[GitHub] [trafficserver] zizhong opened issue #4258: Double free in Http2ConnectionState::release_stream

Mon, 17 Sep 2018 18:58:37 -0700 

Recently, we encountered a type of crashes in 
Http2ConnectionState::release_stream.
After digging into it more, I think it is already fixed with #pr4147 and 
#pr4178. Thanks, @shinrich. 

The backtrace is
```
#6  0x00000000004ada7e in crash_logger_invoke (signo=11, info=0x2b676c50f730, 
ctx=0x2b676c50f600) at Crash.cc:169
#7  <signal handler called>
#8  0x0000000000000100 in ?? ()
#9  0x0000000000609d72 in Http2ConnectionState::release_stream 
(this=this@entry=0x2b6814d50280, stream=stream@entry=0x2b68625b9280) at 
Http2ConnectionState.cc:1078
#10 0x00000000005f9c5e in Http2Stream::destroy (this=0x2b68625b9280) at 
Http2Stream.cc:665
#11 0x00000000005fd6e7 in Http2Stream::main_event_handler (this=0x2b68625b9280, 
event=104, edata=<optimized out>) at Http2Stream.cc:126
#12 0x0000000000773b80 in handleEvent (data=0x2b67edaadce0, event=104, 
this=<optimized out>) at I_Continuation.h:153
#13 EThread::process_event (this=0x2b6769a08000, e=0x2b67edaadce0, 
calling_code=104) at UnixEThread.cc:148
#14 0x000000000077483b in EThread::execute (this=0x2b6769a08000) at 
UnixEThread.cc:202
#15 0x000000000077362a in spawn_thread_internal (a=0x2b676773bb20) at 
Thread.cc:86
#16 0x00002b6764383dc5 in start_thread () from /lib64/libpthread.so.0
#17 0x00002b676541f76d in clone () from /lib64/libc.so.6
```

The double free happens as follows
```
Http2ConnectionState::release_stream -> 
        ProxyClientSession::handle_api_return->
                SSLNetVConnection::do_io_close->
                        close_UnixNetVConnection() // free the vc

                Http2ClientSession::release_netvc() will write it again. (use 
after free)

                Http2ClientSession::free()
                        if (client_vc) {
                                release_netvc(); // (use after free again)
                                client_vc->do_io_close()
                                        SSLNetVConnection::do_io_close->
                                                close_UnixNetVConnection()  // 
double free the vc
                                client_vc = nullptr
                        }
```

After the #pr4147 and #pr4178,
        all the release_netvc() is removed.
        vc->do_io_close() is removed from  ProxyClientSession::handle_api_return

so the workflow will be:
```
        Http2ConnectionState::release_stream -> 
                ProxyClientSession::handle_api_return->
                        Http2ClientSession::free()
                                if (client_vc) {
                                        client_vc->do_io_close()
                                                SSLNetVConnection::do_io_close->
                                                        
close_UnixNetVConnection() // free the vc
                                        client_vc = nullptr
                                }
```
Though it's fixed, I think keeping this crash on record could be helpful if 
some others observe
the same issue.

[ Full content available at: 
https://github.com/apache/trafficserver/issues/4258 ]
This message was relayed via gitbox.apache.org for [email protected]

Reply via email to