httpLbs is not interruptable by timeout when dns is down

[u0-uu-0u]

When I do timeout 1000000 (httpLbs req httpman) and have bad dns settings, the request can take much longer than those 1000000 microseconds (1s), and in fact only fails when the local dns times out (which on my system is 20 seconds)

(I thought this was just an inherent issue in timeout, but nh2 at https://old.reddit.com/r/haskell/comments/1ierl0f/myth_and_truth_in_haskell_asynchronous_exceptions/ indicated it might actually be a bug in the network library, so reporting here in case it actually is unexpected.)

To reproduce

$ cat dnsbug.cabal
cabal-version:       2.4
name:                dnsbug
version:             0.1.0.0
build-type:          Simple

executable dnsbug
  main-is:             Bug.hs
  build-depends:       base >=4.12 && <5
                     , http-client
  default-language:    GHC2021

$ cat Bug.hs
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Network.HTTP.Client
import System.Timeout (timeout)

main = do
  httpman <- newManager defaultManagerSettings
  req <- parseRequest "http://example.com"
  res <- timeout 1000000 (httpLbs req httpman)
  print res

$ grep ^PRETTY /etc/os-release 
PRETTY_NAME="Ubuntu 24.04.1 LTS"

$ ghc --version
The Glorious Glasgow Haskell Compilation System, version 9.12.1

(also tested on 9.2.8)

With working DNS this does the expected thing:

$ cabal build
Up to date

$ cabal run
Just (Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1, responseHeaders = [("Accept-Ranges","bytes"),("Content-Type","text/html"),("ETag","\"84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134\""),("Last-Modified","Mon, 13 Jan 2025 20:11:20 GMT"),("Vary","Accept-Encoding"),("Content-Encoding","gzip"),("Content-Length","648"),("Cache-Control","max-age=1158"),("Date","Thu, 06 Feb 2025 10:17:28 GMT"),("Connection","keep-alive")], responseBody = "<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <style type=\"text/css\">\n    body {\n        background-color: #f0f0f2;\n        margin: 0;\n        padding: 0;\n        font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n        \n    }\n    div {\n        width: 600px;\n        margin: 5em auto;\n        padding: 2em;\n        background-color: #fdfdff;\n        border-radius: 0.5em;\n        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n    }\n    a:link, a:visited {\n        color: #38488f;\n        text-decoration: none;\n    }\n    @media (max-width: 700px) {\n        div {\n            margin: 0 auto;\n            width: auto;\n        }\n    }\n    </style>    \n</head>\n\n<body>\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is for use in illustrative examples in documents. You may use this\n    domain in literature without prior coordination or asking for permission.</p>\n    <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\n", responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose, responseOriginalRequest = Request {
host                 = "example.com"
port                 = 80
secure               = False
requestHeaders       = []
path                 = "/"
queryString          = ""
method               = "GET"
proxy                = Nothing
rawBody              = False
redirectCount        = 10
responseTimeout      = ResponseTimeoutDefault
requestVersion       = HTTP/1.1
proxySecureMode      = ProxySecureWithConnect
}
, responseEarlyHints = []})

Now change DNS to a fake IP, so that DNS requests will hang (until the local resolver times out):

$ sudo resolvectl dns eth0 192.0.2.1

$ time cabal run
dnsbug: Uncaught exception http-client-0.7.18-8b51d1b15e5c25165b3bb85934d446140d1bbf69417f7f85bf9c607f9642027b:Network.HTTP.Client.Types.HttpException:

HttpExceptionRequest Request {
host                 = "example.com"
port                 = 80
secure               = False
requestHeaders       = []
path                 = "/"
queryString          = ""
method               = "GET"
proxy                = Nothing
rawBody              = False
redirectCount        = 10
responseTimeout      = ResponseTimeoutDefault
requestVersion       = HTTP/1.1
proxySecureMode      = ProxySecureWithConnect
}
(ConnectionFailure Network.Socket.getAddrInfo (called with preferred socket type/protocol: AddrInfo {addrFlags = [], addrFamily = AF_UNSPEC, addrSocketType = Stream, addrProtocol = 0, addrAddress = 0.0.0.0:0, addrCanonName = Nothing}, host name: "example.com", service name: "80"): does not exist (Name or service not known))

While handling HttpExceptionContentWrapper {unHttpExceptionContentWrapper = ConnectionFailure Network.Socket.getAddrInfo (called with preferred socket type/protocol: AddrInfo {addrFlags = [], addrFamily = AF_UNSPEC, addrSocketType = Stream, addrProtocol = 0, addrAddress = 0.0.0.0:0, addrCanonName = Nothing}, host name: "example.com", service name: "80"): does not exist (Name or service not known)}

HasCallStack backtrace:
throwIO, called at ./Network/HTTP/Client/Core.hs:214:29 in http-client-0.7.18-8b51d1b15e5c25165b3bb85934d446140d1bbf69417f7f85bf9c607f9642027b:Network.HTTP.Client.Core


real    0m20,164s
user    0m0,093s
sys     0m0,063s

So that took 20s to time out where I asked for 1s.

strace of the above: https://termbin.com/n2y2

Now I re-enable working DNS and try again:

$ sudo systemctl restart systemd-resolved

$ time cabal run
Just (Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1, responseHeaders = [("Accept-Ranges","bytes"),("Content-Type","text/html"),("ETag","\"84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134\""),("Last-Modified","Mon, 13 Jan 2025 20:11:20 GMT"),("Vary","Accept-Encoding"),("Content-Encoding","gzip"),("Cache-Control","max-age=2835"),("Date","Thu, 06 Feb 2025 10:19:15 GMT"),("Content-Length","648"),("Connection","keep-alive")], responseBody = "<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <style type=\"text/css\">\n    body {\n        background-color: #f0f0f2;\n        margin: 0;\n        padding: 0;\n        font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n        \n    }\n    div {\n        width: 600px;\n        margin: 5em auto;\n        padding: 2em;\n        background-color: #fdfdff;\n        border-radius: 0.5em;\n        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n    }\n    a:link, a:visited {\n        color: #38488f;\n        text-decoration: none;\n    }\n    @media (max-width: 700px) {\n        div {\n            margin: 0 auto;\n            width: auto;\n        }\n    }\n    </style>    \n</head>\n\n<body>\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is for use in illustrative examples in documents. You may use this\n    domain in literature without prior coordination or asking for permission.</p>\n    <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\n", responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose, responseOriginalRequest = Request {
host                 = "example.com"
port                 = 80
secure               = False
requestHeaders       = []
path                 = "/"
queryString          = ""
method               = "GET"
proxy                = Nothing
rawBody              = False
redirectCount        = 10
responseTimeout      = ResponseTimeoutDefault
requestVersion       = HTTP/1.1
proxySecureMode      = ProxySecureWithConnect
}
, responseEarlyHints = []})

real    0m0,442s
user    0m0,090s
sys     0m0,037s

And if I shorten the timeout even more, still with working dns, it times out the expected way:

$ vim Bug.hs 

$ cabal build &>/dev/null

$ time cabal run
Nothing

real    0m0,222s
user    0m0,078s
sys     0m0,046s

[nh2]

(I thought this was just an inherent issue in timeout, but nh2 at https://old.reddit.com/r/haskell/comments/1ierl0f/myth_and_truth_in_haskell_asynchronous_exceptions/ indicated it might actually be a bug in the network library, so reporting here in case it actually is unexpected.)

To clarify:

timeout just sends the async exception. That should always work. It looks like the code that receives the exception blocks it. We should find out which code that is, in http-client or some underlying function that it uses.

[u0-uu-0u]

throwIO, called at ./Network/HTTP/Client/Core.hs:214:29 in http-client-0.7.18-8b51d1b15e5c25165b3bb85934d446140d1bbf69417f7f85bf9c607f9642027b:Network.HTTP.Client.Core

looks like

http-client/http-client/Network/HTTP/Client/Core.hs

Line 214 in b589492

wrapExc req0 = handle $ throwIO . toHttpException req0

the throwIO , I guess on calling httpRaw', a function which I do not at all comprehend.

[Yuras]

I'm 99% sure it's getAddrInfo being uninterruptible. It's a C functions, and AFAIK it doesn't provide any mean of interrupting it.
We can run it in a separate thread of course, and just abandon the thread on timeout. There are two questions:

1. Where should we do that? One can argue that network package should do that. But there could be objections, in which case we'll need to do it both in http-client and in crypton-connection (an possibly somewhere else.)
2. Do we really need to do this? Looks like you don't have any particular use case. (For the record: reporting this issue was the right thing to do regardless.)

[nh2]

Technically, getaddrinfo() is probably interruptible at least on Linux, where it invokes these sycalls (sorted by name) on my system:

bind
close
connect
futex
getsockname
openat
poll
read
recvmsg
sendto
socket

I got that from this C example.

Running that with a bad nameserver, the hang happens here in strace -fyy:

read(0</dev/pts/17<char 136:17>>, google.com
"google.com\n", 1024) = 11
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3<UNIX-STREAM:[46107150]>
connect(3<UNIX-STREAM:[46107150]>, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0
sendto(3<UNIX-STREAM:[46107150->46105479]>, "\2\0\0\0\r\0\0\0\6\0\0\0hosts\0", 18, MSG_NOSIGNAL, NULL, 0) = 18
poll([{fd=3<UNIX-STREAM:[46107150->46105479]>, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN|POLLHUP}])
recvmsg(3<UNIX-STREAM:[46107150->46105479]>, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="", iov_len=6}, {iov_base="", iov_len=8}], msg_iovlen=2, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 0
close(3<UNIX-STREAM:[46107150->46105479]>) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3<UNIX-STREAM:[46107155]>
connect(3<UNIX-STREAM:[46107155]>, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0
sendto(3<UNIX-STREAM:[46107155->46107153]>, "\2\0\0\0\16\0\0\0\v\0\0\0google.com\0", 23, MSG_NOSIGNAL, NULL, 0) = 23
poll([{fd=3<UNIX-STREAM:[46107155->46107153]>, events=POLLIN|POLLERR|POLLHUP}], 1, 5000

So on my system it does a sendto() to a UNIX socket and then waits for a reply.

Ctrl+C on this works well, so that's another proof fhat it is indeed interruptible fundamentally.

So foreign import ccall interruptible might work with this implementation.

Of course, that's an implementation detail, and the getaddrinfo() C function indeed does not document cancelability.

That said, given that Ctrl+C works on this and is standard practice for C programs, I'm inclined to think that foreign import ccall interruptible might be a good idea to use around getaddrinfo() in network (on Linux only).

It would have to be tested a bit.

We can run it in a separate thread of course, and just abandon the thread on timeout.

A problem is that it may create an underlying resource that may live for some time, thus "leaking" that resource (problematic if happening in a loop, e.g. too many of the socket() invocations might have us run out of sockets).

So I like the foreign import ccall interruptible.

Do we really need to do this?

I think so, because timeout should just work on all IO operations. It is not possible to write reliable systems without reliable timeouts.

[nh2]

Aside: I also quickly thought about whether GHC should provide a way to properly kill a whole OS thread with e.g. pthread_cancel(). However, after re-reading https://mazzo.li/posts/stopping-linux-threads.html, I am convinced that that wouldn't be a idea, as e.g. for this case we have no guarantee that getaddrinfo() doesn't take some lock somewhere inside, which would deadlock on pthread-cancellation.

[Yuras]

Technically, getaddrinfo() is probably interruptible

Even if you can interrupt it, it doesn't mean it's a good idea. The function is not even fully thread-safe. Something like getaddrinfo_a might be a better fit if you want to go that path. Anyway, it's up to network to decide.

I think so, because timeout should just work on all IO operations. It is not possible to write reliable systems without reliable timeouts.

I meant to ask whether we want to do the "separate thread" thing. As you correctly pointed out the approach is not without drawbacks. It'd be nice if timeout just worked, but IMO it's not enough to justify shenanigan like that.

[nh2]

The function is not even fully thread-safe.

What exactly are you referring to, the MT-Safe env locale parts? I also don't fully understand how/why thread safety would be relevant for foreign import ccall interruptible / interruption by signals.

Even if you can interrupt it, it doesn't mean it's a good idea.

I thought that first as well, but after considering that every C program in existence must handle it the same way with Ctrl+C interrupts, terminal size interrupts, and so on, it seems OK to me now.

[Yuras]

What exactly are you referring to, the MT-Safe env locale parts?

Yes, that's what I was referring to.

I also don't fully understand how/why thread safety would be relevant

From my experience it's much harder to make C code work correctly with signals and interrupts then to make it thread-safe. So if it's not even thread-safe, then I'd not expect much from it with respect to interrupts. But it could be my prejudgement.

every C program in existence must handle it the same way with Ctrl+C

Every C program in existence pretty much pretends interrupts don't exist and lets the default handler kill the application :)
Any way, you don't need to convince me, instead create a ticket here.