Use mayInterruptIfRunning=true on CompletableFuture cancellation to prevent resource leaks

Closes #1188

Author: vladislavsheludchenkov

core/src/main/scala/org/http4s/jdkhttpclient/CancelableAsync.scala

@@ -0,0 +1,53 @@
+package org.http4s.jdkhttpclient
+
+import cats.effect.Async
+import cats.effect.kernel.Cont
+import cats.effect.kernel.MonadCancelThrow
+import cats.~>
+
+import java.util.concurrent.CompletableFuture
+import java.util.concurrent.CompletionException
+
+private[jdkhttpclient] object CancelableAsync {
+
+  /** This is a direct copy-paste of [[cats.effect.kernel.AsyncPlatform.fromCompletableFuture]] with
+    * `mayInterruptIfRunning` set to `true` instead of `false`.
+    *
+    * This is *really* important for JDK HTTP Client, since if you cancel a `CompletableFuture` with
+    * `mayInterruptIfRunning` set to `false`, it will not cancel the actual HTTP request but the
+    * CompletableFuture will still report a successful cancellation, leaking the connection which
+    * will never be cleaned up, taking up resources until the JVM exits and blocking the graceful
+    * finalization of the JDK HTTP Client.
+    */
+  def fromCompletableFuture[F[_], A](fut: F[CompletableFuture[A]])(implicit F: Async[F]): F[A] =
+    F.cont {
+      new Cont[F, A, A] {
+        def apply[G[_]](implicit
+            G: MonadCancelThrow[G]
+        ): (Either[Throwable, A] => Unit, G[A], F ~> G) => G[A] = { (resume, get, lift) =>
+          G.uncancelable { poll =>
+            G.flatMap(poll(lift(fut))) { cf =>
+              val go = F.delay {
+                cf.handle[Unit] {
+                  case (a, null) => resume(Right(a))
+                  case (_, t) =>
+                    resume(Left(t match {
+                      case e: CompletionException if e.getCause ne null => e.getCause
+                      case _ => t
+                    }))
+                }
+              }
+
+              val await = G.onCancel(
+                poll(get),
+                // if cannot cancel, fallback to get
+                G.ifM(lift(F.delay(cf.cancel(true))))(G.unit, G.void(get))
+              )
+
+              G.productR(lift(go))(await)
+            }
+          }
+        }
+      }
+    }
+}

core/src/main/scala/org/http4s/jdkhttpclient/JdkHttpClient.scala

@@ -240,7 +240,7 @@ object JdkHttpClient {
     Client[F] { req =>
       for {
         req <- convertRequest(req)
-        res = F.fromCompletableFuture(
+        res = CancelableAsync.fromCompletableFuture(
           F.delay(jdkHttpClient.sendAsync(req, BodyHandlers.ofPublisher))
         )
         res <- convertResponse(res)

core/src/main/scala/org/http4s/jdkhttpclient/JdkWSClient.scala

@@ -105,7 +105,7 @@ object JdkWSClient {
                 }
               }
               webSocket <- poll(
-                F.fromCompletableFuture(
+                CancelableAsync.fromCompletableFuture(
                   F.delay(wsBuilder.buildAsync(URI.create(req.uri.renderString), wsListener))
                 )
               )

core/src/test/scala/org/http4s/jdkhttpclient/CompletableFutureTerminationTest.scala

@@ -36,11 +36,18 @@ import java.util.concurrent.TimeUnit
 import scala.concurrent.duration._
 
 final class CompletableFutureTerminationTest extends CatsEffectSuite {
+
   import CompletableFutureTerminationTest._
 
   private val duration: FiniteDuration =
     FiniteDuration(50L, TimeUnit.MILLISECONDS)
 
+  /** If test took longer than serverTimeout, it means we leaked a connection, and the client held
+    * onto it even after the cancellation attempt, blocking http client finalization. It got
+    * eventually released after the server force terminated all connections.
+    */
+  override def munitIOTimeout: Duration = serverTimeout
+
   // This test ensures that converting from a
   // java.util.concurrent.CompletableFuture to an effect type, such as IO,
   // will properly terminate the CompletableFuture if the resulting effect is
@@ -65,81 +72,87 @@ final class CompletableFutureTerminationTest extends CatsEffectSuite {
   //
   // See: https://docs.oracle.com/en/java/javase/14/docs/api/java.net.http/java/net/http/HttpResponse.BodySubscriber.html
   test("Terminating an effect generated from a CompletableFuture") {
-    (Semaphore[IO](1L), Deferred[IO, Observation[HttpResponse[String]]], Semaphore[IO](1L)).tupled
-      .flatMap { case (stallServer, observation, gotRequest) =>
-        // Acquire the `stallServer` semaphore so that the server will not
-        // return _any_ bytes until we release a permit.
-        stallServer.acquire *>
-          // Acquire the `gotRequest` semaphore. The server will release this
-          // once it gets our Request. We wait until this happens to start our
-          // timeout logic.
-          gotRequest.acquire *>
-          // Start a Http4s Server, it will be terminated at the conclusion of
-          // this test.
-          stallingServerR[IO](stallServer, gotRequest).use { (server: Server) =>
-            // Call the server, using the JDK client. We call directly with
-            // the JDK client because we need to have low level control over
-            // the result to observe whether or not the
-            // java.util.concurrent.CompletableFuture is still executing (and
-            // holding on to resources).
-            callServer[IO](server).flatMap((cf: CompletableFuture[HttpResponse[String]]) =>
-              // Attach a handler onto the result. This will populate our
-              // `observation` Deferred value when the CompletableFuture
-              // finishes for any reason.
-              //
-              // We start executing this in the background, so that we
-              // asynchronously populate our Observation.
-              observeCompletableFuture(observation, cf).start.flatMap(fiber =>
-                // Wait until we are sure the Http4s Server has received the
-                // request.
-                gotRequest.acquire *>
-                  // Lift the CompletableFuture to a IO value and attach a
-                  // (short) timeout to the termination.
+    JdkHttpClient.defaultHttpClientResource[IO].use { client =>
+      (Semaphore[IO](1L), Deferred[IO, Observation[HttpResponse[String]]], Semaphore[IO](1L)).tupled
+        .flatMap { case (stallServer, observation, gotRequest) =>
+          // Acquire the `stallServer` semaphore so that the server will not
+          // return _any_ bytes until we release a permit.
+          stallServer.acquire *>
+            // Acquire the `gotRequest` semaphore. The server will release this
+            // once it gets our Request. We wait until this happens to start our
+            // timeout logic.
+            gotRequest.acquire *>
+            // Start a Http4s Server, it will be terminated at the conclusion of
+            // this test.
+            stallingServerR[IO](stallServer, gotRequest).use { (server: Server) =>
+              // Call the server, using the JDK client. We call directly with
+              // the JDK client because we need to have low level control over
+              // the result to observe whether or not the
+              // java.util.concurrent.CompletableFuture is still executing (and
+              // holding on to resources).
+              callServer[IO](client, server).flatMap(
+                (cf: CompletableFuture[HttpResponse[String]]) =>
+                  // Attach a handler onto the result. This will populate our
+                  // `observation` Deferred value when the CompletableFuture
+                  // finishes for any reason.
                   //
-                  // Important! The IO result _must_ be terminated via the
-                  // timeout _before any bytes_ have been received by the JDK
-                  // HttpClient in order to validate resource safety. Once we
-                  // start getting bytes back, the CompletableFuture _is
-                  // complete_ and we are in a different context.
-                  //
-                  // Notice that we release stallServer _after_ the
-                  // timeout. _This is the crux of this entire test_. Once
-                  // we release `stallServer`, the Http4s Server will
-                  // attempt to send back an Http Response to our JDK
-                  // client. If the CompletableFuture and associated
-                  // resources were properly cleaned up after the
-                  // timeoutTo terminated the running effect, then the JDK
-                  // client connection will either be closed, or the
-                  // attempt to invoke `complete` on the
-                  // `CompletableFuture` will fail, in both cases
-                  // releasing any resources being held. If not, then it
-                  // will still receive bytes, meaning there is a resource
-                  // leak.
-                  IO.fromCompletableFuture(IO(cf))
-                    .void
-                    .timeoutTo(duration, stallServer.release) *>
-                  // After the timeout has triggered, wait for the observation to complete.
-                  fiber.join *>
-                  // Check our observation. Whether or not there is an exception
-                  // is not actually relevant to the success case. What _is_
-                  // important is that there is no result. If there is a result,
-                  // then that means that _after_ `timeoutTo` released
-                  // `stallServer` the CompletableFuture for the Http response
-                  // body still processed data, which indicates a resource leak.
-                  observation.get.flatMap {
-                    case Observation(None, _) => IO.pure(true)
-                    case otherwise =>
-                      IO.raiseError(new AssertionError(s"Expected no result, got $otherwise"))
-                  }
+                  // We start executing this in the background, so that we
+                  // asynchronously populate our Observation.
+                  observeCompletableFuture(observation, cf).start.flatMap(fiber =>
+                    // Wait until we are sure the Http4s Server has received the
+                    // request.
+                    gotRequest.acquire *>
+                      // Lift the CompletableFuture to a IO value and attach a
+                      // (short) timeout to the termination.
+                      //
+                      // Important! The IO result _must_ be terminated via the
+                      // timeout _before any bytes_ have been received by the JDK
+                      // HttpClient in order to validate resource safety. Once we
+                      // start getting bytes back, the CompletableFuture _is
+                      // complete_ and we are in a different context.
+                      //
+                      // Notice that we release stallServer _after_ the
+                      // timeout. _This is the crux of this entire test_. Once
+                      // we release `stallServer`, the Http4s Server will
+                      // attempt to send back an Http Response to our JDK
+                      // client. If the CompletableFuture and associated
+                      // resources were properly cleaned up after the
+                      // timeoutTo terminated the running effect, then the JDK
+                      // client connection will either be closed, or the
+                      // attempt to invoke `complete` on the
+                      // `CompletableFuture` will fail, in both cases
+                      // releasing any resources being held. If not, then it
+                      // will still receive bytes, meaning there is a resource
+                      // leak.
+                      CancelableAsync
+                        .fromCompletableFuture(IO(cf))
+                        .void
+                        .timeoutTo(duration, stallServer.release) *>
+                      // After the timeout has triggered, wait for the observation to complete.
+                      fiber.join *>
+                      // Check our observation. Whether or not there is an exception
+                      // is not actually relevant to the success case. What _is_
+                      // important is that there is no result. If there is a result,
+                      // then that means that _after_ `timeoutTo` released
+                      // `stallServer` the CompletableFuture for the Http response
+                      // body still processed data, which indicates a resource leak.
+                      observation.get.flatMap {
+                        case Observation(None, _) => IO.pure(true)
+                        case otherwise =>
+                          IO.raiseError(new AssertionError(s"Expected no result, got $otherwise"))
+                      }
+                  )
               )
-            )
-          }
-      }
+            }
+        }
+    }
   }
 }
 
 object CompletableFutureTerminationTest {
 
+  private val serverTimeout = 5.seconds
+
   /** ADT to contain the result of an invocation to
     * [[java.util.concurrent.CompletionStage#handleAsync]]
     *
@@ -179,14 +192,12 @@ object CompletableFutureTerminationTest {
     EmberServerBuilder
       .default[F]
       .withHttpApp(
-        Kleisli(
-          Function.const(
-            gotRequest.release *>
-              semaphore.permit.use(_ => F.pure(Response[F]()))
-          )
+        Kleisli.liftF(
+          gotRequest.release *>
+            semaphore.permit.use(_ => F.pure(Response[F]()))
         )
       )
-      .withShutdownTimeout(1.second)
+      .withShutdownTimeout(serverTimeout)
       .withPort(port"0")
       .build
 
@@ -218,11 +229,11 @@ object CompletableFutureTerminationTest {
     * in a [[java.util.concurrent.CompletableFuture]].
     */
   private def callServer[F[_]](
+      client: HttpClient,
       server: Server
   )(implicit F: Sync[F]): F[CompletableFuture[HttpResponse[String]]] =
     for {
       jURI <- F.catchNonFatal(new URI(server.baseUri.renderString))
-      client <- F.delay(HttpClient.newHttpClient)
       result <- F.delay(
         client.sendAsync(HttpRequest.newBuilder(jURI).build(), HttpResponse.BodyHandlers.ofString)
       )