Fix race conditions and improve robustness during socket I/O by julianz- · Pull Request #779 · cherrypy/cheroot

julianz- · 2025-10-05T18:43:42Z

Fixed race conditions to make socket I/O more resilient during connection teardown.

BufferedWriter's write(): Added error handling to ignore common socket errors (e.g., ECONNRESET, EPIPE, ENOTCONN, EBADF) that occur when the underlying connection has been unexpectedly closed by the client or OS. This prevents a crash when attempting to write to a defunct socket.
BufferedWriters's close(): Made idempotent, allowing safe repeated calls without raising exceptions.
Needed to add explicit handling of WINDOWS environments as these are seen to throw Windows specific WSAENOTSOCK errors.

Includes new unit tests to cover the idempotency and graceful handling of already closed underlying buffers.

This change is

codecov · 2025-10-05T19:08:12Z

Codecov Report

❌ Patch coverage is 98.52941% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 78.38%. Comparing base (3937fe1) to head (7fb95c2).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #779      +/-   ##
==========================================
+ Coverage   78.09%   78.38%   +0.29%     
==========================================
  Files          41       41              
  Lines        4788     4853      +65     
  Branches      547      553       +6     
==========================================
+ Hits         3739     3804      +65     
+ Misses        910      908       -2     
- Partials      139      141       +2

webknjaz · 2025-10-22T01:42:06Z

@julianz- could you scan the modules more broadly for places where we could stop suppressing connection errors on the low level layers? I'm not looking into the tests until we figure out the architectural overview of the whole thing. But I feel like we're getting closer. I think we might need to split this PR into two at some point, will see.

julianz- · 2025-10-22T03:32:26Z

Thank you @webknjaz for all your great suggestions and points. I will take a look at everything. The layering is actually more complicated than I had realized.

webknjaz · 2025-10-31T00:15:31Z

The layering is actually more complicated than I had realized.

Yep, that's why I have incomplete pieces of code somewhere locally that I never finalized. It does require some effort..

webknjaz · 2025-10-31T12:39:28Z

I think the current state of this module is good but Codecov shows that none of the newly added lines are covered with tests. We'll have to fix this before merging.

It looks like the updates to cheroot.ssl.pyopenssl could go into a standalone pull request. Could you extract this and add tests+changenote in a separate PR? I hope this will simplify reviewing this one.

Added tests and pyopenssl was updated in #800 and #801.

webknjaz · 2025-10-31T12:41:27Z

    errno.EPIPE,
    errno.ESHUTDOWN,  # corresponds to BrokenPipeError in Python 3
    errno.ECONNRESET,  # corresponds to ConnectionResetError in Python 3
+    *((errno.WSAENOTSOCK,) if _compat.IS_WINDOWS else ()),


Does this exception correspond to EBADF semantically? If so, I'd probably keep them close to each other as suggested in https://github.com/cherrypy/cheroot/pull/779/files#r2432797948.

Additionally, could you add a comment hinting what might be causing it in practice?

@julianz- missed this question?

Sorry missed these from October! Now addressed.

webknjaz · 2025-10-31T12:46:29Z

            'sendall',
            'settimeout',
            'gettimeout',
            'shutdown',


Will this interferre with the newly added decorator/methods? proxy_wrapper() below does effectively what we did with @_morph_syscall_to_connection_error and so shutdown() will end up double-decorated/locked if I'm reading this correctly.

webknjaz · 2025-10-31T12:46:38Z

            'accept',
            'setblocking',
            'fileno',
            'close',


Will this interferre with the newly added decorator/methods? proxy_wrapper() below does effectively what we did with @_morph_syscall_to_connection_error and so shutdown() will end up double-decorated/locked if I'm reading this correctly.

webknjaz · 2026-06-23T14:24:00Z

+    except Exception as exc:
+        pytest.fail(f'Unexpected exception raised: {type(exc).__name__}')


It's unclear why this needs to be wrapped with try/except: tests are supposed to be as simple as possible — adding more logic makes it difficult to reason about them. Additionally, any exception would bubble up and render in the output with the entire stack and respective context attached unlike a short failure message with the stack being lost.

This is gone from the current version

webknjaz · 2026-06-23T14:32:57Z

+            # Handle EBADF and other acceptable socket shutdown errors
+            if err.errno in _errors.acceptable_sock_shutdown_error_codes:
+                return


@julianz- do you know if error codes listed there contain things that aren't represented by ConnectionError? I'm wondering if newer Python versions would ever hit this code branch — is it possible that the above ConnectionError will handle this?

Also, do we know what's causing the tests to always hit this line?
https://app.codecov.io/gh/cherrypy/cheroot/pull/779?dropdown=coverage&src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=checks&utm_campaign=pr+comments&utm_term=cherrypy#d99a7689c2159eab73db39f9e5b89a1d-R70.

It's best to make sure that this isn't due to some mocks but a real simulated scenario.

EPIPE/ESHUTDOWN -> BrokenPipeError and ECONNRESET -> ConnectionResetError are ConnectionError subclasses. But EBADF and ENOTCONN are plain OSErrors, so the except OSError branch is needed for those. I added test_close_error_handling[ebadf] to cover this path.

Regarding the coverage, the Codecov report is for an older commit — the code has been significantly refactored since then. Not sure whether your question is still a concern?

webknjaz · 2026-06-23T14:36:03Z

+            # Handle EBADF and other acceptable socket shutdown errors
+            if err.errno in _errors.acceptable_sock_shutdown_error_codes:
+                return
+            raise


I wish we have proper logging infra here to see what can actually happen. The coverage report shows that this line is never exercised in the tests.

Perhaps, we could have a warning emitted, though..

Covered now. Logging would be nice but maybe for another PR?

webknjaz · 2026-06-23T14:36:46Z

+        try:
+            super().close()
+        except ConnectionError:
+            return


Looks like tests never hit this.

Stale code i think. All lines in makefile.py covered now.

webknjaz · 2026-06-23T14:48:27Z

+            if n == 0:
+                # If nothing was written we need to break
+                # to avoid infinte loops
+                break


The tests never hit this line. We should come up with a new regression test.

julianz- · 2026-06-24T05:29:07Z

+            if not n:
+                # Defensive: write() returned None or other falsy value,
+                # which shouldn't happen but could cause an infinite loop.
+                break


I think CodeQL is assuming n is an int but it's not clear that it has to be.

read-the-docs-community · 2026-06-24T00:44:53Z

Documentation build overview

📚 cheroot | 🛠️ Build #33282579 | 📁 Comparing 7fb95c2 against latest (3937fe1)

🔍 Preview build

8 files changed · ± 8 modified

± Modified

Fixes to make socket I/O more resilient during connection teardown. 1. BufferedWriter's write(): Added error handling to ignore common socket errors (e.g., ECONNRESET, EPIPE, ENOTCONN, EBADF) that occur when the underlying connection has been unexpectedly closed by the client or OS. This prevents a crash when attempting to write to a defunct socket. 2. BufferedWriters's close(): Made idempotent, allowing safe repeated calls without raising exceptions. 3. Needed to add explicit handling of WINDOWS environments as these are seen to throw Windows specific WSAENOTSOCK errors. Includes new unit tests to cover the idempotency and graceful handling of already closed underlying buffers.

julianz- closed this Oct 5, 2025

julianz- reopened this Oct 5, 2025

julianz- changed the title ~~Fix race condition and improve robustness during socket I/O~~ [DRAFT] Fix race condition and improve robustness during socket I/O Oct 5, 2025

julianz- force-pushed the fix-socket-teardown branch 2 times, most recently from 887399d to 4f1662e Compare October 5, 2025 19:04

julianz- force-pushed the fix-socket-teardown branch from 4f1662e to 4833dac Compare October 5, 2025 19:09

psf-chronographer Bot added the bot:chronographer:provided A mark meaning that a new change log entry is present within the patch. label Oct 5, 2025

julianz- marked this pull request as draft October 5, 2025 19:09

julianz- changed the title ~~[DRAFT] Fix race condition and improve robustness during socket I/O~~ Fix race condition and improve robustness during socket I/O Oct 5, 2025

julianz- changed the title ~~Fix race condition and improve robustness during socket I/O~~ Fix race conditions and improve robustness during socket I/O Oct 5, 2025

julianz- marked this pull request as ready for review October 5, 2025 19:26