Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2016/02/11 18:50:18 UTC

[jira] [Comment Edited] (TS-4192) Coredump in HPACK encoding

    [ https://issues.apache.org/jira/browse/TS-4192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143142#comment-15143142 ] 

Bryan Call edited comment on TS-4192 at 2/11/16 5:49 PM:
---------------------------------------------------------

I have been looking at this one for a few days now.  I added some extra code to print out the pointer value of the mime_hdr_field_find() call in mime_hdr_field_detach() if prev is NULL.

{code}
1579        if (prev == NULL)
1580          printf("first: %p\n", first);
{code}

It doesn't look like this is a valid header field, and the name doesn't match what we are trying to add, "Via", or what we are trying to delete in the call to mime_hdr_field_detach(), "Date".
{code}
first: 0x61d002955578
(gdb) p *(MIMEField *)0x61d002955578
$5 = {m_ptr_name = 0x61d002f5e4b2 "pts1.mm.bing.netts1.mmXXX",
  m_ptr_value = 0x61d002f5e4bf "netts1.mm.bing.nethttpthts1.mm.bing.nXXX", m_next_dup = 0x0, m_wks_idx = 10,
  m_len_name = 13, m_len_value = 23, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000', m_readiness = 3 '\003', m_flags = 3 '\003'}
(gdb) p *field
$10 = {
  m_ptr_name = 0x62100184fd20 "DateFri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-Modifie"...,
  m_ptr_value = 0x62100184fd24 "Fri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-ModifiedTue"..., m_next_dup = 0x629002954e88, m_wks_idx = 23, m_len_name = 4, m_len_value = 29, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000',
  m_readiness = 2 '\002', m_flags = 0 '\000'}
{code}


was (Author: bcall):
I have been looking at this one for a few days now.  I added some extra code to print out the pointer value of the mime_hdr_field_find() call in mime_hdr_field_detach() if prev is NULL.

{code}
1579        if (prev == NULL)
1580          printf("first: %p\n", first);
{code}

It doesn't look like this is a valid header field, and the names don't match what we are trying to add, "Via", or what we are trying to delete in the call to mime_hdr_field_detach(), "Date".
{code}
first: 0x61d002955578
(gdb) p *(MIMEField *)0x61d002955578
$5 = {m_ptr_name = 0x61d002f5e4b2 "pts1.mm.bing.netts1.mmXXX",
  m_ptr_value = 0x61d002f5e4bf "netts1.mm.bing.nethttpthts1.mm.bing.nXXX", m_next_dup = 0x0, m_wks_idx = 10,
  m_len_name = 13, m_len_value = 23, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000', m_readiness = 3 '\003', m_flags = 3 '\003'}
(gdb) p *field
$10 = {
  m_ptr_name = 0x62100184fd20 "DateFri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-Modifie"...,
  m_ptr_value = 0x62100184fd24 "Fri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-ModifiedTue"..., m_next_dup = 0x629002954e88, m_wks_idx = 23, m_len_name = 4, m_len_value = 29, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000',
  m_readiness = 2 '\002', m_flags = 0 '\000'}
{code}

> Coredump in HPACK encoding
> --------------------------
>
>                 Key: TS-4192
>                 URL: https://issues.apache.org/jira/browse/TS-4192
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP/2
>    Affects Versions: 6.1.1
>            Reporter: Bryan Call
>
> {code}
> #0  0x0000000000972f44 in mime_hdr_field_detach (mh=0x61d002955508, field=0x629002954de8, detach_all_dups=<optimized out>) at MIME.cc:1582
>         name_length = <optimized out>
>         prev = 0x0
>         first = <optimized out>
>         next_dup = <optimized out>
> #1  0x0000000000976daa in mime_hdr_field_delete (heap=0x61d002955480, mh=0x61d002955508, field=field@entry=0x629002954de8, delete_all_dups=delete_all_dups@entry=false) at MIME.cc:1631
> No locals.
> #2  0x0000000000844c6d in field_delete (delete_all_dups=false, field=0x629002954de8, this=<optimized out>) at ../../proxy/hdrs/MIME.h:1169
> No locals.
> #3  Http2DynamicTable::add_header_field (this=0x607000fa8b60, field=<optimized out>) at HPACK.cc:307
>         last_field = 0x629002954de8
>         new_field = 0x629002954de8
>         name = 0x628000009e18 "Via"
>         value = 0x625009705142 "http/1.0 c1.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])\r\nServer: ATS\r\nConnection: keep-alive\r\n\r\n", '\276' <repeats 35 times>...
>         header_size = <optimized out>
> #4  0x0000000000845112 in add_header_field_to_dynamic_table (field=<optimized out>, this=<optimized out>) at HPACK.cc:253
> No locals.
> #5  encode_literal_header_field_with_indexed_name (buf_start=buf_start@entry=0x7fffedda2487 <incomplete sequence \340>, buf_end=buf_end@entry=0x7fffedda6437 "", header=...,
>     index=<optimized out>, indexing_table=..., type=type@entry=HPACK_FIELD_INDEXED_LITERAL) at HPACK.cc:527
>         p = 0x7fffedda2487 <incomplete sequence \340>
>         len = <optimized out>
>         prefix = 0 '\000'
>         flag = 0 '\000'
>         value = <optimized out>
>         __FUNCTION__ = "encode_literal_header_field_with_indexed_name"
> #6  0x000000000080a8ca in http2_write_header_field (out=out@entry=0x7fffedda2487 <incomplete sequence \340>, end=end@entry=0x7fffedda6437 "", header=..., indexing_table=...) at HTTP2.cc:509
>         field_type = HPACK_FIELD_INDEXED_LITERAL
>         name = <optimized out>
> #7  0x000000000080c616 in http2_write_header_fragment (in=in@entry=0x616000034340, field_iter=..., out=out@entry=0x7fffedda2441 "\354l\226\320z\276\224\020T\276R( \005\265",
>     out_len=out_len@entry=16374, indexing_table=..., cont=@0x7fffedda2300: false) at HTTP2.cc:592
>         name = 0x628000009e18 "Via"
>         p = 0x7fffedda2487 <incomplete sequence \340>
>         end = 0x7fffedda6437 ""
>         len = <optimized out>
>         field = 0x61d0052550a8
> #8  0x00000000008272a0 in Http2ConnectionState::send_headers_frame (this=this@entry=0x618000018ee8, fetch_sm=<optimized out>) at Http2ConnectionState.cc:1009
>         type = HTTP2_FRAME_TYPE_HEADERS
>         __FUNCTION__ = "send_headers_frame"
>         buf_len = 16375
>         payload_length = <optimized out>
>         flags = 0 '\000'
>         stream = 0x60f00003e890
>         resp_header = 0x616000034340
> #9  0x00000000008388db in Http2ConnectionState::main_event_handler (this=0x618000018ee8, event=-2, edata=<optimized out>) at Http2ConnectionState.cc:779
>         fetch_sm = <optimized out>
>         __FUNCTION__ = "main_event_handler"
> {code}
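
A minimal C model of the state seen in frame #0 (prev == NULL while unlinking a duplicate), added here as an illustration and not taken from Traffic Server's MIME.cc. The struct layout, the chain walk and the return codes are assumptions; only the member names and the sample name bytes come from the gdb output above. It shows a detach that verifies the looked-up head before walking the duplicate chain, instead of dereferencing a NULL prev.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for MIMEField; names are length-delimited, not NUL-terminated. */
typedef struct Field {
    const char   *m_ptr_name;
    int           m_len_name;
    struct Field *m_next_dup;
} Field;

enum { DETACH_OK = 0, DETACH_NAME_MISMATCH = -1, DETACH_NOT_CHAINED = -2 };

static int same_name(const Field *a, const Field *b) {
    return a->m_len_name == b->m_len_name &&
           memcmp(a->m_ptr_name, b->m_ptr_name, (size_t)a->m_len_name) == 0;
}

/* Unlink non-head duplicate `field` from the chain starting at `first` (the lookup result). */
static int detach_dup(Field *first, Field *field) {
    if (first == NULL || !same_name(first, field))
        return DETACH_NAME_MISMATCH;        /* lookup returned an unrelated field */
    Field *prev = first;
    while (prev != NULL && prev->m_next_dup != field)
        prev = prev->m_next_dup;
    if (prev == NULL)
        return DETACH_NOT_CHAINED;          /* the prev == NULL state from frame #0 */
    prev->m_next_dup = field->m_next_dup;
    field->m_next_dup = NULL;
    return DETACH_OK;
}

/* Constructed inputs; the name bytes mirror the gdb output on this page. */
static int demo_consistent(void) {
    Field dup  = { "DateFri, 29 Jan 2016", 4, NULL };
    Field head = { "DateThu, 28 Jan 2016", 4, &dup };
    int rc = detach_dup(&head, &dup);
    return (rc == DETACH_OK && head.m_next_dup == NULL) ? DETACH_OK : -99;
}
static int demo_wrong_first(void) {
    Field field = { "DateFri, 29 Jan 2016", 4, NULL };
    Field first = { "pts1.mm.bing.netts1.mm", 13, NULL };
    return detach_dup(&first, &field);
}
static int demo_unchained(void) {
    Field field = { "DateFri, 29 Jan 2016", 4, NULL };
    Field first = { "DateThu, 28 Jan 2016", 4, NULL };
    return detach_dup(&first, &field);
}

int main(void) {
    printf("%d %d %d\n", demo_consistent(), demo_wrong_first(), demo_unchained());
    return 0;
}
```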


