[
https://issues.apache.org/jira/browse/TS-3958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14950649#comment-14950649
]
Masakazu Kitajo commented on TS-3958:
-------------------------------------
{quote}
it should have allocated a fetch_sm after calling Http2Stream::init_fetcher()
{quote}
Did you confirm that? Is a fetch_sm really allocated before the core dump?
I found a scenario which causes the core.
The scenario is below:
Step 1. Send a HEADERS frame with an END_HEADERS flag and empty header blocks
on stream 1.
Step 2. Send a WINDOW_UPDATE frame on stream 0.
In this scenario, fetch_sm doesn't become non-null, because step 1 causes a
stream error before calling init_fetcher(). The error doesn't close the
connection, so the stream will be left open with uninitialized fetch_sm, and
this state accepts other frames.
In short, window updating after a stream error caused by bad header blocks (or
some other reasons) will cause the core dump.
Also, ignoring null fetch_sm is not enough.
https://tools.ietf.org/html/rfc7540#section-5.4.2
{quote}
A RST_STREAM is the last frame that an endpoint can send on a stream.
The peer that sends the RST_STREAM frame MUST be prepared to receive
any frames that were sent or enqueued for sending by the remote peer.
These frames can be ignored, except where they modify connection
state (such as the state maintained for header compression
(Section 4.3) or flow control).
{quote}
> HTTP/2 coredump with NULL FetchSM
> ---------------------------------
>
> Key: TS-3958
> URL: https://issues.apache.org/jira/browse/TS-3958
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP/2
> Reporter: Bryan Call
> Assignee: Bryan Call
> Fix For: 6.0.1
>
>
> {code}
> (gdb) bt
> #0 0x00000000005107b0 in FetchSM::ext_get_user_data (this=0x0) at
> FetchSM.cc:689
> #1 0x000000000064552e in Http2ConnectionState::send_data_frame
> (this=0x2b940b27ac30, fetch_sm=0x0) at Http2ConnectionState.cc:891
> #2 0x0000000000645250 in Http2ConnectionState::restart_streams
> (this=0x2b940b27ac30) at Http2ConnectionState.cc:845
> #3 0x000000000064437a in rcv_window_update_frame (cs=..., cstate=...,
> frame=...) at Http2ConnectionState.cc:539
> #4 0x0000000000644de5 in Http2ConnectionState::main_event_handler
> (this=0x2b940b27ac30, event=2253, edata=0x2b931ca087e0) at
> Http2ConnectionState.cc:733
> #5 0x0000000000510f78 in Continuation::handleEvent (this=0x2b940b27ac30,
> event=2253, data=0x2b931ca087e0) at ../iocore/eventsystem/I_Continuation.h:150
> #6 0x000000000063f655 in send_connection_event (cont=0x2b940b27ac30,
> event=2253, edata=0x2b931ca087e0) at Http2ClientSession.cc:59
> #7 0x00000000006415e7 in Http2ClientSession::state_complete_frame_read
> (this=0x2b940b27a9d0, event=100, edata=0x2b949c39b438) at
> Http2ClientSession.cc:398
> #8 0x00000000006403bd in Http2ClientSession::main_event_handler
> (this=0x2b940b27a9d0, event=100, edata=0x2b949c39b438) at
> Http2ClientSession.cc:222
> #9 0x0000000000510f78 in Continuation::handleEvent (this=0x2b940b27a9d0,
> event=100, data=0x2b949c39b438) at ../iocore/eventsystem/I_Continuation.h:150
> #10 0x000000000064132f in Http2ClientSession::state_start_frame_read
> (this=0x2b940b27a9d0, event=100, edata=0x2b949c39b438) at
> Http2ClientSession.cc:371
> #11 0x00000000006403bd in Http2ClientSession::main_event_handler
> (this=0x2b940b27a9d0, event=100, edata=0x2b949c39b438) at
> Http2ClientSession.cc:222
> #12 0x0000000000510f78 in Continuation::handleEvent (this=0x2b940b27a9d0,
> event=100, data=0x2b949c39b438) at ../iocore/eventsystem/I_Continuation.h:150
> #13 0x0000000000779f9e in read_signal_and_update (event=100,
> vc=0x2b949c39b320) at UnixNetVConnection.cc:148
> #14 0x000000000077ce08 in UnixNetVConnection::readSignalAndUpdate
> (this=0x2b949c39b320, event=100) at UnixNetVConnection.cc:1020
> #15 0x0000000000761b45 in SSLNetVConnection::net_read_io
> (this=0x2b949c39b320, nh=0x2b93165858f0, lthread=0x2b9316582010) at
> SSLNetVConnection.cc:587
> #16 0x0000000000773a72 in NetHandler::mainNetEvent (this=0x2b93165858f0,
> event=5, e=0x3053270) at UnixNet.cc:547
> #17 0x0000000000510f78 in Continuation::handleEvent (this=0x2b93165858f0,
> event=5, data=0x3053270) at ../iocore/eventsystem/I_Continuation.h:150
> #18 0x000000000079ae6a in EThread::process_event (this=0x2b9316582010,
> e=0x3053270, calling_code=5) at UnixEThread.cc:128
> #19 0x000000000079b374 in EThread::execute (this=0x2b9316582010) at
> UnixEThread.cc:252
> #20 0x000000000079a415 in spawn_thread_internal (a=0x2f209e0) at Thread.cc:85
> #21 0x00002b9313db39d1 in start_thread () from /lib64/libpthread.so.0
> #22 0x00000034884e88fd in clone () from /lib64/libc.so.6
> (gdb) frame 1
> #1 0x000000000064552e in Http2ConnectionState::send_data_frame
> (this=0x2b940b27ac30, fetch_sm=0x0) at Http2ConnectionState.cc:891
> 891 in Http2ConnectionState.cc
> (gdb) p fetch_sm
> $24 = (FetchSM *) 0x0
> (gdb) frame 2
> #2 0x0000000000645250 in Http2ConnectionState::restart_streams
> (this=0x2b940b27ac30) at Http2ConnectionState.cc:845
> 845 in Http2ConnectionState.cc
> (gdb) p *this
> $21 = {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top =
> 0x7ddbf0}, handler = (int (Continuation::*)(Continuation *, int,
> void *)) 0x644ac6 <Http2ConnectionState::main_event_handler(int, void*)>,
> mutex = {m_ptr = 0x2b94042f0d50}, link = {<SLink<Continuation>> = {next =
> 0x0},
> prev = 0x0}, debug_override = false}, ua_session = 0x2b940b27a9d0,
> local_dynamic_table = 0x2b940f50cda0, remote_dynamic_table = 0x2b940c780fc0,
> server_settings = {settings = {4096, 0, 100, 1048576, 16384, 4294967295}},
> client_settings = {settings = {4096, 0, 100, 65535, 16384, 4294967295}},
> client_rwnd = 11398558, server_rwnd = 1048576, stream_list = {head =
> 0x2b940f473fd0}, latest_streamid = 77, client_streams_count = 28,
> continued_stream_id = 0,
> continued_buffer = {iov_base = 0x0, iov_len = 0}}
> (gdb) p s
> $22 = (Http2Stream *) 0x2b940cd46a20
> (gdb) p *s
> $23 = {client_rwnd = 65535, server_rwnd = 1048576, link =
> {<SLink<Http2Stream>> = {next = 0x2b940e1bb2c0}, prev = 0x2b940c0157b0},
> header_blocks = "XXX", header_blocks_length = 96,
> request_header_length = 96, end_stream = true, _start_time = 0, _thread =
> 0x2b9316582010, _id = 47, _state = HTTP2_STREAM_STATE_HALF_CLOSED_REMOTE,
> _req_header = {<MIMEHdr> = {<HdrHeapSDKHandle> = {m_heap = 0x2b9414aa1ed0},
> m_mime = 0x2b9414aa1f88}, m_http = 0x2b9414aa1f58,
> m_url_cached = {<HdrHeapSDKHandle> = {m_heap = 0x0}, m_url_impl = 0x0},
> m_host_mime = 0x4632256567616d69, m_host_length = 1734701162, m_port =
> 1684629030,
> m_target_cached = false, m_target_in_url = 83, m_port_in_header = 101,
> static USE_HDR_HEAP_MAGIC = 0x1}, _fetch_sm = 0x0, body_done = false,
> data_length = 0}
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
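As an added example (not Traffic Server code), a reduced C++ model of the connection state from this issue showing the defensive handling: a stream error on bad header blocks marks the stream closed, restart_streams() skips closed streams and null fetchers, and the WINDOW_UPDATE on stream 0 is still applied to connection flow-control state as RFC 7540 5.4.2 requires. ModelStream, ModelConnState and replay_ts3958_scenario are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <list>
#include <memory>

enum class StreamState { OPEN, HALF_CLOSED_REMOTE, CLOSED };

struct FetchSM { int bytes_sent = 0; };   // stand-in for the real fetcher

struct ModelStream {
  uint32_t id;
  StreamState state = StreamState::OPEN;
  std::unique_ptr<FetchSM> fetch_sm;      // stays null until init_fetcher()
};

struct ModelConnState {
  int64_t client_rwnd = 65535;            // connection-level send window
  std::list<ModelStream> streams;
  int rst_sent = 0, data_frames_sent = 0;

  ModelStream &stream(uint32_t id) {
    for (auto &s : streams) if (s.id == id) return s;
    streams.push_back(ModelStream{id});
    return streams.back();
  }
  // HEADERS + END_HEADERS. An empty header block is a stream error: the
  // stream is reset and marked CLOSED instead of being left OPEN with
  // fetch_sm == nullptr (the state that crashed in TS-3958).
  void rcv_headers(uint32_t id, std::size_t header_block_len) {
    ModelStream &s = stream(id);
    if (header_block_len == 0) { s.state = StreamState::CLOSED; ++rst_sent; return; }
    s.fetch_sm = std::make_unique<FetchSM>();           // init_fetcher()
    s.state = StreamState::HALF_CLOSED_REMOTE;
  }
  // WINDOW_UPDATE on stream 0 modifies connection flow-control state and is
  // applied regardless of reset streams; on a reset stream it is ignored.
  void rcv_window_update(uint32_t id, int32_t increment) {
    if (id == 0) { client_rwnd += increment; restart_streams(); return; }
    if (stream(id).state != StreamState::CLOSED) restart_streams();
  }
  void restart_streams() {
    for (auto &s : streams) {
      if (s.state == StreamState::CLOSED || !s.fetch_sm) continue;  // the guard
      send_data_frame(s);
    }
  }
  void send_data_frame(ModelStream &s) { s.fetch_sm->bytes_sent++; ++data_frames_sent; }
};

// Replays the two-frame sequence from the comment plus one constructed healthy stream.
ModelConnState replay_ts3958_scenario() {
  ModelConnState cs;
  cs.rcv_headers(1, 0);           // Step 1: empty header block -> stream error
  cs.rcv_headers(3, 96);          // constructed: a stream that did get a fetcher
  cs.rcv_window_update(0, 1024);  // Step 2: WINDOW_UPDATE on stream 0
  return cs;
}
```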