Make HTTP server shutdown more graceful

laanwj commented at 3:46 pm on September 24, 2015: member

Shutting down the HTTP server currently breaks off all current requests. This can create a race condition with RPC stop command, where the calling process never receives confirmation.

This change removes the listening sockets on shutdown so that no new requests can come in, but no longer breaks off requests in progress.

Meant to fix #6717.

laanwj added the label RPC on Sep 24, 2015

laanwj added the label Tests on Sep 24, 2015

dcousens commented at 6:49 am on September 25, 2015: contributor

but no longer breaks off requests in progress.

Possible attack vector by denying the service the ability to shut down / restart by keeping a connection open?

laanwj commented at 7:40 am on September 25, 2015: member

After -rpcservertimeout current connections will get booted, unless there is activity. If they do any requests they get a server unavailable error. But yes, if your application software is truly malicious they could keep the server busy by sending e.g. one header at a time, every timeout-1 seconds.

Note that this solution is cleaner in any case, it doesn’t rule out queuing a event_base_loopbreak(eventBase);, say, 30 seconds in the future to force a shutdown.

jonasschnelli commented at 9:17 am on September 25, 2015: contributor

utACK.

I agree that the attack vectors are out of scope for this PR maybe for the whole http-json-rpc-daemon (it’s not hardened enough to expose to potential malicious environments).

dcousens commented at 10:00 am on September 25, 2015: contributor

utACK, just thought I’d mention it.

laanwj commented at 12:00 pm on September 25, 2015: member

@dcousens It’s great that you mentioned it. It reminded me of potential issue of this: what happens if a timer is stilll running, will it block the event queue exit until it triggers? Will test this scenario by stopping with an unlocked wallet.

Pushed another related fix:

http: Wait for worker threads to exit

Add a WaitExit() call to http’s WorkQueue to make StopHTTPServer delete the work queue only when all worker threads stopped.

This fixes a problem that was reproducable by pressing Ctrl-C during AppInit2:

0/usr/include/boost/thread/pthread/condition_variable_fwd.hpp:81: boost::condition_variable::~condition_variable(): Assertion `!ret' failed.
1/usr/include/boost/thread/pthread/mutex.hpp:108: boost::mutex::~mutex(): Assertion `!posix::pthread_mutex_destroy(&m)' failed.

I was assuming that threadGroup->join_all(); would always have been called when entering the Shutdown(). However this is not the case in bitcoind’s AppInit2-non-zero-exit case “was left out intentionally here”. (now that the http module takes care of waiting for its own worker threads, we could even make it stop using threadGroup completely, but I leave that for a future refactor)

laanwj force-pushed on Sep 25, 2015

laanwj commented at 1:39 pm on September 25, 2015: member

Pushed another commit to force-exit the event loop after a predefined time after interruption. This addresses @dcousens ’s issue, as well as the case that other events are still lingering (such as a wallet unlock timer).

dcousens commented at 2:19 pm on September 25, 2015: contributor

utACK, well done @laanwj

theuni commented at 9:35 pm on September 25, 2015: member

Concept ACK, btw. Definitely an improvement.

Make HTTP server shutdown more graceful

Shutting down the HTTP server currently breaks off all current requests.
This can create a race condition with RPC `stop` command, where the calling
process never receives confirmation.

This change removes the listening sockets on shutdown so that no new
requests can come in, but no longer breaks off requests in progress.

Meant to fix #6717.

5e0c221356

http: Wait for worker threads to exit

Add a WaitExit() call to http's WorkQueue to make it delete the work
queue only when all worker threads stopped.

This fixes a problem that was reproducable by pressing Ctrl-C during
AppInit2:
```
/usr/include/boost/thread/pthread/condition_variable_fwd.hpp:81: boost::condition_variable::~condition_variable(): Assertion `!ret' failed.
/usr/include/boost/thread/pthread/mutex.hpp:108: boost::mutex::~mutex(): Assertion `!posix::pthread_mutex_destroy(&m)' failed.
```

I was assuming that `threadGroup->join_all();` would always have been
called when entering the Shutdown(). However this is not the case in
bitcoind's AppInit2-non-zero-exit case "was left out intentionally
here".

de9de2de36

http: Force-exit event loop after predefined time

This makes sure that the event loop eventually terminates, even if an
event (like an open timeout, or a hanging connection) happens to be
holding it up.

ec908d5f7a

laanwj force-pushed on Sep 28, 2015

laanwj commented at 1:09 pm on September 28, 2015: member

Processed @theuni ’s comments. WIll merge as soon as Travis passes.

theuni commented at 1:35 pm on September 28, 2015: member

Thanks. ut ACK.

laanwj merged this on Sep 28, 2015

laanwj closed this on Sep 28, 2015

laanwj referenced this in commit 1a9f19a78d on Sep 28, 2015

laanwj referenced this in commit 856be4fe46 on Nov 11, 2015

laanwj referenced this in commit 1ec9198c68 on Nov 13, 2015

laanwj referenced this in commit febcc13b18 on Nov 13, 2015

laanwj referenced this in commit a264c32e33 on Nov 13, 2015

zkbot referenced this in commit fb2f98e00b on Oct 23, 2017

sickpig referenced this in commit 46b5b86be5 on Mar 9, 2018

sickpig referenced this in commit dadc2880a1 on Mar 9, 2018

sickpig referenced this in commit 6d4a55878a on Mar 12, 2018

sickpig referenced this in commit 6db640a393 on Mar 12, 2018

sickpig referenced this in commit 76cf243311 on Mar 12, 2018

sickpig referenced this in commit 4428056252 on Mar 12, 2018

marlengit referenced this in commit 297ac08c3a on Sep 25, 2018

MarcoFalke locked this on Sep 8, 2021

Make HTTP server shutdown more graceful #6719

http: Wait for worker threads to exit