Segmentation fault when sending http3-only request by multi interface #11449
Comments
sorry, forget print the
Thanks for the details and test program. I modified this a bit to compile it in plain C (see below). With this, I am unable to reproduce the issue. Do you see the crash every time?:
@icing yes, I tried the test program above and compiled with
And found a new crash stack, with the same c test program:
fix: not always crash, but high probability
On my machine, it never does. Still looking. What are the values of
rebuild with
By the way, I found that although the previous version
quiche seems to have bugs handling more than one connection: cloudflare/quiche#1554 I see this in local tests that quiche events get mixed up and some requests stall. Until we have verified that quiche is fixed, I would rest the analysis here.
Thanks!
- refs curl#11449 where weirdness in quiche multi connection transfers was observed
- fixes lookup of transfer for a quiche event to take the connection into account
- formerly, a transfer with the same stream_id, but on another connection could be found
Well, at least the
I understood the problem now. It was staring me in the face from the beginning: Your example runs into several failed CONNECT attempts for ipv6 addresses before finally succeeding for ipv4. A bug in curl's quiche implementation did H3 initialization for the transfer too early, before the CONNECT was successful. This led to references from the H3 state to a connect attempt that had failed and was free'ed. My attempts to reproduce never had these failed connects, so the error did not show up. Please see #11469 for the fix of this issue.
@icing Great! The test program is never crashed after update. It seems this bug introduced from #10772 in I am using
#11469 is only applicable on newer versions. I do not recommend sprinkling individual PRs onto releases they are not made for. It leads to code configurations that have never been tested by anyone.
Get it, thanks again!
- refs curl#11449 where weirdness in quiche multi connection transfers was observed
- fixes lookup of transfer for a quiche event to take the connection into account
- formerly, a transfer with the same stream_id, but on another connection could be found

Closes curl#11462
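The lookup problem this commit message describes, as an added example that is not curl's code: two parallel HTTP/3 transfers on separate connections both carry their request on stream 0, so a lookup keyed on the stream id alone hands an event to the wrong transfer. The struct and function names are hypothetical and the sample transfers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model types for illustration; not curl's structures. */
struct conn { int id; };
struct transfer {
  const struct conn *conn;   /* connection the transfer runs on */
  int64_t stream_id;         /* QUIC stream id, unique per connection only */
  const char *url;
};

/* Constructed sample: two parallel HTTP/3 transfers on separate connections.
 * Each connection numbers its own streams, so both requests use stream 0. */
static struct conn conn_a = { 1 }, conn_b = { 2 };
static struct transfer transfers[] = {
  { &conn_a, 0, "https://a.example/" },
  { &conn_b, 0, "https://b.example/" },
};
#define NTRANSFERS (sizeof(transfers) / sizeof(transfers[0]))

/* "Before": match on the stream id alone, across every transfer. */
struct transfer *find_by_stream(int64_t stream_id)
{
  for(size_t i = 0; i < NTRANSFERS; i++)
    if(transfers[i].stream_id == stream_id)
      return &transfers[i];
  return NULL;
}

/* "After": the connection that raised the event is part of the key. */
struct transfer *find_by_conn_stream(const struct conn *conn,
                                     int64_t stream_id)
{
  for(size_t i = 0; i < NTRANSFERS; i++)
    if(transfers[i].conn == conn && transfers[i].stream_id == stream_id)
      return &transfers[i];
  return NULL;
}

/* An event for stream 0 arrives on conn_b: who gets it? */
int main(void)
{
  struct transfer *before = find_by_stream(0);
  struct transfer *after = find_by_conn_stream(&conn_b, 0);
  /* before points at the conn_a transfer (wrong), after at conn_b's */
  return (before == &transfers[0] && after == &transfers[1]) ? 0 : 1;
}
```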
- refs curl#11449 where a segfault is reported when IP Eyeballing did not immediately connect but made several attempts
- The transfer initiating the eyeballing was initialized too early, leading to references to the filter instance that was then replaced in the subsequent eyeball attempts. That led to a use after free in the buffer handling for the transfer
- transfers are initiated now more lazy (like in the ngtcp2 filter), when the stream is actually opened
- suppress reporting on quiche event errors for "other" transfers than the current one to not fail a transfer due to faults in another one.
- revert recent return value handling for quiche_h3_recv_body() to not indicate an error but an EAGAIN situation. We wish quiche would document what functions return.

Fixes curl#11449
Closes curl#11469
Reported-by: ウさん
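The lifetime bug and the lazy-initialization fix described in this commit message and in the analysis in the thread, as an added model that is not curl's code. All names are hypothetical, the attempt outcomes are constructed, and contexts sit in a static pool with an `alive` flag so the stale reference is detected instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model, not curl's code: one filter context per connect
 * attempt. Contexts live in a static pool and "freeing" only clears a flag,
 * so a stale reference can be detected here without touching freed memory. */
struct attempt_ctx { bool alive; };
struct h3_stream { struct attempt_ctx *ctx; };   /* per-transfer H3 state */
#define MAX_ATTEMPTS 4
static struct attempt_ctx pool[MAX_ATTEMPTS];
enum result { NO_CONNECTION = -1, STALE_CTX = 0, LIVE_CTX = 1 };

/* Walk the connect attempts in order. outcome[i] is constructed input:
 * false = attempt i failed and its context is destroyed, true = connected.
 * eager=true binds the stream state during the first attempt ("before"),
 * eager=false binds it once the stream is opened on the winner ("after"). */
enum result eyeball(const bool *outcome, size_t n, bool eager)
{
  struct h3_stream stream = { NULL };
  struct attempt_ctx *winner = NULL;

  for(size_t i = 0; i < n && i < MAX_ATTEMPTS && !winner; i++) {
    struct attempt_ctx *ctx = &pool[i];
    ctx->alive = true;
    if(eager && !stream.ctx)
      stream.ctx = ctx;        /* H3 state set up before CONNECT result */
    if(outcome[i])
      winner = ctx;
    else
      ctx->alive = false;      /* stand-in for free() of the failed attempt */
  }
  if(!winner)
    return NO_CONNECTION;
  if(!eager)
    stream.ctx = winner;       /* lazy: bind when the stream is opened */
  /* With real allocations, using a dead ctx here is the use after free. */
  return stream.ctx->alive ? LIVE_CTX : STALE_CTX;
}

/* Constructed inputs: two failed attempts then success, and instant success. */
static const bool fail_fail_ok[] = { false, false, true };
static const bool first_ok[] = { true };

int main(void)
{
  return eyeball(fail_fail_ok, 3, false) == LIVE_CTX ? 0 : 1;
}
```

The `first_ok` input with eager binding still yields `LIVE_CTX`, which matches the thread: when the first connect attempt succeeds, the early initialization never ends up pointing at a destroyed context.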
I did this
CURL_HTTP_VERSION_3ONLY request parallelly by using multi interface libcurl/8.1.2+quiche/0.17.1), but not found in previous version (libcurl/8.0.1+quiche/0.16.0)
I expected the following
gdb, the segmentation fault info:
Test code
curl/libcurl version
operating system
Linux mylinux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux