Memory leak on SslProvider instantiation with netty-tcnative-boringssl-static

Question

Memory leak on SslProvider instantiation with netty-tcnative-boringssl-static

notdryft opened this issue a year ago · comments

We observed a memory leak that happens by switching from netty-tcnative-boringssl-static version 2.0.56.Final to 2.0.57.Final (or later, we tested up to 2.0.60.Final).

Scenario is as follow:

Create a SslContextBuilder once

SslContextBuilder sslContextBuilder = SslContextBuilder.forClient.sslProvider(SslProvider.OPENSSL_REFCNT)
sslContextBuilder.ciphers(null, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS)

For us the issue happened with both SslProvider.OPENSSL_REFCNT and SslProvider.OPENSSL.

Then, inside a loop:

SslContext sslContext = sslContextBuilder.build()
ReferenceCountUtil.release(sslContext)

Do that millions of times and you can see the following happen, left is 2.0.56.Final and after the memory drop, 2.0.57.Final:

In our test case, -Xms and -Xmx were both 1G so memory shouldn't be expected to grow that much more as everything is recycled right after instantiation.

Sample project that reproduces the issue provided as an attachment: test-netty-tcnative-leak.zip

Command to run the project: mvn compile exec:java -Dexec.mainClass=Main

Guillaume Corré · Answer 1 · Thu May 04 2023 21:33:44 GMT+0800 (China Standard Time)

Forgot to mention something. When trying to pin down the issue, we used -Dio.netty.leakDetection.level=paranoid but it printed nothing!

Stephane Landelle · Answer 2 · Thu May 04 2023 22:35:19 GMT+0800 (China Standard Time)

Caused by #759 ?

Norman Maurer · Answer 3 · Thu May 04 2023 22:43:07 GMT+0800 (China Standard Time)

Please upgrade to 2.0.60.Final Am 04.05.2023 um 16:35 schrieb Stephane Landelle ***@***.***>: Caused by #759 ? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Stephane Landelle · Answer 4 · Thu May 04 2023 22:46:07 GMT+0800 (China Standard Time)

@normanmaurer

or later, we tested up to 2.0.60.Final

Included. 2.0.60 is the version we currently have in production and where we originally detected the issue. We were able to figure out the regression was introduced in 2.0.57.

Stephane Landelle · Answer 5 · Thu May 04 2023 22:50:09 GMT+0800 (China Standard Time)

Context: for Gatling's most common use case, we want to have distinct SSLContexts per virtual user so we generate the proper number of handshakes and SSLSessions. The leak goes probably unnoticed for the more standard use case of having one static SSLContext per client application.

Norman Maurer · Answer 6 · Thu May 04 2023 23:36:05 GMT+0800 (China Standard Time)

Got it... will have a look

Stephane Landelle · Answer 7 · Thu May 04 2023 23:49:35 GMT+0800 (China Standard Time)

Thanks a lot! 🙇

Norman Maurer · Answer 8 · Fri May 05 2023 16:48:47 GMT+0800 (China Standard Time)

Should be fixed by #790 🤦

Guillaume Corré · Answer 9 · Fri May 05 2023 18:46:29 GMT+0800 (China Standard Time)

Can still observe a leak after the fix:

Not sure if it's because I compiled the fix branch badly or because there is more to the actual fix... will continue digging.

Norman Maurer · Answer 10 · Fri May 05 2023 18:57:26 GMT+0800 (China Standard Time)

Are you sure you changed the dependency to point tot the snapshot and add the classifier ?Am 05.05.2023 um 12:46 schrieb Guillaume Corré ***@***.***>: Can still observe a leak after the fix: Not sure if it's because I compiled the fix branch badly or because there is more to the actual fix... will continue digging. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you modified the open/close state.Message ID: ***@***.***>

Guillaume Corré · Answer 11 · Fri May 05 2023 19:00:06 GMT+0800 (China Standard Time)

Actually had clashing lib loading paths. Compiling again and confirming soon!

Guillaume Corré · Answer 12 · Fri May 05 2023 19:25:49 GMT+0800 (China Standard Time)

Confirming it was a path clash, everything looks good on 10M iterations:

calloc was also present in async-profiler's nativemem mode (built from the malloc branch in their own repo) before the fix. It's now all gone 🎉

Francesco Nigro · Answer 13 · Fri May 05 2023 19:47:58 GMT+0800 (China Standard Time)

Many thanks for double checking @notdryft