Hi,

I found a segfault when using server-template within 1.9.x and 2.0-dev.
This seems to be related to  "http-reuse" as when I set to "never" it does
not crash anymore.

It appears that idle_orphan_conns is not being properly initialized for the
first server within the server-template.  I was able to confirm this by
creating a small server-template with 4 servers and setting all of the
addresses except for the first 1.  This did not result in a crash.  As soon
as I set and was sent to the first address it resulted in a crash.

I found that server_template_init() establishes everything fine for all
servers (setting id from prefix with srv_set_id_from_prefix() , etc... )
and then at the bottom of the function you can see it calls
srv_set_id_from_prefix() to then establish the id for the first server --
however, the first server doesn't get any of the logic to initialize the
idle_orphan_conns.

My initial fix added the idle_orphan_conns initialization code to the
bottom of server_template_init() (right below the srv_set_id_from_prefix()
which sets the prefix specifically for the first server slot) -- however
this seemed like it might be too messy.

I believe a better option is to remove the check for !srv->tmpl_info.prefix
within server_finalize_init().  Patch attached.

Feel free to correct me if I am wrong on this assumption.

Here is the config which results in a crash:

listen fe_main
    mode http
    bind *:80
    timeout server 5ms
    timeout client 5ms
    timeout connect 5ms
    server-template srv 2 10.1.0.1:80

(Should segfault after the first request)

HA-Proxy version 2.0-dev0-251a6b-97 2019/01/08 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_OPENSSL=1

Backtrace:
[New LWP 14046]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./haproxy -f crash.cfg -d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
244            LIST_ADDQ(&srv->idle_orphan_conns[tid], &conn->list);
(gdb) bt
#0  0x00000000004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
#1  session_free (sess=0x2330970) at src/session.c:90
#2  0x000000000050dca3 in mux_pt_destroy (ctx=0x2330920) at src/mux_pt.c:38
#3  0x0000000000446bdb in cs_destroy (cs=0x2331230) at
include/proto/connection.h:708
#4  si_release_endpoint (si=si@entry=0x2330cd8) at
include/proto/stream_interface.h:170
#5  0x000000000044c9ec in stream_free (s=0x2330a40) at src/stream.c:446
#6  process_stream (t=t@entry=0x2330e30, context=0x2330a40,
state=<optimized out>) at src/stream.c:2610
#7  0x0000000000509955 in process_runnable_tasks () at src/task.c:432
#8  0x000000000048b485 in run_poll_loop () at src/haproxy.c:2619
#9  run_thread_poll_loop (data=data@entry=0x23267d0) at src/haproxy.c:2684
#10 0x000000000040aa0c in main (argc=<optimized out>, argv=0x7fffd8018e48)
at src/haproxy.c:3313

(gdb) frame 0
#0  0x00000000004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
244            LIST_ADDQ(&srv->idle_orphan_conns[tid], &conn->list);

(gdb) print &srv->idle_orphan_conns[tid]
$1 = (struct list *) 0x0

(gdb) print &conn->list
$2 = (struct list *) 0x2331370

Attachment: 0001-BUG-MEDIUM-init-Initialize-idle_orphan_conns-for-fir.patch
Description: Binary data

Reply via email to