SIGSEGV in curl-8.6.0/lib/http2.c:288 (curl_multi_perform->extract_if_dead->http2_data_done)
From: Aleksander Mazur via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 20 Mar 2024 00:01:53 +0100
Hello,
Recently I have observed my program crashing (sometimes) during system startup.
(During system startup the internet connection is down, so the first few HTTPS/HTTP2 requests fail with CURLE_COULDNT_RESOLVE_HOST. Then the internet connection comes up.)
Then the program is restarted by the supervisor and works fine.
The program is cross-compiled for i686 and linked against libcurl 8.6.0, openssl 3.2.1, nghttp2 1.60.0, uClibc-ng 1.0.46. I don't have a full-blown debugging environment in this toolchain but managed to capture a backtrace:
0xb7b7f07f
0xb7f00c2d http2_data_done.isra.0+0x4D
0xb7f017d3 cf_h2_cntrl+0x199
0xb7ef063f Curl_conn_cf_cntrl+0x41
0xb7ef0685 cf_cntrl_all.constprop.0+0x2D
0xb7f07b3d Curl_detach_connection+0x2D
0xb7f1487e extract_if_dead+0x142
0xb7f148b4 call_extract_if_dead+0x11
0xb7ef1116 Curl_conncache_foreach+0x89
0xb7f16c31 Curl_connect+0x1948
0xb7f094a8 multi_runsingle+0x1E5
0xb7f0a398 curl_multi_perform+0xBB
0x804bd6f main+0x26F
0xb7ba6e83 __uClibc_main+0x15E
0x804be33 _start+0x21
(half of which looks similar to #12951)
Using objdump -d -S libcurl.so I found this:
1ec2a: 52 push %edx
1ec2b: 6a 00 push $0x0
-> 1ec2d: ff 36 push (%esi)
1ec2f: 50 push %eax
1ec30: e8 2b 84 fe ff call 7060 <nghttp2_session_set_stream_user_data@plt>
... which most probably matches accessing stream->id in lib/http2.c:288:
> (void)nghttp2_session_set_stream_user_data(ctx->h2, stream->id, NULL);
meaning that stream must not have been NULL but held an invalid pointer.
Are you aware of a scenario in which a stale pointer to Curl_easy.req.p.http is kept in connection cache and then reused?
Do you think https://github.com/curl/curl/pull/13096 may be related to this issue?
--
Aleksander Mazur

Received on 2024-03-20
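The scenario the report asks about, a pointer to per-transfer request state that a connection-scoped cache keeps after the state has been freed, is a classic ownership bug, and the reporter's inference ("not NULL but invalid") is exactly the signature of it. The following is an added, deliberately simplified model written for this page; it is not libcurl's or nghttp2's code, and every name in it (h2_session, h2_request, detach_leaky, detach_safe, data_done) is hypothetical. The session stands in for the nghttp2 session kept with the cached connection, the request for Curl_easy.req.p.http. It contrasts a detach that frees the request without clearing the session's per-stream user data against one that clears the cached reference first, and a data_done that resolves the stream through the session instead of trusting a pointer it was handed.

```c
/* Added example (not libcurl's or nghttp2's code): a minimal model of a
 * per-transfer request object cached by stream id inside a connection-scoped
 * session. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_STREAMS 8

/* Per-transfer request state (models Curl_easy.req.p.http). */
struct h2_request {
    int stream_id;
    int done;
};

/* Connection-scoped session (models the nghttp2 session kept with the
 * cached connection); user_data is indexed by stream id. */
struct h2_session {
    struct h2_request *user_data[MAX_STREAMS];
};

/* Open a stream and register its request as the stream's user data. */
struct h2_request *stream_open(struct h2_session *s, int stream_id) {
    if (stream_id < 0 || stream_id >= MAX_STREAMS || s->user_data[stream_id])
        return NULL;
    struct h2_request *r = calloc(1, sizeof *r);
    if (!r)
        return NULL;
    r->stream_id = stream_id;
    s->user_data[stream_id] = r;
    return r;
}

/* Bug-prone detach: frees the request but leaves the session entry
 * pointing at freed memory. A later lookup by stream id hands back a
 * dangling pointer, which is the "not NULL but invalid" case. */
void detach_leaky(struct h2_session *s, struct h2_request *r) {
    (void)s;
    free(r);
}

/* Hardened detach: whoever frees the object clears every cached
 * reference to it first, so later lookups see NULL, not a stale pointer. */
void detach_safe(struct h2_session *s, struct h2_request *r) {
    if (!r)
        return;
    if (r->stream_id >= 0 && r->stream_id < MAX_STREAMS &&
        s->user_data[r->stream_id] == r)
        s->user_data[r->stream_id] = NULL;
    free(r);
}

/* data_done resolves the stream through the session rather than trusting a
 * pointer passed from elsewhere. Returns 1 if a live request was completed,
 * 0 if the stream had already been detached (a no-op, not a crash). */
int data_done(struct h2_session *s, int stream_id) {
    if (stream_id < 0 || stream_id >= MAX_STREAMS)
        return 0;
    struct h2_request *r = s->user_data[stream_id];
    if (!r)
        return 0;
    r->done = 1;
    s->user_data[stream_id] = NULL;
    return 1;
}

/* Count session entries still equal to a pointer value recorded before the
 * object was freed. Only the pointer values are compared; the freed memory is
 * never dereferenced. */
int stale_entries(const struct h2_session *s, uintptr_t freed_key) {
    int n = 0;
    for (int i = 0; i < MAX_STREAMS; i++)
        if ((uintptr_t)s->user_data[i] == freed_key)
            n++;
    return n;
}

/* Scenario: leaky detach leaves one dangling entry behind. Returns that count. */
int scenario_leaky(void) {
    struct h2_session s = {{0}};
    struct h2_request *r = stream_open(&s, 1);
    uintptr_t key = (uintptr_t)r;   /* record before free */
    detach_leaky(&s, r);
    int stale = stale_entries(&s, key);
    s.user_data[1] = NULL;          /* manual repair so nothing touches it */
    return stale;
}

/* Scenario: safe detach leaves no dangling entry and data_done is a no-op. */
int scenario_safe(void) {
    struct h2_session s = {{0}};
    struct h2_request *r = stream_open(&s, 2);
    uintptr_t key = (uintptr_t)r;
    detach_safe(&s, r);
    return stale_entries(&s, key) + data_done(&s, 2);   /* expect 0 + 0 */
}

/* Scenario: a live stream is completed exactly once. Returns 1 + done flag. */
int scenario_live(void) {
    struct h2_session s = {{0}};
    struct h2_request *r = stream_open(&s, 3);
    int first = data_done(&s, 3);
    int again = data_done(&s, 3);   /* already cleared: 0 */
    int result = first + r->done - again;
    free(r);
    return result;                  /* expect 1 + 1 - 0 = 2 */
}

int main(void) {
    printf("leaky detach left %d stale entr%s\n", scenario_leaky(),
           scenario_leaky() == 1 ? "y" : "ies");
    printf("safe detach: stale+done = %d (expect 0)\n", scenario_safe());
    printf("live stream: %d (expect 2)\n", scenario_live());
    return 0;
}
```

The invariant worth checking when reviewing code like this is simple to state: every place that frees the per-transfer object must also clear every cache slot that can still name it, and every consumer of the cache must tolerate a NULL. Under a sanitizer build (ASan on the native build of the same sources) the leaky path reports the dangling read at the first dereference instead of surfacing, as here, only as an occasional SIGSEGV on an i686 target without a debugger.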