varnishcache / varnish-cache

Varnish Cache source code repository
https://www.varnish-cache.org

Assert error in HTC_RxStuff(), cache/cache_session.c line 296 #2624

Closed fgsch closed 6 years ago

fgsch commented 6 years ago
Assert error in HTC_RxStuff(), cache/cache_session.c line 296:
  Condition(z >= 0) not true.
version = varnish-6.0.0 revision 5e2b0d8abda18e807b73ed2f6c0746688001e85b, vrt api = 7.0
ident = Darwin,17.4.0,x86_64,-jnone,-sdefault,-sdefault,-hcritbit,kqueue
now = 1032608.898370 (mono), 1521572311.301582 (real)
Backtrace:
  0x105d02f6c: 0   varnishd                            0x0000000105d02f6c pan_backtrace + 348
  0x105d02b46: 0   varnishd                            0x0000000105d02b46 pan_ic + 1446
  0x1060dc549: 0   varnishd                            0x00000001060dc549 VAS_Fail + 361
  0x105d5520e: 0   varnishd                            0x0000000105d5520e HTC_RxStuff + 10254
  0x105ec182f: 0   varnishd                            0x0000000105ec182f h2_rxframe + 2335
  0x105edf20f: 0   varnishd                            0x0000000105edf20f h2_new_session + 9807
  0x105e0a662: 0   varnishd                            0x0000000105e0a662 Pool_Work_Thread + 15858
  0x105e0649f: 0   varnishd                            0x0000000105e0649f WRK_Thread + 1903
  0x105e05cab: 0   varnishd                            0x0000000105e05cab pool_thread + 891
  0x7fff64cf16c1: 0   libsystem_pthread.dylib             0x00007fff64cf16c1 _pthread_body + 340
thread = (cache-worker)
thr.req = 0x631000050820 {
  vxid = 1000, transport = H2
  step = 0x0,
  req_body = R_BODY_INIT,
  err_code = 1, err_reason = (null),
  restarts = 0, esi_level = 0,
  sp = 0x61500000ffa0 {
    fd = 25, vxid = 1000,
    t_open = 1521572311.300687,
    t_idle = 1521572311.301546,
    ws = 0x61500000ffe0 {
      id = "ses",
      {s, f, r, e} = {0x615000010018, +104, 0x0, +352},
    },
    transport = H2 {
      streams {
        0x00000000 idle  
      }
    }
    client = 127.0.0.1 58497 127.0.0.1:58492,
  },
  ws = 0x631000050968 {
    id = "req",
    {s, f, r, e} = {0x631000052898, +20088, +57184, +57184},
  },
  http_conn = 0x631000052838 {
    fd = 25 (@0x61500000ffc4),
    doclose = NULL,
    ws = 0x631000050968 {
      [Already dumped, see above]
    },
    {rxbuf_b, rxbuf_e} = {0x631000057710, 0x63100005c457},
    {pipeline_b, pipeline_e} = {0x0, 0x0},
    content_length = 0,
    body_status = none,
    first_byte_timeout = 0.000000,
    between_bytes_timeout = 0.000000,
  },
  http[req] = 0x631000050a08 {
    ws = 0x0 {
    },
    hdrs {
    },
  },
  vmods = {
  },
  flags = {
  },
  privs = 0x6310000509f0 {
  },
},
thr.busyobj = 0x0 {
},
fgsch commented 6 years ago

Also found while fuzzing, and seen on Linux as well. Varnish was configured with --enable-asan --enable-ubsan, with http2 enabled. Contact me offline for the input that triggers the assert.

fgsch commented 6 years ago

Input sent to @daghf for further analysis.