You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2016/02/11 18:50:18 UTC
[jira] [Comment Edited] (TS-4192) Coredump in HPACK encoding
[ https://issues.apache.org/jira/browse/TS-4192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143142#comment-15143142 ]
Bryan Call edited comment on TS-4192 at 2/11/16 5:49 PM:
---------------------------------------------------------
I have been looking at this one for few days now. I added some extra code to print out the pointer value of the mime_hdr_field_find() call in mime_hdr_field_detach() if prev is NULL.
{code}
1579 if (prev == NULL)
1580 printf("first: %p\n", first);
{code}
It doesn't look like this is a valid header filed and the name doesn't match what we are trying to add "Via" or what we are trying to delete in the call to mime_hdr_field_detach() "Date".
{code}
first: 0x61d002955578
(gdb) p *(MIMEField *)0x61d002955578
$5 = {m_ptr_name = 0x61d002f5e4b2 "pts1.mm.bing.netts1.mmXXX",
m_ptr_value = 0x61d002f5e4bf "netts1.mm.bing.nethttpthts1.mm.bing.nXXX", m_next_dup = 0x0, m_wks_idx = 10,
m_len_name = 13, m_len_value = 23, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000', m_readiness = 3 '\003', m_flags = 3 '\003'}
(gdb) p *field
$10 = {
m_ptr_name = 0x62100184fd20 "DateFri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-Modifie"...,
m_ptr_value = 0x62100184fd24 "Fri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-ModifiedTue"..., m_next_dup = 0x629002954e88, m_wks_idx = 23, m_len_name = 4, m_len_value = 29, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000',
m_readiness = 2 '\002', m_flags = 0 '\000'}
{code}
was (Author: bcall):
I have been looking at this one for few days now. I added some extra code to print out the pointer value of the mime_hdr_field_find() call in mime_hdr_field_detach() if prev is NULL.
{code}
1579 if (prev == NULL)
1580 printf("first: %p\n", first);
{code}
It doesn't look like this is a valid header filed and the names doesn't match what we are trying to add "Via" or what we are trying to delete in the call to mime_hdr_field_detach() "Date".
{code}
first: 0x61d002955578
(gdb) p *(MIMEField *)0x61d002955578
$5 = {m_ptr_name = 0x61d002f5e4b2 "pts1.mm.bing.netts1.mmXXX",
m_ptr_value = 0x61d002f5e4bf "netts1.mm.bing.nethttpthts1.mm.bing.nXXX", m_next_dup = 0x0, m_wks_idx = 10,
m_len_name = 13, m_len_value = 23, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000', m_readiness = 3 '\003', m_flags = 3 '\003'}
(gdb) p *field
$10 = {
m_ptr_name = 0x62100184fd20 "DateFri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-Modifie"...,
m_ptr_value = 0x62100184fd24 "Fri, 29 Jan 2016 23:43:53 GMTAge1042573Content-Length1038Viahttp/1.0 c4.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])Last-ModifiedTue"..., m_next_dup = 0x629002954e88, m_wks_idx = 23, m_len_name = 4, m_len_value = 29, m_n_v_raw_printable = 0 '\000', m_n_v_raw_printable_pad = 0 '\000',
m_readiness = 2 '\002', m_flags = 0 '\000'}
{code}
> Coredump in HPACK encoding
> --------------------------
>
> Key: TS-4192
> URL: https://issues.apache.org/jira/browse/TS-4192
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP/2
> Affects Versions: 6.1.1
> Reporter: Bryan Call
>
> {code}
> #0 0x0000000000972f44 in mime_hdr_field_detach (mh=0x61d002955508, field=0x629002954de8, detach_all_dups=<optimized out>) at MIME.cc:1582
> name_length = <optimized out>
> prev = 0x0
> first = <optimized out>
> next_dup = <optimized out>
> #1 0x0000000000976daa in mime_hdr_field_delete (heap=0x61d002955480, mh=0x61d002955508, field=field@entry=0x629002954de8, delete_all_dups=delete_all_dups@entry=false) at MIME.cc:1631
> No locals.
> #2 0x0000000000844c6d in field_delete (delete_all_dups=false, field=0x629002954de8, this=<optimized out>) at ../../proxy/hdrs/MIME.h:1169
> No locals.
> #3 Http2DynamicTable::add_header_field (this=0x607000fa8b60, field=<optimized out>) at HPACK.cc:307
> last_field = 0x629002954de8
> new_field = 0x629002954de8
> name = 0x628000009e18 "Via"
> value = 0x625009705142 "http/1.0 c1.ycs.ne1.yahoo.com (ApacheTrafficServer [cRs f ]), https/1.1 l28.ycs.sjb.yahoo.com (ApacheTrafficServer [cRs f ])\r\nServer: ATS\r\nConnection: keep-alive\r\n\r\n", '\276' <repeats 35 times>...
> header_size = <optimized out>
> #4 0x0000000000845112 in add_header_field_to_dynamic_table (field=<optimized out>, this=<optimized out>) at HPACK.cc:253
> No locals.
> #5 encode_literal_header_field_with_indexed_name (buf_start=buf_start@entry=0x7fffedda2487 <incomplete sequence \340>, buf_end=buf_end@entry=0x7fffedda6437 "", header=...,
> index=<optimized out>, indexing_table=..., type=type@entry=HPACK_FIELD_INDEXED_LITERAL) at HPACK.cc:527
> p = 0x7fffedda2487 <incomplete sequence \340>
> len = <optimized out>
> prefix = 0 '\000'
> flag = 0 '\000'
> value = <optimized out>
> __FUNCTION__ = "encode_literal_header_field_with_indexed_name"
> #6 0x000000000080a8ca in http2_write_header_field (out=out@entry=0x7fffedda2487 <incomplete sequence \340>, end=end@entry=0x7fffedda6437 "", header=..., indexing_table=...) at HTTP2.cc:509
> field_type = HPACK_FIELD_INDEXED_LITERAL
> name = <optimized out>
> #7 0x000000000080c616 in http2_write_header_fragment (in=in@entry=0x616000034340, field_iter=..., out=out@entry=0x7fffedda2441 "\354l\226\320z\276\224\020T\276R( \005\265",
> out_len=out_len@entry=16374, indexing_table=..., cont=@0x7fffedda2300: false) at HTTP2.cc:592
> name = 0x628000009e18 "Via"
> p = 0x7fffedda2487 <incomplete sequence \340>
> end = 0x7fffedda6437 ""
> len = <optimized out>
> field = 0x61d0052550a8
> #8 0x00000000008272a0 in Http2ConnectionState::send_headers_frame (this=this@entry=0x618000018ee8, fetch_sm=<optimized out>) at Http2ConnectionState.cc:1009
> type = HTTP2_FRAME_TYPE_HEADERS
> __FUNCTION__ = "send_headers_frame"
> buf_len = 16375
> payload_length = <optimized out>
> flags = 0 '\000'
> stream = 0x60f00003e890
> resp_header = 0x616000034340
> #9 0x00000000008388db in Http2ConnectionState::main_event_handler (this=0x618000018ee8, event=-2, edata=<optimized out>) at Http2ConnectionState.cc:779
> fetch_sm = <optimized out>
> __FUNCTION__ = "main_event_handler"
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)