res.end() from a https.server() handler sends a `RST` packet provoking `ECONNRESET`

[mmomtchev]

• Version: At least since Node 12
• Platform: Windows - very common, OSX - very common, Linux - rare
• Subsystem: TLS/HTTPS - very common, HTTP - maybe(?), very rare if exists

What steps will reproduce the bug?

node test/parallel/test-https-truncate.js - then dump the network traffic
The problem has existed for quite some time, but was masked for most clients and it appeared as a seemingly random problem

How often does it reproduce? Is there a required condition?

node test/parallel/test-https-truncate.js on Windows is a guaranteed hit
#23169 describes an almost guaranteed hit on OSX
Reproduction on Linux is quite difficult and will usually happen only after running in while /bin/true loop for some time

What is the expected behavior?

res.end() leads to a proper active closing of the TCP connection

What do you see instead?

res.end() causes the server to directly call uv_close() which immediately destroys the kernel socket that goes into TIME_WAIT state - when the client receives this FIN packet he will respond with an ACK and his last data packet - this packet triggers a RST from the server

Additional information

There are two ways to properly close a TCP connection:

• The simultaneous closing, which happens 99% of the time where the higher-level protocol, through some form of a BYE message, signals to both ends to simultaneously call the kernel close() - uv_close() for us - thus exchanging two FIN/ACK sequences - today most higher level protocols do provide some form of a bye message
• The passive/active closing, a more archaic form of closing the connection, where one end will unilaterally close the connection without the other one expecting it. HTTP/1.0 with "Connection: close" is a classical example. TLS/1.1 also has a provision for an optional unilateral closing. In this case, the end originating the closing, the so-called active end, should send a FIN packet triggered by calling the kernel shutdown() - uv_shutdown() in our case. Upon receiving the FIN packet, the passive end should ACK it, then send any remaining data in a data packet and then proceed to send his own FIN. The active end should destroy the connection with close() / uv_close()

What currently happens is that when doing res.end() from JS this ends in net.Socket.close() and then goes through TCPWrap which does not overload Close() and finally in HandleWrap::Close()
Here uv_close() is called - this is a direct, unscheduled code-path
While the uv_shutdown() lies on an indirect code path scheduled by a Dispatch micro-task in LibuvStreamWrap::CreateShutdownWrap()
The result is that the shutdown happens one or two microseconds after the close when in fact a proper close should wait for the shutdown to finish
My opinion is that for TCP connections uv_close() should be called only in the uv_shutdown() callback

Here is the full exchange with all the layers:

Client JS	Client Node/libuv	Client Kernel	Remote Server
res.end()
	shutdown(SD_SEND)
		TCP FIN ->
		kernel socket goes into FIN_WAIT1 state
	close()
		kernel socket goes into TIME_WAIT state
			<- TCP ACK
			<- data
		because the kernel socket is in TIME_WAIT TCP RST ->

And it should be

Client JS	Client Node/libuv	Client Kernel	Remote Server
res.end()
	shutdown(SD_SEND)
		TCP FIN ->
		kernel socket goes into FIN_WAIT1 state
			<- TCP ACK
			<- data
	recv()
		TCP ACK ->
			<- TCP FIN
		kernel socket goes into FIN_WAIT2 state
	recv()
		TCP ACK ->
	close()
		kernel socket goes into TIME_WAIT state

[mmomtchev]

As this is something specific to the TCP protocol, my proposal is that TCPWrap overloads the whole close mechanism, triggering a shutdown, and then destroying the socket once the shutdown is complete

[lpinca]

Note that response.end() calls socket.destroy() via socket.destroySoon() while the other peer might still be sending data.

[lpinca]

Possibly related issue: #27916.

[mmomtchev]

Yes, that issue looks very similar.

socket.destroySoon waits for the transmitting to finish - I guess it might be the reason why it is so difficult to reproduce the issue on Linux, because it will delay the close() a little bit. And if the remote end has Nagle or some other buffering, you are sure to get one last incoming data packet after the FIN. There are also cases where the remote sends an empty data packet - this is the case on Windows with the test-https-truncate.

Waiting for the receiving to finish can only be accomplished at the socket level - you can't do it through Node events alone - you need to make your OS send a FIN packet - by calling shutdown() and then wait for the socket to drain before calling close() - otherwise the kernel will RST on the next data packet - which probably won't be sent until you call shutdown().

Also, when directly calling uv_close() without uv_shutdown(), libuv will do a shutdown, but won't wait for the socket to drain.

The issue can be visualized by adding printf with microsecond resolution in uv_shutdown() and uv_close() and running a Wireshark.

[lpinca]

Yes I understand. My point is that you can't expect a clean closure if you call response.end() before the 'end' event is emitted on the request.

[mmomtchev]

Yes, this is correct, that would be one way to avoid it - when there is such an end event (which would be always in the case of HTTPS?)

[mmomtchev]

No, the end event is not a reliable way to avoid this issue - at least on the test-https-truncate I get it after the resposne.end()
Besides, you might still have some data in the buffer on the client side. I tried artificially delaying the end() by a whole second - I still get some data from the Windows client after he receives the server FIN - it is probably the TLS close_notify. The client does not send this data until it has received a FIN - or until it makes another request.

[mmomtchev]

@lpinca
In fact the first uv_close() in test-https-truncate.js is being triggered by the server.close(). If the server.close() is delayed or removed, the first uv_shutdown() comes before the first uv_close() - but still without waiting for the incoming data to drain

[mmomtchev]

Maybe this could be solved in JS in this case because by the time req.on('end') has been called the shutdown has been initiated. However it is still too early to call close() - one must wait for the EOF - any ideas?

But this is still a TLS-specific solution, the general case needs solving at the TCP level.

[mmomtchev]

@lpinca Yes, I confirm

• with server.close() - uv_close() is called before uv_shutdown() like described because the callbacks are not properly arranged - I am waiting for opinions on how this should work (ie, is this an emergency close or is it a normal close, should a res.end() followed by a server.close() generate an error or not)
• without server.close() all the callbacks work like they should - Socket._final() initiates a shutdown then waits for the callback
  

  node/lib/net.js

  Line 413 in 700612f

  const req = new ShutdownWrap();

  
  However this callback is called way too soon without draining the incoming data - and in this case it is libuv that is at fault:

uv_shutdown() initiates the shutdown and earmarks the socket for endgame:

node/deps/uv/src/win/stream.c

Line 217 in 700612f

uv_want_endgame(loop, (uv_handle_t*)handle);

node/deps/uv/src/win/handle-inl.h

Line 88 in 700612f

INLINE static void uv_want_endgame(uv_loop_t* loop, uv_handle_t* handle) {

Then at the next event loop iteration the socket is simply destroyed:

node/deps/uv/src/win/handle-inl.h

Line 109 in 700612f

uv_tcp_endgame(loop, (uv_tcp_t*) handle);

node/deps/uv/src/win/tcp.c

Line 208 in 700612f

void uv_tcp_endgame(uv_loop_t* loop, uv_tcp_t* handle) {

There is an no intermediate state - waiting for an EOF

@bnoordhuis @cjihrig

[mmomtchev]

The situation on Linux is quite different:

uv_shutdown() calls uv__stream_io()

node/deps/uv/src/unix/stream.c

Line 1280 in 700612f

uv__io_start(stream->loop, &stream->io_watcher, POLLOUT);

which in turns calls uv__drain()

node/deps/uv/src/unix/stream.c

Line 679 in 700612f

static void uv__drain(uv_stream_t* stream) {

However once again it drains only the writing side - it does not wait for an incoming EOF - but unlike Windows - it also reads while writing - so if the last data packets arrives not too late, then everything is good - the reason why it is so difficult to reproduce it on Linux

Maybe instead of a TCPWrap::Close, there should be a new IO state in libuv? UV_HANDLE_DRAINING_HALFCLOSED?