The implementation of the External Processor filter coordinates data across the application thread, the data plane response thread, and the external processor's response thread. To ensure thread safety and compliance with the gRPC contract, the

  following synchronization measures were implemented:

  1. Thread-Unsafe StreamObserver
   * Challenge: The gRPC StreamObserver used to send messages to the external processor is not thread-safe. Concurrent calls to its onNext(), onCompleted(), and onError() methods from different threads can corrupt the internal state of the communication
     channel. Additionally, calling isReady() on the observer while another thread is sending data can lead to race conditions.
   * Fix: All interactions with the external processor's StreamObserver—including data transmission (onNext), terminal signals (onCompleted, onError), and readiness checks (isReady)—are now protected by the lock object.

  2. ClientCall.Listener Serialization Contract
   * Challenge: gRPC requires that all callbacks to an application's ClientCall.Listener (such as onHeaders, onMessage, and onReady) be strictly serialized. Because these events can be triggered by either the backend server or the external processor,
     there was a risk of overlapping callbacks.
   * Fix: The logic that delivers events to the application's Listener is now synchronized using the lock. This ensures that even if multiple threads attempt to "unblock" and deliver buffered metadata or status simultaneously, the application receives
     them in a single, non-overlapping sequence.

  3. Visibility and Consistency of Internal State
   * Challenge: The filter maintains several internal state variables, such as buffers for response metadata and flags to track the lifecycle of the call. If these are accessed concurrently without synchronization, one thread might act on stale data,
     potentially leading to duplicate headers or incorrect flow control decisions.
   * Fix: Access to all internal state and control flags is now guarded by the lock. Furthermore, the flag indicating whether request headers have been processed was marked as volatile to ensure its state is immediately visible across threads during
     high-frequency checks like sendMessage().

  4. Synchronizing Terminal Signals
   * Challenge: Closing or faulting the external processor's stream while another thread is still attempting to send data can cause crashes or undefined behavior in the gRPC transport.
   * Fix: All terminal signals (onCompleted and onError) sent to the external processor's StreamObserver are synchronized with the same lock used for sending data. This ensures that the stream is only terminated after any ongoing data transfers have
     safely finished.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/ExternalProcessorFilter.java

@@ -341,10 +341,11 @@ private static void applyHeaderMutations(Metadata headers, io.envoyproxy.envoy.s
     private static class ExtProcClientCall extends SimpleForwardingClientCall<InputStream, InputStream> {
       private final ExternalProcessorGrpc.ExternalProcessorStub stub;
       private final ExternalProcessor config;
+      private final Object lock = new Object();
       private ClientCallStreamObserver<ProcessingRequest> extProcClientCallRequestObserver;
       private ExtProcListener wrappedListener;
 
-      private boolean headersSent = false;
+      private volatile boolean headersSent = false;
       private Metadata requestHeaders;
       private final java.util.Queue<Runnable> pendingActions = new java.util.concurrent.ConcurrentLinkedQueue<>();
       final AtomicBoolean extProcStreamFailed = new AtomicBoolean(false);
@@ -378,7 +379,9 @@ public void onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingResponse re
 
             if (response.getRequestDrain()) {
               drainingExtProcStream.set(true);
-              extProcClientCallRequestObserver.onCompleted(); // Sends half-close to ext_proc
+              synchronized (lock) {
+                extProcClientCallRequestObserver.onCompleted(); // Sends half-close to ext_proc
+              }
               return;
             }
 
@@ -402,7 +405,9 @@ else if (response.hasRequestBody()) {
                 io.grpc.StatusRuntimeException ex = io.grpc.Status.INTERNAL
                     .withDescription("gRPC message compression not supported in ext_proc")
                     .asRuntimeException();
-                extProcClientCallRequestObserver.onError(ex);
+                synchronized (lock) {
+                  extProcClientCallRequestObserver.onError(ex);
+                }
                 onError(ex);
                 return;
               }
@@ -418,14 +423,16 @@ else if (response.hasResponseHeaders()) {
             }
             // 5. Server Message (Response Body)
             else if (response.hasResponseBody()) {
-              if (response.getResponseBody().hasResponse()
+              if (response.hasResponseBody().hasResponse()
                   && response.getResponseBody().getResponse().hasBodyMutation()
                   && response.getResponseBody().getResponse().getBodyMutation().hasStreamedResponse()
                   && response.getResponseBody().getResponse().getBodyMutation().getStreamedResponse().getGrpcMessageCompressed()) {
                 io.grpc.StatusRuntimeException ex = io.grpc.Status.INTERNAL
                     .withDescription("gRPC message compression not supported in ext_proc")
                     .asRuntimeException();
-                extProcClientCallRequestObserver.onError(ex);
+                synchronized (lock) {
+                  extProcClientCallRequestObserver.onError(ex);
+                }
                 onError(ex);
                 return;
               }
@@ -442,7 +449,9 @@ else if (response.hasResponseBody()) {
               }
               // Finally notify the local app of the completion
               wrappedListener.proceedWithClose();
-              extProcClientCallRequestObserver.onCompleted();
+              synchronized (lock) {
+                extProcClientCallRequestObserver.onCompleted();
+              }
             }
           }
 
@@ -470,11 +479,13 @@ public void onCompleted() {
 
         wrappedListener.setStream(extProcClientCallRequestObserver);
 
-        extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
-            .setRequestHeaders(io.envoyproxy.envoy.service.ext_proc.v3.HttpHeaders.newBuilder()
-                .setHeaders(toHeaderMap(headers))
-                .build())
-            .build());
+        synchronized (lock) {
+          extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
+              .setRequestHeaders(io.envoyproxy.envoy.service.ext_proc.v3.HttpHeaders.newBuilder()
+                  .setHeaders(toHeaderMap(headers))
+                  .build())
+              .build());
+        }
 
         if (config.getObservabilityMode()) {
           headersSent = true;
@@ -497,8 +508,10 @@ public boolean isReady() {
           return false;
         }
         if (config.getObservabilityMode()) {
-          return super.isReady() && extProcClientCallRequestObserver != null
-              && extProcClientCallRequestObserver.isReady();
+          synchronized (lock) {
+            return super.isReady() && extProcClientCallRequestObserver != null
+                && extProcClientCallRequestObserver.isReady();
+          }
         }
         return super.isReady();
       }
@@ -531,12 +544,14 @@ public void sendMessage(InputStream message) {
 
         try {
           byte[] bodyBytes = ByteStreams.toByteArray(message);
-          extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
-              .setRequestBody(io.envoyproxy.envoy.service.ext_proc.v3.HttpBody.newBuilder()
-                  .setBody(com.google.protobuf.ByteString.copyFrom(bodyBytes))
-                  .setEndOfStream(false)
-                  .build())
-              .build());
+          synchronized (lock) {
+            extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
+                .setRequestBody(io.envoyproxy.envoy.service.ext_proc.v3.HttpBody.newBuilder()
+                    .setBody(com.google.protobuf.ByteString.copyFrom(bodyBytes))
+                    .setEndOfStream(false)
+                    .build())
+                .build());
+          }
 
           if (config.getObservabilityMode()) {
             super.sendMessage(new ByteArrayInputStream(bodyBytes));
@@ -554,18 +569,22 @@ public void halfClose() {
         }
 
         // Signal end of request body stream to the external processor.
-        extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
-            .setRequestBody(io.envoyproxy.envoy.service.ext_proc.v3.HttpBody.newBuilder()
-                .setEndOfStreamWithoutMessage(true)
-                .build())
-            .build());
+        synchronized (lock) {
+          extProcClientCallRequestObserver.onNext(io.envoyproxy.envoy.service.ext_proc.v3.ProcessingRequest.newBuilder()
+              .setRequestBody(io.envoyproxy.envoy.service.ext_proc.v3.HttpBody.newBuilder()
+                  .setEndOfStreamWithoutMessage(true)
+                  .build())
+              .build());
+        }
         super.halfClose();
       }
 
       @Override
       public void cancel(@Nullable String message, @Nullable Throwable cause) {
-        if (extProcClientCallRequestObserver != null) {
-          extProcClientCallRequestObserver.onError(Status.CANCELLED.withDescription(message).withCause(cause).asRuntimeException());
+        synchronized (lock) {
+          if (extProcClientCallRequestObserver != null) {
+            extProcClientCallRequestObserver.onError(Status.CANCELLED.withDescription(message).withCause(cause).asRuntimeException());
+          }
         }
         super.cancel(message, cause);
       }
@@ -605,7 +624,9 @@ private void handleImmediateResponse(io.envoyproxy.envoy.service.ext_proc.v3.Imm
         io.grpc.Status status = io.grpc.Status.fromCodeValue(immediate.getGrpcStatus().getStatus());
         delegate().cancel("Rejected by ExtProc", null);
         listener.onClose(status, new Metadata());
-        extProcClientCallRequestObserver.onCompleted();
+        synchronized (lock) {
+          extProcClientCallRequestObserver.onCompleted();
+        }
       }
 
       private void handleFailOpen(ExtProcListener listener) {
@@ -655,19 +676,28 @@ public void onHeaders(Metadata headers) {
           super.onHeaders(headers);
           return;
         }
-        this.savedHeaders = headers;
-        extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
-            .setResponseHeaders(io.envoyproxy.envoy.service.ext_proc.v3.HttpHeaders.newBuilder()
-                .setHeaders(toHeaderMap(headers))
-                .build())
-            .build());
+        synchronized (extProcClientCall.lock) {
+          this.savedHeaders = headers;
+          extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
+              .setResponseHeaders(io.envoyproxy.envoy.service.ext_proc.v3.HttpHeaders.newBuilder()
+                  .setHeaders(toHeaderMap(headers))
+                  .build())
+              .build());
+        }
 
         if (extProcClientCall.config.getObservabilityMode()) {
           super.onHeaders(headers);
         }
       }
 
-      void proceedWithHeaders() { super.onHeaders(savedHeaders); }
+      void proceedWithHeaders() {
+        synchronized (extProcClientCall.lock) {
+          if (savedHeaders != null) {
+            super.onHeaders(savedHeaders);
+            savedHeaders = null;
+          }
+        }
+      }
 
       @Override
       public void onMessage(InputStream message) {
@@ -679,7 +709,7 @@ public void onMessage(InputStream message) {
         try {
           byte[] bodyBytes = ByteStreams.toByteArray(message);
           sendResponseBodyToExtProc(bodyBytes, false);
-          
+
           if (extProcClientCall.config.getObservabilityMode()) {
             super.onMessage(new ByteArrayInputStream(bodyBytes));
           }
@@ -703,22 +733,26 @@ public void onClose(io.grpc.Status status, Metadata trailers) {
           return;
         }
 
-        this.savedStatus = status;
-        this.savedTrailers = trailers;
+        synchronized (extProcClientCall.lock) {
+          this.savedStatus = status;
+          this.savedTrailers = trailers;
 
-        // Signal end of response body stream to the external processor.
-        sendResponseBodyToExtProc(null, true);
+          // Signal end of response body stream to the external processor.
+          sendResponseBodyToExtProc(null, true);
 
-        // Event 6: Server Trailers with ACTUAL data
-        extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
-            .setResponseTrailers(io.envoyproxy.envoy.service.ext_proc.v3.HttpTrailers.newBuilder()
-                .setTrailers(toHeaderMap(savedTrailers)) // Map the captured trailers here
-                .build())
-            .build());
+          // Event 6: Server Trailers with ACTUAL data
+          extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
+              .setResponseTrailers(io.envoyproxy.envoy.service.ext_proc.v3.HttpTrailers.newBuilder()
+                  .setTrailers(toHeaderMap(savedTrailers)) // Map the captured trailers here
+                  .build())
+              .build());
+        }
 
         if (extProcClientCall.config.getObservabilityMode()) {
           super.onClose(status, trailers);
-          extProcClientCall.extProcClientCallRequestObserver.onCompleted();
+          synchronized (extProcClientCall.lock) {
+            extProcClientCall.extProcClientCallRequestObserver.onCompleted();
+          }
         }
       }
 
@@ -734,16 +768,24 @@ private void sendResponseBodyToExtProc(@Nullable byte[] bodyBytes, boolean endOf
         }
         bodyBuilder.setEndOfStream(endOfStream);
 
-        extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
-            .setResponseBody(bodyBuilder.build())
-            .build());
+        synchronized (extProcClientCall.lock) {
+          extProcClientCall.extProcClientCallRequestObserver.onNext(ProcessingRequest.newBuilder()
+              .setResponseBody(bodyBuilder.build())
+              .build());
+        }
       }
 
       /**
        * Called when ExtProc gives the final "OK" for the trailers phase.
        */
       void proceedWithClose() {
-        super.onClose(savedStatus, savedTrailers);
+        synchronized (extProcClientCall.lock) {
+          if (savedStatus != null) {
+            super.onClose(savedStatus, savedTrailers);
+            savedStatus = null;
+            savedTrailers = null;
+          }
+        }
       }
 
       void onExternalBody(com.google.protobuf.ByteString body) {
@@ -755,12 +797,8 @@ void onExternalBody(com.google.protobuf.ByteString body) {
       void unblockAfterStreamComplete() {
         // This is called when the ext_proc stream is gracefully completed.
         // We need to flush any pending state that is waiting for a response from ext_proc.
-        if (savedHeaders != null) {
-          proceedWithHeaders();
-        }
-        if (savedStatus != null) {
-          proceedWithClose();
-        }
+        proceedWithHeaders();
+        proceedWithClose();
       }
     }
   }