[
https://issues.apache.org/jira/browse/TS-3363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sudheer Vinukonda updated TS-3363:
----------------------------------
Description:
The core dump is caused by missing null check for *c* here
{{https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5250}}
although, it seems that *c* shouldn't be null at this point (if *tunnel* is
active).
{code}
(gdb) bt
#0 0x00000000005daca9 in HttpSM::handle_server_setup_error
(this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:5188
#1 0x00000000005cf16f in HttpSM::state_read_server_response_header
(this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:1750
#2 0x00000000005d19ae in HttpSM::main_handler (this=0x2b906c5d8f10, event=105,
data=0x2b8e183b8300) at HttpSM.cc:2522
#3 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b906c5d8f10,
event=105, data=0x2b8e183b8300) at ../iocore/eventsystem/I_Continuation.h:146
#4 0x00000000007379b3 in read_signal_and_update (event=105, vc=0x2b8e183b81f0)
at UnixNetVConnection.cc:141
#5 0x000000000073a928 in UnixNetVConnection::mainEvent (this=0x2b8e183b81f0,
event=1, e=0x2771150) at UnixNetVConnection.cc:1071
#6 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b8e183b81f0,
event=1, data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
#7 0x0000000000731eba in InactivityCop::check_inactivity (this=0x2647ba0,
event=2, e=0x2771150) at UnixNet.cc:100
#8 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2647ba0, event=2,
data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
#9 0x000000000075858e in EThread::process_event (this=0x2b8c9eb56010,
e=0x2771150, calling_code=2) at UnixEThread.cc:145
#10 0x00000000007588a9 in EThread::execute (this=0x2b8c9eb56010) at
UnixEThread.cc:224
#11 0x0000000000757b0c in spawn_thread_internal (a=0x2642360) at Thread.cc:88
#12 0x00002b8c9c6d8851 in __free_tcb () from /lib64/libpthread.so.0
#13 0x0000000000000000 in ?? ()
(gdb) print c
$1 = (HttpTunnelConsumer *) 0x0
(gdb) p post_transform_info.vc
$2 = (VConnection *) 0x0
(gdb) p post_transform_info
$3 = {entry = 0x0, vc = 0x0}
(gdb) p tunnel
$4 = {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top =
0x7900d0}, handler = (int (Continuation::*)(Continuation *, int, void *))
0x61a23e
<HttpTunnel::main_handler(int, void*)>, mutex = {m_ptr = 0x2b8db912c7e0},
link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}}, num_producers = 1,
num_consumers = 1, consumers = {{
link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer
= 0x2b906c5d9d30, self_producer = 0x0, vc_type = HT_HTTP_CLIENT, vc =
0x2b8ec5e96d50,
buffer_reader = 0x2b8db3149e50, vc_handler = (int (HttpSM::*)(HttpSM *,
int, HttpTunnelConsumer *)) 0x5d3078
<HttpSM::tunnel_handler_100_continue_ua(int, HttpTunnelConsumer*)>,
write_vio = 0x2b8e1883baf8, skip_bytes = 0, bytes_written = 0,
handler_state = 0, alive = true, write_success = false, name = 0x78e839 "user
agent"}, {
link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer
= 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc = 0x0, buffer_reader =
0x0, vc_handler = NULL,
write_vio = 0x0, skip_bytes = 0, bytes_written = 0, handler_state = 0,
alive = false, write_success = false, name = 0x0}, {link =
{<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0},
producer = 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc = 0x0,
buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0, skip_bytes = 0,
bytes_written = 0, handler_state = 0,
alive = false, write_success = false, name = 0x0}, {link =
{<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer = 0x0,
self_producer = 0x0, vc_type = HT_HTTP_SERVER,
vc = 0x0, buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0,
skip_bytes = 0, bytes_written = 0, handler_state = 0, alive = false,
write_success = false, name = 0x0}}, producers = {{
consumer_list = {head = 0x2b906c5d9b70}, self_consumer = 0x0, vc = 0x1,
vc_handler = NULL, read_vio = 0x0, read_buffer = 0x2b8db3149e10, buffer_start =
0x0, vc_type = HT_STATIC,
chunked_handler = {static DEFAULT_MAX_CHUNK_SIZE = 4096, action =
ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0, dechunked_buffer = 0x0,
dechunked_size = 0, dechunked_reader = 0x0,
chunked_buffer = 0x0, chunked_size = 0, truncation = false, skip_bytes
= 0, state = ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left =
0, last_server_event = 0,
running_sum = 0, num_digits = 0, max_chunk_size = 0, max_chunk_header =
'\000' <repeats 15 times>, max_chunk_header_len = 0}, chunking_action =
TCA_PASSTHRU_DECHUNKED_CONTENT,
do_chunking = false, do_dechunking = false, do_chunked_passthru = false,
init_bytes_done = 75, nbytes = 75, ntodo = 0, bytes_read = 0, handler_state =
0, last_event = 0,
num_consumers = 1, alive = false, read_success = true,
flow_control_source = 0x0, name = 0x78e8b6 "internal msg - 100 continue"},
{consumer_list = {head = 0x0}, self_consumer = 0x0,
vc = 0x0, vc_handler = NULL, read_vio = 0x0, read_buffer = 0x0,
buffer_start = 0x0, vc_type = HT_HTTP_SERVER, chunked_handler = {static
DEFAULT_MAX_CHUNK_SIZE = 4096,
action = ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0,
dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0,
chunked_buffer = 0x0, chunked_size = 0,
truncation = false, skip_bytes = 0, state =
ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left = 0,
last_server_event = 0, running_sum = 0, num_digits = 0,
max_chunk_size = 0, max_chunk_header = '\000' <repeats 15 times>,
max_chunk_header_len = 0}, chunking_action = TCA_CHUNK_CONTENT, do_chunking =
false, do_dechunking = false,
do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0,
bytes_read = 0, handler_state = 0, last_event = 0, num_consumers = 0, alive =
false, read_success = false,
flow_control_source = 0x0, name = 0x0}}, sm = 0x2b906c5d8f10, active =
true, flow_state = {static DEFAULT_WATER_MARK = 65536, high_water = 65536,
low_water = 65536, enabled_p = false},
postbuf = 0x0}
{code}
was:
The core dump is caused by missing null check for *c* here {{
https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5250}}
although, it seems that *c* shouldn't be null at this point (if *tunnel* is
active).
{code}
(gdb) bt
#0 0x00000000005daca9 in HttpSM::handle_server_setup_error
(this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:5188
#1 0x00000000005cf16f in HttpSM::state_read_server_response_header
(this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:1750
#2 0x00000000005d19ae in HttpSM::main_handler (this=0x2b906c5d8f10, event=105,
data=0x2b8e183b8300) at HttpSM.cc:2522
#3 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b906c5d8f10,
event=105, data=0x2b8e183b8300) at ../iocore/eventsystem/I_Continuation.h:146
#4 0x00000000007379b3 in read_signal_and_update (event=105, vc=0x2b8e183b81f0)
at UnixNetVConnection.cc:141
#5 0x000000000073a928 in UnixNetVConnection::mainEvent (this=0x2b8e183b81f0,
event=1, e=0x2771150) at UnixNetVConnection.cc:1071
#6 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b8e183b81f0,
event=1, data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
#7 0x0000000000731eba in InactivityCop::check_inactivity (this=0x2647ba0,
event=2, e=0x2771150) at UnixNet.cc:100
#8 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2647ba0, event=2,
data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
#9 0x000000000075858e in EThread::process_event (this=0x2b8c9eb56010,
e=0x2771150, calling_code=2) at UnixEThread.cc:145
#10 0x00000000007588a9 in EThread::execute (this=0x2b8c9eb56010) at
UnixEThread.cc:224
#11 0x0000000000757b0c in spawn_thread_internal (a=0x2642360) at Thread.cc:88
#12 0x00002b8c9c6d8851 in __free_tcb () from /lib64/libpthread.so.0
#13 0x0000000000000000 in ?? ()
(gdb) print c
$1 = (HttpTunnelConsumer *) 0x0
(gdb) p post_transform_info.vc
$2 = (VConnection *) 0x0
(gdb) p post_transform_info
$3 = {entry = 0x0, vc = 0x0}
(gdb) p tunnel
$4 = {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top =
0x7900d0}, handler = (int (Continuation::*)(Continuation *, int, void *))
0x61a23e
<HttpTunnel::main_handler(int, void*)>, mutex = {m_ptr = 0x2b8db912c7e0},
link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}}, num_producers = 1,
num_consumers = 1, consumers = {{
link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer
= 0x2b906c5d9d30, self_producer = 0x0, vc_type = HT_HTTP_CLIENT, vc =
0x2b8ec5e96d50,
buffer_reader = 0x2b8db3149e50, vc_handler = (int (HttpSM::*)(HttpSM *,
int, HttpTunnelConsumer *)) 0x5d3078
<HttpSM::tunnel_handler_100_continue_ua(int, HttpTunnelConsumer*)>,
write_vio = 0x2b8e1883baf8, skip_bytes = 0, bytes_written = 0,
handler_state = 0, alive = true, write_success = false, name = 0x78e839 "user
agent"}, {
link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer
= 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc = 0x0, buffer_reader =
0x0, vc_handler = NULL,
write_vio = 0x0, skip_bytes = 0, bytes_written = 0, handler_state = 0,
alive = false, write_success = false, name = 0x0}, {link =
{<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0},
producer = 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc = 0x0,
buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0, skip_bytes = 0,
bytes_written = 0, handler_state = 0,
alive = false, write_success = false, name = 0x0}, {link =
{<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer = 0x0,
self_producer = 0x0, vc_type = HT_HTTP_SERVER,
vc = 0x0, buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0,
skip_bytes = 0, bytes_written = 0, handler_state = 0, alive = false,
write_success = false, name = 0x0}}, producers = {{
consumer_list = {head = 0x2b906c5d9b70}, self_consumer = 0x0, vc = 0x1,
vc_handler = NULL, read_vio = 0x0, read_buffer = 0x2b8db3149e10, buffer_start =
0x0, vc_type = HT_STATIC,
chunked_handler = {static DEFAULT_MAX_CHUNK_SIZE = 4096, action =
ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0, dechunked_buffer = 0x0,
dechunked_size = 0, dechunked_reader = 0x0,
chunked_buffer = 0x0, chunked_size = 0, truncation = false, skip_bytes
= 0, state = ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left =
0, last_server_event = 0,
running_sum = 0, num_digits = 0, max_chunk_size = 0, max_chunk_header =
'\000' <repeats 15 times>, max_chunk_header_len = 0}, chunking_action =
TCA_PASSTHRU_DECHUNKED_CONTENT,
do_chunking = false, do_dechunking = false, do_chunked_passthru = false,
init_bytes_done = 75, nbytes = 75, ntodo = 0, bytes_read = 0, handler_state =
0, last_event = 0,
num_consumers = 1, alive = false, read_success = true,
flow_control_source = 0x0, name = 0x78e8b6 "internal msg - 100 continue"},
{consumer_list = {head = 0x0}, self_consumer = 0x0,
vc = 0x0, vc_handler = NULL, read_vio = 0x0, read_buffer = 0x0,
buffer_start = 0x0, vc_type = HT_HTTP_SERVER, chunked_handler = {static
DEFAULT_MAX_CHUNK_SIZE = 4096,
action = ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0,
dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0,
chunked_buffer = 0x0, chunked_size = 0,
truncation = false, skip_bytes = 0, state =
ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left = 0,
last_server_event = 0, running_sum = 0, num_digits = 0,
max_chunk_size = 0, max_chunk_header = '\000' <repeats 15 times>,
max_chunk_header_len = 0}, chunking_action = TCA_CHUNK_CONTENT, do_chunking =
false, do_dechunking = false,
do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0,
bytes_read = 0, handler_state = 0, last_event = 0, num_consumers = 0, alive =
false, read_success = false,
flow_control_source = 0x0, name = 0x0}}, sm = 0x2b906c5d8f10, active =
true, flow_state = {static DEFAULT_WATER_MARK = 65536, high_water = 65536,
low_water = 65536, enabled_p = false},
postbuf = 0x0}
{code}
> core dump in HttpSM::handle_server_setup_error when handling inactivity timer
> expiry
> ------------------------------------------------------------------------------------
>
> Key: TS-3363
> URL: https://issues.apache.org/jira/browse/TS-3363
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Sudheer Vinukonda
>
> The core dump is caused by missing null check for *c* here
> {{https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5250}}
> although, it seems that *c* shouldn't be null at this point (if *tunnel* is
> active).
> {code}
> (gdb) bt
> #0 0x00000000005daca9 in HttpSM::handle_server_setup_error
> (this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:5188
> #1 0x00000000005cf16f in HttpSM::state_read_server_response_header
> (this=0x2b906c5d8f10, event=105, data=0x2b8e183b8300) at HttpSM.cc:1750
> #2 0x00000000005d19ae in HttpSM::main_handler (this=0x2b906c5d8f10,
> event=105, data=0x2b8e183b8300) at HttpSM.cc:2522
> #3 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b906c5d8f10,
> event=105, data=0x2b8e183b8300) at ../iocore/eventsystem/I_Continuation.h:146
> #4 0x00000000007379b3 in read_signal_and_update (event=105,
> vc=0x2b8e183b81f0) at UnixNetVConnection.cc:141
> #5 0x000000000073a928 in UnixNetVConnection::mainEvent (this=0x2b8e183b81f0,
> event=1, e=0x2771150) at UnixNetVConnection.cc:1071
> #6 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2b8e183b81f0,
> event=1, data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
> #7 0x0000000000731eba in InactivityCop::check_inactivity (this=0x2647ba0,
> event=2, e=0x2771150) at UnixNet.cc:100
> #8 0x00000000004f6bb8 in Continuation::handleEvent (this=0x2647ba0, event=2,
> data=0x2771150) at ../iocore/eventsystem/I_Continuation.h:146
> #9 0x000000000075858e in EThread::process_event (this=0x2b8c9eb56010,
> e=0x2771150, calling_code=2) at UnixEThread.cc:145
> #10 0x00000000007588a9 in EThread::execute (this=0x2b8c9eb56010) at
> UnixEThread.cc:224
> #11 0x0000000000757b0c in spawn_thread_internal (a=0x2642360) at Thread.cc:88
> #12 0x00002b8c9c6d8851 in __free_tcb () from /lib64/libpthread.so.0
> #13 0x0000000000000000 in ?? ()
> (gdb) print c
> $1 = (HttpTunnelConsumer *) 0x0
> (gdb) p post_transform_info.vc
> $2 = (VConnection *) 0x0
> (gdb) p post_transform_info
> $3 = {entry = 0x0, vc = 0x0}
> (gdb) p tunnel
> $4 = {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top =
> 0x7900d0}, handler = (int (Continuation::*)(Continuation *, int, void *))
> 0x61a23e
> <HttpTunnel::main_handler(int, void*)>, mutex = {m_ptr =
> 0x2b8db912c7e0}, link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}},
> num_producers = 1, num_consumers = 1, consumers = {{
> link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0},
> producer = 0x2b906c5d9d30, self_producer = 0x0, vc_type = HT_HTTP_CLIENT, vc
> = 0x2b8ec5e96d50,
> buffer_reader = 0x2b8db3149e50, vc_handler = (int (HttpSM::*)(HttpSM *,
> int, HttpTunnelConsumer *)) 0x5d3078
> <HttpSM::tunnel_handler_100_continue_ua(int, HttpTunnelConsumer*)>,
> write_vio = 0x2b8e1883baf8, skip_bytes = 0, bytes_written = 0,
> handler_state = 0, alive = true, write_success = false, name = 0x78e839 "user
> agent"}, {
> link = {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0},
> producer = 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc = 0x0,
> buffer_reader = 0x0, vc_handler = NULL,
> write_vio = 0x0, skip_bytes = 0, bytes_written = 0, handler_state = 0,
> alive = false, write_success = false, name = 0x0}, {link =
> {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0},
> producer = 0x0, self_producer = 0x0, vc_type = HT_HTTP_SERVER, vc =
> 0x0, buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0, skip_bytes = 0,
> bytes_written = 0, handler_state = 0,
> alive = false, write_success = false, name = 0x0}, {link =
> {<SLink<HttpTunnelConsumer>> = {next = 0x0}, prev = 0x0}, producer = 0x0,
> self_producer = 0x0, vc_type = HT_HTTP_SERVER,
> vc = 0x0, buffer_reader = 0x0, vc_handler = NULL, write_vio = 0x0,
> skip_bytes = 0, bytes_written = 0, handler_state = 0, alive = false,
> write_success = false, name = 0x0}}, producers = {{
> consumer_list = {head = 0x2b906c5d9b70}, self_consumer = 0x0, vc = 0x1,
> vc_handler = NULL, read_vio = 0x0, read_buffer = 0x2b8db3149e10, buffer_start
> = 0x0, vc_type = HT_STATIC,
> chunked_handler = {static DEFAULT_MAX_CHUNK_SIZE = 4096, action =
> ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0, dechunked_buffer = 0x0,
> dechunked_size = 0, dechunked_reader = 0x0,
> chunked_buffer = 0x0, chunked_size = 0, truncation = false,
> skip_bytes = 0, state = ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0,
> bytes_left = 0, last_server_event = 0,
> running_sum = 0, num_digits = 0, max_chunk_size = 0, max_chunk_header
> = '\000' <repeats 15 times>, max_chunk_header_len = 0}, chunking_action =
> TCA_PASSTHRU_DECHUNKED_CONTENT,
> do_chunking = false, do_dechunking = false, do_chunked_passthru =
> false, init_bytes_done = 75, nbytes = 75, ntodo = 0, bytes_read = 0,
> handler_state = 0, last_event = 0,
> num_consumers = 1, alive = false, read_success = true,
> flow_control_source = 0x0, name = 0x78e8b6 "internal msg - 100 continue"},
> {consumer_list = {head = 0x0}, self_consumer = 0x0,
> vc = 0x0, vc_handler = NULL, read_vio = 0x0, read_buffer = 0x0,
> buffer_start = 0x0, vc_type = HT_HTTP_SERVER, chunked_handler = {static
> DEFAULT_MAX_CHUNK_SIZE = 4096,
> action = ChunkedHandler::ACTION_DOCHUNK, chunked_reader = 0x0,
> dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0,
> chunked_buffer = 0x0, chunked_size = 0,
> truncation = false, skip_bytes = 0, state =
> ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left = 0,
> last_server_event = 0, running_sum = 0, num_digits = 0,
> max_chunk_size = 0, max_chunk_header = '\000' <repeats 15 times>,
> max_chunk_header_len = 0}, chunking_action = TCA_CHUNK_CONTENT, do_chunking =
> false, do_dechunking = false,
> do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo =
> 0, bytes_read = 0, handler_state = 0, last_event = 0, num_consumers = 0,
> alive = false, read_success = false,
> flow_control_source = 0x0, name = 0x0}}, sm = 0x2b906c5d8f10, active =
> true, flow_state = {static DEFAULT_WATER_MARK = 65536, high_water = 65536,
> low_water = 65536, enabled_p = false},
> postbuf = 0x0}
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
