Haproxy crashing on OpenBSD #2558

Closed
wizard-it opened this issue May 2, 2024 · 18 comments
Labels
status: needs-triage This issue needs to be triaged. type: bug This issue describes a bug.

Comments

@wizard-it

wizard-it commented May 2, 2024

Detailed Description of the Problem

I have installed haproxy on OpenBSD. The service starts normally, but after one hour I always get a segfault.

uname -a

OpenBSD 7.5 GENERIC.MP#82 amd64

I also tried to build the 2.7 version; there was the same problem.

Expected Behavior

_

Steps to Reproduce the Behavior

  1. Install on OpenBSD
  2. Run and wait

Do you have any idea what may have caused this?

I think it is connected to an SSL or crypto function; the same version on FreeBSD with the same config and the same VM does not have this problem.

Do you have an idea how to solve the issue?

_

What is your configuration?

global
    maxconn     4096
#    log         127.0.0.1 local0
#    log         /dev/log local0
#    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
#    user        haproxy
#    group       haproxy
    daemon


    ssl-default-bind-options no-tlsv11 no-tlsv10 no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-tlsv11 no-tlsv10 no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout queue           60s
    timeout connect         5s
    timeout client          15s
    timeout server          60s
    timeout http-request    10s
    timeout http-keep-alive 55s
    timeout check           10s
    maxconn                 4096

#listen stats
#  no log
#  bind :9000
#  stats enable
#  stats refresh 30s
#  stats show-node
#  stats hide-version
#  stats uri /stats

frontend HTTP
  option forwardfor
  mode http
  bind :80
  default_backend DEFAULT-EXCHANGE

frontend HTTPS
  option forwardfor
  mode http
  bind :443 ssl crt /usr/local/ssl/certs/letsencrypt.pem

  default_backend DEFAULT-EXCHANGE

frontend EXCHANGE-SMTP
  mode tcp
  bind :25 name smtp
  option tcplog
  default_backend EXCHANGE-SMTP

frontend EXCHANGE-SMTP-RESERVE
  mode tcp
  bind :8025 name smtp
  option tcplog
  default_backend EXCHANGE-SMTP-RESERVE

frontend EXCHANGE-CLIENT
  mode tcp
  bind :587 name smtp
  option tcplog
  default_backend EXCHANGE-CLIENT

Output of haproxy -vv

HAProxy version 2.8.6-f6bd011 2024/02/15 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.6.html
Running on: OpenBSD 7.5 GENERIC.MP#82 amd64
Build options :
  TARGET  = openbsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wnull-dereference -fwrapv -Wno-unknown-warning-option -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_LIBATOMIC= USE_QUIC=1 USE_PCRE2=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM -CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 -PCRE2_JIT -PCRE_JIT +POLL -PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT -RT -SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=1).
Built with OpenSSL version : LibreSSL 3.9.0
Running on OpenSSL version : LibreSSL 3.9.0
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with zlib version : 1.3.1.1-motley
Running on zlib version : 1.3.1.1-motley
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: SO_BINDANY
Built with PCRE2 version : 10.37 2021-05-26
PCRE2 library supports JIT : no (USE_PCRE2_JIT not set)
Encrypted password support via crypt(3): yes
Built with clang compiler version 16.0.6

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

Last Outputs and Backtraces

Core was generated by `haproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  contract (lh=0x8f40a5503c0) at /usr/src/lib/libcrypto/lhash/lhash.c:394
394     /usr/src/lib/libcrypto/lhash/lhash.c: No such file or directory.
(gdb) t a a bt full

Thread 1 (process 393337):
#0  contract (lh=0x8f40a5503c0) at /usr/src/lib/libcrypto/lhash/lhash.c:394
        np = 0x0
        n = <optimized out>
        n1 = 0xdfdfdfdfdfdfdfdf
#1  0x000008f3dd30c469 in SSL_CTX_flush_sessions (s=<optimized out>, t=<optimized out>) at /usr/src/lib/libssl/ssl_sess.c:1171
        tp = {ctx = 0x8f3bb126500, time = 1714906939, cache = 0x8f40a5503c0}
#2  0x000008f3dd2f5a62 in ssl3_connect (s=0x8f4123c1500) at /usr/src/lib/libssl/ssl_clnt.c:595
        skip = <error reading variable skip (Cannot access memory at address 0x0)>
        ret = <optimized out>
        state = 3
        new_state = <optimized out>
#3  0x000008f1539160f5 in ssl_sock_handshake (conn=0x8f3dc9cf000, flag=<error reading variable: Cannot access memory at address 0x8000000>) at src/ssl_sock.c:5994
        ctx = 0x8f35c22b780
        counters = 0x8f3bb130420
        counters_px = 0x8f40a550900
        li = <optimized out>
        srv = <optimized out>
        skerr = <optimized out>
        lskerr = 4
        ret = <optimized out>
        read_data = <optimized out>
        area = <optimized out>
        __ptr = <optimized out>
        c = <optimized out>
        s = <optimized out>
        __lk_r = <optimized out>
        __set_r = <optimized out>
        __msk_r = <optimized out>
        __pl_l = <optimized out>
        ret = <optimized out>
        __x = <optimized out>
#4  ssl_sock_io_cb (t=0x8f3ddbee6c0, context=<optimized out>, state=<optimized out>) at src/ssl_sock.c:6329
        _ = {func = 0x8f1538911a1 "ssl_sock_io_cb", file = 0x8f15389d247 "src/ssl_sock.c", line = 6346, what = 3 '\003', arg8 = 0 '\000', arg32 = 0}
        _ = {func = 0x8f1538911a1 "ssl_sock_io_cb", file = 0x8f15389d247 "src/ssl_sock.c", line = 6369, what = 3 '\003', arg8 = 0 '\000', arg32 = 0}
        ret = <error reading variable ret (Cannot access memory at address 0x0)>
        conn = 0x8f3dc9cf000
        conn_in_list = 0
        tl = <optimized out>
        ctx = <optimized out>
#5  0x000008f153ad4fe2 in run_tasks_from_lists (budgets=0x730d3ccff9c0) at src/task.c:596
        _ = {func = 0x8f1538b9488 "run_tasks_from_lists", file = 0x8f1538c4807 "src/task.c", line = 658, what = 5 '\005', arg8 = 0 '\000', arg32 = 0}
        tl_queues = 0x8f153d9d090 <ha_thread_ctx+144>
        budget_mask = 15 '\017'
--Type <RET> for more, q to quit, c to continue without paging--c
        profile_entry = 0x0
        done = 3
        queue = 3
        t = 0x8f3ddbee6c0
        process = <optimized out>
        ctx = 0x8f35c22b780
        state = 3755991007
#6  0x000008f153ad5a19 in process_runnable_tasks () at src/task.c:876
        max = {273, 0, 0, 0}
        tt = 0x8f153d9d000 <ha_thread_ctx>
        default_weights = <error reading variable default_weights (Cannot access memory at address 0x40)>
        heavy_queued = <error reading variable heavy_queued (Cannot access memory at address 0x1)>
        max_processed = 280
        max_total = <optimized out>
        queue = <error reading variable queue (Cannot access memory at address 0x4)>
        budget = 0
        grq = <optimized out>
        lrq = <optimized out>
        gpicked = <optimized out>
        lpicked = <optimized out>
        t = <optimized out>
        tmp_list = <optimized out>
#7  0x000008f153a98b74 in run_poll_loop () at src/haproxy.c:2970
        _ = {func = 0x8f15389c939 "run_poll_loop", file = 0x8f1538b8c53 "src/haproxy.c", line = 3001, what = 1 '\001', arg8 = 0 '\000', arg32 = 0}
        wake = <optimized out>
        next = <optimized out>
#8  0x000008f153a9d111 in run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:3169
        init_left = 0
        init_mutex = 0x8f3ddc23fc0
        init_cond = 0x0
        warn_fail = 0
        ptaf = <optimized out>
        ptif = <optimized out>
        ptdf = <optimized out>
        ptff = <optimized out>
#9  0x000008f153a9c3d0 in main (argc=<optimized out>, argv=0x730d3ccffe58) at src/haproxy.c:3859
        limit = {rlim_cur = 8241, rlim_max = 8241}
        pidfd = <optimized out>
        retry = <optimized out>
        err = <optimized out>
        intovf = <optimized out>

Additional Information

Also, the server uses a CARP interface, without a firewall.

Trace for the app when the server is without load (usually I see this segfault):

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd7.5"...
Core was generated by `haproxy'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libpthread.so.27.1...done.
Loaded symbols for /usr/lib/libpthread.so.27.1
Loaded symbols for /usr/local/sbin/haproxy
Reading symbols from /usr/lib/libssl.so.56.0...done.
Loaded symbols for /usr/lib/libssl.so.56.0
Reading symbols from /usr/lib/libcrypto.so.53.0...done.
Loaded symbols for /usr/lib/libcrypto.so.53.0
Reading symbols from /usr/lib/libz.so.7.0...done.
Loaded symbols for /usr/lib/libz.so.7.0
Reading symbols from /usr/local/lib/libpcre2-8.so.0.6...done.
Loaded symbols for /usr/local/lib/libpcre2-8.so.0.6
Reading symbols from /usr/local/lib/libpcre2-posix.so.1.0...done.
Loaded symbols for /usr/local/lib/libpcre2-posix.so.1.0
Symbols already loaded for /usr/lib/libpthread.so.27.1
Reading symbols from /usr/lib/libc.so.99.0...done.
Loaded symbols for /usr/lib/libc.so.99.0
Reading symbols from /usr/libexec/ld.so...Error while reading shared library symbols:
Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in module /usr/libexec/ld.so]
#0  contract (lh=0x8a8df7d3240) at /usr/src/lib/libcrypto/lhash/lhash.c:394
394     /usr/src/lib/libcrypto/lhash/lhash.c: No such file or directory.
        in /usr/src/lib/libcrypto/lhash/lhash.c
(gdb) bt full
#0  contract (lh=0x8a8df7d3240) at /usr/src/lib/libcrypto/lhash/lhash.c:394
        np = (LHASH_NODE *) 0x0
        n = Variable "n" is not available.
@danieljakots
Contributor

Hey,

I discussed this with a libressl developer, they said:

> #0 0x000005406d738313 in BN_mod_exp_simple (r=0x8, a=0xfffffffffffffff0, p=0xffffffffffffffff, m=0xdfdfdfdfdfdfdfdf, ctx=0x10) at /usr/src/lib/libcrypto/bn/bn_exp.c:182
> this makes no sense. this function is not public and unused internally.
>
> tell them to get a backtrace with egdb and not to reboot the system before doing so.
> the other thing would be for them to figure out the minimal config that triggers this.

@chipitsine
Member

chipitsine commented May 3, 2024

Alternatively, it might be easier to examine the core dump on Linux, if that's an option.

I'd suggest something like this:

LIBRESSL_VERSION=3.9.1 scripts/build-ssl.sh
make CC=gcc V=1 TARGET=linux-glibc USE_OPENSSL=1 USE_QUIC=1 USE_ZLIB=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_LUA=1 USE_SYSTEMD=1 ADDLIB="-Wl,-rpath,${HOME}/opt/lib" SSL_LIB=${HOME}/opt/lib SSL_INC=${HOME}/opt/include

That should install LibreSSL to ~/opt and link haproxy against it using rpath.

@wizard-it
Author

wizard-it commented May 3, 2024

> Hey,
>
> I discussed this with a libressl developer, they said
>
> #0 0x000005406d738313 in BN_mod_exp_simple (r=0x8, a=0xfffffffffffffff0, p=0xffffffffffffffff, m=0xdfdfdfdfdfdfdfdf, ctx=0x10) at /usr/src/lib/libcrypto/bn/bn_exp.c:182
> this makes no sense. this function is not public and unused internally.
>
> tell them to get a backtrace with egdb and not to reboot the system before doing so.
> the other thing would be for them to figure out the minimal config that triggers this.

I can confirm, the first dump took place one time. I waited for a few dumps in a row, and mostly it returns the second one (/usr/src/lib/libcrypto/lhash/lhash.c:394). The first dump looks like a fake. If additional info from the problem host is needed, please let me know.

@botovq

botovq commented May 4, 2024

Please pkg_add gdb and get a backtrace using egdb haproxy rather than gdb. Also, is there really only one frame, i.e., only #0, no #1, etc in the backtrace output?

@chipitsine
Member

chipitsine commented May 4, 2024

@wizard-it, can you please provide the full config? Are there any activities, i.e. queries to haproxy? I tried your config; haproxy runs without any queries, and it never crashed by itself.

@wizard-it
Author

wizard-it commented May 5, 2024

egdb:

Core was generated by `haproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  contract (lh=0x8f40a5503c0) at /usr/src/lib/libcrypto/lhash/lhash.c:394
394     /usr/src/lib/libcrypto/lhash/lhash.c: No such file or directory.
(gdb) t a a bt full

Thread 1 (process 393337):
#0  contract (lh=0x8f40a5503c0) at /usr/src/lib/libcrypto/lhash/lhash.c:394
        np = 0x0
        n = <optimized out>
        n1 = 0xdfdfdfdfdfdfdfdf
#1  0x000008f3dd30c469 in SSL_CTX_flush_sessions (s=<optimized out>, t=<optimized out>) at /usr/src/lib/libssl/ssl_sess.c:1171
        tp = {ctx = 0x8f3bb126500, time = 1714906939, cache = 0x8f40a5503c0}
#2  0x000008f3dd2f5a62 in ssl3_connect (s=0x8f4123c1500) at /usr/src/lib/libssl/ssl_clnt.c:595
        skip = <error reading variable skip (Cannot access memory at address 0x0)>
        ret = <optimized out>
        state = 3
        new_state = <optimized out>
#3  0x000008f1539160f5 in ssl_sock_handshake (conn=0x8f3dc9cf000, flag=<error reading variable: Cannot access memory at address 0x8000000>) at src/ssl_sock.c:5994
        ctx = 0x8f35c22b780
        counters = 0x8f3bb130420
        counters_px = 0x8f40a550900
        li = <optimized out>
        srv = <optimized out>
        skerr = <optimized out>
        lskerr = 4
        ret = <optimized out>
        read_data = <optimized out>
        area = <optimized out>
        __ptr = <optimized out>
        c = <optimized out>
        s = <optimized out>
        __lk_r = <optimized out>
        __set_r = <optimized out>
        __msk_r = <optimized out>
        __pl_l = <optimized out>
        ret = <optimized out>
        __x = <optimized out>
#4  ssl_sock_io_cb (t=0x8f3ddbee6c0, context=<optimized out>, state=<optimized out>) at src/ssl_sock.c:6329
        _ = {func = 0x8f1538911a1 "ssl_sock_io_cb", file = 0x8f15389d247 "src/ssl_sock.c", line = 6346, what = 3 '\003', arg8 = 0 '\000', arg32 = 0}
        _ = {func = 0x8f1538911a1 "ssl_sock_io_cb", file = 0x8f15389d247 "src/ssl_sock.c", line = 6369, what = 3 '\003', arg8 = 0 '\000', arg32 = 0}
        ret = <error reading variable ret (Cannot access memory at address 0x0)>
        conn = 0x8f3dc9cf000
        conn_in_list = 0
        tl = <optimized out>
        ctx = <optimized out>
#5  0x000008f153ad4fe2 in run_tasks_from_lists (budgets=0x730d3ccff9c0) at src/task.c:596
        _ = {func = 0x8f1538b9488 "run_tasks_from_lists", file = 0x8f1538c4807 "src/task.c", line = 658, what = 5 '\005', arg8 = 0 '\000', arg32 = 0}
        tl_queues = 0x8f153d9d090 <ha_thread_ctx+144>
        budget_mask = 15 '\017'
--Type <RET> for more, q to quit, c to continue without paging--c
        profile_entry = 0x0
        done = 3
        queue = 3
        t = 0x8f3ddbee6c0
        process = <optimized out>
        ctx = 0x8f35c22b780
        state = 3755991007
#6  0x000008f153ad5a19 in process_runnable_tasks () at src/task.c:876
        max = {273, 0, 0, 0}
        tt = 0x8f153d9d000 <ha_thread_ctx>
        default_weights = <error reading variable default_weights (Cannot access memory at address 0x40)>
        heavy_queued = <error reading variable heavy_queued (Cannot access memory at address 0x1)>
        max_processed = 280
        max_total = <optimized out>
        queue = <error reading variable queue (Cannot access memory at address 0x4)>
        budget = 0
        grq = <optimized out>
        lrq = <optimized out>
        gpicked = <optimized out>
        lpicked = <optimized out>
        t = <optimized out>
        tmp_list = <optimized out>
#7  0x000008f153a98b74 in run_poll_loop () at src/haproxy.c:2970
        _ = {func = 0x8f15389c939 "run_poll_loop", file = 0x8f1538b8c53 "src/haproxy.c", line = 3001, what = 1 '\001', arg8 = 0 '\000', arg32 = 0}
        wake = <optimized out>
        next = <optimized out>
#8  0x000008f153a9d111 in run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:3169
        init_left = 0
        init_mutex = 0x8f3ddc23fc0
        init_cond = 0x0
        warn_fail = 0
        ptaf = <optimized out>
        ptif = <optimized out>
        ptdf = <optimized out>
        ptff = <optimized out>
#9  0x000008f153a9c3d0 in main (argc=<optimized out>, argv=0x730d3ccffe58) at src/haproxy.c:3859
        limit = {rlim_cur = 8241, rlim_max = 8241}
        pidfd = <optimized out>
        retry = <optimized out>
        err = <optimized out>
        intovf = <optimized out>

@botovq

botovq commented May 5, 2024 via email

@wizard-it
Author

wizard-it commented May 5, 2024

@chipitsine,
yep, I send the full config by mail.
About activities, should I provide the last log of haproxy? I disabled it because I did not find any keys in the log and the log grows too fast. The main load for haproxy is HTTPS from Outlook internal clients and external sources, and SMTP traffic.
The certificate for the 443 frontend is Let's Encrypt; again, it works on Gentoo and FreeBSD. But I can provide it if needed.

Also, the host is a Hyper-V VM (gen1; I can't run the OpenBSD install process on a gen2 system). All my test VMs for Linux and FreeBSD are gen2 VMs on the same Hyper-V... Maybe it is useful.

@chipitsine
Member

>   default_backend DEFAULT-EXCHANGE
>
> frontend EXCHANGE-SMTP
>   mode tcp
>   bind :25 name smtp
>   option tcplog
>   default_backend EXCHANGE-SMTP
>
> frontend EXCHANGE-SMTP-RESERVE
>   mode tcp
>   bind :8025 name smtp
>   option tcplog
>   default_backend EXCHANGE-SMTP-RESERVE
>
> frontend EXCHANGE-CLIENT
>   mode tcp
>   bind :587 name smtp
>   option tcplog
>   default_backend EXCHANGE-CLIENT

The config does not have backend definitions: DEFAULT-EXCHANGE, EXCHANGE-SMTP, EXCHANGE-SMTP-RESERVE, EXCHANGE-CLIENT.

No need to provide the certificate; I can issue my own.

Never mind, the "egdb" backtrace looks useful; hopefully it will help.

@wizard-it
Author

@chipitsine, I send the full config (without changes) by mail, for some security reason.

@wizard-it
Author

Also, I did some experiments with the cfg. I cut these options entirely: ssl-default-bind-options, ssl-default-bind-ciphers, ssl-default-server-options, ssl-default-server-ciphers, tune.ssl.default-dh-param, but it did not change anything; it is still segfaulting.
Anyway, big thanks to all for helping me.

@chipitsine
Member

I understand the reasons for running OpenBSD; I used it for CARP, which is lovely.

While the issue is being investigated by LibreSSL developers, I can suggest trying OpenBSD + OpenSSL + haproxy, which most probably will resolve your current situation.

You can install OpenSSL to some special folder, not mixing it with the system SSL library.
A full investigation and fix (thanks to the bt provided) will take maybe a few days.

@wizard-it
Author

wizard-it commented May 5, 2024

> I understand the reasons for running OpenBSD; I used it for CARP, which is lovely.
>
> While the issue is being investigated by LibreSSL developers, I can suggest trying OpenBSD + OpenSSL + haproxy, which most probably will resolve your current situation.
>
> You can install OpenSSL to some special folder, not mixing it with the system SSL library. A full investigation and fix (thanks to the bt provided) will take maybe a few days.

Roger that

@botovq

botovq commented May 5, 2024

Could you perhaps try this diff?

Index: lhash/lhash.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/lhash/lhash.c,v
diff -u -p -r1.22 lhash.c
--- lhash/lhash.c	2 Mar 2024 11:11:11 -0000	1.22
+++ lhash/lhash.c	5 May 2024 15:10:17 -0000
@@ -294,7 +294,9 @@ doall_util_fn(_LHASH *lh, int use_arg, L
 
 	/* Restore down load factor and trigger contraction. */
 	lh->down_load = down_load;
-	contract(lh);
+	if ((lh->num_nodes > MIN_NODES) &&
+	    (lh->down_load >= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)))
+		contract(lh);
 }
 
 void
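
Review bot: the comment directly above the guarded call in doall_util_fn() still reads "Restore down load factor and trigger contraction", but with the new test contract(lh) only runs when num_nodes > MIN_NODES and the current load is at or below down_load, so the comment should be updated to say the contraction is conditional and why. The backtrace in this thread shows contract() faulting with np = 0x0 when reached from SSL_CTX_flush_sessions, which is the kind of context a one-line note here would preserve. The division by lh->num_nodes relies on the num_nodes > MIN_NODES test short-circuiting first (assuming MIN_NODES is non-negative), so the order of the two conjuncts should not be swapped later; consider a small helper for the condition to keep that in one place. It is also worth confirming that a single conditional contract() is sufficient after a pass that removed many items, or whether the call should repeat while the condition holds.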

@wizard-it wizard-it changed the title Haproxy crashing every hour Haproxy crashing on OpenBSD May 6, 2024
@botovq

botovq commented May 11, 2024 via email

@wizard-it
Author

Ok, I'll check it on my node in a few days.

@wizard-it
Author

So, I have updated the system and reinstalled haproxy (+LibreSSL) on the master node. There have been no crashes under load in the last five hours.

HAProxy version 2.8.6-f6bd011 2024/02/15 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.6.html
Running on: OpenBSD 7.5 GENERIC.MP#82 amd64
Build options :
  TARGET  = openbsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wnull-dereference -fwrapv -Wno-unknown-warning-option -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_LIBATOMIC= USE_QUIC=1 USE_PCRE2=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM -CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 -PCRE2_JIT -PCRE_JIT +POLL -PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT -RT -SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=1).
Built with OpenSSL version : LibreSSL 3.9.0
Running on OpenSSL version : LibreSSL 3.9.0
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with zlib version : 1.3.1.1-motley
Running on zlib version : 1.3.1.1-motley
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: SO_BINDANY
Built with PCRE2 version : 10.37 2021-05-26
PCRE2 library supports JIT : no (USE_PCRE2_JIT not set)
Encrypted password support via crypt(3): yes
Built with clang compiler version 16.0.6

I think it's solved.

Thanks to all for the quick response!

@botovq

botovq commented May 14, 2024 via email
