Use-after-free crash on Linux: `URLSession._MultiHandle` thread-safety bug

[KotlinFactory]

Summary

Concurrent LLM requests crash on Linux with a use-after-free in libFoundationNetworking's URLSession._MultiHandle. This is a known thread-safety bug in swift-corelibs-foundation's libcurl-backed URLSession, and it affects AnyLanguageModel because all model implementations use URLSession for HTTP.

Crash Log

Object 0x71467803b120 of class _MultiHandle deallocated with non-zero retain count 2.
This object's deinit, or something called from it, may have created a strong reference
to self which outlived deinit, resulting in a dangling reference.

💣 Program crashed: Bad pointer dereference at 0x000071412c7a405c

Thread 41 "NIO-SGLTN-1-#7" crashed:
  0 _swift_release_dealloc + 13 in libswiftCore.so
  1 doDecrementSlow + 366 in libswiftCore.so
  2 specialized _NativeDictionary.copy() + 318 in libFoundationNetworking.so
  3 specialized Dictionary._Variant.removeValue(forKey:) + 106 in libFoundationNetworking.so
  4 URLSession._MultiHandle.endOperation(for:) + 55 in libFoundationNetworking.so

Environment

• Platform: x86_64 Linux (Debian 13 trixie)
• Swift 6.2
• AnyLanguageModel 0.6.x

Root Cause

Each model type (Gemini, OpenAI, Anthropic, Ollama) creates its own URLSession(configuration: .default). On Linux, URLSession is backed by libFoundationNetworking which wraps libcurl via a _MultiHandle singleton. When multiple model calls execute concurrently, _MultiHandle.endOperation(for:) corrupts its internal dictionary — a known race condition in swift-corelibs-foundation.

The Linux streaming path in URLSession+Extensions.swift makes it worse by creating an additional URLSession per streaming request (line ~195):

let session = URLSession(
    configuration: self.configuration,
    delegate: delegate,
    delegateQueue: delegateQueue
)

Suggested Fix

Replace URLSession with AsyncHTTPClient (NIO-based, no libcurl dependency). This is the standard HTTP client in the Swift on Server ecosystem and doesn't suffer from _MultiHandle issues.

Alternatively, a shared singleton URLSession with serialized access would reduce (but not fully eliminate) the race window.

Workaround

Serializing all LLM calls so only one URLSession request is in flight at a time avoids the crash, but at the cost of throughput.

[mattt]

@KotlinFactory Thank you for reporting this. It's too bad that FoundationNetworking has so many hidden gotchas. ¹

I appreciate your opening #128. The AsyncHTTPClient dependency and all its NIO transitives are pretty heavy, so I'd want to condition those on a trait.

As a first step, I think it makes sense to apply that minimal fix you suggested, and gate in-flight requests to avoid the crash on Linux. I opened #134 with that change. This way, Linux users aren't totally beholden to that alternative networking stack. And we can also offer AsyncHTTPClient as an additive feature.

What do you think?

Footnotes

1. Maybe we need AnyURLSession? 🫠 ↩

[KotlinFactory]

Perhaps we really do need AnyURLSession haha

[KotlinFactory]

My main worry with #134 is that by gating the requests, we're forcing Linux to be entirely synchronous, which will severely slow down performance. For that reason, I really believe AsyncHTTPClient is the necessary path forward.

We'd be more than happy to contribute the work to make AsyncHTTPClient a package trait.

[JonasProgrammer]

Hey, I'm the guy, who was originally suffering from this bug.

While #134 solves this, I don't think it is a feasible solution. LLM calls are expected to be time-consuming, limiting their concurrency to 1 in the whole application is devastating for many workloads.

I agree AsyncHttpClient is heavy, but it seems to be well-supported for server-side Swift. But I also agree a (basically) no-dependency solution, as this library currently is, has many benefits.
A trait would probably really be a good path forward. You mostly rely on extensions anyway, so it should be fairly doable to abstract the differences between URLSession and async-http-client away.

As for the original PR #128, sorry some internal commits made it in there; for now, I have switched to async-http-client and also changed EventSource to do the same, thus I needed to switch repos.
Let us (@KotlinFactory and me) know if we can be of any help

[mattt]

@JonasProgrammer Hey! Thanks for your work on #128. I saw that you forked EventSource to add AsyncHTTPClient support, so I went ahead and implemented that and cut a new release (1.4.0).

Here's what I'm thinking:

• Merge Serialize Linux URLSession request paths to mitigate _MultiHandle race #134 to mitigate current crashing behavior
• Implement AsyncHTTPClient support behind a trait
• Enable AsyncHTTPClient trait by default on Linux (conditionalize default traits around #if canImport(FoundationNetworking))
• Add #warning or similar to communicate impact of not enabling AsyncHTTPClient trait on Linux

Does that sound reasonable?

Would you like to take another pass at implementing #128?

[KotlinFactory]

We will get back to you and implement the feedback :)

[JonasProgrammer]

I have started to implement bugfix/linux-url-session-2 based off of your other fixes.
Will fix a minor bug in data handling tomorrow.

However, I have not yet found a good way to pass down traits to sub-packages (i.e., how one would properly use the traited or untraited version of EventSource in this case).

Personally, I would not implement a 'fallback' here, as was done in EventSource. The original bug manifested itself in spurious application crashes (and in such a 'bad' way, that swift could not even collect its backtraces). When a user consumes the package with the trait, I'd count this as intent to use it unconditionally

[KotlinFactory]

@mattt Any idea on how on how to properly pass down traits to subpackages perhaps?

[KotlinFactory]

Hey this should be fixed, by #143 now :)