tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License

segfault in spdylay_gzip_inflate #53

Closed life0fun closed 11 years ago

life0fun commented 11 years ago

Inside the callback `on_data_chunk_recv_callback()`, retrieve the request handler: `req = spdylay_session_get_stream_user_data(session, stream_id);`

My Request never sets a gzip inflater (double-checked by commenting out `spdylay_gzip_inflate_new()`).

However, after several msg exchanges, `req->inflater` is not null and causes a segfault inside `spdylay_gzip_inflate`.

Looks like some weird memory issue inside the spdylay session.

```
(gdb) bt
#0  spdylay_gzip_inflate (inflater=0x534b6d3658377441, out=0x7ffff6ba7b80 "Basic eGn0ms0s8fyCVbQgZ_19F2w5tjAt7X6mKS7BXh3iIjMF4ycpFHdJpI3tQqQtkoBIvE_nDjDqMRdow-46i27omQ==",
    outlen_ptr=0x7ffff6ba7b68,
    in=0x7ffff6ba8c88 "push ack success,\"data\":\"hello client: eGn0ms0s8fyCVbQgZ_19F2w5tjAt7X6mKS7BXh3iIjMF4ycpFHdJpI3tQqQtkoBIvE_nDjDqMRdow-46i27omQ== : mcBamw-jkLeDRnZS83GfF9Cy7aM= : u-server : u-worker : undefined\"}", inlen_ptr=0x7ffff6ba7b70) at spdylay_gzip.c:63
#1  0x0000000000403f1d in on_data_chunk_recv_callback (session=0x7ffff001ac20, flags=, stream_id=7,
    data=0x7ffff6ba8c88 "push ack success,\"data\":\"hello client: eGn0ms0s8fyCVbQgZ_19F2w5tjAt7X6mKS7BXh3iIjMF4ycpFHdJpI3tQqQtkoBIvE_nDjDqMRdow-46i27omQ== : mcBamw-jkLeDRnZS83GfF9Cy7aM= : u-server : u-worker : undefined\"}", len=16, user_data=<optimized out>) at spdycli.c:734
#2  0x00007ffff75ae0ea in spdylay_session_mem_recv (session=0x7ffff001ac20, in=0x7ffff6ba8c80 "", inlen=) at spdylay_session.c:2631
#3  0x00007ffff75aeac9 in spdylay_session_recv (session=0x7ffff001ac20) at spdylay_session.c:2685
#4  0x00000000004039b4 in exec_io (connection=) at spdycli.c:1087
#5  initSpdySession (pthrduri=) at spdycli.c:1235
#6  0x000000000040463d in createSpdyClient (arg=0x620990) at spdycli.c:1132
#7  0x00007ffff738de9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007ffff70bb4bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000000000 in ?? ()
```
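A triage check on the `inflater` value in frame #0 of the backtrace above, as an added example (not code from this thread or from spdylay; the helper names `ptr_as_ascii` and `ptr_text_in_buffer` are hypothetical). It decodes the pointer's eight bytes in little-endian order and looks for them in the `out` string from the same frame; a match is a sign that `req` refers to memory holding payload text rather than a live `struct Request`.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 64-bit pointer value as the 8 bytes it occupies in memory on a
 * little-endian machine (x86_64 in this backtrace). Returns 1 and fills
 * out[] with a NUL-terminated string if every byte is printable ASCII,
 * otherwise returns 0 and leaves out[] empty. */
static int ptr_as_ascii(uint64_t value, char out[9]) {
  for (int i = 0; i < 8; i++) {
    unsigned char b = (unsigned char)(value >> (8 * i));
    if (!isprint(b)) {
      out[0] = '\0';
      return 0;
    }
    out[i] = (char)b;
  }
  out[8] = '\0';
  return 1;
}

/* Returns 1 if the pointer decodes to text that also occurs in buf. */
static int ptr_text_in_buffer(uint64_t value, const char *buf) {
  char text[9];
  return ptr_as_ascii(value, text) && strstr(buf, text) != NULL;
}

/* Values copied from frame #0 of the backtrace in the report. */
static const uint64_t INFLATER_PTR = 0x534b6d3658377441ULL;
static const uint64_t OUT_PTR = 0x7ffff6ba7b80ULL;
static const char OUT_BUF[] =
    "Basic eGn0ms0s8fyCVbQgZ_19F2w5tjAt7X6mKS7BXh3iIjMF4ycpFHdJpI3tQqQtkoBIvE"
    "_nDjDqMRdow-46i27omQ==";

int main(void) {
  char text[9];
  if (ptr_as_ascii(INFLATER_PTR, text))
    printf("inflater bytes read as text: \"%s\"\n", text);
  printf("text occurs in out buffer: %d\n",
         ptr_text_in_buffer(INFLATER_PTR, OUT_BUF));
  printf("out pointer decodes as text: %d\n", ptr_as_ascii(OUT_PTR, text));
  return 0;
}
```
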

life0fun commented 11 years ago

A little bit more info when playing with the issue.

The use case is: the server pushes data to the client, and the client acks to the server with some data. From the client side, the acks' stream IDs are 5 and 7. The first ack works fine. On the second ack, stream 7, somehow the data chunk recv callback is invoked two times for stream 7. However, the data chunk callback was not invoked for stream 5. See the log.

I am wondering why the data chunk recv callback is invoked for a client outgoing stream (stream 7)?

```c
static void on_data_chunk_recv_callback(spdylay_session *session, uint8_t flags,
                                        int32_t stream_id, const uint8_t *data,
                                        size_t len, void *user_data) {
  int sleeptm;
  struct Request *req;
  struct ThreadUri *pthrduri = (struct ThreadUri *)pthread_getspecific(tkey);

  /* Look up the per-stream pointer registered via spdylay_submit_request(). */
  req = spdylay_session_get_stream_user_data(session, stream_id);
  if(req) {
    printf("[INFO] C <---------------------------- S (DATA)\n");
    printf("       %lu bytes\n", (unsigned long int)len);

    /* Cast so the pointer matches the %lx conversion. */
    fprintf(stdout, "on data chunk recv: stream %d inflater: %lx\n", stream_id, (unsigned long)req->inflater);

  }
  /* remainder of the callback not shown in the post */
}
```

```
push ack read_callback : stream_id : 7, ack {"pushIdx":"0@2","data":"[ 7 ]"}
[INFO] C <---------------------------- S (SYN_REPLY)
       :status: 200
       :version: HTTP/1.1
[INFO] C <---------------------------- S (DATA)
       200 bytes
on data chunk recv: stream 7 inflater: 235ca777108f5d4d
[INFO] C <---------------------------- S (DATA)
       0 bytes
on data chunk recv: stream 7 inflater: 0
```

tatsuhiro-t commented 11 years ago

It seems you are using modified version of spdycli. Can I have a look at your source code?

life0fun commented 11 years ago

Hi Tatsuhiro, Thank you for your information. Yes, I am using a modified version. I will attach the file to you tomorrow when I get to office.

Thanks, -haijin


life0fun commented 11 years ago

Hi Tatsuhiro, Attached is my client file. Sorry it was a mess. I used it just to stress test my server, so I did not clean up the code at all.

You may check the code inside `on_data_chunk_recv_callback()`.

Please let me know if you find anything suspicious.

Thanks, -haijin


tatsuhiro-t commented 11 years ago

I could not find the attachment. Where is it?

life0fun commented 11 years ago

I did attach it. Is it being removed by GitHub email?

Let me put it on gist.

Thanks, -haijin


tatsuhiro-t commented 11 years ago

Yes, it seems that github removes any attachment in the mail.

life0fun commented 11 years ago

Hi Tatsuhiro,

I put the source code into this gist.

https://gist.github.com/4752774.git

When I get time, I should contribute this pthread version of the client to spdylay.

Thank you very much for the help.

Best, -haijin


tatsuhiro-t commented 11 years ago

I think the following portion of the code causes the crash:

diff --git a/gistfile1.c b/gistfile1.c
index 25842c9..de145f0 100644
--- a/gistfile1.c
+++ b/gistfile1.c
@@ -1110,7 +1110,7 @@ static void submit_request_pushack(spdylay_session *sessio
   strncpy(datacopy, data, len);
   data_prd.source.ptr = datacopy;
   data_prd.read_callback = data_source_read_callback;
-  rv = spdylay_submit_request(session, pri, nv, &data_prd, &req);
+  rv = spdylay_submit_request(session, pri, nv, &data_prd, req);
   //rv = spdylay_submit_request(session, pri, nv, NULL, req);
   if(rv != 0) {
 diec("spdylay_submit_request_pushack", rv);
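Review bot: On the changed `spdylay_submit_request(...)` call, the declaration of `req` falls outside this hunk, so please confirm it is a `struct Request *` to an object that stays allocated until the stream closes. The library hands this same pointer back from `spdylay_session_get_stream_user_data()` in later callbacks such as `on_data_chunk_recv_callback()`, so anything local to `submit_request_pushack()` would dangle once the function returns. Separately, the context line `strncpy(datacopy, data, len);` leaves `datacopy` without a terminating NUL when `data` holds `len` or more characters; either terminate it explicitly or use `memcpy` and carry the length through to `data_source_read_callback`. The commented-out `//rv = spdylay_submit_request(...)` line can be dropped.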

Contribution is always welcome!

tatsuhiro-t commented 11 years ago

I just made your code compile (by commenting out ele_url?) and ran it with -u and -f. Also I modified spdyd to push json instead of SYN_REPLY. It seemed to work for several server pushes. I did not test other modes.

life0fun commented 11 years ago

Greatly appreciate your help, Tatsuhiro!

I will apply the patch and try stress testing tomorrow.

Thank you very much for the help!


tatsuhiro-t commented 11 years ago

Can we close this?