8263031: HttpClient throws Exception if it receives a Push Promise that is too large

[c-cleary]

Problem
When a Continuation Frame is received by the httpclient using HTTP/2 after a Push Promise frame (can happen if the amount of headers to be sent in a single Push Promise frame exceeds the maximum frame size, so a Continuation frame is required), the following exception occurs:

java.io.IOException: no statuscode in response
at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:565)
at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:119)
...

This exception occurs because there is no existing flow in jdk/internal/net/http/Http2Connection.java which accounts for the case where a PushPromiseFrame is received with the END_HEADERS flag set to 0x0. When this occurs, the only acceptable frame/s (as multiple continuations are also acceptable) that can be received by the client on the same stream is a continuation frame.

Fix
To ensure correct behavior, the following changes were made to jdk/internal/net/http/Http2Connection.java.

• The existing method handlePushPromise() was modified so that if the END_HEADERS flag is unset (flags equal to 0x0), then a record used to track the state of the Push Promise containing a shared HeaderDecoder and the received PushPromiseFrame is initialised.
• When the subsequent ContinuationFrame is received in processFrame(), the method handlePushContinuation() is called instead of the default flow resulting in stream.incoming(frame) being called (the source of the incorrect behaviour originally).
• In handlePushContinuation(), the shared decoder is used to decode the received ContinuationFrame headers and if the END_HEADERS flag is set (flags equal to 0x4), the HttpHeaders object for the Push Promise as a whole is constructed which serves to combine the headers from both the PushPromiseFrame and the ContinuationFrame.

A regression test was included which verifies that the exception is not thrown and that the headers arrive correctly.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8263031: HttpClient throws Exception if it receives a Push Promise that is too large

Reviewers

• Daniel Fuchs (@dfuch - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/7696/head:pull/7696
$ git checkout pull/7696

Update a local copy of the PR:
$ git checkout pull/7696
$ git pull https://git.openjdk.java.net/jdk pull/7696/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 7696

View PR using the GUI difftool:
$ git pr show -t 7696

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/7696.diff

[bridgekeeper]

👋 Welcome back ccleary! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@c-cleary The following label will be automatically applied to this pull request:

• net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 06: Full - Incremental (b6d34d8e)
• 05: Full - Incremental (55e2d993)
• 04: Full - Incremental (c0543da9)
• 03: Full - Incremental (c2ae1e56)
• 02: Full - Incremental (c14f599e)
• 01: Full - Incremental (664a1105)
• 00: Full (527cfacb)

[c-cleary]

I see that a couple of imports got changed by my IDE, will address that shortly

[c-cleary]

I see that a couple of imports got changed by my IDE, will address that shortly

Now resolved

[c-cleary]

Could create all of the headers here instead of in Http2LPPTestExchangeImpl, might improve readability of test.

[dfuch]

Could we keep the original alphabetical ordering and have the java.* imports come before the jdk.* imports?

[c-cleary]

Done, this was just an IDE hiccup

[dfuch]

We should either do it or remove the TODO. @Michael-Mc-Mahon what would you suggest here?

[dfuch]

IOException should probably be caught and transformed in protocol error here to?
In case of protocol error when handling push promise (or their continuation) - should pcs be reset to null?
Maybe it doesn't matter since we're closing the connection anyway.

[c-cleary]

In my opinion it would probably be safest to set pcs to null here yes.

[dfuch]

It would be good to add an @summary tag to explain the purpose of this test

[dfuch]

missing newline at end of file?

[dfuch]

It would be good to have a test-case that creates 2 continuation frames too.

[c-cleary]

Good idea yes, to check that the repeat continuation still behaves as expected. Should hopefully be straight forward to create another test case.

[c-cleary]

On this issue, there is a case where a faulty server might send an indefinite number of Continuations (maybe the server never sets an END_HEADERS flag). Should a safe guard for the Push Promise with Continuation/s case be put in place to prevent the faulty scenario?

[dfuch]

It would be impossible to detect, but if the server is faulty and "forget" to set the END_HEADERS flag, then we will detect that because the next frame we receive won't be the ContinuationFrame we expect.

[dfuch]

I'd prefer to have a longer name than pcs - pushContinuationState would make it less mysterious at the place where it's used. Also it could be good to move these declarations (linew 854 and 855) higher in the file, where other instance variables are declared.

[c-cleary]

Changed to pushContinuationState, its a long name but definitely clearer

[dfuch]

In all other places in this method we have return; just after a call to protocolError, except in the two places where your changes added one. For consistency you should probably add this return; statement, even if it's not strictly needed. It would avoid having to have to analyze the whole structure of the nested if - then - else to figure out that it's actually not needed.

[dfuch]

I suggest declaring a local variable here to avoid reading pushContinuationState more than once.
Something like:

var pcs = pushContinuationState;

then use pcs wherever needed in that method.

[dfuch]

Since these three static variables are set by one thread and read by another - they should all be volatile.

[dfuch]

Thanks for making these changes! Still a few comments...

[dfuch]

Could this line be pushed down to where other jdk.* imports are made?

[dfuch]

I'd suggest checking that we received the expected response code + body too

[c-cleary]

Further changes made to check response codes and bodies of both the response and push promise.

[dfuch]

I believe it would more clear to use ErrorFrame.PROTOCOL_ERROR or GoAwayFrame.PROTOCOL_ERRROR here and in the other calls to protocolError below, since we're not resetting the stream here but closing the whole connection with a GoAwayFrame.

[c-cleary]

Oh yes, good point. I think ErrorFrame.PROTOCOL_ERROR would be the most appropriate here. I'll amend the change accordingly.

[c-cleary]

However, I'll look into the specification further for the other cases and see if they need be changed as well. Though closing the whole connection with GoAwayFrame seems correct

[c-cleary]

I changed three more occurences to ErrorFrame.PROTOCOL_ERROR, its easier to understand and lines up more clearly with specification

[dfuch]

Make sure to run tier1, tier2 before integrating. Drop me a note when you are ready I will sponsor the change.

[openjdk]

@c-cleary This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8263031: HttpClient throws Exception if it receives a Push Promise that is too large

Reviewed-by: dfuchs

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 425 new commits pushed to the master branch:

• 8567266: 8283683: Make ThreadLocalRandom a final class
• f4eaa16: 8283728: jdk.hotspot.agent: Wrong location for RISCV64ThreadContext.java
• cdef087: 8283727: P11KeyGenerator has import statement with two semicolons after JDK-8267319
• 7f12537: 8283558: Parallel: Pass PSIsAliveClosure to ReferenceProcessor constructor
• 66f1da1: 8281222: ciTypeFlow::profiled_count fails "assert(0 <= i && i < _len) failed: illegal index"
• c2c0cb2: 8282668: HotSpot Style Guide should permit unrestricted unions
• b0daf70: 8263134: HotSpot Style Guide should disallow inheriting constructors
• c587b29: 8283720: ProblemList java/time/test/java/time/TestZoneOffset.java
• d5f9059: 8283695: [AIX] Build failure due to name conflict in test_arguments.cpp
• f520b4f: 8283668: Update IllegalFormatException to use sealed classes
• ... and 415 more: https://git.openjdk.java.net/jdk/compare/bc6148407e629bd99fa5a8577ebd90320610f349...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@dfuch) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[c-cleary]

/integrate

[openjdk]

@c-cleary
Your change (at version b6d34d8) is now ready to be sponsored by a Committer.

[dfuch]

/sponsor

[openjdk]

Going to push as commit 4d2cd26.
Since your change was applied there have been 564 commits pushed to the master branch:

• 61fcf2f: 8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
• d5cd4a3: 8283387: [macos] a11y : Screen magnifier does not show selected Tab
• 5a21397: 8284387: Fix formatting of doc comments in jdk.javadoc
• 4451257: 8284437: Building from different users/workspace is not always deterministic
• dd4a1bb: 8284299: Handle inheritDoc misuse more gracefully
• 46ce2ef: 8277517: Bump minimum boot jdk to JDK 18
• 77388ea: 8284368: Remove finalizer method in jdk.crypto.cryptoki
• 8e4fab0: 8284303: runtime/Thread/AsyncExceptionTest.java timed out
• 3cd3a83: 8284167: Make internal javac exceptions stackless
• a385142: 8177107: Reduce memory footprint of java.lang.reflect.Constructor/Method
• ... and 554 more: https://git.openjdk.java.net/jdk/compare/bc6148407e629bd99fa5a8577ebd90320610f349...master

Your commit was automatically rebased without conflicts.

[openjdk]

@dfuch @c-cleary Pushed as commit 4d2cd26.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.