fix: kill connections correctly in Net WorkThread

[cheniujh]

本 PR 修复了

执行 client kill ip:port，client kill all，client kill normal 等杀连接的命令流程不正确的问题。

背景

之前的代码中这部分逻辑存在很大问题，会造成 fd 泄露。本人在 PR #2858 中对该问题做了一点修复，fd 不会再泄露了，但那版修复不够完善，没考虑到 Linux 对 fd 复用来接受新连接的逻辑。

代码细节

1. Pika 每同客户端创建一个新连接，都会新建一个 NetConn 对象，期内包含 fd 等信息, fd也会注册到WorkThread的Epoll上，而WorkThread本身也是epoll线程，不断循环epoll_wait。
2. Pika 的网络线程（WorkerThread）收到包，解析出任务以后，会将该任务提交给线程池异步执行，同时带上一枚当前 NetConn 的 shared_ptr，并且关闭该连接（fd）在 epoll 上的读写事件监听。等到线程池异步地执行完命令，会将 response 先写入 NetConn 的 response_，再使用管道通知 epoll 将该连接（fd）的可写事件监听打开。由于发送缓冲区是空的，所以下次 epoll_wait 该 fd 会立刻触发可写事件，于是 NetConn 的 response_ 内容会被写入 socket。也就是说，Pika 中是通过管道通知 epoll 打开对应 fd 的可写监听来触发 response 的写回，或者说使用这样一种机制来标志/通知异步的任务执行结束以通知回写。

问题

当 Pika 要关闭某些连接时，如果直接关闭 fd（并从epoll上移除），可能会出现这样一种情况：该 fd 是从 epoll 上移除并且关闭了，但异步线程池还在执行该连接最后提交的那个任务（异步线程池还持有了一枚 shared_ptr<Netconn>关联这这枚已经关闭的fd）。等异步线程池执行完任务，依旧会用管道通知 epoll 将该 fd 的可写事件打开监听（实际上这枚 fd 已经关闭，且已经不在 epoll 上了），这个通知其实已经是无效的了。

但如果恰好 Linux 立刻复用了该 fd 接受了一个新连接，并且注册到了这个 WorkThread 的 epoll 上，前面提到的无效通知就是一个非法通知了。因为此时该 fd 对应了一个新的 client，而这个非法的，来自旧连接请求的通知会使得 epoll 直接使用新 client 的 NetConn 的 response_ 的内容去回写 fd。问题在于此时线程池可能已经执行完一个该 NetConn 的请求，正在向 response_ 进行写入，这实际上就是 data race 了，可能引起各种期望之外的后果。

本 PR 提供了一个相对完善，分阶段的关闭连接的流程, 步骤如下：

新增：WorkThread::wait_to_close_conns_, WorkThread::ready_to_close_conns_

1. 把 fd 从 epoll 上移掉，这样可以不再接受新的请求（当然，正在执行的请求结束了也不回写了，当前正在 kill conn，这个也是符合预期的），并且将其从 conns_ 中移除，放在 wait_to_close_conns_ 中，并且清除非常规路径上对该 conn 的 shared_ptr 引用（blpop 等阻塞命令，以及 watchKeys 功能都会持有 NetConn 的 shared_ptr）。
2. 在下一次 cronTask 中（即经过了一轮 epoll_wait 循环）检查 wait_to_close_conns_，如果引用计数降为了 1，将其移动到 ready_to_close_conns_。
3. 在下一次 cronTask 中（即又经过了一轮 epoll_wait 循环），关闭掉所有在 ready_to_close_conns_ 中的连接。为什么引用计数降为 1 了，还要放入 ready_to_close_conns_ 等待一轮 epoll 循环以后再关闭 fd ？主要就是前面提到的异步回写通知的问题，假如要关闭的 conn 对象引用计数已经降为 1，也可能异步线程池已经发出过了回写的通知（通过管道和队列通知 epoll打开该fd的可写时间监听，后面进行response回写），需要等 epoll_wait 再走一轮，消化掉这些已经无效的回写通知，才能去关闭 fd，以预防前面提到的 fd 复用和无效回写通知叠加可能导致的问题。

This PR fixes

Incorrect process when executing client kill XX, client kill all, client kill normal, and similar commands to terminate connections.

Background

The previous code had significant issues in this logic, which could lead to fd leaks. In PR #2858, some fixes were made to address this issue, ensuring that fds would no longer leak. However, that fix was not comprehensive enough as it didn't account for Linux's fd reuse logic for accepting new connections.

Code details

Every time Pika creates a new connection with a client, a new NetConn object is created, containing fd and other information. Pika's network thread (WorkerThread) receives packets, parses the task, and submits it to a thread pool for asynchronous execution, passing along a shared_ptr to the current NetConn. It then closes the connection's (fd) read/write event listening on epoll. Once the thread pool completes executing the command asynchronously, it writes the response into NetConn's response_ and notifies epoll via a pipe to enable write event listening for that connection (fd). Since the send buffer is empty, the next epoll_wait will immediately trigger a write event on that fd, causing NetConn's response_ content to be written to the socket. In other words, Pika uses the pipe notification to epoll to open the write event listening for the corresponding fd to trigger the response write-back, or in other words, to signal the completion of the asynchronous task.

Issue

When Pika needs to close certain connections, directly closing the fd can lead to a situation where the fd is removed from epoll and closed, but the asynchronous thread pool is still executing the last submitted task for that connection (the thread pool still holds a shared_ptr<Netconn>). After completing the task, it will still notify epoll via the pipe to enable the write event for that fd (which has already been closed and is no longer on epoll), making this notification ineffective.

However, if Linux happens to immediately reuse that fd for a new connection and registers it on the epoll of this WorkThread, the previously mentioned invalid notification becomes an illegal notification. This is because the fd now corresponds to a new client, and this illegal notification from the old connection will cause epoll to directly use the new client's NetConn's response_ content to write back to the fd. The issue here is that the thread pool may have already executed a request for this NetConn and is writing to response_, leading to a data race, which could cause various unexpected outcomes.

This PR provides a more complete, phased process for closing connections

New additions: WorkThread::wait_to_close_conns_, WorkThread::ready_to_close_conns_

1. Remove the fd from epoll, so it no longer accepts new requests (and ongoing requests will not be written back, which is expected when killing a connection). The fd is also removed from conns_, placed in wait_to_close_conns_, and clears any shared_ptr references to the conn on non-standard paths (such as blpop and watchKeys, which hold a shared_ptr<NetConn>).
2. In the next cronTask (i.e., after one epoll_wait loop), check wait_to_close_conns_. If the reference count drops to 1, move it to ready_to_close_conns_.
3. In the next cronTask (i.e., after another epoll_wait loop), close all connections in ready_to_close_conns_. Why wait for another epoll loop after the reference count drops to 1 before closing the fd? The reason is the asynchronous write-back notification mentioned earlier. If the conn's reference count has dropped to 1, the thread pool may have already issued a wr

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Enhanced connection management with a multi-stage approach for safely closing connections, improving resource handling.
  • Introduction of methods for tracking and managing connections pending closure.
  • Timeout setting increased from 60 to 500 seconds in configuration files to improve operational stability.
  • Lightweight adjustments to the RefillMaster function and tests, reducing key/value sizes and thread count.

• Bug Fixes

  • Improved stability and robustness of connection lifecycles, preventing issues related to premature closure.

• Refactor

  • Code organization and separation of concerns improved through the addition of new helper functions.

• Tests

  • Improved reliability of replication tests by ensuring each operation uses a dedicated Redis client instance.

[coderabbitai]

Walkthrough

The recent changes significantly enhance the WorkerThread's connection management by implementing a structured, multi-stage approach for safely closing connections. New member variables, wait_to_close_conns_ and ready_to_close_conns_, help track connections that are pending or ready for closure. The addition of the ClearConnsRefAndOtherInfo helper function improves the organization of connection reference management and cleanup. Overall, these updates lead to more robust handling of network connections, enhancing resource management and system stability.

Changes

Files	Change Summary
src/net/src/worker_thread.cc, src/net/src/worker_thread.h	Added the public method ClearConnsRefAndOtherInfo and introduced member variables wait_to_close_conns_ and ready_to_close_conns_ for improved connection lifecycle management.
tests/integration/replication_test.go	Modified concurrency handling to create separate Redis client instances for each goroutine, enhancing isolation and reliability in the tests.
tests/integration/start_master_and_slave.sh	Updated configuration files to increase timeout values from 60 to 500 across multiple settings, improving stability for longer operations.
tests/integration/rsync_dynamic_reconfig.go	Reduced key and value sizes and the number of threads in the RefillMaster function, lowering the workload in both implementation and testing.

Sequence Diagram(s)

sequenceDiagram
    participant WorkerThread
    participant NetConn
    WorkerThread->>NetConn: Begin connection close process
    WorkerThread->>NetConn: Check reference count
    alt Reference count is one
        WorkerThread->>WorkerThread: Move to ready_to_close_conns_
        WorkerThread->>NetConn: Close connection
    else Reference count is greater
        WorkerThread->>WorkerThread: Keep in wait_to_close_conns_
    end

Loading

Poem

🐇 In the burrow where connections dwell,
A tidy thread we weave so well.
With care we close, no rush or fuss,
Ensuring all is safe for us.
Hops of joy in code's embrace,
A stable world, our happy place!
🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (3)

src/net/src/worker_thread.h (2)

57-58: Consider adding synchronization for wait_to_close_conns_ and ready_to_close_conns_.

The current code does not show any locks directly associated with accesses to these vectors. Ensure that these vectors are accessed within a lock or other synchronization mechanism to prevent potential thread safety issues.

• Verify that accesses to wait_to_close_conns_ and ready_to_close_conns_ are properly synchronized.

Analysis chain

Consider thread safety for wait_to_close_conns_ and ready_to_close_conns_.

Ensure that access to these vectors is properly synchronized, as they may be accessed from multiple threads.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify access to `wait_to_close_conns_` and `ready_to_close_conns_` for thread safety.

# Test: Search for the vectors' usage. Expect: Access within a lock or other synchronization mechanism.
rg --type cpp $'wait_to_close_conns_|ready_to_close_conns_'

Length of output: 1045

---

Script:

#!/bin/bash
# Search for mutex or lock usage in worker_thread.cc to verify synchronization around vector access.
rg --type cpp 'std::mutex|std::lock_guard|std::unique_lock' -A 5 src/net/src/worker_thread.cc

Length of output: 1437

---

51-51: Potential Thread Safety Issue with ClearConnsRefAndOtherInfo

The function ClearConnsRefAndOtherInfo in worker_thread.cc does not appear to be consistently protected by locks or synchronization mechanisms. This could lead to race conditions if accessed by multiple threads simultaneously. Consider reviewing the function's usage and ensuring it is called within a synchronized context to maintain thread safety.

• File: src/net/src/worker_thread.cc
• Function: ClearConnsRefAndOtherInfo

Analysis chain

Ensure thread safety for ClearConnsRefAndOtherInfo.

The new method ClearConnsRefAndOtherInfo should ensure thread safety, especially if it modifies shared resources.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of `ClearConnsRefAndOtherInfo` for thread safety.

# Test: Search for the function usage. Expect: Usage within a lock or other synchronization mechanism.
rg --type cpp $'ClearConnsRefAndOtherInfo'

Length of output: 451

---

Script:

#!/bin/bash
# Description: Check the context of `ClearConnsRefAndOtherInfo` calls for synchronization mechanisms.
rg --type cpp -A 5 'ClearConnsRefAndOtherInfo' src/net/src/worker_thread.cc

Length of output: 964

---

Script:

#!/bin/bash
# Description: Search for mutexes or locks in `worker_thread.cc` to check for thread safety.
rg --type cpp 'std::mutex|std::lock_guard|std::unique_lock' src/net/src/worker_thread.cc

Length of output: 394

---

Script:

#!/bin/bash
# Description: Search for functions or blocks using `std::lock_guard` in `worker_thread.cc`.
rg --type cpp -B 5 'std::lock_guard' src/net/src/worker_thread.cc

Length of output: 1335

src/net/src/worker_thread.cc (1)

273-284: Clarify and refine comments for the phased connection closure process.

The comments describing the phased approach for closing connections are detailed but could be refined for clarity and conciseness.

- /*
-  * How Do we kill a conn correct:
-  * stage 1: stop accept new request(also give up the write back of shooting request's response)
-  *  1.1 remove the fd from epoll and erase it from conns_ to ensure no more request will submit to threadpool
-  *  1.2 add to-close-conn to wait_to_close_conns_
-  * stage 2: ensure there's no other shared_ptr of this conn in pika
-  *  2.1 in async task that exec by TheadPool, a shared_ptr of conn will hold and my case a pipe event to tell the epoll
-  *  to back the response, we must ensure this notification is done before we really close fd(linux will reuse the fd to accept new conn)
-  *  2.2 we must clear all other shared_ptr of this to-close-conn, like the map of blpop/brpop and the map of watchkeys
-  *  2.3 for those to-close-conns that ref count drop to 1, we add them to ready-to-close-conns_
-  * stage 3: after an epoll cycle(let it handle the already-invalid-writeback-notification ), we can safely close the fds of ready_to_close_conns_
-  */
+ /*
+  * Phased Connection Closure:
+  * Stage 1: Stop accepting new requests and remove the fd from epoll.
+  *  1.1 Remove from conns_ and add to wait_to_close_conns_.
+  * Stage 2: Ensure no other shared_ptr exists.
+  *  2.1 Wait for async tasks to complete and clear shared_ptrs.
+  *  2.2 Move conns with ref count 1 to ready_to_close_conns_.
+  * Stage 3: Safely close fds after an epoll cycle.
+  */

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 6991190 and db64350.

Files selected for processing (2)

• src/net/src/worker_thread.cc (2 hunks)
• src/net/src/worker_thread.h (1 hunks)

Additional comments not posted (3)

src/net/src/worker_thread.cc (3)

286-290: Ensure proper handling of file descriptor closure.

When closing file descriptors in ready_to_close_conns_, ensure that no other operations are pending on these descriptors.

Verification successful

---

Proper Handling of File Descriptor Closure Verified

The code ensures that file descriptors in ready_to_close_conns_ are closed only after confirming no pending operations, as outlined in the multi-stage process described in the comments. The reference count check and epoll cycle handling further support this. No issues were found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify proper handling of file descriptor closure.

# Test: Search for operations on `ready_to_close_conns_`. Expect: No operations on closed fds.
rg --type cpp $'ready_to_close_conns_'

Length of output: 516

---

Script:

#!/bin/bash
# Let's gather more context around the usage of `ready_to_close_conns_` to ensure no operations are performed on closed fds.
rg --type cpp -A 10 -B 10 'ready_to_close_conns_'

Length of output: 3726

---

291-298: Verify reference count logic for wait_to_close_conns_.

Ensure that the logic checking use_count() accurately reflects the intended behavior and that connections are safely moved to ready_to_close_conns_.

Verification successful

---

Reference count logic for wait_to_close_conns_ is correctly implemented.

The use of use_count() to check if the reference count is 1 ensures that connections are safely moved to ready_to_close_conns_ when they are no longer in use elsewhere. The logic aligns with standard practices for managing shared pointers.

• wait_to_close_conns_ is a std::vector<std::shared_ptr<NetConn>>, confirming the appropriateness of use_count().

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify reference count logic for `wait_to_close_conns_`.

# Test: Search for `use_count()` logic. Expect: Correct handling of shared_ptr reference counts.
rg --type cpp $'wait_to_close_conns_.*use_count'

Length of output: 49

---

Script:

#!/bin/bash
# Search for the declaration of `wait_to_close_conns_` to understand its type and usage.
rg --type cpp 'wait_to_close_conns_'

# Search for all occurrences of `use_count()` to see how it's used in the codebase.
rg --type cpp 'use_count()'

Length of output: 635

---

313-319: Ensure ClearConnsRefAndOtherInfo handles all necessary cleanup.

Verify that ClearConnsRefAndOtherInfo effectively clears all relevant references and information associated with a connection.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between db64350 and edd857a.

Files selected for processing (2)

• tests/integration/replication_test.go (1 hunks)
• tests/integration/start_master_and_slave.sh (7 hunks)

Additional comments not posted (3)

tests/integration/start_master_and_slave.sh (1)

17-18: Increase in timeout value.

The timeout value has been increased from 60 to 500 in multiple configuration files. This change is consistent and likely aims to accommodate longer operations or improve system stability.

Also applies to: 28-29, 39-40, 52-53, 66-67, 79-80, 92-93

tests/integration/replication_test.go (2)

637-639: Improved client isolation in goroutines.

Creating a new Redis client instance within each goroutine enhances isolation and reduces the risk of resource contention. This change improves the robustness of concurrent operations.

Also applies to: 643-645

---

652-654: Reconnect client to handle potential timeout issues.

The addition of a sleep and reconnection to the clientSlave helps mitigate timeout-related issues, ensuring the test's reliability.

[wangshao1]

关于wait_close中引用计数为1了加入到ready_to_close这一部分的描述，我理解在追加到wait_to_close_conns_之前，已经从epoll删除了对应的fd。那么即使异步线程已经回写了response并且已经通过signalfd通知了workthread，workthread也不会处理这个conn了吧？

[Issues-translate-bot]

Bot detected the issue body's language is not English, translate it automatically.

---

Regarding the description of adding the reference count of 1 in wait_close to ready_to_close, I understand that the corresponding fd has been deleted from epoll before being appended to wait_to_close_conns_. So even if the asynchronous thread has written back the response and notified the workthread through signalfd, the workthread will not process this conn, right?

[cheniujh]

关于wait_close中引用计数为1了加入到ready_to_close这一部分的描述，我理解在追加到wait_to_close_conns_之前，已经从epoll删除了对应的fd。那么即使异步线程已经回写了response并且已经通过signalfd通知了workthread，workthread也不会处理这个conn了吧？

这个异步通知会带着fd过来，workThread收到通知以后会去操作epoll，打开可写事件监听。如果该fd没有被复用还好，这个epoll_ctl会无效，因为fd不在上面。但如果正好有新连接重新进来复用了这个fd，且刚好注册回了这个epoll上，这个异步通知就会打开这个新client的可写时间监听，触发写回。

[Issues-translate-bot]

Bot detected the issue body's language is not English, translate it automatically.

---

Regarding the description of adding the reference count of 1 in wait_close to ready_to_close, I understand that the corresponding fd has been deleted from epoll before being appended to wait_to_close_conns_. So even if the asynchronous thread has written back the response and notified the workthread through signalfd, the workthread will not process this conn, right?

This asynchronous notification will come with fd. After receiving the notification, workThread will operate epoll and open writable event monitoring. It's okay if the fd is not reused, but this epoll_ctl will be invalid because the fd is not on it. But if a new connection happens to come in again to reuse this fd, and it happens to be registered back to this epoll, this asynchronous notification will open the writable time monitoring of this new client and trigger writeback.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between edd857a and 79ae59a.

Files selected for processing (1)

• src/net/src/worker_thread.cc (2 hunks)

Files skipped from review as they are similar to previous changes (1)

• src/net/src/worker_thread.cc

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 79ae59a and a7171eb.

Files selected for processing (1)

• src/net/src/worker_thread.cc (2 hunks)

Files skipped from review as they are similar to previous changes (1)

• src/net/src/worker_thread.cc

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between a7171eb and f2fc641.

Files selected for processing (1)

• tests/integration/rsync_dynamic_reconfig.go (2 hunks)

Additional comments not posted (3)

tests/integration/rsync_dynamic_reconfig.go (3)

38-41: LGTM!

The changes in the RefillMaster function's logic are consistent with the reduced data volume for testing.

---

139-139: LGTM!

The test case changes to use a reduced data volume of 2 MB are consistent with the RefillMaster function modifications.

---

38-41: Verify the impact of reduced key/value sizes and thread count.

The reduction in key and value sizes from 1024 to 64 bytes, and the thread count from 10 to 5, may affect performance and concurrency. Ensure these changes align with the intended testing goals and do not adversely impact the test's effectiveness.

Verification successful

---

Verify the impact of reduced key/value sizes and thread count.

The changes to the RefillMaster function, reducing key/value sizes and thread count, are localized to the rsync_dynamic_reconfig.go file. Ensure these modifications align with the test's objectives and do not compromise the intended performance or concurrency simulation. If they do, the changes are acceptable.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the impact of reduced key/value sizes and thread count in `RefillMaster`.

# Test: Check for performance or concurrency issues in the test suite.
# Expected: No significant performance degradation or concurrency issues.
# Note: This script assumes a performance testing framework is available.
# Here, we just list the occurrences for manual review.
rg --type go 'RefillMaster'

Length of output: 335