shinrich commented on a change in pull request #7845:
URL: https://github.com/apache/trafficserver/pull/7845#discussion_r661832695
##########
File path: proxy/http2/Http2Stream.cc
##########
@@ -190,22 +191,34 @@ Http2Stream::main_event_handler(int event, void *edata)
case VC_EVENT_READ_COMPLETE:
case VC_EVENT_READ_READY:
_timeout.update_inactivity();
- if (e->cookie == &read_vio) {
+ if (e && e->cookie == &read_vio) {
if (read_vio.mutex && read_vio.cont && this->_sm) {
signal_read_event(event);
}
} else {
this->update_read_request(true);
}
break;
+ case VC_EVENT_ERROR:
case VC_EVENT_EOS:
- if (e->cookie == &read_vio) {
+ if (e && e->cookie == &read_vio) {
SCOPED_MUTEX_LOCK(lock, read_vio.mutex, this_ethread());
- read_vio.cont->handleEvent(VC_EVENT_EOS, &read_vio);
- } else if (e->cookie == &write_vio) {
+ read_vio.cont->handleEvent(event, &read_vio);
+ } else if (e && e->cookie == &write_vio) {
SCOPED_MUTEX_LOCK(lock, write_vio.mutex, this_ethread());
- write_vio.cont->handleEvent(VC_EVENT_EOS, &write_vio);
+ write_vio.cont->handleEvent(event, &write_vio);
+ }
+
+ // This assuming stream on inbound side
+ // TODO: make appropriate state
+ if (recv_end_stream && write_vio.cont && write_vio.op == VIO::WRITE &&
write_vio.nbytes != 0) {
+ SCOPED_MUTEX_LOCK(lock, write_vio.cont->mutex, this_ethread());
+ write_vio.cont->handleEvent(event, &write_vio);
+ } else if (read_vio.cont && read_vio.op == VIO::READ) {
+ SCOPED_MUTEX_LOCK(lock, read_vio.cont->mutex, this_ethread());
+ read_vio.cont->handleEvent(event, &read_vio);
}
Review comment:
This second clause is causing our use after free. Like 209 sends the
EOS to our HttpTunnel which then causes everything to cleanup. Then in line
215 we try to access the HttpSM via the write_vio. Don't unnderstand why we
need to do this two times.
```
case VC_EVENT_ERROR:
case VC_EVENT_EOS:
if (e && e->cookie == &read_vio) {
SCOPED_MUTEX_LOCK(lock, read_vio.mutex, this_ethread());
read_vio.cont->handleEvent(event, &read_vio);
} else if (e && e->cookie == &write_vio) {
SCOPED_MUTEX_LOCK(lock, write_vio.mutex, this_ethread());
write_vio.cont->handleEvent(event, &write_vio);
}
// This assuming stream on inbound side
// TODO: make appropriate state
if (recv_end_stream && write_vio.cont && write_vio.op == VIO::WRITE &&
write_vio.nbytes != 0) {
SCOPED_MUTEX_LOCK(lock, write_vio.cont->mutex, this_ethread());
write_vio.cont->handleEvent(event, &write_vio);
} else if (read_vio.cont && read_vio.op == VIO::READ) {
SCOPED_MUTEX_LOCK(lock, read_vio.cont->mutex, this_ethread());
read_vio.cont->handleEvent(event, &read_vio);
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
