(resource_wrapper);
+      if (resource == nullptr) {
+        context->errors.emplace_back(
+            absl::StrCat("resource index ", i,
+                         ": No resource present in Resource proto wrappe"));
+        ++context->num_invalid_resources;
+        continue;
+      }
+      type_url = absl::StripPrefix(
+          UpbStringToAbsl(google_protobuf_Any_type_url(resource)),
+          "type.googleapis.com/");
+      serialized_resource =
+          UpbStringToAbsl(google_protobuf_Any_value(resource));
+      resource_name = UpbStringToAbsl(
+          envoy_service_discovery_v3_Resource_name(resource_wrapper));
+    }
+    ParseResource(i, type_url, resource_name, serialized_resource, context);
+  }
+  // Process each error.
+  for (size_t i = 0; i < num_errors; ++i) {
+    absl::string_view name;
+    {
+      const envoy_service_discovery_v3_ResourceName* resource_name =
+          envoy_service_discovery_v3_ResourceError_resource_name(errors[i]);
+      if (resource_name != nullptr) {
+        name = UpbStringToAbsl(
+            envoy_service_discovery_v3_ResourceName_name(resource_name));
+      }
+    }
+    absl::Status status;
+    {
+      const google_rpc_Status* error_detail =
+          envoy_service_discovery_v3_ResourceError_error_detail(errors[i]);
+      if (error_detail != nullptr) {
+        status = absl::Status(
+            static_cast<absl::StatusCode>(google_rpc_Status_code(error_detail)),
+            UpbStringToAbsl(google_rpc_Status_message(error_detail)));
+      }
+    }
+    HandleServerReportedResourceError(i, name, std::move(status), context);
+  }
+  return absl::OkStatus();
+}
+
 void XdsClient::XdsChannel::AdsCall::OnRecvMessage(absl::string_view payload) {
-  // Needs to be destroyed after the mutex is released.
-  RefCountedPtr<ReadDelayHandle> read_delay_handle;
-  {
-    MutexLock lock(&xds_client()->mu_);
-    if (!IsCurrentCallOnChannel()) return;
-    // Parse and validate the response.
-    AdsResponseParser parser(this);
-    absl::Status status = xds_client()->api_.ParseAdsResponse(payload, &parser);
-    // This includes a handle that will trigger an ADS read.
-    AdsResponseParser::Result result = parser.TakeResult();
-    read_delay_handle = std::move(result.read_delay_handle);
-    if (!status.ok()) {
-      // Ignore unparsable response.
+  // context.read_delay_handle needs to be destroyed after the mutex is
+  // released.
+  DecodeContext context;
+  MutexLock lock(&xds_client()->mu_);
+  if (!IsCurrentCallOnChannel()) return;
+  // Parse and validate the response.
+  absl::Status status = DecodeAdsResponse(payload, &context);
+  if (!status.ok()) {
+    // Ignore unparsable response.
+    LOG(ERROR) << "[xds_client " << xds_client() << "] xds server "
+               << xds_channel()->server_.server_uri()
+               << ": error parsing ADS response (" << status << ") -- ignoring";
+  } else {
+    seen_response_ = true;
+    xds_channel()->SetHealthyLocked();
+    // Update nonce.
+    auto& state = state_map_[context.type];
+    state.nonce = context.nonce;
+    // If we got an error, set state.status so that we'll NACK the update.
+    if (!context.errors.empty()) {
+      state.status = absl::UnavailableError(
+          absl::StrCat("xDS response validation errors: [",
+                       absl::StrJoin(context.errors, "; "), "]"));
       LOG(ERROR) << "[xds_client " << xds_client() << "] xds server "
                  << xds_channel()->server_.server_uri()
-                 << ": error parsing ADS response (" << status
-                 << ") -- ignoring";
-    } else {
-      seen_response_ = true;
-      xds_channel()->SetHealthyLocked();
-      // Update nonce.
-      auto& state = state_map_[result.type];
-      state.nonce = result.nonce;
-      // If we got an error, set state.status so that we'll NACK the update.
-      if (!result.errors.empty()) {
-        state.status = absl::UnavailableError(
-            absl::StrCat("xDS response validation errors: [",
-                         absl::StrJoin(result.errors, "; "), "]"));
-        LOG(ERROR) << "[xds_client " << xds_client() << "] xds server "
-                   << xds_channel()->server_.server_uri()
-                   << ": ADS response invalid for resource type "
-                   << result.type_url << " version " << result.version
-                   << ", will NACK: nonce=" << state.nonce
-                   << " status=" << state.status;
-      }
-      // Delete resources not seen in update if needed.
-      if (result.type->AllResourcesRequiredInSotW()) {
-        for (auto& a : xds_client()->authority_state_map_) {
-          const std::string& authority = a.first;
-          AuthorityState& authority_state = a.second;
-          // Skip authorities that are not using this xDS channel.
-          if (authority_state.xds_channels.back() != xds_channel()) {
-            continue;
-          }
-          auto seen_authority_it = result.resources_seen.find(authority);
-          // Find this resource type.
-          auto type_it = authority_state.resource_map.find(result.type);
-          if (type_it == authority_state.resource_map.end()) continue;
-          // Iterate over resource ids.
-          for (auto& r : type_it->second) {
-            const XdsResourceKey& resource_key = r.first;
-            ResourceState& resource_state = r.second;
-            if (seen_authority_it == result.resources_seen.end() ||
-                seen_authority_it->second.find(resource_key) ==
-                    seen_authority_it->second.end()) {
-              // If the resource was newly requested but has not yet been
-              // received, we don't want to generate an error for the
-              // watchers, because this ADS response may be in reaction to an
-              // earlier request that did not yet request the new resource, so
-              // its absence from the response does not necessarily indicate
-              // that the resource does not exist.  For that case, we rely on
-              // the request timeout instead.
-              if (resource_state.resource == nullptr) continue;
-              if (xds_channel()->server_.IgnoreResourceDeletion()) {
-                if (!resource_state.ignored_deletion) {
-                  LOG(ERROR)
-                      << "[xds_client " << xds_client() << "] xds server "
-                      << xds_channel()->server_.server_uri()
-                      << ": ignoring deletion for resource type "
-                      << result.type_url << " name "
-                      << XdsClient::ConstructFullXdsResourceName(
-                             authority, result.type_url.c_str(), resource_key);
-                  resource_state.ignored_deletion = true;
-                }
-              } else {
-                resource_state.resource.reset();
-                resource_state.meta.client_status =
-                    XdsApi::ResourceMetadata::DOES_NOT_EXIST;
-                xds_client()->NotifyWatchersOnResourceDoesNotExist(
-                    resource_state.watchers, read_delay_handle);
-              }
-            }
+                 << ": ADS response invalid for resource type "
+                 << context.type_url << " version " << context.version
+                 << ", will NACK: nonce=" << state.nonce
+                 << " status=" << state.status;
+    }
+    // Delete resources not seen in update if needed.
+    if (context.type->AllResourcesRequiredInSotW()) {
+      for (auto& [authority, authority_state] :
+           xds_client()->authority_state_map_) {
+        // Skip authorities that are not using this xDS channel.
+        if (authority_state.xds_channels.back() != xds_channel()) {
+          continue;
+        }
+        auto seen_authority_it = context.resources_seen.find(authority);
+        // Find this resource type.
+        auto type_it = authority_state.type_map.find(context.type);
+        if (type_it == authority_state.type_map.end()) continue;
+        // Iterate over resource ids.
+        for (auto& [resource_key, resource_state] : type_it->second) {
+          if (seen_authority_it == context.resources_seen.end() ||
+              seen_authority_it->second.find(resource_key) ==
+                  seen_authority_it->second.end()) {
+            // If the resource was newly requested but has not yet been
+            // received, we don't want to generate an error for the
+            // watchers, because this ADS response may be in reaction to an
+            // earlier request that did not yet request the new resource, so
+            // its absence from the response does not necessarily indicate
+            // that the resource does not exist.  For that case, we rely on
+            // the request timeout instead.
+            if (!resource_state.HasResource()) continue;
+            const bool drop_cached_resource =
+                XdsDataErrorHandlingEnabled()
+                    ? xds_channel()->server_.FailOnDataErrors()
+                    : !xds_channel()->server_.IgnoreResourceDeletion();
+            resource_state.SetDoesNotExistOnLdsOrCdsDeletion(
+                context.version, context.update_time, drop_cached_resource);
+            xds_client()->NotifyWatchersOnError(resource_state,
+                                                context.read_delay_handle);
           }
         }
       }
-      // If we had valid resources or the update was empty, update the version.
-      if (result.num_valid_resources > 0 || result.errors.empty()) {
-        xds_channel()->resource_type_version_map_[result.type] =
-            std::move(result.version);
-      }
-      // Send ACK or NACK.
-      SendMessageLocked(result.type);
     }
-    // Update metrics.
-    if (xds_client()->metrics_reporter_ != nullptr) {
-      xds_client()->metrics_reporter_->ReportResourceUpdates(
-          xds_channel()->server_.server_uri(), result.type_url,
-          result.num_valid_resources, result.num_invalid_resources);
+    // If we had valid resources or the update was empty, update the version.
+    if (context.num_valid_resources > 0 || context.errors.empty()) {
+      xds_channel()->resource_type_version_map_[context.type] =
+          std::move(context.version);
     }
+    // Send ACK or NACK.
+    SendMessageLocked(context.type);
+  }
+  // Update metrics.
+  if (xds_client()->metrics_reporter_ != nullptr) {
+    xds_client()->metrics_reporter_->ReportResourceUpdates(
+        xds_channel()->server_.server_uri(), context.type_url,
+        context.num_valid_resources, context.num_invalid_resources);
   }
-  xds_client()->work_serializer_.DrainQueue();
 }
 
 void XdsClient::XdsChannel::AdsCall::OnStatusReceived(absl::Status status) {
-  {
-    MutexLock lock(&xds_client()->mu_);
-    GRPC_TRACE_LOG(xds_client, INFO)
-        << "[xds_client " << xds_client() << "] xds server "
-        << xds_channel()->server_.server_uri()
-        << ": ADS call status received (xds_channel=" << xds_channel()
-        << ", ads_call=" << this << ", streaming_call=" << streaming_call_.get()
-        << "): " << status;
-    // Cancel any does-not-exist timers that may be pending.
-    for (const auto& p : state_map_) {
-      for (const auto& q : p.second.subscribed_resources) {
-        for (auto& r : q.second) {
-          r.second->MaybeCancelTimer();
-        }
+  MutexLock lock(&xds_client()->mu_);
+  GRPC_TRACE_LOG(xds_client, INFO)
+      << "[xds_client " << xds_client() << "] xds server "
+      << xds_channel()->server_.server_uri()
+      << ": ADS call status received (xds_channel=" << xds_channel()
+      << ", ads_call=" << this << ", streaming_call=" << streaming_call_.get()
+      << "): " << status;
+  // Cancel any does-not-exist timers that may be pending.
+  for (const auto& [_, resource_type_state] : state_map_) {
+    for (const auto& [_, resource_map] :
+         resource_type_state.subscribed_resources) {
+      for (auto& [_, resource_timer] : resource_map) {
+        resource_timer->MaybeCancelTimer();
       }
     }
-    // Ignore status from a stale call.
-    if (IsCurrentCallOnChannel()) {
-      // Try to restart the call.
-      retryable_call_->OnCallFinishedLocked();
-      // If we didn't receive a response on the stream, report the
-      // stream failure as a connectivity failure, which will report the
-      // error to all watchers of resources on this channel.
-      if (!seen_response_) {
-        xds_channel()->SetChannelStatusLocked(absl::UnavailableError(
-            absl::StrCat("xDS call failed with no responses received; status: ",
-                         status.ToString())));
-      }
+  }
+  // Ignore status from a stale call.
+  if (IsCurrentCallOnChannel()) {
+    // Try to restart the call.
+    retryable_call_->OnCallFinishedLocked();
+    // If we didn't receive a response on the stream, report the
+    // stream failure as a connectivity failure, which will report the
+    // error to all watchers of resources on this channel.
+    if (!seen_response_) {
+      xds_channel()->SetChannelStatusLocked(absl::UnavailableError(
+          absl::StrCat("xDS call failed with no responses received; status: ",
+                       status.ToString())));
     }
   }
-  xds_client()->work_serializer_.DrainQueue();
 }
 
 bool XdsClient::XdsChannel::AdsCall::IsCurrentCallOnChannel() const {
@@ -1179,13 +1424,10 @@ XdsClient::XdsChannel::AdsCall::ResourceNamesForRequest(
   std::vector<std::string> resource_names;
   auto it = state_map_.find(type);
   if (it != state_map_.end()) {
-    for (auto& a : it->second.subscribed_resources) {
-      const std::string& authority = a.first;
-      for (auto& p : a.second) {
-        const XdsResourceKey& resource_key = p.first;
+    for (auto& [authority, authority_state] : it->second.subscribed_resources) {
+      for (auto& [resource_key, resource_timer] : authority_state) {
         resource_names.emplace_back(XdsClient::ConstructFullXdsResourceName(
             authority, type->type_url(), resource_key));
-        OrphanablePtr<ResourceTimer>& resource_timer = p.second;
         resource_timer->MarkSubscriptionSendStarted();
       }
     }
@@ -1193,6 +1435,144 @@ XdsClient::XdsChannel::AdsCall::ResourceNamesForRequest(
   return resource_names;
 }
 
+//
+// XdsClient::ResourceState
+//
+
+void XdsClient::ResourceState::SetAcked(
+    std::shared_ptr<const XdsResourceType::ResourceData> resource,
+    std::string serialized_proto, std::string version, Timestamp update_time) {
+  resource_ = std::move(resource);
+  client_status_ = ClientResourceStatus::ACKED;
+  serialized_proto_ = std::move(serialized_proto);
+  update_time_ = update_time;
+  version_ = std::move(version);
+  failed_version_.clear();
+  failed_status_ = absl::OkStatus();
+}
+
+void XdsClient::ResourceState::SetNacked(const std::string& version,
+                                         absl::string_view details,
+                                         Timestamp update_time,
+                                         bool drop_cached_resource) {
+  if (drop_cached_resource) {
+    resource_.reset();
+    serialized_proto_.clear();
+  }
+  client_status_ = ClientResourceStatus::NACKED;
+  failed_status_ =
+      absl::InvalidArgumentError(absl::StrCat("invalid resource: ", details));
+  failed_version_ = version;
+  failed_update_time_ = update_time;
+}
+
+void XdsClient::ResourceState::SetReceivedError(const std::string& version,
+                                                absl::Status status,
+                                                Timestamp update_time,
+                                                bool drop_cached_resource) {
+  if (drop_cached_resource) {
+    resource_.reset();
+    serialized_proto_.clear();
+  }
+  client_status_ = ClientResourceStatus::RECEIVED_ERROR;
+  failed_version_ = version;
+  failed_status_ = std::move(status);
+  failed_update_time_ = update_time;
+}
+
+void XdsClient::ResourceState::SetDoesNotExistOnLdsOrCdsDeletion(
+    const std::string& version, Timestamp update_time,
+    bool drop_cached_resource) {
+  if (drop_cached_resource) {
+    resource_.reset();
+    serialized_proto_.clear();
+  }
+  client_status_ = ClientResourceStatus::DOES_NOT_EXIST;
+  failed_status_ = absl::NotFoundError("does not exist");
+  failed_version_ = version;
+  failed_update_time_ = update_time;
+}
+
+void XdsClient::ResourceState::SetDoesNotExistOnTimeout() {
+  client_status_ = ClientResourceStatus::DOES_NOT_EXIST;
+  failed_status_ = absl::NotFoundError("does not exist");
+  failed_version_.clear();
+}
+
+void XdsClient::ResourceState::SetTimeout(const std::string& details) {
+  client_status_ = ClientResourceStatus::TIMEOUT;
+  failed_status_ = absl::UnavailableError(details);
+  failed_version_.clear();
+}
+
+absl::string_view XdsClient::ResourceState::CacheStateString() const {
+  switch (client_status_) {
+    case ClientResourceStatus::REQUESTED:
+      return "requested";
+    case ClientResourceStatus::DOES_NOT_EXIST:
+      return resource_ != nullptr ? "does_not_exist_but_cached"
+                                  : "does_not_exist";
+    case ClientResourceStatus::ACKED:
+      return "acked";
+    case ClientResourceStatus::NACKED:
+      return resource_ != nullptr ? "nacked_but_cached" : "nacked";
+    case ClientResourceStatus::RECEIVED_ERROR:
+      return resource_ != nullptr ? "received_error_but_cached"
+                                  : "received_error";
+    case ClientResourceStatus::TIMEOUT:
+      return "timeout";
+  }
+  Crash("unknown resource state");
+}
+
+namespace {
+
+google_protobuf_Timestamp* EncodeTimestamp(Timestamp value, upb_Arena* arena) {
+  google_protobuf_Timestamp* timestamp = google_protobuf_Timestamp_new(arena);
+  gpr_timespec timespec = value.as_timespec(GPR_CLOCK_REALTIME);
+  google_protobuf_Timestamp_set_seconds(timestamp, timespec.tv_sec);
+  google_protobuf_Timestamp_set_nanos(timestamp, timespec.tv_nsec);
+  return timestamp;
+}
+
+}  // namespace
+
+void XdsClient::ResourceState::FillGenericXdsConfig(
+    upb_StringView type_url, upb_StringView resource_name, upb_Arena* arena,
+    envoy_service_status_v3_ClientConfig_GenericXdsConfig* entry) const {
+  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_type_url(entry,
+                                                                     type_url);
+  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_name(entry,
+                                                                 resource_name);
+  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_client_status(
+      entry, client_status_);
+  if (!serialized_proto_.empty()) {
+    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_version_info(
+        entry, StdStringToUpbString(version_));
+    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_last_updated(
+        entry, EncodeTimestamp(update_time_, arena));
+    auto* any_field =
+        envoy_service_status_v3_ClientConfig_GenericXdsConfig_mutable_xds_config(
+            entry, arena);
+    google_protobuf_Any_set_type_url(any_field, type_url);
+    google_protobuf_Any_set_value(any_field,
+                                  StdStringToUpbString(serialized_proto_));
+  }
+  if (!failed_status_.ok()) {
+    auto* update_failure_state = envoy_admin_v3_UpdateFailureState_new(arena);
+    envoy_admin_v3_UpdateFailureState_set_details(
+        update_failure_state, StdStringToUpbString(failed_status_.message()));
+    if (!failed_version_.empty()) {
+      envoy_admin_v3_UpdateFailureState_set_version_info(
+          update_failure_state, StdStringToUpbString(failed_version_));
+      envoy_admin_v3_UpdateFailureState_set_last_update_attempt(
+          update_failure_state, EncodeTimestamp(failed_update_time_, arena));
+    }
+    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_error_state(
+        entry, update_failure_state);
+  }
+}
+
 //
 // XdsClient
 //
@@ -1209,11 +1589,11 @@ XdsClient::XdsClient(
     : DualRefCounted<XdsClient>(
           GRPC_TRACE_FLAG_ENABLED(xds_client_refcount) ? "XdsClient" : nullptr),
       bootstrap_(std::move(bootstrap)),
+      user_agent_name_(std::move(user_agent_name)),
+      user_agent_version_(std::move(user_agent_version)),
       transport_factory_(std::move(transport_factory)),
       request_timeout_(resource_request_timeout),
       xds_federation_enabled_(XdsFederationEnabled()),
-      api_(this, &xds_client_trace, bootstrap_->node(), &def_pool_,
-           std::move(user_agent_name), std::move(user_agent_version)),
       work_serializer_(engine),
       engine_(std::move(engine)),
       metrics_reporter_(std::move(metrics_reporter)) {
@@ -1238,7 +1618,12 @@ void XdsClient::Orphaned() {
   MutexLock lock(&mu_);
   shutting_down_ = true;
   // Clear cache and any remaining watchers that may not have been cancelled.
-  authority_state_map_.clear();
+  // Note: We move authority_state_map_ out of the way before clearing
+  // it, because clearing the map will trigger calls to
+  // MaybeRemoveUnsubscribedCacheEntriesForTypeLocked(), which would try to
+  // modify the map while we are iterating over it.
+  auto authority_state_map = std::move(authority_state_map_);
+  authority_state_map.clear();
   invalid_watchers_.clear();
 }
 
@@ -1257,10 +1642,11 @@ RefCountedPtr<XdsClient::XdsChannel> XdsClient::GetOrCreateXdsChannelLocked(
 }
 
 bool XdsClient::HasUncachedResources(const AuthorityState& authority_state) {
-  for (const auto& type_resource : authority_state.resource_map) {
-    for (const auto& key_state : type_resource.second) {
-      if (key_state.second.meta.client_status ==
-          XdsApi::ResourceMetadata::REQUESTED) {
+  for (const auto& [_, resource_map] : authority_state.type_map) {
+    for (const auto& [_, resource_state] : resource_map) {
+      if (resource_state.HasWatchers() &&
+          resource_state.client_status() ==
+              ResourceState::ClientResourceStatus::REQUESTED) {
         return true;
       }
     }
@@ -1271,24 +1657,19 @@ bool XdsClient::HasUncachedResources(const AuthorityState& authority_state) {
 void XdsClient::WatchResource(const XdsResourceType* type,
                               absl::string_view name,
                               RefCountedPtr<ResourceWatcherInterface> watcher) {
-  ResourceWatcherInterface* w = watcher.get();
   // Lambda for handling failure cases.
   auto fail = [&](absl::Status status) mutable {
     {
       MutexLock lock(&mu_);
       MaybeRegisterResourceTypeLocked(type);
-      invalid_watchers_[w] = watcher;
+      invalid_watchers_.insert(watcher);
     }
-    work_serializer_.Run(
-        [watcher = std::move(watcher), status = std::move(status)]()
-            ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-              watcher->OnError(status, ReadDelayHandle::NoWait());
-            },
-        DEBUG_LOCATION);
+    NotifyWatchersOnResourceChanged(std::move(status), {watcher},
+                                    ReadDelayHandle::NoWait());
   };
   auto resource_name = ParseXdsResourceName(name, type);
   if (!resource_name.ok()) {
-    fail(absl::UnavailableError(
+    fail(absl::InvalidArgumentError(
         absl::StrCat("Unable to parse resource name ", name)));
     return;
   }
@@ -1298,7 +1679,7 @@ void XdsClient::WatchResource(const XdsResourceType* type,
     auto* authority =
         bootstrap_->LookupAuthority(std::string(resource_name->authority));
     if (authority == nullptr) {
-      fail(absl::UnavailableError(
+      fail(absl::FailedPreconditionError(
           absl::StrCat("authority \"", resource_name->authority,
                        "\" not present in bootstrap config")));
       return;
@@ -1306,103 +1687,67 @@ void XdsClient::WatchResource(const XdsResourceType* type,
     xds_servers = authority->servers();
   }
   if (xds_servers.empty()) xds_servers = bootstrap_->servers();
-  {
-    MutexLock lock(&mu_);
-    MaybeRegisterResourceTypeLocked(type);
-
-    AuthorityState& authority_state =
-        authority_state_map_[resource_name->authority];
-    auto it_is_new = authority_state.resource_map[type].emplace(
-        resource_name->key, ResourceState());
-    bool first_watcher_for_resource = it_is_new.second;
-    ResourceState& resource_state = it_is_new.first->second;
-    resource_state.watchers[w] = watcher;
-    if (first_watcher_for_resource) {
-      // We try to add new channels in 2 cases:
-      // - This is the first resource for this authority (i.e., the list
-      //   of channels is empty).
-      // - The last channel in the list is failing.  That failure may not
-      //   have previously triggered fallback if there were no uncached
-      //   resources, but we've just added a new uncached resource,
-      //   so we need to trigger fallback now.
-      //
-      // Note that when we add a channel, it might already be failing
-      // due to being used in a different authority.  So we keep going
-      // until either we add one that isn't failing or we've added them all.
-      if (authority_state.xds_channels.empty() ||
-          !authority_state.xds_channels.back()->status().ok()) {
-        for (size_t i = authority_state.xds_channels.size();
-             i < xds_servers.size(); ++i) {
-          authority_state.xds_channels.emplace_back(
-              GetOrCreateXdsChannelLocked(*xds_servers[i], "start watch"));
-          if (authority_state.xds_channels.back()->status().ok()) {
-            break;
-          }
-        }
-      }
-      for (const auto& channel : authority_state.xds_channels) {
-        channel->SubscribeLocked(type, *resource_name);
-      }
-    } else {
-      // If we already have a cached value for the resource, notify the new
-      // watcher immediately.
-      if (resource_state.resource != nullptr) {
-        GRPC_TRACE_LOG(xds_client, INFO)
-            << "[xds_client " << this << "] returning cached listener data for "
-            << name;
-        work_serializer_.Schedule(
-            [watcher, value = resource_state.resource]()
-                ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-                  watcher->OnGenericResourceChanged(value,
-                                                    ReadDelayHandle::NoWait());
-                },
-            DEBUG_LOCATION);
-      } else if (resource_state.meta.client_status ==
-                 XdsApi::ResourceMetadata::DOES_NOT_EXIST) {
-        GRPC_TRACE_LOG(xds_client, INFO)
-            << "[xds_client " << this
-            << "] reporting cached does-not-exist for " << name;
-        work_serializer_.Schedule(
-            [watcher]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-              watcher->OnResourceDoesNotExist(ReadDelayHandle::NoWait());
-            },
-            DEBUG_LOCATION);
-      } else if (resource_state.meta.client_status ==
-                 XdsApi::ResourceMetadata::NACKED) {
-        GRPC_TRACE_LOG(xds_client, INFO)
-            << "[xds_client " << this
-            << "] reporting cached validation failure for " << name << ": "
-            << resource_state.meta.failed_details;
-        std::string details = resource_state.meta.failed_details;
-        const auto* node = bootstrap_->node();
-        if (node != nullptr) {
-          absl::StrAppend(&details, " (node ID:", bootstrap_->node()->id(),
-                          ")");
+  MutexLock lock(&mu_);
+  MaybeRegisterResourceTypeLocked(type);
+  AuthorityState& authority_state =
+      authority_state_map_[resource_name->authority];
+  auto [it, created_entry] = authority_state.type_map[type].emplace(
+      resource_name->key, ResourceState());
+  ResourceState& resource_state = it->second;
+  resource_state.AddWatcher(watcher);
+  if (created_entry) {
+    // We try to add new channels in 2 cases:
+    // - This is the first resource for this authority (i.e., the list
+    //   of channels is empty).
+    // - The last channel in the list is failing.  That failure may not
+    //   have previously triggered fallback if there were no uncached
+    //   resources, but we've just added a new uncached resource,
+    //   so we need to trigger fallback now.
+    //
+    // Note that when we add a channel, it might already be failing
+    // due to being used in a different authority.  So we keep going
+    // until either we add one that isn't failing or we've added them all.
+    if (authority_state.xds_channels.empty() ||
+        !authority_state.xds_channels.back()->status().ok()) {
+      for (size_t i = authority_state.xds_channels.size();
+           i < xds_servers.size(); ++i) {
+        authority_state.xds_channels.emplace_back(
+            GetOrCreateXdsChannelLocked(*xds_servers[i], "start watch"));
+        if (authority_state.xds_channels.back()->status().ok()) {
+          break;
         }
-        work_serializer_.Schedule(
-            [watcher, details = std::move(details)]()
-                ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-                  watcher->OnError(absl::UnavailableError(absl::StrCat(
-                                       "invalid resource: ", details)),
-                                   ReadDelayHandle::NoWait());
-                },
-            DEBUG_LOCATION);
       }
     }
-    absl::Status channel_status = authority_state.xds_channels.back()->status();
-    if (!channel_status.ok()) {
+  } else {
+    // If we already have a cached value for the resource, notify the new
+    // watcher immediately.
+    if (resource_state.HasResource()) {
+      GRPC_TRACE_LOG(xds_client, INFO)
+          << "[xds_client " << this << "] returning cached data for " << name;
+      NotifyWatchersOnResourceChanged(resource_state.resource(), {watcher},
+                                      ReadDelayHandle::NoWait());
+    }
+    if (!resource_state.failed_status().ok()) {
       GRPC_TRACE_LOG(xds_client, INFO)
-          << "[xds_client " << this << "] returning cached channel error for "
-          << name << ": " << channel_status;
-      work_serializer_.Schedule(
-          [watcher = std::move(watcher), status = std::move(channel_status)]()
-              ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) mutable {
-                watcher->OnError(std::move(status), ReadDelayHandle::NoWait());
-              },
-          DEBUG_LOCATION);
+          << "[xds_client " << this << "] returning cached error for " << name
+          << ": " << resource_state.failed_status();
+      NotifyWatchersOnError(resource_state, ReadDelayHandle::NoWait(),
+                            {watcher});
     }
   }
-  work_serializer_.DrainQueue();
+  // Make sure all channels are subscribing to the resource.
+  for (const auto& channel : authority_state.xds_channels) {
+    channel->SubscribeLocked(type, *resource_name);
+  }
+  // If the channel is not connected, report an error to the watcher.
+  absl::Status channel_status = authority_state.xds_channels.back()->status();
+  if (!channel_status.ok()) {
+    GRPC_TRACE_LOG(xds_client, INFO)
+        << "[xds_client " << this << "] returning cached channel error for "
+        << name << ": " << channel_status;
+    NotifyWatchersOnError(resource_state, ReadDelayHandle::NoWait(), {watcher},
+                          std::move(channel_status));
+  }
 }
 
 void XdsClient::CancelResourceWatch(const XdsResourceType* type,
@@ -1420,34 +1765,63 @@ void XdsClient::CancelResourceWatch(const XdsResourceType* type,
   if (authority_it == authority_state_map_.end()) return;
   AuthorityState& authority_state = authority_it->second;
   // Find type map.
-  auto type_it = authority_state.resource_map.find(type);
-  if (type_it == authority_state.resource_map.end()) return;
-  auto& type_map = type_it->second;
+  auto type_it = authority_state.type_map.find(type);
+  if (type_it == authority_state.type_map.end()) return;
+  auto& resource_map = type_it->second;
   // Find resource key.
-  auto resource_it = type_map.find(resource_name->key);
-  if (resource_it == type_map.end()) return;
+  auto resource_it = resource_map.find(resource_name->key);
+  if (resource_it == resource_map.end()) return;
   ResourceState& resource_state = resource_it->second;
   // Remove watcher.
-  resource_state.watchers.erase(watcher);
-  // Clean up empty map entries, if any.
-  if (resource_state.watchers.empty()) {
-    if (resource_state.ignored_deletion) {
-      LOG(INFO) << "[xds_client " << this
-                << "] unsubscribing from a resource for which we "
-                << "previously ignored a deletion: type " << type->type_url()
-                << " name " << name;
-    }
+  resource_state.RemoveWatcher(watcher);
+  // If this was the last watcher, clean up.
+  if (!resource_state.HasWatchers()) {
+    // Unsubscribe from this resource on all XdsChannels.
     for (const auto& xds_channel : authority_state.xds_channels) {
       xds_channel->UnsubscribeLocked(type, *resource_name,
                                      delay_unsubscription);
     }
-    type_map.erase(resource_it);
-    if (type_map.empty()) {
-      authority_state.resource_map.erase(type_it);
-      if (authority_state.resource_map.empty()) {
-        authority_state.xds_channels.clear();
+    // Note: We wait to remove the cache entry until we actualle send
+    // the unsubscription message on the ADS stream, so that if a watch is
+    // stopped and then started again before we send the next request
+    // for that resource type, we don't lose the cache entry without the
+    // xDS server knowing it needs to re-send it.
+    //
+    // Note: Because the cache cleanup may have been triggered by the
+    // unsubscription, it's no longer safe to access any of the
+    // iterators that we have from above.
+  }
+}
+
+void XdsClient::MaybeRemoveUnsubscribedCacheEntriesForTypeLocked(
+    XdsChannel* xds_channel, const XdsResourceType* type) {
+  for (auto authority_it = authority_state_map_.begin();
+       authority_it != authority_state_map_.end();) {
+    AuthorityState& authority_state = authority_it->second;
+    if (authority_state.xds_channels.back() == xds_channel) {
+      // Find type map.
+      auto type_it = authority_state.type_map.find(type);
+      if (type_it != authority_state.type_map.end()) {
+        auto& resource_map = type_it->second;
+        // Remove the cache entry for any resource without watchers.
+        for (auto resource_it = resource_map.begin();
+             resource_it != resource_map.end();) {
+          ResourceState& resource_state = resource_it->second;
+          if (!resource_state.HasWatchers()) {
+            resource_map.erase(resource_it++);
+          } else {
+            ++resource_it;
+          }
+        }
+        // Clean up empty entries in the map.
+        if (resource_map.empty()) authority_state.type_map.erase(type_it);
       }
     }
+    if (authority_state.type_map.empty()) {
+      authority_state_map_.erase(authority_it++);
+    } else {
+      ++authority_it;
+    }
   }
 }
 
@@ -1490,9 +1864,9 @@ absl::StatusOr<XdsClient::XdsResourceName> XdsClient::ParseXdsResourceName(
   }
   // Canonicalize order of query params.
   std::vector<URI::QueryParam> query_params;
-  for (const auto& p : uri->query_parameter_map()) {
+  for (const auto& [key, value] : uri->query_parameter_map()) {
     query_params.emplace_back(
-        URI::QueryParam{std::string(p.first), std::string(p.second)});
+        URI::QueryParam{std::string(key), std::string(value)});
   }
   return XdsResourceName{
       uri->authority(),
@@ -1515,94 +1889,65 @@ std::string XdsClient::ConstructFullXdsResourceName(
 
 void XdsClient::ResetBackoff() {
   MutexLock lock(&mu_);
-  for (auto& p : xds_channel_map_) {
-    p.second->ResetBackoff();
+  for (auto& [_, xds_channel] : xds_channel_map_) {
+    xds_channel->ResetBackoff();
   }
 }
 
-void XdsClient::NotifyWatchersOnErrorLocked(
-    const std::map<ResourceWatcherInterface*,
-                   RefCountedPtr<ResourceWatcherInterface>>& watchers,
-    absl::Status status, RefCountedPtr<ReadDelayHandle> read_delay_handle) {
+absl::Status XdsClient::AppendNodeToStatus(const absl::Status& status) const {
   const auto* node = bootstrap_->node();
-  if (node != nullptr) {
-    status = absl::Status(
-        status.code(),
-        absl::StrCat(status.message(), " (node ID:", node->id(), ")"));
-  }
-  work_serializer_.Schedule(
-      [watchers, status = std::move(status),
+  if (node == nullptr) return status;
+  return absl::Status(
+      status.code(), absl::StrCat(status.message(),
+                                  " (node ID:", bootstrap_->node()->id(), ")"));
+}
+
+void XdsClient::NotifyWatchersOnResourceChanged(
+    absl::StatusOr<std::shared_ptr<const XdsResourceType::ResourceData>>
+        resource,
+    WatcherSet watchers, RefCountedPtr<ReadDelayHandle> read_delay_handle) {
+  if (!resource.ok()) resource = AppendNodeToStatus(resource.status());
+  work_serializer_.Run(
+      [watchers = std::move(watchers), resource = std::move(resource),
        read_delay_handle = std::move(read_delay_handle)]()
           ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-            for (const auto& p : watchers) {
-              p.first->OnError(status, read_delay_handle);
+            for (const auto& watcher : watchers) {
+              watcher->OnGenericResourceChanged(resource, read_delay_handle);
             }
           },
       DEBUG_LOCATION);
 }
 
-void XdsClient::NotifyWatchersOnResourceDoesNotExist(
-    const std::map<ResourceWatcherInterface*,
-                   RefCountedPtr<ResourceWatcherInterface>>& watchers,
+void XdsClient::NotifyWatchersOnAmbientError(
+    absl::Status status, WatcherSet watchers,
     RefCountedPtr<ReadDelayHandle> read_delay_handle) {
-  work_serializer_.Schedule(
-      [watchers, read_delay_handle = std::move(read_delay_handle)]()
+  if (!status.ok()) status = AppendNodeToStatus(status);
+  work_serializer_.Run(
+      [watchers = std::move(watchers), status = std::move(status),
+       read_delay_handle = std::move(read_delay_handle)]()
           ABSL_EXCLUSIVE_LOCKS_REQUIRED(&work_serializer_) {
-            for (const auto& p : watchers) {
-              p.first->OnResourceDoesNotExist(read_delay_handle);
+            for (const auto& watcher : watchers) {
+              watcher->OnAmbientError(status, read_delay_handle);
             }
           },
       DEBUG_LOCATION);
 }
 
-namespace {
-
-google_protobuf_Timestamp* EncodeTimestamp(Timestamp value, upb_Arena* arena) {
-  google_protobuf_Timestamp* timestamp = google_protobuf_Timestamp_new(arena);
-  gpr_timespec timespec = value.as_timespec(GPR_CLOCK_REALTIME);
-  google_protobuf_Timestamp_set_seconds(timestamp, timespec.tv_sec);
-  google_protobuf_Timestamp_set_nanos(timestamp, timespec.tv_nsec);
-  return timestamp;
-}
-
-void FillGenericXdsConfig(
-    const XdsApi::ResourceMetadata& metadata, upb_StringView type_url,
-    upb_StringView resource_name, upb_Arena* arena,
-    envoy_service_status_v3_ClientConfig_GenericXdsConfig* entry) {
-  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_type_url(entry,
-                                                                     type_url);
-  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_name(entry,
-                                                                 resource_name);
-  envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_client_status(
-      entry, metadata.client_status);
-  if (!metadata.serialized_proto.empty()) {
-    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_version_info(
-        entry, StdStringToUpbString(metadata.version));
-    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_last_updated(
-        entry, EncodeTimestamp(metadata.update_time, arena));
-    auto* any_field =
-        envoy_service_status_v3_ClientConfig_GenericXdsConfig_mutable_xds_config(
-            entry, arena);
-    google_protobuf_Any_set_type_url(any_field, type_url);
-    google_protobuf_Any_set_value(
-        any_field, StdStringToUpbString(metadata.serialized_proto));
-  }
-  if (metadata.client_status == XdsApi::ResourceMetadata::NACKED) {
-    auto* update_failure_state = envoy_admin_v3_UpdateFailureState_new(arena);
-    envoy_admin_v3_UpdateFailureState_set_details(
-        update_failure_state, StdStringToUpbString(metadata.failed_details));
-    envoy_admin_v3_UpdateFailureState_set_version_info(
-        update_failure_state, StdStringToUpbString(metadata.failed_version));
-    envoy_admin_v3_UpdateFailureState_set_last_update_attempt(
-        update_failure_state,
-        EncodeTimestamp(metadata.failed_update_time, arena));
-    envoy_service_status_v3_ClientConfig_GenericXdsConfig_set_error_state(
-        entry, update_failure_state);
+void XdsClient::NotifyWatchersOnError(
+    const ResourceState& resource_state,
+    RefCountedPtr<ReadDelayHandle> read_delay_handle, WatcherSet watchers,
+    absl::Status status) {
+  if (watchers.empty()) watchers = resource_state.watchers();
+  if (status.ok()) status = resource_state.failed_status();
+  if (!resource_state.HasResource()) {
+    NotifyWatchersOnResourceChanged(std::move(status), std::move(watchers),
+                                    std::move(read_delay_handle));
+  } else {
+    NotifyWatchersOnAmbientError(std::move(status), std::move(watchers),
+                                 std::move(read_delay_handle));
   }
 }
 
-}  // namespace
-
 void XdsClient::DumpClientConfig(
     std::set<std::string>* string_pool, upb_Arena* arena,
     envoy_service_status_v3_ClientConfig* client_config) {
@@ -1610,70 +1955,51 @@ void XdsClient::DumpClientConfig(
   // Fill-in the node information
   auto* node =
       envoy_service_status_v3_ClientConfig_mutable_node(client_config, arena);
-  api_.PopulateNode(node, arena);
+  PopulateXdsNode(bootstrap_->node(), user_agent_name_, user_agent_version_,
+                  node, arena);
   // Dump each resource.
-  for (const auto& a : authority_state_map_) {  // authority
-    const std::string& authority = a.first;
-    for (const auto& t : a.second.resource_map) {  // type
-      const XdsResourceType* type = t.first;
+  for (const auto& [authority, authority_state] : authority_state_map_) {
+    for (const auto& [type, resource_map] : authority_state.type_map) {
       auto it =
           string_pool
               ->emplace(absl::StrCat("type.googleapis.com/", type->type_url()))
               .first;
       upb_StringView type_url = StdStringToUpbString(*it);
-      for (const auto& r : t.second) {  // resource id
+      for (const auto& [resource_key, resource_state] : resource_map) {
+        if (!resource_state.HasWatchers()) continue;
         auto it2 = string_pool
                        ->emplace(ConstructFullXdsResourceName(
-                           authority, type->type_url(), r.first))
+                           authority, type->type_url(), resource_key))
                        .first;
         upb_StringView resource_name = StdStringToUpbString(*it2);
         envoy_service_status_v3_ClientConfig_GenericXdsConfig* entry =
             envoy_service_status_v3_ClientConfig_add_generic_xds_configs(
                 client_config, arena);
-        FillGenericXdsConfig(r.second.meta, type_url, resource_name, arena,
-                             entry);
+        resource_state.FillGenericXdsConfig(type_url, resource_name, arena,
+                                            entry);
       }
     }
   }
 }
 
-namespace {
-
-absl::string_view CacheStateForEntry(const XdsApi::ResourceMetadata& metadata,
-                                     bool resource_cached) {
-  switch (metadata.client_status) {
-    case XdsApi::ResourceMetadata::REQUESTED:
-      return "requested";
-    case XdsApi::ResourceMetadata::DOES_NOT_EXIST:
-      return "does_not_exist";
-    case XdsApi::ResourceMetadata::ACKED:
-      return "acked";
-    case XdsApi::ResourceMetadata::NACKED:
-      return resource_cached ? "nacked_but_cached" : "nacked";
-  }
-  Crash("unknown resource state");
-}
-
-}  // namespace
-
 void XdsClient::ReportResourceCounts(
     absl::FunctionRef<void(const ResourceCountLabels&, uint64_t)> func) {
   ResourceCountLabels labels;
-  for (const auto& a : authority_state_map_) {  // authority
-    labels.xds_authority = a.first;
-    for (const auto& t : a.second.resource_map) {  // type
-      labels.resource_type = t.first->type_url();
+  for (const auto& [authority, authority_state] : authority_state_map_) {
+    labels.xds_authority = authority;
+    for (const auto& [type, resource_map] : authority_state.type_map) {
+      labels.resource_type = type->type_url();
       // Count the number of entries in each state.
       std::map<absl::string_view, uint64_t> counts;
-      for (const auto& r : t.second) {  // resource id
-        absl::string_view cache_state =
-            CacheStateForEntry(r.second.meta, r.second.resource != nullptr);
-        ++counts[cache_state];
+      for (const auto& [_, resource_state] : resource_map) {
+        if (resource_state.HasWatchers()) {
+          ++counts[resource_state.CacheStateString()];
+        }
       }
       // Report the count for each state.
-      for (const auto& c : counts) {
-        labels.cache_state = c.first;
-        func(labels, c.second);
+      for (const auto& [state, count] : counts) {
+        labels.cache_state = state;
+        func(labels, count);
       }
     }
   }
@@ -1681,8 +2007,8 @@ void XdsClient::ReportResourceCounts(
 
 void XdsClient::ReportServerConnections(
     absl::FunctionRef<void(absl::string_view, bool)> func) {
-  for (const auto& p : xds_channel_map_) {
-    func(p.second->server_uri(), p.second->status().ok());
+  for (const auto& [_, xds_channel] : xds_channel_map_) {
+    func(xds_channel->server_uri(), xds_channel->status().ok());
   }
 }