You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The server should be able to process a GO_AWAY frame from the client without throwing an IllegalReferenceCountException.
Actual behavior
I get an IllegalReferenceCountException, as described below.
Steps to reproduce
Here's what happens when the client (which in my case is nghttp) sends a GOAWAY frame, along with the refCnt of the ByteBuf instance at each step:
The ByteBuf comes in here containing a seventeen byte GO_AWAY frame; it is assigned to the cumulator field, which is initially null (as we are not currently in the middle of processing a frame). refCnt: 1.
The FrameListenercreates an intermediate DefaultHttp2GoAwayFrame object and retains it. refCnt: 2.
The Http2MultiplexCodeccallsonHttp2GoAwayFrame, which broadcasts the frame to all its child streams, followed by fireChannelRead to propagate the GO_AWAY through the rest of the parent channel.
The onHttp2GoAwayFrame method calls release on the supplied frame. refCnt: 1.
The fireChannelRead call will typically end up in the TailContext, which will release the object again in the onUnhandledInboundMessage method. refCnt: 0.
Finally, the ByteToMessageDecoder tries to call release on the cumulator field here, whose refCnt is already zero.
Minimal yet complete reproducer code (or URL to code)
I can attempt to write a repro case if desired. I hope that the above play-by-play will make the bug clear. My guess is that the onHttp2GoAwayFrame method should not be releasing the frame; @normanmaurer mentioned in another context that "all on* methods of this class will 'NOT' take ownership of the buffer."
Netty version
4.1.24
JVM version (e.g. java -version)
1.8.0_161
OS version (e.g. uname -a)
Darwin f40f243a5fab.ant.amazon.com 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64
The text was updated successfully, but these errors were encountered:
… a DefaultHttp2GoAwayFrame with a non empty ByteBuffer is received.
Motivation:
We incorrectly called frame.release() in onHttp2GoAwayFrame which could lead to IllegalReferenceCountExceptions.
Modifications:
- Not call frame.release
- Add a unit test
Result:
Fxies #7892.
… a DefaultHttp2GoAwayFrame with a non empty ByteBuffer is received.
Motivation:
We incorrectly called frame.release() in onHttp2GoAwayFrame which could lead to IllegalReferenceCountExceptions. The call of release() is inappropriate because the fireChannelRead() in onHttp2Frame() will handle it.
Modifications:
- Not call frame.release()
- Add a unit test
Result:
Fxies #7892.
… a DefaultHttp2GoAwayFrame with a non empty ByteBuffer is received. (#7894)
Motivation:
We incorrectly called frame.release() in onHttp2GoAwayFrame which could lead to IllegalReferenceCountExceptions. The call of release() is inappropriate because the fireChannelRead() in onHttp2Frame() will handle it.
Modifications:
- Not call frame.release()
- Add a unit test
Result:
Fxies #7892.
Expected behavior
The server should be able to process a
GO_AWAY
frame from the client without throwing anIllegalReferenceCountException
.Actual behavior
I get an
IllegalReferenceCountException
, as described below.Steps to reproduce
Here's what happens when the client (which in my case is nghttp) sends a
GOAWAY
frame, along with therefCnt
of theByteBuf
instance at each step:ByteBuf
comes in here containing a seventeen byteGO_AWAY
frame; it is assigned to thecumulator
field, which is initially null (as we are not currently in the middle of processing a frame).refCnt
: 1.FrameListener
creates an intermediateDefaultHttp2GoAwayFrame
object andretain
s it.refCnt
: 2.Http2MultiplexCodec
callsonHttp2GoAwayFrame
, which broadcasts the frame to all its child streams, followed byfireChannelRead
to propagate theGO_AWAY
through the rest of the parent channel.onHttp2GoAwayFrame
method callsrelease
on the supplied frame.refCnt
: 1.fireChannelRead
call will typically end up in theTailContext
, which willrelease
the object again in theonUnhandledInboundMessage
method.refCnt
: 0.ByteToMessageDecoder
tries to callrelease
on thecumulator
field here, whoserefCnt
is already zero.Minimal yet complete reproducer code (or URL to code)
I can attempt to write a repro case if desired. I hope that the above play-by-play will make the bug clear. My guess is that the
onHttp2GoAwayFrame
method should not be releasing the frame; @normanmaurer mentioned in another context that "allon*
methods of this class will 'NOT' take ownership of the buffer."Netty version
4.1.24
JVM version (e.g.
java -version
)1.8.0_161
OS version (e.g.
uname -a
)Darwin f40f243a5fab.ant.amazon.com 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64
The text was updated successfully, but these errors were encountered: