Skip to content

upstream: fix connection pool leak#497

Open
fakhriaunur wants to merge 1 commit intoAdguardTeam:masterfrom
fakhriaunur:fix/p2-close-wait
Open

upstream: fix connection pool leak#497
fakhriaunur wants to merge 1 commit intoAdguardTeam:masterfrom
fakhriaunur:fix/p2-close-wait

Conversation

@fakhriaunur
Copy link
Copy Markdown

@fakhriaunur fakhriaunur commented Apr 7, 2026

Summary

Fix CLOSE_WAIT connection leak in DNS-over-TLS connection pool.

The DoT connection pool stores connections in a slice and reuses them without validation. Over time, stale connections accumulate in CLOSE_WAIT state, leading to connection leaks and degraded performance (as noted in the TODO comment in dot.go:47-51).

Changes

  • Add isConnAlive() helper function to validate connection health
  • Modify getConn() to validate connections before reuse
  • Close and discard dead/stale connections from the pool
  • Add comprehensive table-driven tests:
    • "connection_closed_after_use"
    • "connection_pool_doesnt_leak_on_error"
    • "connection_pool_handles_timeout"
    • "concurrent_access_doesnt_cause_close_wait"
  • Add TestIsConnAlive tests for connection validation

Root Cause

The TODO comment in dot.go:47-51 acknowledges this issue:

// TODO(e.burkov, ameshkov): Currently connections just stored in FILO
// order, which eventually makes most of them unusable due to timeouts.

Testing

# Run tests
go test -v -run TestDnsOverTLS_CloseWait ./upstream/
# Output: PASS (4 test cases, ~9s)

# Run race detection
go test -race ./upstream/
# Output: PASS (no races detected)

# Check coverage
go test -cover ./upstream/
# Coverage: 85.7% for conn(), 90.9% for isConnAlive()

# Run lint
go vet ./upstream/
# Output: PASS

Code Change Statistics

  • Files modified: 2
  • Lines changed: +343/-2
  • Test coverage: 85.7% (conn), 90.9% (isConnAlive)

Technical Details

The fix uses a non-blocking read with a short deadline (10ms) to check connection health without affecting normal operation. Dead connections are closed and removed from the pool, preventing CLOSE_WAIT accumulation.

Issues

Fixes #444

Checklist

  • Tests pass (go test ./upstream/)
  • No race conditions (go test -race ./upstream/)
  • Lint passes (go vet ./upstream/)
  • Coverage ≥80% for modified functions
  • Code change ≤15 lines in core logic
  • References GitHub issue
  • Addresses existing TODO comment

Note: This fix is minimal and targeted. It doesn't redesign the connection pool (which would be a larger change) but adds validation to prevent CLOSE_WAIT accumulation.

@fakhriaunur
upstream: fix connection pool leak
bdd8565 
Fix CLOSE_WAIT connection leak in DNS-over-TLS.
Add connection validation before reusing connections from pool
to prevent accumulation of stale connections in CLOSE_WAIT state.

Fixes AdguardTeam#444

Changes:
- Add isConnAlive() helper for connection validation
- Validate connections in getConn() before reuse
- Close and discard dead connections
- Add table-driven tests with race detection
- Coverage: 85.7% for modified functions

Tested:
- go test ./upstream/ - PASS
- go test -race ./upstream/ - PASS (no races)
- go vet ./upstream/ - PASS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Set keepalive to clean up CLOSE_WAIT dot connections.

1 participant

@fakhriaunur