185717 – [Curl] Crash due to broken Curl_easy handle since WinCairoRequirements v2018.05.16

Bug 185717 - [Curl] Crash due to broken Curl_easy handle since WinCairoRequirements v2018.05.16

Summary: [Curl] Crash due to broken Curl_easy handle since WinCairoRequirements v2018....

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Platform (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Basuke Suzuki

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-05-17 01:32 PDT by Fujii Hironori
Modified:	2018-08-01 21:19 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fujii Hironori 2018-05-17 01:32:21 PDT

[Curl] Crash due to broken Curl_easy handle since WinCairoRequirements v2018.05.16

After WinCairoRequirements v2018.05.16, crash happens in libcurl.
https://github.com/WebKitForWindows/WinCairoRequirements/releases/tag/v2018.05.16

1) Start MiniBrowser
2) Go to https://youtube.com/
3) Crash

Callstack:

> libcurl.dll!Curl_set_in_callback(Curl_easy * easy, bool value) Line 3109	C
> libcurl.dll!showit(Curl_easy * data, curl_infotype type, char * ptr, unsigned __int64 size) Line 811	C
> libcurl.dll!Curl_debug(Curl_easy * data, curl_infotype type, char * ptr, unsigned __int64 size, connectdata * conn) Line 874	C
> libcurl.dll!Curl_infof(Curl_easy * data, const char * fmt, ...) Line 245	C
> [Inline Frame] libcurl.dll!http2_connisdead(connectdata *) Line 214	C
> libcurl.dll!http2_conncheck(connectdata * check, unsigned int checks_to_perform) Line 236	C
> libcurl.dll!extract_if_dead(connectdata * conn, Curl_easy * data) Line 973	C
> libcurl.dll!ConnectionExists(Curl_easy * data, connectdata * needle, connectdata * * usethis, bool * force_reuse, bool * waitpipe) Line 1140	C
> libcurl.dll!create_conn(Curl_easy * data, connectdata * * in_connect, bool * async) Line 4401	C
> libcurl.dll!Curl_connect(Curl_easy * data, connectdata * * in_connect, bool * asyncp, bool * protocol_done) Line 4660	C
> libcurl.dll!multi_runsingle(Curl_multi * multi, curltime now, Curl_easy * data) Line 1421	C
> libcurl.dll!curl_multi_perform(Curl_multi * multi, int * running_handles) Line 2165	C
> WebKit.dll!WebCore::CurlRequestScheduler::workerThread() Line 169	C++
> [Inline Frame] WebKit.dll!WebCore::CurlRequestScheduler::startThreadIfNeeded::__l5::<lambda_759a9b0dbc5d1b4468a3b240cce0f503>::operator()() Line 88	C++
> WebKit.dll!WTF::Function<void __cdecl(void)>::CallableWrapper<<lambda_759a9b0dbc5d1b4468a3b240cce0f503> >::call() Line 101	C++
> [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 56	C++
> WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 136	C++
> WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 156	C++
> [External Code]	


Callstack:

> [Inline Frame] libcurl.dll!h2_pri_spec(Curl_easy *) Line 1440	C
> libcurl.dll!h2_session_send(Curl_easy * data, nghttp2_session * h2) Line 1466	C
> libcurl.dll!h2_process_pending_input(connectdata * conn, http_conn * httpc, CURLcode * err) Line 1304	C
> [Inline Frame] libcurl.dll!http2_connisdead(connectdata *) Line 219	C
> libcurl.dll!http2_conncheck(connectdata * check, unsigned int checks_to_perform) Line 236	C
> libcurl.dll!extract_if_dead(connectdata * conn, Curl_easy * data) Line 973	C
> libcurl.dll!call_extract_if_dead(connectdata * conn, void * param) Line 1003	C
> libcurl.dll!Curl_conncache_foreach(Curl_easy * data, conncache * connc, void * param, int(*)(connectdata *, void *) func) Line 382	C
> [Inline Frame] libcurl.dll!prune_dead_connections(Curl_easy *) Line 1025	C
> libcurl.dll!create_conn(Curl_easy * data, connectdata * * in_connect, bool * async) Line 4382	C
> libcurl.dll!Curl_connect(Curl_easy * data, connectdata * * in_connect, bool * asyncp, bool * protocol_done) Line 4660	C
> libcurl.dll!multi_runsingle(Curl_multi * multi, curltime now, Curl_easy * data) Line 1421	C
> libcurl.dll!curl_multi_perform(Curl_multi * multi, int * running_handles) Line 2165	C
> WebKit.dll!WebCore::CurlRequestScheduler::workerThread() Line 169	C++
> [Inline Frame] WebKit.dll!WebCore::CurlRequestScheduler::startThreadIfNeeded::__l5::<lambda_759a9b0dbc5d1b4468a3b240cce0f503>::operator()() Line 88	C++
> WebKit.dll!WTF::Function<void __cdecl(void)>::CallableWrapper<<lambda_759a9b0dbc5d1b4468a3b240cce0f503> >::call() Line 101	C++
> [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 56	C++
> WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 136	C++
> WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 156	C++
> [External Code]

Comment 1 Fujii Hironori 2018-05-17 01:32:54 PDT

It seems that elements of `conn_list` of `connectbundle` are broken.

Comment 2 Fujii Hironori 2018-05-17 02:39:06 PDT

I have confirmed this crash can be solved by replacing libcurl.dll with one disabled USE_NGHTTP2.
This is a critical issue, USE_NGHTTP2 should be disabled until it will be addressed.

Comment 3 Basuke Suzuki 2018-05-17 08:37:23 PDT

I'll look into this today, thank you for reporting.

Comment 4 Fujii Hironori 2018-05-24 03:08:04 PDT

I wouldn't see such crashes if I replaced with libcurl.dll built by me without any modificaitons.

Don, check it in your env.

Comment 5 Basuke Suzuki 2018-05-24 17:38:43 PDT

Can you give me your build option? Or is that same with WinCairoRequirements? I can reproduce this crash with libs build by myself locally using vcpkg.exe.

Comment 6 Fujii Hironori 2018-05-24 19:57:11 PDT

Thanks for confirming, Basuke. It's my mistake. 
I should invoke `vcpkg install curl[ssl]` instead of `vcpkg install curl`.

Comment 7 Fujii Hironori 2018-05-25 00:00:26 PDT

A connectdata stored in a conncache holds a deleted Curl_easy.
http2_connisdead accesses the deleted Curl_easy.

Comment 8 Basuke Suzuki 2018-05-25 08:42:08 PDT

Wait a minute. That's reminds me my patch to the curl. https://github.com/curl/curl/pull/2221/files

I'll take a look inside it.

Comment 9 Basuke Suzuki 2018-05-25 14:52:26 PDT

No, my patch doesn't related with this crash. Sigh.

Comment 10 Fujii Hironori 2018-07-03 04:01:35 PDT

url: fix dangling conn->data pointer · curl/curl@2c15693
https://github.com/curl/curl/commit/2c15693a3c355d8296a1828123a864397296460b

[WIP] Avoid using free'd easy handles referenced from connection cache by dtzWill · Pull Request #2669 · curl/curl
https://github.com/curl/curl/pull/2669

I haven't tried it yet. But, sounds promising.

Comment 11 Don Olmstead 2018-07-03 13:52:56 PDT

(In reply to Fujii Hironori from comment #10)
> url: fix dangling conn->data pointer · curl/curl@2c15693
> https://github.com/curl/curl/commit/2c15693a3c355d8296a1828123a864397296460b
> 
> [WIP] Avoid using free'd easy handles referenced from connection cache by
> dtzWill · Pull Request #2669 · curl/curl
> https://github.com/curl/curl/pull/2669
> 
> I haven't tried it yet. But, sounds promising.

https://github.com/WebKitForWindows/WinCairoRequirements/releases/tag/v2018.07.03

That has the commit referenced. It appears there might be more problems there but it should be a start.

Comment 12 Don Olmstead 2018-07-03 18:31:03 PDT

(In reply to Don Olmstead from comment #11)
> (In reply to Fujii Hironori from comment #10)
> > url: fix dangling conn->data pointer · curl/curl@2c15693
> > https://github.com/curl/curl/commit/2c15693a3c355d8296a1828123a864397296460b
> > 
> > [WIP] Avoid using free'd easy handles referenced from connection cache by
> > dtzWill · Pull Request #2669 · curl/curl
> > https://github.com/curl/curl/pull/2669
> > 
> > I haven't tried it yet. But, sounds promising.
> 
> https://github.com/WebKitForWindows/WinCairoRequirements/releases/tag/v2018.
> 07.03
> 
> That has the commit referenced. It appears there might be more problems
> there but it should be a start.

There seems to be more crashing after the SSL cert patch. There is also some work in https://github.com/curl/curl/issues/2674 that looks like it might be in the ballpark of the crashes I'm seeing in the debug build.

Hopefully they have a patch this week. We should probably roll to that or request a release from them including the changes since 7.60.0.

Comment 13 Fujii Hironori 2018-07-03 19:56:46 PDT

WinCairoRequirements.zip v2018.07.03 (the second release)

1) Start MiniBrowser
2) Open WebKitLegacy Window
2) Go to https://youtube.com/
3) Crash

Callstack:

> libcurl.dll!Curl_conncache_bundle_size(connectdata * conn) Line 206	C
> libcurl.dll!create_conn(Curl_easy * data, connectdata * * in_connect, bool * async) Line 4407	C
> libcurl.dll!Curl_connect(Curl_easy * data, connectdata * * in_connect, bool * asyncp, bool * protocol_done) Line 4660	C
> libcurl.dll!multi_runsingle(Curl_multi * multi, curltime now, Curl_easy * data) Line 1421	C
> libcurl.dll!curl_multi_perform(Curl_multi * multi, int * running_handles) Line 2165	C
> WebKit.dll!WebCore::CurlRequestScheduler::workerThread() Line 169	C++
> [Inline Frame] WebKit.dll!WebCore::CurlRequestScheduler::startThreadIfNeeded::__l5::<lambda_759a9b0dbc5d1b4468a3b240cce0f503>::operator()() Line 88	C++
> WebKit.dll!WTF::Function<void __cdecl(void)>::CallableWrapper<<lambda_759a9b0dbc5d1b4468a3b240cce0f503> >::call() Line 101	C++
> [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 56	C++
> WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 136	C++
> WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 156	C++
> [External Code]

Comment 14 Fujii Hironori 2018-08-01 21:19:46 PDT

Fixed in the latest WinCairoRequirements.
https://github.com/WebKitForWindows/WinCairoRequirements/releases/tag/v2018.08.01