Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2.c @ 6891:749bcfdf097a stable-1.10
HTTP/2: fixed posted streams handling.
A bug was introduced by 82efcedb310b that could lead to timing out of
responses or segmentation fault, when accept_mutex was enabled.
The output queue in HTTP/2 can contain frames from different streams.
When the queue is sent, all related write handlers need to be called.
In order to do so, the streams were added to the h2c->posted queue
after handling sent frames. Then this queue was processed in
ngx_http_v2_write_handler().
If accept_mutex is enabled, the event's "ready" flag is set but its
handler is not called immediately. Instead, the event is added to
the ngx_posted_events queue. At the same time in this queue can be
events from upstream connections. Such events can result in sending
output queue before ngx_http_v2_write_handler() is triggered. And
at the time ngx_http_v2_write_handler() is called, the output queue
can be already empty with some streams added to h2c->posted.
But after 82efcedb310b, these streams weren't processed if all frames
have already been sent and the output queue was empty. This might lead
to a situation when a number of streams were get stuck in h2c->posted
queue for a long time. Eventually these streams might get closed by
the send timeout.
In the worst case this might also lead to a segmentation fault, if
already freed stream was left in the h2c->posted queue. This could
happen if one of the streams was terminated but wasn't closed, due to
the HEADERS frame or a partially sent DATA frame left in the output
queue. If this happened the ngx_http_v2_filter_cleanup() handler
removed the stream from the h2c->waiting or h2c->posted queue on
termination stage, before the frame has been sent, and the stream
was again added to the h2c->posted queue after the frame was sent.
In order to fix all these problems and simplify the code, write
events of fake stream connections are now added to ngx_posted_events
instead of using a custom h2c->posted queue.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Mon, 28 Nov 2016 20:58:14 +0300 |
| parents | 16487f9e6665 |
| children | 169fef913184 |
comparison
equal
deleted
inserted
replaced
| 6890:16487f9e6665 | 6891:749bcfdf097a |
|---|---|
| 284 | 284 |
| 285 h2c->state.handler = hc->proxy_protocol ? ngx_http_v2_state_proxy_protocol | 285 h2c->state.handler = hc->proxy_protocol ? ngx_http_v2_state_proxy_protocol |
| 286 : ngx_http_v2_state_preface; | 286 : ngx_http_v2_state_preface; |
| 287 | 287 |
| 288 ngx_queue_init(&h2c->waiting); | 288 ngx_queue_init(&h2c->waiting); |
| 289 ngx_queue_init(&h2c->posted); | |
| 290 ngx_queue_init(&h2c->dependencies); | 289 ngx_queue_init(&h2c->dependencies); |
| 291 ngx_queue_init(&h2c->closed); | 290 ngx_queue_init(&h2c->closed); |
| 292 | 291 |
| 293 c->data = h2c; | 292 c->data = h2c; |
| 294 | 293 |
| 413 | 412 |
| 414 static void | 413 static void |
| 415 ngx_http_v2_write_handler(ngx_event_t *wev) | 414 ngx_http_v2_write_handler(ngx_event_t *wev) |
| 416 { | 415 { |
| 417 ngx_int_t rc; | 416 ngx_int_t rc; |
| 418 ngx_queue_t *q; | |
| 419 ngx_connection_t *c; | 417 ngx_connection_t *c; |
| 420 ngx_http_v2_stream_t *stream; | |
| 421 ngx_http_v2_connection_t *h2c; | 418 ngx_http_v2_connection_t *h2c; |
| 422 | 419 |
| 423 c = wev->data; | 420 c = wev->data; |
| 424 h2c = c->data; | 421 h2c = c->data; |
| 425 | 422 |
| 448 rc = ngx_http_v2_send_output_queue(h2c); | 445 rc = ngx_http_v2_send_output_queue(h2c); |
| 449 | 446 |
| 450 if (rc == NGX_ERROR) { | 447 if (rc == NGX_ERROR) { |
| 451 ngx_http_v2_finalize_connection(h2c, 0); | 448 ngx_http_v2_finalize_connection(h2c, 0); |
| 452 return; | 449 return; |
| 453 } | |
| 454 | |
| 455 while (!ngx_queue_empty(&h2c->posted)) { | |
| 456 q = ngx_queue_head(&h2c->posted); | |
| 457 | |
| 458 ngx_queue_remove(q); | |
| 459 | |
| 460 stream = ngx_queue_data(q, ngx_http_v2_stream_t, queue); | |
| 461 | |
| 462 stream->handled = 0; | |
| 463 | |
| 464 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
| 465 "run http2 stream %ui", stream->node->id); | |
| 466 | |
| 467 wev = stream->request->connection->write; | |
| 468 | |
| 469 wev->active = 0; | |
| 470 wev->ready = 1; | |
| 471 | |
| 472 wev->handler(wev); | |
| 473 } | 450 } |
| 474 | 451 |
| 475 h2c->blocked = 0; | 452 h2c->blocked = 0; |
| 476 | 453 |
| 477 if (rc == NGX_AGAIN) { | 454 if (rc == NGX_AGAIN) { |
| 2238 | 2215 |
| 2239 ngx_queue_remove(q); | 2216 ngx_queue_remove(q); |
| 2240 | 2217 |
| 2241 stream = ngx_queue_data(q, ngx_http_v2_stream_t, queue); | 2218 stream = ngx_queue_data(q, ngx_http_v2_stream_t, queue); |
| 2242 | 2219 |
| 2243 stream->handled = 0; | 2220 stream->waiting = 0; |
| 2244 | 2221 |
| 2245 wev = stream->request->connection->write; | 2222 wev = stream->request->connection->write; |
| 2246 | 2223 |
| 2247 wev->active = 0; | 2224 wev->active = 0; |
| 2248 wev->ready = 1; | 2225 wev->ready = 1; |
| 4257 | 4234 |
| 4258 if (stream == NULL) { | 4235 if (stream == NULL) { |
| 4259 continue; | 4236 continue; |
| 4260 } | 4237 } |
| 4261 | 4238 |
| 4262 stream->handled = 0; | 4239 stream->waiting = 0; |
| 4263 | 4240 |
| 4264 r = stream->request; | 4241 r = stream->request; |
| 4265 fc = r->connection; | 4242 fc = r->connection; |
| 4266 | 4243 |
| 4267 fc->error = 1; | 4244 fc->error = 1; |