Re: [PR] Cancel pending origin connect on client abort [trafficserver]

Thu, 19 Mar 2026 12:03:59 -0700 


Copilot commented on code in PR #12999:
URL: https://github.com/apache/trafficserver/pull/12999#discussion_r2962127397


##########
src/proxy/http/HttpSM.cc:
##########
@@ -922,6 +922,10 @@ HttpSM::state_watch_for_client_abort(int event, void *data)
         vc_table.cleanup_entry(_ua.get_entry());
         _ua.set_entry(nullptr);
         tunnel.kill_tunnel();
+        // Drop any queued multiplexed origin connect immediately so a
+        // completed handshake cannot revive this transaction after the
+        // client has already aborted.

Review Comment:
   Calling cancel_pending_server_connection() here can delete the corresponding 
ConnectingEntry when this HttpSM is the last waiter in connect_sms. If the 
origin connect was started via connect_re() and did not return 
ACTION_RESULT_DONE (i.e., it returned an Action* that is still pending), 
HttpSM::pending_action may still reference that connect Action whose 
continuation is the ConnectingEntry. Deleting the ConnectingEntry before 
canceling that pending Action risks a use-after-free when the net connect later 
dispatches NET_EVENT_OPEN/NET_EVENT_OPEN_FAILED to the freed continuation. 
Consider canceling the pending connect action (e.g., pending_action = nullptr 
when its continuation is a ConnectingEntry) before removing/deleting the 
ConnectingEntry, or otherwise ensure the connect Action is canceled before the 
ConnectingEntry is destroyed.
   



##########
src/proxy/http/HttpSM.cc:
##########
@@ -955,6 +959,7 @@ HttpSM::state_watch_for_client_abort(int event, void *data)
     ATS_PROBE1(milestone_ua_close, sm_id);
     milestones[TS_MILESTONE_UA_CLOSE] = ink_get_hrtime();
     set_ua_abort(HttpTransact::ABORTED, event);

Review Comment:
   Same concern as above: cancel_pending_server_connection() can destroy a 
ConnectingEntry while an asynchronous connect Action is still outstanding (when 
connect_re returned an Action* instead of ACTION_RESULT_DONE). If 
pending_action still holds that connect Action, cancel it before 
removing/deleting the ConnectingEntry to avoid NET_EVENT_OPEN callbacks into 
freed memory.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to