Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2_filter_module.c @ 6891:749bcfdf097a stable-1.10
HTTP/2: fixed posted streams handling.
A bug was introduced by 82efcedb310b that could lead to timing out of
responses or segmentation fault, when accept_mutex was enabled.
The output queue in HTTP/2 can contain frames from different streams.
When the queue is sent, all related write handlers need to be called.
In order to do so, the streams were added to the h2c->posted queue
after handling sent frames. Then this queue was processed in
ngx_http_v2_write_handler().
If accept_mutex is enabled, the event's "ready" flag is set but its
handler is not called immediately. Instead, the event is added to
the ngx_posted_events queue. At the same time in this queue can be
events from upstream connections. Such events can result in sending
output queue before ngx_http_v2_write_handler() is triggered. And
at the time ngx_http_v2_write_handler() is called, the output queue
can be already empty with some streams added to h2c->posted.
But after 82efcedb310b, these streams weren't processed if all frames
have already been sent and the output queue was empty. This might lead
to a situation when a number of streams were get stuck in h2c->posted
queue for a long time. Eventually these streams might get closed by
the send timeout.
In the worst case this might also lead to a segmentation fault, if
already freed stream was left in the h2c->posted queue. This could
happen if one of the streams was terminated but wasn't closed, due to
the HEADERS frame or a partially sent DATA frame left in the output
queue. If this happened the ngx_http_v2_filter_cleanup() handler
removed the stream from the h2c->waiting or h2c->posted queue on
termination stage, before the frame has been sent, and the stream
was again added to the h2c->posted queue after the frame was sent.
In order to fix all these problems and simplify the code, write
events of fake stream connections are now added to ngx_posted_events
instead of using a custom h2c->posted queue.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Mon, 28 Nov 2016 20:58:14 +0300 |
| parents | 73e62bd2ce69 |
| children |
comparison
equal
deleted
inserted
replaced
| 6890:16487f9e6665 | 6891:749bcfdf097a |
|---|---|
| 1120 ngx_http_v2_stream_t *stream) | 1120 ngx_http_v2_stream_t *stream) |
| 1121 { | 1121 { |
| 1122 ngx_queue_t *q; | 1122 ngx_queue_t *q; |
| 1123 ngx_http_v2_stream_t *s; | 1123 ngx_http_v2_stream_t *s; |
| 1124 | 1124 |
| 1125 if (stream->handled) { | 1125 if (stream->waiting) { |
| 1126 return; | 1126 return; |
| 1127 } | 1127 } |
| 1128 | 1128 |
| 1129 stream->handled = 1; | 1129 stream->waiting = 1; |
| 1130 | 1130 |
| 1131 for (q = ngx_queue_last(&h2c->waiting); | 1131 for (q = ngx_queue_last(&h2c->waiting); |
| 1132 q != ngx_queue_sentinel(&h2c->waiting); | 1132 q != ngx_queue_sentinel(&h2c->waiting); |
| 1133 q = ngx_queue_prev(q)) | 1133 q = ngx_queue_prev(q)) |
| 1134 { | 1134 { |
| 1315 | 1315 |
| 1316 static ngx_inline void | 1316 static ngx_inline void |
| 1317 ngx_http_v2_handle_stream(ngx_http_v2_connection_t *h2c, | 1317 ngx_http_v2_handle_stream(ngx_http_v2_connection_t *h2c, |
| 1318 ngx_http_v2_stream_t *stream) | 1318 ngx_http_v2_stream_t *stream) |
| 1319 { | 1319 { |
| 1320 ngx_event_t *wev; | |
| 1320 ngx_connection_t *fc; | 1321 ngx_connection_t *fc; |
| 1321 | 1322 |
| 1322 if (stream->handled || stream->blocked) { | 1323 if (stream->waiting || stream->blocked) { |
| 1323 return; | 1324 return; |
| 1324 } | 1325 } |
| 1325 | 1326 |
| 1326 fc = stream->request->connection; | 1327 fc = stream->request->connection; |
| 1327 | 1328 |
| 1328 if (!fc->error && (stream->exhausted || fc->write->delayed)) { | 1329 if (!fc->error && stream->exhausted) { |
| 1329 return; | 1330 return; |
| 1330 } | 1331 } |
| 1331 | 1332 |
| 1332 stream->handled = 1; | 1333 wev = fc->write; |
| 1333 ngx_queue_insert_tail(&h2c->posted, &stream->queue); | 1334 |
| 1335 wev->active = 0; | |
| 1336 wev->ready = 1; | |
| 1337 | |
| 1338 if (!fc->error && wev->delayed) { | |
| 1339 return; | |
| 1340 } | |
| 1341 | |
| 1342 ngx_post_event(wev, &ngx_posted_events); | |
| 1334 } | 1343 } |
| 1335 | 1344 |
| 1336 | 1345 |
| 1337 static void | 1346 static void |
| 1338 ngx_http_v2_filter_cleanup(void *data) | 1347 ngx_http_v2_filter_cleanup(void *data) |
| 1339 { | 1348 { |
| 1340 ngx_http_v2_stream_t *stream = data; | 1349 ngx_http_v2_stream_t *stream = data; |
| 1341 | 1350 |
| 1342 size_t window; | 1351 size_t window; |
| 1352 ngx_event_t *wev; | |
| 1353 ngx_queue_t *q; | |
| 1343 ngx_http_v2_out_frame_t *frame, **fn; | 1354 ngx_http_v2_out_frame_t *frame, **fn; |
| 1344 ngx_http_v2_connection_t *h2c; | 1355 ngx_http_v2_connection_t *h2c; |
| 1345 | 1356 |
| 1346 if (stream->handled) { | 1357 if (stream->waiting) { |
| 1347 stream->handled = 0; | 1358 stream->waiting = 0; |
| 1348 ngx_queue_remove(&stream->queue); | 1359 ngx_queue_remove(&stream->queue); |
| 1349 } | 1360 } |
| 1350 | 1361 |
| 1351 if (stream->queued == 0) { | 1362 if (stream->queued == 0) { |
| 1352 return; | 1363 return; |
| 1376 } | 1387 } |
| 1377 | 1388 |
| 1378 fn = &frame->next; | 1389 fn = &frame->next; |
| 1379 } | 1390 } |
| 1380 | 1391 |
| 1381 if (h2c->send_window == 0 && window && !ngx_queue_empty(&h2c->waiting)) { | 1392 if (h2c->send_window == 0 && window) { |
| 1382 ngx_queue_add(&h2c->posted, &h2c->waiting); | 1393 |
| 1383 ngx_queue_init(&h2c->waiting); | 1394 while (!ngx_queue_empty(&h2c->waiting)) { |
| 1395 q = ngx_queue_head(&h2c->waiting); | |
| 1396 | |
| 1397 ngx_queue_remove(q); | |
| 1398 | |
| 1399 stream = ngx_queue_data(q, ngx_http_v2_stream_t, queue); | |
| 1400 | |
| 1401 stream->waiting = 0; | |
| 1402 | |
| 1403 wev = stream->request->connection->write; | |
| 1404 | |
| 1405 wev->active = 0; | |
| 1406 wev->ready = 1; | |
| 1407 | |
| 1408 if (!wev->delayed) { | |
| 1409 ngx_post_event(wev, &ngx_posted_events); | |
| 1410 } | |
| 1411 } | |
| 1384 } | 1412 } |
| 1385 | 1413 |
| 1386 h2c->send_window += window; | 1414 h2c->send_window += window; |
| 1387 } | 1415 } |
| 1388 | 1416 |