Attachment curl_server_push_test.zip is code modified from https://curl.haxx.se/libcurl/c/http2-serverpush.html.
The difference is that, it will remove easy handle before transfer is finished, instead of waiting for "CURLMSG_DONE".
In this case, it cause crash within curl_multi_remove_handle().
Here are part of the trace infromation from valgrind:
==23947== Process terminating with default action of signal 11 (SIGSEGV)
==23947== Access not within mapped region at address 0xC
==23947== at 0x40922B4: http2_disconnect (http2.c:137)
==23947== by 0x405A1D6: Curl_disconnect (url.c:3024)
==23947== by 0x40741FE: multi_done (multi.c:626)
==23947== by 0x407440B: curl_multi_remove_handle (multi.c:727)
==23947== by 0x804930D: main (curl_server_push_test.c:332)
==23947== If you believe this happened as a result of a stack
==23947== overflow in your program's main thread (unlikely but
==23947== possible), you can try to increase the size of the
==23947== main thread stack using the --main-stacksize= flag.
==23947== The main thread stack size used in this run was 16777216.
Here is the quick patch, works fine for me:
--- a/lib/http2.c 2016-12-19 15:27:56.000000000 +0800
+++ b/lib/http2.c 2017-02-07 10:11:20.882128999 +0800
@@ -415,6 +415,7 @@ static int push_promise(struct Curl_easy
stream->push_headers = NULL;
+ stream->push_headers_used = 0;
/* denied, kill off the new handle again */
http2: reset push header counter fixes crash
When removing an easy handler from a multi before it completed its
transfer, and it had pushed streams, it would segfault due to the pushed
counted not being cleared.
Thanks! The fix is perfectly sensible.