1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/url_request/url_request_throttler_entry.h"
6
7 #include <cmath>
8
9 #include "base/logging.h"
10 #include "base/metrics/field_trial.h"
11 #include "base/metrics/histogram.h"
12 #include "base/rand_util.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/values.h"
15 #include "net/base/load_flags.h"
16 #include "net/base/net_log.h"
17 #include "net/url_request/url_request.h"
18 #include "net/url_request/url_request_context.h"
19 #include "net/url_request/url_request_throttler_header_interface.h"
20 #include "net/url_request/url_request_throttler_manager.h"
21
22 namespace net {
23
24 const int URLRequestThrottlerEntry::kDefaultSlidingWindowPeriodMs = 2000;
25 const int URLRequestThrottlerEntry::kDefaultMaxSendThreshold = 20;
26
27 // This set of back-off parameters will (at maximum values, i.e. without
28 // the reduction caused by jitter) add 0-41% (distributed uniformly
29 // in that range) to the "perceived downtime" of the remote server, once
30 // exponential back-off kicks in and is throttling requests for more than
31 // about a second at a time. Once the maximum back-off is reached, the added
32 // perceived downtime decreases rapidly, percentage-wise.
33 //
34 // Another way to put it is that the maximum additional perceived downtime
35 // with these numbers is a couple of seconds shy of 15 minutes, and such
36 // a delay would not occur until the remote server has been actually
37 // unavailable at the end of each back-off period for a total of about
38 // 48 minutes.
39 //
40 // Ignoring the first couple of errors is just a conservative measure to
41 // avoid false positives. It should help avoid back-off from kicking in e.g.
42 // on flaky connections.
43 const int URLRequestThrottlerEntry::kDefaultNumErrorsToIgnore = 2;
44 const int URLRequestThrottlerEntry::kDefaultInitialDelayMs = 700;
45 const double URLRequestThrottlerEntry::kDefaultMultiplyFactor = 1.4;
46 const double URLRequestThrottlerEntry::kDefaultJitterFactor = 0.4;
47 const int URLRequestThrottlerEntry::kDefaultMaximumBackoffMs = 15 * 60 * 1000;
48 const int URLRequestThrottlerEntry::kDefaultEntryLifetimeMs = 2 * 60 * 1000;
49 const char URLRequestThrottlerEntry::kExponentialThrottlingHeader[] =
50 "X-Chrome-Exponential-Throttling";
51 const char URLRequestThrottlerEntry::kExponentialThrottlingDisableValue[] =
52 "disable";
53
54 // Returns NetLog parameters when a request is rejected by throttling.
NetLogRejectedRequestCallback(const std::string * url_id,int num_failures,int release_after_ms,NetLog::LogLevel)55 base::Value* NetLogRejectedRequestCallback(const std::string* url_id,
56 int num_failures,
57 int release_after_ms,
58 NetLog::LogLevel /* log_level */) {
59 base::DictionaryValue* dict = new base::DictionaryValue();
60 dict->SetString("url", *url_id);
61 dict->SetInteger("num_failures", num_failures);
62 dict->SetInteger("release_after_ms", release_after_ms);
63 return dict;
64 }
65
URLRequestThrottlerEntry(URLRequestThrottlerManager * manager,const std::string & url_id)66 URLRequestThrottlerEntry::URLRequestThrottlerEntry(
67 URLRequestThrottlerManager* manager,
68 const std::string& url_id)
69 : sliding_window_period_(
70 base::TimeDelta::FromMilliseconds(kDefaultSlidingWindowPeriodMs)),
71 max_send_threshold_(kDefaultMaxSendThreshold),
72 is_backoff_disabled_(false),
73 backoff_entry_(&backoff_policy_),
74 manager_(manager),
75 url_id_(url_id),
76 net_log_(BoundNetLog::Make(
77 manager->net_log(), NetLog::SOURCE_EXPONENTIAL_BACKOFF_THROTTLING)) {
78 DCHECK(manager_);
79 Initialize();
80 }
81
URLRequestThrottlerEntry(URLRequestThrottlerManager * manager,const std::string & url_id,int sliding_window_period_ms,int max_send_threshold,int initial_backoff_ms,double multiply_factor,double jitter_factor,int maximum_backoff_ms)82 URLRequestThrottlerEntry::URLRequestThrottlerEntry(
83 URLRequestThrottlerManager* manager,
84 const std::string& url_id,
85 int sliding_window_period_ms,
86 int max_send_threshold,
87 int initial_backoff_ms,
88 double multiply_factor,
89 double jitter_factor,
90 int maximum_backoff_ms)
91 : sliding_window_period_(
92 base::TimeDelta::FromMilliseconds(sliding_window_period_ms)),
93 max_send_threshold_(max_send_threshold),
94 is_backoff_disabled_(false),
95 backoff_entry_(&backoff_policy_),
96 manager_(manager),
97 url_id_(url_id) {
98 DCHECK_GT(sliding_window_period_ms, 0);
99 DCHECK_GT(max_send_threshold_, 0);
100 DCHECK_GE(initial_backoff_ms, 0);
101 DCHECK_GT(multiply_factor, 0);
102 DCHECK_GE(jitter_factor, 0.0);
103 DCHECK_LT(jitter_factor, 1.0);
104 DCHECK_GE(maximum_backoff_ms, 0);
105 DCHECK(manager_);
106
107 Initialize();
108 backoff_policy_.initial_delay_ms = initial_backoff_ms;
109 backoff_policy_.multiply_factor = multiply_factor;
110 backoff_policy_.jitter_factor = jitter_factor;
111 backoff_policy_.maximum_backoff_ms = maximum_backoff_ms;
112 backoff_policy_.entry_lifetime_ms = -1;
113 backoff_policy_.num_errors_to_ignore = 0;
114 backoff_policy_.always_use_initial_delay = false;
115 }
116
IsEntryOutdated() const117 bool URLRequestThrottlerEntry::IsEntryOutdated() const {
118 // This function is called by the URLRequestThrottlerManager to determine
119 // whether entries should be discarded from its url_entries_ map. We
120 // want to ensure that it does not remove entries from the map while there
121 // are clients (objects other than the manager) holding references to
122 // the entry, otherwise separate clients could end up holding separate
123 // entries for a request to the same URL, which is undesirable. Therefore,
124 // if an entry has more than one reference (the map will always hold one),
125 // it should not be considered outdated.
126 //
127 // We considered whether to make URLRequestThrottlerEntry objects
128 // non-refcounted, but since any means of knowing whether they are
129 // currently in use by others than the manager would be more or less
130 // equivalent to a refcount, we kept them refcounted.
131 if (!HasOneRef())
132 return false;
133
134 // If there are send events in the sliding window period, we still need this
135 // entry.
136 if (!send_log_.empty() &&
137 send_log_.back() + sliding_window_period_ > ImplGetTimeNow()) {
138 return false;
139 }
140
141 return GetBackoffEntry()->CanDiscard();
142 }
143
DisableBackoffThrottling()144 void URLRequestThrottlerEntry::DisableBackoffThrottling() {
145 is_backoff_disabled_ = true;
146 }
147
DetachManager()148 void URLRequestThrottlerEntry::DetachManager() {
149 manager_ = NULL;
150 }
151
ShouldRejectRequest(const URLRequest & request,NetworkDelegate * network_delegate) const152 bool URLRequestThrottlerEntry::ShouldRejectRequest(
153 const URLRequest& request,
154 NetworkDelegate* network_delegate) const {
155 bool reject_request = false;
156 if (!is_backoff_disabled_ && !ExplicitUserRequest(request.load_flags()) &&
157 (!network_delegate || network_delegate->CanThrottleRequest(request)) &&
158 GetBackoffEntry()->ShouldRejectRequest()) {
159 int num_failures = GetBackoffEntry()->failure_count();
160 int release_after_ms =
161 GetBackoffEntry()->GetTimeUntilRelease().InMilliseconds();
162
163 net_log_.AddEvent(
164 NetLog::TYPE_THROTTLING_REJECTED_REQUEST,
165 base::Bind(&NetLogRejectedRequestCallback,
166 &url_id_, num_failures, release_after_ms));
167
168 reject_request = true;
169 }
170
171 int reject_count = reject_request ? 1 : 0;
172 UMA_HISTOGRAM_ENUMERATION(
173 "Throttling.RequestThrottled", reject_count, 2);
174
175 return reject_request;
176 }
177
ReserveSendingTimeForNextRequest(const base::TimeTicks & earliest_time)178 int64 URLRequestThrottlerEntry::ReserveSendingTimeForNextRequest(
179 const base::TimeTicks& earliest_time) {
180 base::TimeTicks now = ImplGetTimeNow();
181
182 // If a lot of requests were successfully made recently,
183 // sliding_window_release_time_ may be greater than
184 // exponential_backoff_release_time_.
185 base::TimeTicks recommended_sending_time =
186 std::max(std::max(now, earliest_time),
187 std::max(GetBackoffEntry()->GetReleaseTime(),
188 sliding_window_release_time_));
189
190 DCHECK(send_log_.empty() ||
191 recommended_sending_time >= send_log_.back());
192 // Log the new send event.
193 send_log_.push(recommended_sending_time);
194
195 sliding_window_release_time_ = recommended_sending_time;
196
197 // Drop the out-of-date events in the event list.
198 // We don't need to worry that the queue may become empty during this
199 // operation, since the last element is sliding_window_release_time_.
200 while ((send_log_.front() + sliding_window_period_ <=
201 sliding_window_release_time_) ||
202 send_log_.size() > static_cast<unsigned>(max_send_threshold_)) {
203 send_log_.pop();
204 }
205
206 // Check if there are too many send events in recent time.
207 if (send_log_.size() == static_cast<unsigned>(max_send_threshold_))
208 sliding_window_release_time_ = send_log_.front() + sliding_window_period_;
209
210 return (recommended_sending_time - now).InMillisecondsRoundedUp();
211 }
212
213 base::TimeTicks
GetExponentialBackoffReleaseTime() const214 URLRequestThrottlerEntry::GetExponentialBackoffReleaseTime() const {
215 // If a site opts out, it's likely because they have problems that trigger
216 // the back-off mechanism when it shouldn't be triggered, in which case
217 // returning the calculated back-off release time would probably be the
218 // wrong thing to do (i.e. it would likely be too long). Therefore, we
219 // return "now" so that retries are not delayed.
220 if (is_backoff_disabled_)
221 return ImplGetTimeNow();
222
223 return GetBackoffEntry()->GetReleaseTime();
224 }
225
UpdateWithResponse(const std::string & host,const URLRequestThrottlerHeaderInterface * response)226 void URLRequestThrottlerEntry::UpdateWithResponse(
227 const std::string& host,
228 const URLRequestThrottlerHeaderInterface* response) {
229 if (IsConsideredError(response->GetResponseCode())) {
230 GetBackoffEntry()->InformOfRequest(false);
231 } else {
232 GetBackoffEntry()->InformOfRequest(true);
233
234 std::string throttling_header = response->GetNormalizedValue(
235 kExponentialThrottlingHeader);
236 if (!throttling_header.empty())
237 HandleThrottlingHeader(throttling_header, host);
238 }
239 }
240
ReceivedContentWasMalformed(int response_code)241 void URLRequestThrottlerEntry::ReceivedContentWasMalformed(int response_code) {
242 // A malformed body can only occur when the request to fetch a resource
243 // was successful. Therefore, in such a situation, we will receive one
244 // call to ReceivedContentWasMalformed() and one call to
245 // UpdateWithResponse() with a response categorized as "good". To end
246 // up counting one failure, we need to count two failures here against
247 // the one success in UpdateWithResponse().
248 //
249 // We do nothing for a response that is already being considered an error
250 // based on its status code (otherwise we would count 3 errors instead of 1).
251 if (!IsConsideredError(response_code)) {
252 GetBackoffEntry()->InformOfRequest(false);
253 GetBackoffEntry()->InformOfRequest(false);
254 }
255 }
256
~URLRequestThrottlerEntry()257 URLRequestThrottlerEntry::~URLRequestThrottlerEntry() {
258 }
259
Initialize()260 void URLRequestThrottlerEntry::Initialize() {
261 sliding_window_release_time_ = base::TimeTicks::Now();
262 backoff_policy_.num_errors_to_ignore = kDefaultNumErrorsToIgnore;
263 backoff_policy_.initial_delay_ms = kDefaultInitialDelayMs;
264 backoff_policy_.multiply_factor = kDefaultMultiplyFactor;
265 backoff_policy_.jitter_factor = kDefaultJitterFactor;
266 backoff_policy_.maximum_backoff_ms = kDefaultMaximumBackoffMs;
267 backoff_policy_.entry_lifetime_ms = kDefaultEntryLifetimeMs;
268 backoff_policy_.always_use_initial_delay = false;
269 }
270
IsConsideredError(int response_code)271 bool URLRequestThrottlerEntry::IsConsideredError(int response_code) {
272 // We throttle only for the status codes most likely to indicate the server
273 // is failing because it is too busy or otherwise are likely to be
274 // because of DDoS.
275 //
276 // 500 is the generic error when no better message is suitable, and
277 // as such does not necessarily indicate a temporary state, but
278 // other status codes cover most of the permanent error states.
279 // 503 is explicitly documented as a temporary state where the server
280 // is either overloaded or down for maintenance.
281 // 509 is the (non-standard but widely implemented) Bandwidth Limit Exceeded
282 // status code, which might indicate DDoS.
283 //
284 // We do not back off on 502 or 504, which are reported by gateways
285 // (proxies) on timeouts or failures, because in many cases these requests
286 // have not made it to the destination server and so we do not actually
287 // know that it is down or busy. One degenerate case could be a proxy on
288 // localhost, where you are not actually connected to the network.
289 return (response_code == 500 ||
290 response_code == 503 ||
291 response_code == 509);
292 }
293
ImplGetTimeNow() const294 base::TimeTicks URLRequestThrottlerEntry::ImplGetTimeNow() const {
295 return base::TimeTicks::Now();
296 }
297
HandleThrottlingHeader(const std::string & header_value,const std::string & host)298 void URLRequestThrottlerEntry::HandleThrottlingHeader(
299 const std::string& header_value,
300 const std::string& host) {
301 if (header_value == kExponentialThrottlingDisableValue) {
302 DisableBackoffThrottling();
303 if (manager_)
304 manager_->AddToOptOutList(host);
305 }
306 }
307
GetBackoffEntry() const308 const BackoffEntry* URLRequestThrottlerEntry::GetBackoffEntry() const {
309 return &backoff_entry_;
310 }
311
GetBackoffEntry()312 BackoffEntry* URLRequestThrottlerEntry::GetBackoffEntry() {
313 return &backoff_entry_;
314 }
315
316 // static
ExplicitUserRequest(const int load_flags)317 bool URLRequestThrottlerEntry::ExplicitUserRequest(const int load_flags) {
318 return (load_flags & LOAD_MAYBE_USER_GESTURE) != 0;
319 }
320
321 } // namespace net
322