[dart:io, mac] Don't create a thread pool per secure socket.

rmacnak-google · Commit Queue · commit 42d796f7c1b1 · 2025-06-24T12:17:24.000-07:00
TEST=ci Bug: flutter/flutter#170723 Change-Id: I381c0dac8f7e308830c8bba472e11fb20939708e Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/436501 Reviewed-by: Brian Quinlan <bquinlan@google.com> Commit-Queue: Ryan Macnak <rmacnak@google.com>
diff --git a/runtime/bin/secure_socket_filter.cc b/runtime/bin/secure_socket_filter.cc
@@ -10,6 +10,7 @@
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
+#include "bin/io_service.h"
 #include "bin/lockers.h"
 #include "bin/secure_socket_utils.h"
 #include "bin/security_context.h"
@@ -34,6 +35,7 @@ bool SSLFilter::library_initialized_ = false;
 Mutex* SSLFilter::mutex_ = nullptr;
 int SSLFilter::filter_ssl_index;
 int SSLFilter::ssl_cert_context_index;
+Dart_Port SSLFilter::trust_evaluate_reply_port_ = ILLEGAL_PORT;
 
 void SSLFilter::Init() {
   ASSERT(SSLFilter::mutex_ == nullptr);
@@ -44,6 +46,7 @@ void SSLFilter::Cleanup() {
   ASSERT(SSLFilter::mutex_ != nullptr);
   delete SSLFilter::mutex_;
   SSLFilter::mutex_ = nullptr;
+  trust_evaluate_reply_port_ = ILLEGAL_PORT;
 }
 
 const intptr_t SSLFilter::kInternalBIOSize = 10 * KB;
@@ -482,6 +485,17 @@ void SSLFilter::InitializeLibrary() {
   }
 }
 
+Dart_Port SSLFilter::TrustEvaluateReplyPort() {
+  MutexLocker locker(mutex_);
+  if (trust_evaluate_reply_port_ == ILLEGAL_PORT) {
+    trust_evaluate_reply_port_ =
+        Dart_NewConcurrentNativePort("SSLCertContextTrustEvaluate",
+                                     SSLCertContext::GetTrustEvaluateHandler(),
+                                     IOService::max_concurrency());
+  }
+  return trust_evaluate_reply_port_;
+}
+
 void SSLFilter::Connect(const char* hostname,
                         SSLCertContext* context,
                         bool is_server,
@@ -514,13 +528,6 @@ void SSLFilter::Connect(const char* hostname,
   context->RegisterCallbacks(ssl_);
   SSL_set_ex_data(ssl_, ssl_cert_context_index, context);
 
-  TrustEvaluateHandlerFunc trust_evaluate_handler =
-      context->GetTrustEvaluateHandler();
-  if (trust_evaluate_handler != nullptr) {
-    trust_evaluate_reply_port_ = Dart_NewNativePort(
-        "SSLCertContextTrustEvaluate", trust_evaluate_handler,
-        /*handle_concurrently=*/false);
-  }
   if (is_server_) {
     int certificate_mode =
         request_client_certificate ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
@@ -714,10 +721,6 @@ void SSLFilter::Destroy() {
     Dart_DeletePersistentHandle(bad_certificate_callback_);
     bad_certificate_callback_ = nullptr;
   }
-  if (trust_evaluate_reply_port_ != ILLEGAL_PORT) {
-    Dart_CloseNativePort(trust_evaluate_reply_port_);
-    trust_evaluate_reply_port_ = ILLEGAL_PORT;
-  }
   FreeResources();
 }
 
diff --git a/runtime/bin/secure_socket_filter.h b/runtime/bin/secure_socket_filter.h
@@ -115,14 +115,13 @@ class SSLFilter : public ReferenceCounted<SSLFilter> {
     return certificate_trust_state_.get();
   }
   Dart_Port reply_port() const { return reply_port_; }
-  Dart_Port trust_evaluate_reply_port() const {
-    return trust_evaluate_reply_port_;
-  }
+  static Dart_Port TrustEvaluateReplyPort();
 
  private:
   static const intptr_t kInternalBIOSize;
   static bool library_initialized_;
   static Mutex* mutex_;  // To protect library initialization.
+  static Dart_Port trust_evaluate_reply_port_;
 
   SSL* ssl_;
   BIO* socket_side_;
@@ -143,7 +142,6 @@ class SSLFilter : public ReferenceCounted<SSLFilter> {
   char* hostname_;
 
   Dart_Port reply_port_ = ILLEGAL_PORT;
-  Dart_Port trust_evaluate_reply_port_ = ILLEGAL_PORT;
   Dart_Port key_log_port_ = ILLEGAL_PORT;
 
   static bool IsBufferEncrypted(int i) {
diff --git a/runtime/bin/security_context.h b/runtime/bin/security_context.h
@@ -91,7 +91,7 @@ class SSLCertContext : public ReferenceCounted<SSLCertContext> {
   void set_trust_builtin(bool trust_builtin) { trust_builtin_ = trust_builtin; }
 
   void RegisterCallbacks(SSL* ssl);
-  TrustEvaluateHandlerFunc GetTrustEvaluateHandler() const;
+  static TrustEvaluateHandlerFunc GetTrustEvaluateHandler();
 
   static bool long_ssl_cert_evaluation() { return long_ssl_cert_evaluation_; }
   static void set_long_ssl_cert_evaluation(bool long_ssl_cert_evaluation) {
diff --git a/runtime/bin/security_context_fuchsia.cc b/runtime/bin/security_context_fuchsia.cc
@@ -50,7 +50,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {
   // verification mechanism.
 }
 
-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {
+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {
   return nullptr;
 }
 
diff --git a/runtime/bin/security_context_linux.cc b/runtime/bin/security_context_linux.cc
@@ -107,7 +107,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {
   // verification mechanism.
 }
 
-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {
+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {
   return nullptr;
 }
 
diff --git a/runtime/bin/security_context_macos.cc b/runtime/bin/security_context_macos.cc
@@ -226,7 +226,7 @@ static ssl_verify_result_t CertificateVerificationCallback(SSL* ssl,
                             &dart_cobject_root_cert, &reply_send_port};
   array.value.as_array.values = values;
 
-  Dart_PostCObject(filter->trust_evaluate_reply_port(), &array);
+  Dart_PostCObject(SSLFilter::TrustEvaluateReplyPort(), &array);
   return ssl_verify_retry;
 }
 
@@ -306,7 +306,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {
   SSL_set_custom_verify(ssl, SSL_VERIFY_PEER, CertificateVerificationCallback);
 }
 
-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {
+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {
   return &TrustEvaluateHandler;
 }
 
diff --git a/runtime/bin/security_context_win.cc b/runtime/bin/security_context_win.cc
@@ -227,7 +227,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {
   // verification mechanism.
 }
 
-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {
+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {
   return nullptr;
 }
 
diff --git a/tests/standalone/io/many_pending_secure_sockets_test.dart b/tests/standalone/io/many_pending_secure_sockets_test.dart
@@ -0,0 +1,23 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// https://github.com/flutter/flutter/issues/170723
+
+import "dart:io";
+
+test(int i) async {
+  var socket = await RawSecureSocket.connect("www.google.com", 443);
+  await Future.delayed(
+    Duration(seconds: 6), // More than the thread pool timeout.
+  );
+  socket.close();
+}
+
+main() async {
+  var tests = <Future>[];
+  for (var i = 0; i < 2000; i++) {
+    tests.add(test(i));
+  }
+  await Future.wait(tests);
+}
diff --git a/tests/standalone/standalone_vm.status b/tests/standalone/standalone_vm.status
@@ -14,6 +14,7 @@ no_allow_absolute_addresses_test: SkipByDesign # Not supported.
 io/file_stat_test: Skip # Issue 26376
 io/file_system_watcher_test: Skip # Issue 26376
 io/file_test: Skip # Issue 26376
+io/many_pending_secure_sockets_test: Skip # Too expensive
 io/non_utf8_output_test: Skip # The Android command runner doesn't correctly handle non-UTF8 formatted output. https://github.com/dart-lang/sdk/issues/28872
 io/process_exit_test: Skip # Issue 29578
 io/process_path_environment_test: Skip # Issue 26376

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {`
`50`	`50`	`// verification mechanism.`
`51`	`51`	`}`
`52`	`52`
`53`		`-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {`
	`53`	`+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {`
`54`	`54`	`return nullptr;`
`55`	`55`	`}`
`56`	`56`
Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {`
`107`	`107`	`// verification mechanism.`
`108`	`108`	`}`
`109`	`109`
`110`		`-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {`
	`110`	`+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {`
`111`	`111`	`return nullptr;`
`112`	`112`	`}`
`113`	`113`
Original file line number	Diff line number	Diff line change
`@@ -226,7 +226,7 @@ static ssl_verify_result_t CertificateVerificationCallback(SSL* ssl,`
`226`	`226`	`&dart_cobject_root_cert, &reply_send_port};`
`227`	`227`	`array.value.as_array.values = values;`
`228`	`228`
`229`		`- Dart_PostCObject(filter->trust_evaluate_reply_port(), &array);`
	`229`	`+ Dart_PostCObject(SSLFilter::TrustEvaluateReplyPort(), &array);`
`230`	`230`	`return ssl_verify_retry;`
`231`	`231`	`}`
`232`	`232`
`@@ -306,7 +306,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {`
`306`	`306`	`SSL_set_custom_verify(ssl, SSL_VERIFY_PEER, CertificateVerificationCallback);`
`307`	`307`	`}`
`308`	`308`
`309`		`-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {`
	`309`	`+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {`
`310`	`310`	`return &TrustEvaluateHandler;`
`311`	`311`	`}`
`312`	`312`
Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ void SSLCertContext::RegisterCallbacks(SSL* ssl) {`
`227`	`227`	`// verification mechanism.`
`228`	`228`	`}`
`229`	`229`
`230`		`-TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() const {`
	`230`	`+TrustEvaluateHandlerFunc SSLCertContext::GetTrustEvaluateHandler() {`
`231`	`231`	`return nullptr;`
`232`	`232`	`}`
`233`	`233`