Set timeout for helper subprocesses to enhance stability #11125
Conversation
github-actions
bot
added
L: go:modules
kbukum1
force-pushed
the
jurre/helper-sub-process-timeout
branch
from
77e08d4 to
132fedd
Compare
…elpers_command_timeout`
kbukum1
force-pushed
the
jurre/helper-sub-process-timeout
branch
from
ad5d950 to
dbb517d
Compare
fix spec issues
kbukum1
requested review from
jeffwidman,
abdulapopoola,
jurre,
jakecoffman,
brettfo,
JamieMagee,
jonabc and
honeyankit
and removed request for
jakecoffman and
jurre
| ) | ||
| .returns(T.nilable(T.any(String, T::Hash[String, T.untyped], T::Array[T::Hash[String, T.untyped]]))) | ||
| end | ||
| def self.run_helper_subprocess(command:, function:, args:, env: nil, | ||
| stderr_to_stdout: false, | ||
| allow_unsafe_shell_command: false, | ||
| error_class: HelperSubprocessFailed) | ||
| error_class: HelperSubprocessFailed, | ||
| command_type: :network, |
There was a problem hiding this comment.
Review Tip: We set the default timeout to 120 seconds (using :network).
Note: The timeout applies to the time between outputs to stdout or stderr, not the overall execution duration of the command. Each time the command produces output, the timeout is reset, and it waits for the next response.
There was a problem hiding this comment.
TBH this feels more complex/confusing than it needs to be. This introduces magic symbols that callers must know to use, where those symbols are mapped to timeout values in the new command helpers class.
There's also some complexity coming from the addition of both command type and timeout arguments. As a caller if I didn't know the internals of this function I would be confused that a command that was run with timeout: -1 would have a timeout applied because command_type: :network has a special meaning. Is timeout an explicit value? An implicit value? I need to dig into the code to know how to call this.
WDYT about creating constants for different common timeout values and having callers use those constants to set a timeout value when needed. This removes having two params, makes the timeout field explicit, and maintains named common timeout values.
module CommandTimeouts
NETWORK = 120 # seconds
LONG_RUNNING = 300 # seconds
NONE = -1 # seconds
LOCAL_TASK = 30 # seconds
DEFAULT = NETWORK
end
def self.run_helper_subprocess(... timeout: CommandTimeouts::DEFAULT...)There was a problem hiding this comment.
It is fixed. Please let me know if you see any issue now.
| # Use IO.select with a dynamically calculated short timeout | ||
| ready_ios = IO.select(ios, nil, nil, [0.1, remaining_timeout].min) |
There was a problem hiding this comment.
I've never worked with IO.select before, but the docs suggest the arguments should be Arrays of IO objects. What's the effect of using nil instead?
There was a problem hiding this comment.
We are not monitoring for write readiness (nil) because writing is already completed at the beginning, and we do not perform incremental writes. Similarly, we do not monitor error conditions (nil) as they are not required in this context. For read readiness, we monitor the output streams (stdout and stderr) using a timeout to avoid blocking indefinitely. The timeout is set to the shorter of 0.1 seconds or the remaining timeout ([0.1, remaining_timeout].min), ensuring responsiveness while respecting the overall timeout limit.
| Process.kill("KILL", pid) # Forcefully kill if still running | ||
| end | ||
| rescue Errno::EPERM | ||
| Dependabot.logger.error("Insufficient permissions to terminate process: #{pid}") |
There was a problem hiding this comment.
What happens in this case? Will the job still terminate?
There was a problem hiding this comment.
In natural way if it terminates (old way) we don't do anything. If it doesn't then the operation is going to get canceled after hanging out as how it was before. But generally we should have permission to do it since we initiated the command in this thread.
There was a problem hiding this comment.
I would be surprised if this ever triggers TBH. This is only ever going to terminate a sub-process, and AFAIK the parent process should always have perms to terminate a child process.
| DEFAULT_TIMEOUTS = T.let({ | ||
| no_time_out: -1, # No timeout | ||
| local: 30, # Local commands | ||
| network: 120, # Network-dependent commands | ||
| long_running: 300 # Long-running tasks (e.g., builds) | ||
| }.freeze, T::Hash[T.untyped, T.untyped]) |
There was a problem hiding this comment.
Any reason to keep these as T::Hash[T.untyped, T.untyped]? We're controlling them and all the values suggest to me that T::Hash[Symbol, Integer] would be the signature.
There was a problem hiding this comment.
Thanks. Will fix it.
| let(:output_hang_cmd) { command_fixture("output_hang.sh") } | ||
| let(:error_hang_cmd) { command_fixture("error_hang.sh") } | ||
| let(:invalid_cmd) { "non_existent_command" } | ||
| let(:timeout) { 2 } # Timeout for hanging commands |
| ) | ||
| .returns(T.nilable(T.any(String, T::Hash[String, T.untyped], T::Array[T::Hash[String, T.untyped]]))) | ||
| end | ||
| def self.run_helper_subprocess(command:, function:, args:, env: nil, | ||
| stderr_to_stdout: false, | ||
| allow_unsafe_shell_command: false, | ||
| error_class: HelperSubprocessFailed) | ||
| error_class: HelperSubprocessFailed, | ||
| command_type: :network, |
There was a problem hiding this comment.
TBH this feels more complex/confusing than it needs to be. This introduces magic symbols that callers must know to use, where those symbols are mapped to timeout values in the new command helpers class.
There's also some complexity coming from the addition of both command type and timeout arguments. As a caller if I didn't know the internals of this function I would be confused that a command that was run with timeout: -1 would have a timeout applied because command_type: :network has a special meaning. Is timeout an explicit value? An implicit value? I need to dig into the code to know how to call this.
WDYT about creating constants for different common timeout values and having callers use those constants to set a timeout value when needed. This removes having two params, makes the timeout field explicit, and maintains named common timeout values.
module CommandTimeouts
NETWORK = 120 # seconds
LONG_RUNNING = 300 # seconds
NONE = -1 # seconds
LOCAL_TASK = 30 # seconds
DEFAULT = NETWORK
end
def self.run_helper_subprocess(... timeout: CommandTimeouts::DEFAULT...)
kbukum1
force-pushed
the
jurre/helper-sub-process-timeout
branch
from
b6aef5f to
78c2014
Compare
reduce timeout parameter complexity
Thanks for the thorough review! I'll merge once the CI is happy. |
abdulapopoola
changed the title
What are you trying to accomplish?
This PR introduces a timeout mechanism for running helper subprocesses to ensure they do not run indefinitely, enhancing system stability and robustness. The change is gated behind the feature flag:
enable_shared_helpers_command_timeout.What and Why:
capture3_with_timeoutmethod to manage subprocess execution with a configurable timeout.run_helper_subprocessmethod by replacing the existingOpen3.capture3call withcapture3_with_timeout.Note: The timeout applies to the time between outputs to
stdoutorstderr, not the overall execution duration of the command. Each time the command produces output, the timeout is reset, and it waits for the next response.enable_shared_helpers_command_timeoutfeature flag. This ensures no impact to existing workflows unless the flag is enabled.Related Issues:
Anything you want to highlight for special attention from reviewers?
enable_shared_helpers_command_timeoutfeature flag to ensure it can be toggled on/off safely.Process.killandProcess.wait) to avoid zombie processes.How will you know you've accomplished your goal?
Checklist