Improve the poison message deletion handling to reduce the chance of duplicates (#2765)

danielmarbach · web-flow · commit 4f8d525006fe · 2025-03-24T09:14:10.000+01:00
* Add test to verify behavior

* Improve the poison message handling

---------

Co-authored-by: danielmarbach &lt;danielmarbach@users.noreply.github.com&gt;
diff --git a/src/NServiceBus.Transport.SQS.Tests/InputQueuePumpTests.cs b/src/NServiceBus.Transport.SQS.Tests/InputQueuePumpTests.cs
@@ -106,6 +106,65 @@ await SetupInitializedPump(onMessage: (ctx, ct) =>
             Assert.That(mockSqsClient.DeleteMessageRequestsSent.Single().receiptHandle, Is.EqualTo(expectedReceiptHandle));
         }
 
+        static IEnumerable<object[]> PoisonMessageExceptions() =>
+        [
+            [new Exception()],
+            [new ReceiptHandleIsInvalidException("Ooops")]
+        ];
+
+        [Theory]
+        [TestCaseSource(nameof(PoisonMessageExceptions))]
+        public async Task Poison_messages_failed_to_be_deleted_are_deleted_on_next_receive_without_processing(Exception exception)
+        {
+            var nativeMessageId = Guid.NewGuid().ToString();
+            var messageId = Guid.NewGuid().ToString();
+            var expectedFirstReceiptHandle = "receipt-handle-1";
+            var expectedSecondReceiptHandle = "receipt-handle-2";
+
+            var processed = false;
+            await SetupInitializedPump(onMessage: (ctx, ct) =>
+            {
+                processed = true;
+                return Task.FromResult(0);
+            });
+
+            var deleteRequest = mockSqsClient.DeleteMessageRequestResponse;
+            mockSqsClient.DeleteMessageRequestResponse = request => throw exception;
+
+            var message = new Message
+            {
+                ReceiptHandle = expectedFirstReceiptHandle,
+                MessageId = nativeMessageId,
+                MessageAttributes = new Dictionary<string, MessageAttributeValue>
+                {
+                    {Headers.MessageId, new MessageAttributeValue {StringValue = messageId}},
+                },
+                Body = null //poison message
+            };
+
+            // First receive attempt
+            await pump.ProcessMessage(message, CancellationToken.None).ConfigureAwait(false);
+
+            // Restore the previous behavior
+            mockSqsClient.DeleteMessageRequestResponse = deleteRequest;
+            // Second receive attempt of the same message that has already been moved to the error queue
+            // but not deleted from the input queue. It will be received with a new receipt handle.
+            message.ReceiptHandle = expectedSecondReceiptHandle;
+            await pump.ProcessMessage(message, CancellationToken.None).ConfigureAwait(false);
+
+            Assert.Multiple(() =>
+            {
+                Assert.That(processed, Is.False);
+                Assert.That(mockSqsClient.RequestsSent, Has.Count.EqualTo(1), "The message should not be attempted to be sent multiple times to the error queue.");
+                Assert.That(mockSqsClient.DeleteMessageRequestsSent, Has.Count.EqualTo(2));
+            });
+            Assert.Multiple(() =>
+            {
+                Assert.That(mockSqsClient.DeleteMessageRequestsSent[0].receiptHandle, Is.EqualTo(expectedFirstReceiptHandle));
+                Assert.That(mockSqsClient.DeleteMessageRequestsSent[1].receiptHandle, Is.EqualTo(expectedSecondReceiptHandle));
+            });
+        }
+
         [Test]
         public async Task Expired_messages_are_deleted_without_processing()
         {
diff --git a/src/NServiceBus.Transport.SQS/InputQueuePump.cs b/src/NServiceBus.Transport.SQS/InputQueuePump.cs
@@ -590,12 +590,12 @@ await sqsClient
             }
         }
 
-        async Task MovePoisonMessageToErrorQueue(Message message, CancellationToken messageProcessingCancellationToken)
+        async Task MovePoisonMessageToErrorQueue(Message message, CancellationToken cancellationToken)
         {
             string errorQueueUrl = null;
             try
             {
-                errorQueueUrl = await queueCache.GetQueueUrl(errorQueueAddress, messageProcessingCancellationToken)
+                errorQueueUrl = await queueCache.GetQueueUrl(errorQueueAddress, cancellationToken)
                     .ConfigureAwait(false);
                 // Ok to use LINQ here since this is not really a hot path
                 var messageAttributeValues = message.MessageAttributes
@@ -606,12 +606,12 @@ await sqsClient.SendMessageAsync(new SendMessageRequest
                     QueueUrl = errorQueueUrl,
                     MessageBody = message.Body,
                     MessageAttributes = messageAttributeValues
-                }, messageProcessingCancellationToken).ConfigureAwait(false);
+                }, cancellationToken).ConfigureAwait(false);
                 // The Attributes on message are read-only attributes provided by SQS
                 // and can't be re-sent. Unfortunately all the SQS metadata
                 // such as SentTimestamp is reset with this send.
             }
-            catch (Exception ex) when (!ex.IsCausedBy(messageProcessingCancellationToken))
+            catch (Exception ex) when (!ex.IsCausedBy(cancellationToken))
             {
                 Logger.Error($"Error moving poison message to error queue at url {errorQueueUrl}. Moving back to input queue.", ex);
                 try
@@ -621,11 +621,11 @@ await sqsClient.ChangeMessageVisibilityAsync(new ChangeMessageVisibilityRequest
                         QueueUrl = inputQueueUrl,
                         ReceiptHandle = message.ReceiptHandle,
                         VisibilityTimeout = 0
-                    }, messageProcessingCancellationToken).ConfigureAwait(false);
+                    }, cancellationToken).ConfigureAwait(false);
                 }
-                catch (Exception changeMessageVisibilityEx) when (!changeMessageVisibilityEx.IsCausedBy(messageProcessingCancellationToken))
+                catch (Exception changeMessageVisibilityEx) when (!changeMessageVisibilityEx.IsCausedBy(cancellationToken))
                 {
-                    Logger.Warn($"Error returning poison message back to input queue at url {inputQueueUrl}. Poison message will become available at the input queue again after the visibility timeout expires.", changeMessageVisibilityEx);
+                    Logger.Warn($"Error returning poison message with native ID '{message.MessageId}' back to input queue {inputQueueUrl}. Poison message will become available at the input queue again after the visibility timeout expires.", changeMessageVisibilityEx);
                 }
 
                 return;
@@ -637,14 +637,23 @@ await sqsClient.DeleteMessageAsync(new DeleteMessageRequest
                 {
                     QueueUrl = inputQueueUrl,
                     ReceiptHandle = message.ReceiptHandle
-                }, messageProcessingCancellationToken).ConfigureAwait(false);
+                }, CancellationToken.None) // We don't want the delete to be cancellable to avoid unnecessary duplicates of poison messages
+                    .ConfigureAwait(false);
             }
-            catch (Exception ex) when (!ex.IsCausedBy(messageProcessingCancellationToken))
+            catch (ReceiptHandleIsInvalidException ex)
             {
-                Logger.Warn($"Error removing poison message from input queue {inputQueueUrl}. This may cause duplicate poison messages in the error queue for this endpoint.", ex);
+                Logger.Error($"Error removing poison message with native ID '{message.MessageId}' from input queue {inputQueueUrl} because the visibility timeout expired. Poison message will become available at the input queue again and attempted to be removed on a best-effort basis. This may still cause duplicate poison messages in the error queue for this endpoint", ex);
+
+                messagesToBeDeleted.AddOrUpdate(message.MessageId, true);
+            }
+            catch (Exception ex)
+            {
+                Logger.Warn($"Error removing poison message with native ID '{message.MessageId}' from input queue {inputQueueUrl}. Poison message will become available at the input queue again and attempted to be removed on a best-effort basis. This may still cause duplicate poison messages in the error queue for this endpoint", ex);
+
+                messagesToBeDeleted.AddOrUpdate(message.MessageId, true);
             }
 
-            // If there is a message body in S3, simply leave it there
+            // If there is a message body in S3, simply leave it there to be aged out by the S3 lifecycle policy when the TTL expires
         }
 
         List<Task> pumpTasks;

Original file line number	Diff line number	Diff line change
`@@ -590,12 +590,12 @@ await sqsClient`
`590`	`590`	`}`
`591`	`591`	`}`
`592`	`592`
`593`		`- async Task MovePoisonMessageToErrorQueue(Message message, CancellationToken messageProcessingCancellationToken)`
	`593`	`+ async Task MovePoisonMessageToErrorQueue(Message message, CancellationToken cancellationToken)`
`594`	`594`	`{`
`595`	`595`	`string errorQueueUrl = null;`
`596`	`596`	`try`
`597`	`597`	`{`
`598`		`- errorQueueUrl = await queueCache.GetQueueUrl(errorQueueAddress, messageProcessingCancellationToken)`
	`598`	`+ errorQueueUrl = await queueCache.GetQueueUrl(errorQueueAddress, cancellationToken)`
`599`	`599`	`.ConfigureAwait(false);`
`600`	`600`	`// Ok to use LINQ here since this is not really a hot path`
`601`	`601`	`var messageAttributeValues = message.MessageAttributes`
`@@ -606,12 +606,12 @@ await sqsClient.SendMessageAsync(new SendMessageRequest`
`606`	`606`	`QueueUrl = errorQueueUrl,`
`607`	`607`	`MessageBody = message.Body,`
`608`	`608`	`MessageAttributes = messageAttributeValues`
`609`		`- }, messageProcessingCancellationToken).ConfigureAwait(false);`
	`609`	`+ }, cancellationToken).ConfigureAwait(false);`
`610`	`610`	`// The Attributes on message are read-only attributes provided by SQS`
`611`	`611`	`// and can't be re-sent. Unfortunately all the SQS metadata`
`612`	`612`	`// such as SentTimestamp is reset with this send.`
`613`	`613`	`}`
`614`		`- catch (Exception ex) when (!ex.IsCausedBy(messageProcessingCancellationToken))`
	`614`	`+ catch (Exception ex) when (!ex.IsCausedBy(cancellationToken))`
`615`	`615`	`{`
`616`	`616`	`Logger.Error($"Error moving poison message to error queue at url {errorQueueUrl}. Moving back to input queue.", ex);`
`617`	`617`	`try`
`@@ -621,11 +621,11 @@ await sqsClient.ChangeMessageVisibilityAsync(new ChangeMessageVisibilityRequest`
`621`	`621`	`QueueUrl = inputQueueUrl,`
`622`	`622`	`ReceiptHandle = message.ReceiptHandle,`
`623`	`623`	`VisibilityTimeout = 0`
`624`		`- }, messageProcessingCancellationToken).ConfigureAwait(false);`
	`624`	`+ }, cancellationToken).ConfigureAwait(false);`
`625`	`625`	`}`
`626`		`- catch (Exception changeMessageVisibilityEx) when (!changeMessageVisibilityEx.IsCausedBy(messageProcessingCancellationToken))`
	`626`	`+ catch (Exception changeMessageVisibilityEx) when (!changeMessageVisibilityEx.IsCausedBy(cancellationToken))`
`627`	`627`	`{`
`628`		`- Logger.Warn($"Error returning poison message back to input queue at url {inputQueueUrl}. Poison message will become available at the input queue again after the visibility timeout expires.", changeMessageVisibilityEx);`
	`628`	`+ Logger.Warn($"Error returning poison message with native ID '{message.MessageId}' back to input queue {inputQueueUrl}. Poison message will become available at the input queue again after the visibility timeout expires.", changeMessageVisibilityEx);`
`629`	`629`	`}`
`630`	`630`
`631`	`631`	`return;`
`@@ -637,14 +637,23 @@ await sqsClient.DeleteMessageAsync(new DeleteMessageRequest`
`637`	`637`	`{`
`638`	`638`	`QueueUrl = inputQueueUrl,`
`639`	`639`	`ReceiptHandle = message.ReceiptHandle`
`640`		`- }, messageProcessingCancellationToken).ConfigureAwait(false);`
	`640`	`+ }, CancellationToken.None) // We don't want the delete to be cancellable to avoid unnecessary duplicates of poison messages`
	`641`	`+ .ConfigureAwait(false);`
`641`	`642`	`}`
`642`		`- catch (Exception ex) when (!ex.IsCausedBy(messageProcessingCancellationToken))`
	`643`	`+ catch (ReceiptHandleIsInvalidException ex)`
`643`	`644`	`{`
`644`		`- Logger.Warn($"Error removing poison message from input queue {inputQueueUrl}. This may cause duplicate poison messages in the error queue for this endpoint.", ex);`
	`645`	`+ Logger.Error($"Error removing poison message with native ID '{message.MessageId}' from input queue {inputQueueUrl} because the visibility timeout expired. Poison message will become available at the input queue again and attempted to be removed on a best-effort basis. This may still cause duplicate poison messages in the error queue for this endpoint", ex);`
	`646`	`+`
	`647`	`+ messagesToBeDeleted.AddOrUpdate(message.MessageId, true);`
	`648`	`+ }`
	`649`	`+ catch (Exception ex)`
	`650`	`+ {`
	`651`	`+ Logger.Warn($"Error removing poison message with native ID '{message.MessageId}' from input queue {inputQueueUrl}. Poison message will become available at the input queue again and attempted to be removed on a best-effort basis. This may still cause duplicate poison messages in the error queue for this endpoint", ex);`
	`652`	`+`
	`653`	`+ messagesToBeDeleted.AddOrUpdate(message.MessageId, true);`
`645`	`654`	`}`
`646`	`655`
`647`		`- // If there is a message body in S3, simply leave it there`
	`656`	`+ // If there is a message body in S3, simply leave it there to be aged out by the S3 lifecycle policy when the TTL expires`
`648`	`657`	`}`
`649`	`658`
`650`	`659`	`List<Task> pumpTasks;`