http: add evhttp_connection_set_closecb to avoid g_requests hang

[Crypt-iQ]

Prior to this patch, it was possible that if an RPC was interrupted before the reply was received, the success callback evhttp_request_set_on_complete_cb would never be called and g_requests wouldn't be cleaned up. When attempting to shutdown bitcoind, it would hang waiting for g_requests.empty().

Fixes #27722

I am currently working on testing this with a libevent version of 2.2.1 to ensure that the patch also works for that version.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Approach ACK	stickies-v

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #28551 (http: bugfix: allow server shutdown in case of remote client disconnection by stickies-v)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[fanquake]

cc @fjahr

[stickies-v]

Concept ACK.

Was able to reproduce the bug, and this fixes the issue for me (libevent 2.1.12, macOS 13.4).

Need to read up on the libevent workaround a bit more first.

[promag]

Why I am not co-author?

[Crypt-iQ]

Why I am not co-author?

Happy to add you of course since you wrote it -- I couldn't find your email via git log to add it and I wasn't sure how to give credit w/o an email

[jonatack]

I'd suggest using @promag's commit authored by him (and then maybe/maybe not an additional commit if any substantive new changes).

[Crypt-iQ]

Can you advise on how to do that? I can close this in favor of another and let somebody take it over with proper commit attribution. I opened this PR since it wasn't addressed for a month

[jonatack]

git log for me has @promag's email as João Barbosa <joao.paulo.barbosa@gmail.com>

Would be something like git commit --amend --author="João Barbosa <joao.paulo.barbosa@gmail.com>"

[jonatack]

or git cherry-pick d41736b

[Crypt-iQ]

git log for me has @promag's email as João Barbosa joao.paulo.barbosa@gmail.com

I see, I grepped for promag instead of the name. Anyways, the commit attribution is fixed. Sorry about that @promag

or git cherry-pick d41736b

I didn't do this because that commit only fixes it for certain libevent versions

[promag]

@Crypt-iQ No worries mate, thanks for picking this work!

[stickies-v]

I agree with the approach of calling evhttp_connection_set_closecb regardless of whether EV_READ is enabled or disabled, which is currently the only difference between this PR and #27245.

With this PR:

• In the case that EV_READ is enabled, evhttp_connection_set_closecb will be called as soon as the connection is closed, including in case of a remote client disconnection (especially useful during long-running requests as described here), which is the most efficient as we're not wasting server resources on completing the request that won't get served anyway.

• In the case that EV_READ is disabled, evhttp_connection_set_closecb will not be called immediately in case of remote client disconnection (because we're not listening for it), but it will still be called when the server is shutting down, still resolving the issue in http: add evhttp_connection_set_closecb to avoid g_requests hang #27909 where bitcoind can't gracefully shutdown but potentially wasting resources on requests of which the connection has been closed.

However, I'm not sure the entire code block to enable EV_READ is safe, as per my comment. I'll continue digging into that but looking forward to hearing other views on this? If it's not safe, I think we need to leave this out and look for alternatives to monitoring remote client disconnections. A fix is suggested in azat/libevent@7d2e2a8, but I can't see it in the 2.2.1-alpha release yet. Even with EV_READ disabled, I still think calling evhttp_connection_set_closecb is a very worthwhile improvement.

[stickies-v]

Is this safe to do? Unless I misunderstand, this effectively disables the bugfix introduced in libevent/libevent@5ff8eb2, which means that if we get new data in our inbound buffer this will put the connection in an invalid state. I'm not sure yet how that would get triggered in practice, so I'm just going off what I read so far as I can't reproduce the race condition reported in #11593.

[Crypt-iQ]

I wasn't able to reproduce using this #11593 (comment) and since you pointed out that the change wasn't merged into 2.2, I think it's better to err on the side of caution and not enable reading

[Crypt-iQ]

I've updated the PR and removed this

[fjahr]

I opened this PR since it wasn't addressed for a month

Why didn't you ask me first if I am still working on this? A month isn't a long time in this project when you working on multiple things at the same time...

Typically people leave a review comment in a situation like this instead of opening a new PR.

[fjahr]

@Crypt-iQ There is no need to close this PR now since it got attention and review. I will close mine if you want to continue. But I wanted to clarify this for the future.

[Crypt-iQ]

Ok I reopened, it would be helpful if these things were made explicit (leave a comment) rather than implicit

[Crypt-iQ]

@Crypt-iQ There is no need to close this PR now since it got attention and review. I will close mine if you want to continue. But I wanted to clarify this for the future.

I think you can reopen your PR to include the bufferevent read enable. I've updated this PR to include a minimal fix for the issue (without the bufferevent read enable) because I'm still a little unclear on what exactly the bug fix was originally for and I can't reproduce it. Also happy to close this PR in favor of yours since this is now missing the read enable.

[stickies-v]

Approach ACK 710985d

I think improving remote client disconnect detection is best left for a separate PR; this is a worthwhile improvement on its own and I think uncontroversial.

[stickies-v]

I'm curious why we make notify_all() dependent on g_requests.empty() here, when in all other places we notify for all added and removed events?

Suggested change

	auto n{g_requests.erase(req)};
	if (n == 1 && g_requests.empty()) g_requests_cv.notify_all();
	if (g_requests.erase(req)) g_requests_cv.notify_all();

[Crypt-iQ]

I think because the only call to g_requests_cv.wait(...) has a predicate that waits for g_requests.empty(). I've removed the dependency in the latest patch

[Crypt-iQ]

I've removed the assert(n == 1) in evhttp_request_set_on_complete_cb because of this comment: #27722 (comment). It appears that both evhttp_connection_set_closecb and evhttp_request_set_on_complete_cb can run which causes a crash. I wasn't able to reproduce it and still want to know what exactly happened, but I think removing the assert here is certainly better than having a crash.

[Crypt-iQ]

This assumes that a connection can never have more than 1 request, and I'm not sure if that's the case.

I'm also not sure. This PR body leads me to believe that it is possible to have more than 1 request per connection: libevent/libevent#592 (comment) , however I'm not sure whether it's possible for them to be interleaved and cause problems with your connection-based patch. Something I'll try to investigate.

[Crypt-iQ]

It is possible for a connection to have more than one request (see: libevent/libevent#1383 (comment)) or evhttp_associate_new_request_with_connection in the libevent code. It appears though that the requests are sequential so when one completes the next one can run. I modified the python script to test this, but it doesn't lead to a deadlock or crash because when the next request comes in, it uses the same evhttp_connection* and so the insert into g_http_conns is a no-op. The next request will also update the callback on the evhttp_connection* via evhttp_connection_set_closecb so that only one callback is run. When the connection is finally closed, it will find the connection & delete it. I think this means your patch works, but I'll continue to investigate a little more

python script

import http.client
import base64
from concurrent.futures import ThreadPoolExecutor
import time

host = "localhost"
port = 18443

auth_string = base64.b64encode('user:pass'.encode()).decode()

num_threads =  1
iterations_per_thread = 1

def send_requests(i):
    for _ in range(iterations_per_thread):
        conn = http.client.HTTPConnection(host, port)
        conn.request("POST", "/", headers={"Keep-Alive": "timeout=500, max=1000"})
        
        #response = conn.getresponse()
        #conn.close()

        time.sleep(3)

        conn.request("POST", "/", headers={"Keep-Alive": "timeout=500, max=1000"})

        time.sleep(100)

with ThreadPoolExecutor(max_workers=num_threads) as executor:
    executor.map(send_requests, range(num_threads))

[Crypt-iQ]

I haven't been able to cause a crash with the connection-based code. Given that the connection-based code is different than the crashing code here, do you want to open a new PR with the connection-based code @stickies-v ?

[fanquake]

What is that status of this? cc @stickies-v.

[vasild]

libevent/libevent#78 is relevant. Need to check how libevent was fixed to detect client close and make use of that in bitcoind.

[stickies-v]

Need to check how libevent was fixed to detect client close and make use of that in bitcoind.

As far as I could find, it's not yet fixed but it's also largely orthogonal, see my comment here and this open libevent issue. Detecting a remote disconnect would help save resources by not completing a request we'll no longer be serving, but isn't necessary to avoid the hangs on shutdown.

[fanquake]

Going to mark this as draft for now, given that #28551 is open.

[stickies-v]

Superseded by #28551, can be closed now.

[fanquake]

Closing for now.