tls: fix leak of WriteWrap+TLSWrap combination #9586
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage.
|
Unrelated CI failures as far as I can tell. |
|
Here is a video about identifying this leak for anyone interested: https://asciinema.org/a/be58dh43vbsy7o02wqewxvrrt |
cjihrig
reviewed
Nov 13, 2016
| ssl._secureContext.context = null; | ||
| } | ||
| } | ||
| if (cb) |
There was a problem hiding this comment.
Can you check typeof cb === 'function'
cjihrig
reviewed
Nov 13, 2016
| }); | ||
|
|
||
| c.write('hello', common.mustCall((err) => { | ||
| assert.equal(err.code, 'ECANCELED'); |
There was a problem hiding this comment.
Can you use assert.strictEqual() please.
|
Thanks @indutny for this |
|
👍 Tested this patch on Mac OS x and I can see that, the patch fixes the leak, even after creating thousands of timeouts on I will share more details and numbers after testing this on our production environment. |
|
@bnoordhuis or @shigeki do you have some time to take a look at this? This is a pretty severe issue and I hope that we could release a fix for it ASAP. cc @nodejs/lts (since it needs to be backported to v4) |
bnoordhuis
requested changes
Nov 15, 2016
| } | ||
|
|
||
| // Invoke `destroySSL` on close to clean up possibly pending write requests | ||
| // that may self-reference TLSWrap, leading to leak |
| const done = () => { | ||
| if (ssl) { | ||
| ssl.destroySSL(); | ||
| if (ssl._secureContext.singleUse) { |
There was a problem hiding this comment.
What does .singleUse signify? It's always true as far as I can tell because it's the inversion of options.keepAlive, which is not a documented option and seems to have no test coverage or uses in core.
There was a problem hiding this comment.
keepAlive is an option passed by https.Agent, I suspect that it should be tested in our test suite through https module.
There was a problem hiding this comment.
I don't quite understand. keepAlive is a layer 7 thing, why would that influence the TLS layer?
| } | ||
| if (typeof cb === 'function') | ||
| cb(); | ||
| }; |
There was a problem hiding this comment.
I'm curious, what would happen when ssl.destroySSL() gets called synchronously, i.e., outside the callback?
There was a problem hiding this comment.
Crash, because of StreamBase callbacks.
There was a problem hiding this comment.
The reason is actually way simpler than this, I'll simplify the code.
Thank you for bringing my attention to this.
There was a problem hiding this comment.
It crashes if done in the same tick because it may be invoked within the OpenSSL's call stack. If invoked with setImmediate - it won't crash.
There was a problem hiding this comment.
Oh... just run the test suite after using setImmediate() and it confirms my initial assumption. Sorry, not going to fix it.
The write callbacks are invoked with UV_ECANCELED and thus things are getting back to tls_wrap.cc at places where it doesn't expect ssl_ to be nullptr. Therefore it is better to free it up after closing the underlying libuv handle.
There was a problem hiding this comment.
To be honest, I'm so unhappy with what we have right now (I know that I wrote most of it). I wish we would move to uv_ssl_t.
bnoordhuis
approved these changes
Nov 15, 2016
| })).listen(0, common.mustCall(() => { | ||
| const c = tls.connect({ port: server.address().port }); | ||
| c.on('error', () => { | ||
| // Otherwise `.write()` callback won't be invoked |
|
Landed in 478fabf, thank you! |
indutny
added a commit
that referenced
this pull request
Nov 15, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: #9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
indutny
added a commit
to indutny/io.js
that referenced
this pull request
Nov 15, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: nodejs#9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
4 tasks
|
Backport to v4.x: #9626 |
MylesBorins
pushed a commit
that referenced
this pull request
Nov 16, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: #9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
This landed cleanly on v6.x fwiw |
MylesBorins
pushed a commit
that referenced
this pull request
Nov 17, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: #9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 19, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: #9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 22, 2016
Writing data to TLSWrap instance during handshake will result in it being queued in `write_item_queue_`. This queue won't get cleared up until the end of the handshake. Technically, it gets cleared on `~TLSWrap` invocation, however this won't ever happen because every `WriteWrap` holds a reference to the `TLSWrap` through JS object, meaning that they are doomed to be alive for eternity. To breach this dreadful contract a knight shall embark from the `close` function to kill the dragon of memory leak with his magic spear of `destroySSL`. `destroySSL` cleans up `write_item_queue_` and frees `SSL` structure, both are good for memory usage. PR-URL: #9586 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
#7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) #3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) #7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) #4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) #4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
#6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) #8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9736
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
#7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) #3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) #7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) #4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) #4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
#6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) #8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9736
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
#7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) #3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) #7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) #4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) #4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
#6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) #8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9736
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
nodejs/node#7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) nodejs/node#3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) nodejs/node#7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) nodejs/node#4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) nodejs/node#4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
nodejs/node#6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) nodejs/node#8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9736
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
nodejs/node#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchan)
nodejs/node#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
nodejs/node#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
nodejs/node#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) nodejs/node#9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9735
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
nodejs/node#7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) nodejs/node#3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) nodejs/node#7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) nodejs/node#4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) nodejs/node#4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
nodejs/node#6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) nodejs/node#8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9736
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
nodejs/node#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchan)
nodejs/node#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
nodejs/node#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
nodejs/node#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) nodejs/node#9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9735
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
make -j8 test(UNIX), orvcbuild test nosign(Windows) passesAffected core subsystem(s)
tls
Description of change
Writing data to TLSWrap instance during handshake will result in it
being queued in
write_item_queue_. This queue won't get cleared upuntil the end of the handshake.
Technically, it gets cleared on
~TLSWrapinvocation, however thiswon't ever happen because every
WriteWrapholds a reference to theTLSWrapthrough JS object, meaning that they are doomed to be alivefor eternity.
To breach this dreadful contract a knight shall embark from the
closefunction to kill the dragon of memory leak with his magicspear of
destroySSL.destroySSLcleans upwrite_item_queue_and freesSSLstructure,both are good for memory usage.
R= @bnoordhuis and @nodejs/crypto