network: catch SIGPIPEs via SO_NOSIGPIPE on Darwin

[rebello95]

With Envoy Mobile, we have started seeing some SIGPIPE fatal crashes in our iOS application. This is a bit strange considering Envoy attempts to suppress SIGPIPE errors. However, this is done at the global process-wide level, meaning something else could be re-setting it.

It's worth noting that:

• We only started seeing this after updating Envoy Mobile's Envoy submodule with this diff. Binary searches unfortunately were not of much help since this is a pretty rare crash that we've only seen reported from production users' devices (no reproducible steps).
• The above diff also includes some socket changes (and a few others), which could potentially be related to why we just now started seeing this issue (cc @florincoras in case you have ideas!).
• The earliest build where we started seeing this issue was built with Xcode 11.5 rather than Xcode 11.3.1. Though unlikely, it is possible that this affected the effectiveness of Envoy's ignoring of SIGPIPE if something changed there.

This fix takes advantage of Apple's SO_NOSIGPIPE setting on a per-socket level to catch the SIGPIPEs that we're now seeing. It's being set on the upstream and listener socket creation codepaths in line with Envoy's existing setup to catch all SIGPIPEs.

SO_NOSIGPIPE is an option that prevents SIGPIPE from being raised when a write fails on a socket to which there is no reader; instead, the write to the socket returns with the error EPIPE when there is no reader.

Risk Level: Low, Envoy was already attempting to suppress SIGPIPEs
Testing: Existing tests
Docs Changes: N/A
Release Notes: N/A

Signed-off-by: Michael Rebello me@michaelrebello.com
Co-authored-by: Jose Nino jnino@lyft.com

[rebello95]

cc @junr03 @goaway @florincoras

[florincoras]

@rebello95 interesting. As far as I know, we are not trying to re-set SIGPIPE (and a quick code search seems to confirm that). So, I guess that SIGPIPE suppression never worked but something else changed, maybe event scheduling/handling, and this is now surfacing.

[rebello95]

Definitely possible. Unfortunately I haven't been able to confirm the exact root cause since it hasn't been reproducible.

[junr03]

@rebello95 I think the master merge is missing DCO

[rebello95]

@junr03 yep, rebased and fixed DCO just now

[junr03]

@ggreenway I was wondering if you could take a look at this. I feel this is up your alley.

[rebello95]

I think CI failures are unrelated - updated with master 🤷‍♂️

[mattklein123]

LGTM with a few small comments, thanks.

/wait

[mattklein123]

If we have this here and on the listener side, do we still need the process-wide signal() call that attempts to ignore SIGPIPE? I suppose that would be a riskier change, but can you add a TODO above that call to consider removing it and maybe also add some comments here and on the listener side of why we set this?

[rebello95]

I think we'll always need the process-wide signal() call since this additional socket option only applies on certain OSes, as gated by #ifdef SO_NOSIGPIPE in this PR, so it probably doesn't make sense to have a todo. I updated with additional documentation as requested.

[mattklein123]

LGTM please check format.

/wait

[rebello95]

@mattklein123 fixed

[rebello95]

And thank you for the reviews!

[mattklein123]

CI failures look legit.

/wait

[rebello95]

Fixed most of the tests, but still working with @junr03 to resolve the rest

[rebello95]

Should be good now!

[mattklein123]

Thanks!