Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-4444

Segfault accessing NULL connection buffer reader

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 6.2.0, 7.0.0
    • None
    • None

    Description

      A few days ago, we found a segfault trying to use the master branch in staging. Using ATS as a proxy to another http server, we managed to segfault ATS with simple client requests.

      This problem is hard to reproduce, we've seen it connecting clients from Mac OS X and Linux, but it doesn't always happen.

      This is the crash:

      Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff2f83700 (LWP 20224)]
HttpTunnel::consumer_handler (this=this@entry=0x7fffe8fa4d28, event=103, c=0x7fffe8fa4dd8) at HttpTunnel.cc:1340
1340        c->buffer_reader->mbuf->dealloc_reader(c->buffer_reader);
(gdb) bt
#0  HttpTunnel::consumer_handler (this=this@entry=0x7fffe8fa4d28, event=103, c=0x7fffe8fa4dd8) at HttpTunnel.cc:1340
#1  0x00000000005ea395 in HttpTunnel::main_handler (this=0x7fffe8fa4d28, event=<optimized out>, data=<optimized out>) at HttpTunnel.cc:1574
#2  0x000000000068df8f in handleEvent (data=0x7fffe4218e00, event=<optimized out>, this=<optimized out>) at ../../iocore/eventsystem/I_Continuation.h:153
#3  CacheVC::calluser (this=0x7fffe4218bb0, event=<optimized out>) at ../../iocore/cache/P_CacheInternal.h:628
#4  0x0000000000704c95 in CacheVC::openWriteMain (this=0x7fffe4218bb0) at CacheWrite.cc:1350
#5  0x00000000007627d0 in handleEvent (data=0x7fffe41d4f80, event=1, this=<optimized out>) at I_Continuation.h:153
#6  EThread::process_event (this=0x7ffff3085010, e=0x7fffe41d4f80, calling_code=1) at UnixEThread.cc:130
#7  0x000000000076348b in EThread::execute (this=0x7ffff3085010) at UnixEThread.cc:184
#8  0x000000000076224a in spawn_thread_internal (a=0x10affa0) at Thread.cc:86
#9  0x00007ffff6890182 in start_thread (arg=0x7ffff2f83700) at pthread_create.c:312
#10 0x00007ffff5b9947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

      We were able to reproduce the issue with this simple Go program:

      package main

import (
	"fmt"
	"html"
	"log"
	"net/http"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=UTF-8")
		w.Header().Set("Cache-Control", "public, max-age=0, must-revalidate")
		fmt.Fprintf(w, "Hello, %q", html.EscapeString(r.URL.Path))
	})
	log.Fatal(http.ListenAndServe(":9393", nil))
}

      We redirect ATS to this program with a very simple remap rule:

      regex_map http://.*  http://10.1.10.17:9393

      Using `git bisect` we found that the issue was introduced in this commit, although we don't really understand why:

      https://github.com/apache/trafficserver/commit/af76977adb9f3c0296a232688bbcb5a1421a6768

      I have a patch ready that seems to fix the problem and that I'll push as a pull request to GitHub asap.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. TS-4454 iobuffer readers are being cleared

          • Major - Major loss of function.
          • Open
          links to

          Web Link GitHub Pull Request #638

          Web Link GitHub Pull Request #638

          Web Link GitHub Pull Request #638

          Activity

            People

              shinrich Susan Hinrichs
              calavera David Calavera
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: