facebook/proxygen

Segfault in HQ server

krainesilluscio opened this issue · 2 comments

OS: macOS-Sonoma 14.3.1
Proxygen install: Homebrew
Proxygen version: 2024.04.01.00

We have created a standalone project that integrates the HQ sample. We are linking to a brew install of proxygen / mvfst using cmake. All parts of the HQ sample are building without issue. We are able to launch our HQ sample server and wait for clients. If we then connect a client (using the HQ sample in the brew install), the connection will throw a segfault on the server. The segfault is occurring in HQServer.cpp-QuicAcceptCB::onTransportReady() when we call session->setEgressSettings().

Standard output:

k.raines@MacBook-Pro server % ./server --mode=server --port=6666  --protocol h3 --path /
I20240403 14:30:58.867255 254504 HQServer.cpp:286] HQ server started at: [::1]:6666
zsh: segmentation fault  ./server --mode=server --port=6666 --protocol h3 --path /
k.raines@MacBook-Pro server %

Address sanitized output:

k.raines@MacBook-Pro server % ./server --mode=server --port=6666  --protocol h3 --path /
I20240403 14:45:20.877167 260383 HQServer.cpp:286] HQ server started at: [::1]:6666
AddressSanitizer:DEADLYSIGNAL
=================================================================
==26609==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001042608fc bp 0x00016df15310 sp 0x00016df152f0 T25)
==26609==The signal is caused by a READ memory access.
==26609==Hint: address points to the zero page.
    #0 0x1042608fc in proxygen::HTTPSettings::setSetting(proxygen::SettingsId, unsigned long long)+0x2c (libproxygen.dylib:arm64+0x408fc)
    #1 0x1042ea1ac in proxygen::HQSession::setEgressSettings(std::__1::vector<proxygen::HTTPSetting, std::__1::allocator<proxygen::HTTPSetting>> const&)+0x40 (libproxygen.dylib:arm64+0xca1ac)
    #2 0x102f39130 in (anonymous namespace)::QuicAcceptCB::onTransportReady() HQServer.cpp:147
    #3 0x10307eee4 in quic::QuicServerTransport::maybeNotifyTransportReady()+0x9c (server:arm64+0x1003eeee4)
    #4 0x10307e140 in quic::QuicServerTransport::onReadData(folly::SocketAddress const&, quic::ReceivedUdpPacket&&)+0x204 (server:arm64+0x1003ee140)
    #5 0x103031728 in quic::QuicTransportBase::onNetworkData(folly::SocketAddress const&, quic::NetworkData&&)+0x2a4 (server:arm64+0x1003a1728)
    #6 0x10308b338 in quic::QuicServerWorker::dispatchPacketData(folly::SocketAddress const&, quic::RoutingData&&, quic::NetworkData&&, folly::Optional<quic::QuicVersion>, bool)::$_3::operator()(quic::QuicServerTransport*) const+0x44 (server:arm64+0x1003fb338)
    #7 0x10308b0c8 in quic::QuicServerWorker::dispatchPacketData(folly::SocketAddress const&, quic::RoutingData&&, quic::NetworkData&&, folly::Optional<quic::QuicVersion>, bool)+0xdf0 (server:arm64+0x1003fb0c8)
    #8 0x103072110 in quic::QuicServer::routeDataToWorker(folly::SocketAddress const&, quic::RoutingData&&, quic::NetworkData&&, folly::Optional<quic::QuicVersion>, folly::EventBase*, bool)+0x354 (server:arm64+0x1003e2110)
    #9 0x103088b24 in quic::QuicServerWorker::forwardNetworkData(folly::SocketAddress const&, quic::RoutingData&&, quic::NetworkData&&, folly::Optional<quic::QuicVersion>, bool)+0xa4 (server:arm64+0x1003f8b24)
    #10 0x103088818 in quic::QuicServerWorker::handleNetworkData(folly::SocketAddress const&, std::__1::unique_ptr<folly::IOBuf, std::__1::default_delete<folly::IOBuf>>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l>>> const&, bool)+0x5b4 (server:arm64+0x1003f8818)
    #11 0x1030881ac in quic::QuicServerWorker::onDataAvailable(folly::SocketAddress const&, unsigned long, bool, folly::AsyncUDPSocket::ReadCallback::OnDataAvailableParams)+0x2c4 (server:arm64+0x1003f81ac)
    #12 0x104daf170 in folly::AsyncUDPSocket::handleRead()+0x188 (libfolly.0.58.0-dev.dylib:arm64+0x123170)
    #13 0x104dbbd00 in folly::EventHandler::libeventCallback(int, short, void*)+0x74 (libfolly.0.58.0-dev.dylib:arm64+0x12fd00)
    #14 0x1041b268c in event_process_active_single_queue+0x3b0 (libevent-2.1.7.dylib:arm64+0x1268c)
    #15 0x1041af55c in event_base_loop+0x3bc (libevent-2.1.7.dylib:arm64+0xf55c)
    #16 0x104db39a4 in folly::EventBase::loopMain(int, folly::EventBase::LoopOptions)+0x128 (libfolly.0.58.0-dev.dylib:arm64+0x1279a4)
    #17 0x104db362c in folly::EventBase::loopBody(int, folly::EventBase::LoopOptions)+0x38 (libfolly.0.58.0-dev.dylib:arm64+0x12762c)
    #18 0x104db35bc in folly::EventBase::loop()+0x54 (libfolly.0.58.0-dev.dylib:arm64+0x1275bc)
    #19 0x104db4770 in folly::EventBase::loopForever()+0x24 (libfolly.0.58.0-dev.dylib:arm64+0x128770)
    #20 0x104dc8a90 in folly::run(folly::EventBaseManager*, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*> const&)+0x54 (libfolly.0.58.0-dev.dylib:arm64+0x13ca90)
    #21 0x104dc8ecc in void* std::__1::__thread_proxy[abi:ue170006]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void (*)(folly::EventBaseManager*, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*> const&), folly::EventBaseManager*, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*>>>(void*)+0x38 (libfolly.0.58.0-dev.dylib:arm64+0x13cecc)
    #22 0x182a1e030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x7030)
    #23 0x182a18e38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1e38)

==26609==Register values:
 x[0] = 0x000000010cb03cd8   x[1] = 0x0000000000000008   x[2] = 0x0000000000000001   x[3] = 0x000000010a336490
 x[4] = 0x000000010a3364c0   x[5] = 0x0000000000000001   x[6] = 0x000000016de94000   x[7] = 0x0000000000000001
 x[8] = 0x0000000000000000   x[9] = 0x000000010a336510  x[10] = 0x0000000000000000  x[11] = 0x000000702dc02b0e
x[12] = 0x000000702dc029e0  x[13] = 0x000000016df147c0  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000
x[16] = 0x0000000000000000  x[17] = 0x0000000000000000  x[18] = 0x0000000000000000  x[19] = 0x000000010cb03cd8
x[20] = 0x0000000000000001  x[21] = 0x0000000000000008  x[22] = 0x000000010a3364c0  x[23] = 0x000000016df15db8
x[24] = 0x0000000107f2e6d8  x[25] = 0xffffffffffffffff  x[26] = 0x0000000000000001  x[27] = 0x0000000000000001
x[28] = 0x00000001041d4448     fp = 0x000000016df15310     lr = 0x00000001042ea1b0     sp = 0x000000016df152f0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libproxygen.dylib:arm64+0x408fc) in proxygen::HTTPSettings::setSetting(proxygen::SettingsId, unsigned long long)+0x2c
Thread T25 created by T0 here:
    #0 0x105a47b70 in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4bb70)
    #1 0x104dc8e24 in std::__1::thread::thread<void (&)(folly::EventBaseManager*, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*> const&), folly::EventBaseManager*&, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*>&, void>(void (&)(folly::EventBaseManager*, folly::EventBase*, folly::Baton<true, std::__1::atomic>*, folly::Range<char const*> const&), folly::EventBaseManager*&, folly::EventBase*&&, folly::Baton<true, std::__1::atomic>*&&, folly::Range<char const*>&)+0x84 (libfolly.0.58.0-dev.dylib:arm64+0x13ce24)
    #2 0x104dc8988 in folly::ScopedEventBaseThread::ScopedEventBaseThread(folly::EventBase::Options, folly::EventBaseManager*, folly::Range<char const*>)+0xec (libfolly.0.58.0-dev.dylib:arm64+0x13c988)
    #3 0x10306fe20 in quic::QuicServer::start(folly::SocketAddress const&, unsigned long)+0x174 (server:arm64+0x1003dfe20)
    #4 0x102f2af58 in quic::samples::HQServer::start() HQServer.cpp:280
    #5 0x102f4c1cc in quic::samples::startServer(quic::samples::HQToolServerParams const&, std::__1::unique_ptr<quic::QuicTransportStatsCallbackFactory, std::__1::default_delete<quic::QuicTransportStatsCallbackFactory>>&&) HQServerModule.cpp:60
    #6 0x102c9b21c in main main.cpp:61
    #7 0x18269d0dc  (<unknown module>)

==26609==ABORTING
zsh: abort      ./server --mode=server --port=6666 --protocol h3 --path /
k.raines@MacBook-Pro server %

Any help addressing this issue would be appreciated,
Thank you

I tried just now on Linux and it works fine for me. Can you add -v 4 to the server to get a debug trace and paste it here?