Avoid race condition that can cause RequestAborted not to fire

halter73 · halter73 · commit 4d30367fff9e · 2025-08-15T13:30:18.000-07:00
- With HTTP/1.1 there's a narrow race where if we cancel the _abortedCts on a background thread due to the underlying connection closing between requests, it can be missed because CTS.TryReset is not thread safe with concurrent cancellation https://github.com/dotnet/runtime/blob/2dbdff1a7aebd64b4b265d99b173cd77f088c36e/src/libraries/System.Private.CoreLib/src/System/Threading/CancellationTokenSource.cs#L477-L479
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/HttpProtocol.cs b/src/Servers/Kestrel/Core/src/Internal/Http/HttpProtocol.cs
@@ -407,21 +407,19 @@ public void Reset()
 
         _manuallySetRequestAbortToken = null;
 
-        // Lock to prevent CancelRequestAbortedToken from attempting to cancel a disposed CTS.
-        CancellationTokenSource? localAbortCts = null;
-
         lock (_abortLock)
         {
             _preventRequestAbortedCancellation = false;
-            if (_abortedCts?.TryReset() == false)
+
+            // If the connection has already been aborted, allow that to be observed during the next request.
+            if (!_connectionAborted && _abortedCts is not null)
             {
-                localAbortCts = _abortedCts;
-                _abortedCts = null;
+                // _connectionAborted is terminal and only set inside the _abortLock, so if it isn't set here,
+                // it has not been canceled yet.
+                Trace.Assert(_abortedCts.TryReset());
             }
         }
 
-        localAbortCts?.Dispose();
-
         Output?.Reset();
 
         _requestHeadersParsed = 0;
@@ -760,7 +758,7 @@ private async Task ProcessRequests<TContext>(IHttpApplication<TContext> applicat
                 }
                 else if (!HasResponseStarted)
                 {
-                    // If the request was aborted and no response was sent, we use status code 499 for logging                    
+                    // If the request was aborted and no response was sent, we use status code 499 for logging
                     StatusCode = StatusCodes.Status499ClientClosedRequest;
                 }
             }
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs b/src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs
@@ -129,7 +129,6 @@ public bool ReceivedEmptyRequestBody
     protected override void OnReset()
     {
         _keepAlive = true;
-        _connectionAborted = false;
         _userTrailers = null;
 
         // Reset Http2 Features
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Connection.cs b/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Connection.cs
@@ -602,15 +602,16 @@ private async Task CreateHttp3Stream<TContext>(ConnectionContext streamContext,
 
         // Check whether there is an existing HTTP/3 stream on the transport stream.
         // A stream will only be cached if the transport stream itself is reused.
-        if (!persistentStateFeature.State.TryGetValue(StreamPersistentStateKey, out var s))
+        if (!persistentStateFeature.State.TryGetValue(StreamPersistentStateKey, out var s) ||
+            s is not Http3Stream<TContext> { CanReuse: true } reusableStream)
         {
             stream = new Http3Stream<TContext>(application, CreateHttpStreamContext(streamContext));
             persistentStateFeature.State.Add(StreamPersistentStateKey, stream);
         }
         else
         {
-            stream = (Http3Stream<TContext>)s!;
-            stream.InitializeWithExistingContext(streamContext.Transport);
+            reusableStream.InitializeWithExistingContext(streamContext.Transport);
+            stream = reusableStream;
         }
 
         _streamLifetimeHandler.OnStreamCreated(stream);
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs b/src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs
@@ -66,6 +66,8 @@ internal abstract partial class Http3Stream : HttpProtocol, IHttp3Stream, IHttpS
     private bool IsAbortedRead => (_completionState & StreamCompletionFlags.AbortedRead) == StreamCompletionFlags.AbortedRead;
     public bool IsCompleted => (_completionState & StreamCompletionFlags.Completed) == StreamCompletionFlags.Completed;
 
+    public bool CanReuse => !_connectionAborted && HasResponseCompleted;
+
     public bool ReceivedEmptyRequestBody
     {
         get
@@ -957,7 +959,6 @@ private Task ProcessDataFrameAsync(in ReadOnlySequence<byte> payload)
     protected override void OnReset()
     {
         _keepAlive = true;
-        _connectionAborted = false;
         _userTrailers = null;
         _isWebTransportSessionAccepted = false;
         _isMethodConnect = false;

Original file line number	Diff line number	Diff line change
`@@ -407,21 +407,19 @@ public void Reset()`
`407`	`407`
`408`	`408`	`_manuallySetRequestAbortToken = null;`
`409`	`409`
`410`		`- // Lock to prevent CancelRequestAbortedToken from attempting to cancel a disposed CTS.`
`411`		`- CancellationTokenSource? localAbortCts = null;`
`412`		`-`
`413`	`410`	`lock (_abortLock)`
`414`	`411`	`{`
`415`	`412`	`_preventRequestAbortedCancellation = false;`
`416`		`- if (_abortedCts?.TryReset() == false)`
	`413`	`+`
	`414`	`+ // If the connection has already been aborted, allow that to be observed during the next request.`
	`415`	`+ if (!_connectionAborted && _abortedCts is not null)`
`417`	`416`	`{`
`418`		`- localAbortCts = _abortedCts;`
`419`		`- _abortedCts = null;`
	`417`	`+ // _connectionAborted is terminal and only set inside the _abortLock, so if it isn't set here,`
	`418`	`+ // it has not been canceled yet.`
	`419`	`+ Trace.Assert(_abortedCts.TryReset());`
`420`	`420`	`}`
`421`	`421`	`}`
`422`	`422`
`423`		`- localAbortCts?.Dispose();`
`424`		`-`
`425`	`423`	`Output?.Reset();`
`426`	`424`
`427`	`425`	`_requestHeadersParsed = 0;`
`@@ -760,7 +758,7 @@ private async Task ProcessRequests<TContext>(IHttpApplication<TContext> applicat`
`760`	`758`	`}`
`761`	`759`	`else if (!HasResponseStarted)`
`762`	`760`	`{`
`763`		`- // If the request was aborted and no response was sent, we use status code 499 for logging`
	`761`	`+ // If the request was aborted and no response was sent, we use status code 499 for logging`
`764`	`762`	`StatusCode = StatusCodes.Status499ClientClosedRequest;`
`765`	`763`	`}`
`766`	`764`	`}`
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,6 @@ public bool ReceivedEmptyRequestBody`
`129`	`129`	`protected override void OnReset()`
`130`	`130`	`{`
`131`	`131`	`_keepAlive = true;`
`132`		`- _connectionAborted = false;`
`133`	`132`	`_userTrailers = null;`
`134`	`133`
`135`	`134`	`// Reset Http2 Features`
Original file line number	Diff line number	Diff line change
`@@ -602,15 +602,16 @@ private async Task CreateHttp3Stream<TContext>(ConnectionContext streamContext,`
`602`	`602`
`603`	`603`	`// Check whether there is an existing HTTP/3 stream on the transport stream.`
`604`	`604`	`// A stream will only be cached if the transport stream itself is reused.`
`605`		`- if (!persistentStateFeature.State.TryGetValue(StreamPersistentStateKey, out var s))`
	`605`	`+ if (!persistentStateFeature.State.TryGetValue(StreamPersistentStateKey, out var s) \|\|`
	`606`	`+ s is not Http3Stream<TContext> { CanReuse: true } reusableStream)`
`606`	`607`	`{`
`607`	`608`	`stream = new Http3Stream<TContext>(application, CreateHttpStreamContext(streamContext));`
`608`	`609`	`persistentStateFeature.State.Add(StreamPersistentStateKey, stream);`
`609`	`610`	`}`
`610`	`611`	`else`
`611`	`612`	`{`
`612`		`- stream = (Http3Stream<TContext>)s!;`
`613`		`- stream.InitializeWithExistingContext(streamContext.Transport);`
	`613`	`+ reusableStream.InitializeWithExistingContext(streamContext.Transport);`
	`614`	`+ stream = reusableStream;`
`614`	`615`	`}`
`615`	`616`
`616`	`617`	`_streamLifetimeHandler.OnStreamCreated(stream);`