Segfault when updating cluster to TLS with SDS

[sschepens]

We've noticed a segfault in our envoys when updating a cluster via CDS from using plain TCP to TLS with validation context provided via SDS.

Attached are the initial version, the update that caused the segfault and the printed stack, the only thing added is the transport socket configuration pointing to SDS.
previous_version.txt
updated_version.txt
stack.txt

Some comments:

• Crashing envoys are registered to updates of this cluster but not all are actively handling traffic for this cluster
• Not all our envoys subscribed to this cluster crash, haven't found a relation yet.
• We've had this happen in envoys running 1.14.1 and 1.15 from master, but we've seen similar issues since envoy 1.12 I recall.
• We're using DeltaXds with ADS and everything in v3.
• The SDS resource named "validation_context" is used by multiple clusters and is actually loaded statically by envoy during bootstrap
• The logs are from an envoy running 1.15 built from master, our logging system looses order, so the logs could be somehow unordered.
• Envoy was not built with debugging symbols so we cannot translate to lines, but we'll try to reproduce this.

[sschepens]

Update: we've managed to reproduce this locally and it would appear that the crash is triggered when controlplane is also pushing an EDS update for the same cluster.
It would seem that there is a conflict when updating endpoints for a cluster while the cluster itself is being updated.

Is this a known issue?
Should control-planes handle this somehow?

[snowp]

Given that you're now able to reproduce it locally, any chance you could provide a stack trace, core dump or a simple reproducer? It's hard to say what the issue is without some detail.

In general a segfault is never expected, so this is a bug of some kind.

[sschepens]

@snowp can't seem to get stack_decode.py to work, but here is a more verbose stack printed by envoy debug:

stack2.txt

Can anyone give me a hand getting stack_decode to work or generating a core dump please?

[vikaschoudhary16]

unrelated to the issue, +1 on stack_decode.py not working, #11889

[snowp]

I'm not able to make much of the stack trace, maybe @alyssawilk has an idea? It seems to somehow be related to UpstreamRequest destruction during a GOAWAY? Hard to decipher

If you're able to reproduce this locally under gdb a stack trace produced by the bt command might prove more useful

[sschepens]

@snowp thanks, that was a huge help, managed to get the stacktrace via gdb:

#0  0x0000559d0e7a0d74 in Envoy::Config::WatchMap::onConfigUpdate (this=0x559d130ca3c0, added_resources=..., removed_resources=..., system_version_info=...)
    at external/envoy/source/common/config/watch_map.cc:153
#1  0x0000559d0e79595a in Envoy::Config::DeltaSubscriptionState::handleGoodResponse (this=0x559d130ca458, message=...) at external/envoy/source/common/config/delta_subscription_state.cc:84
#2  0x0000559d0e795230 in Envoy::Config::DeltaSubscriptionState::handleResponse (this=0x559d130ca458, message=...) at external/envoy/source/common/config/delta_subscription_state.cc:52
#3  0x0000559d0e78728c in Envoy::Config::NewGrpcMuxImpl::onDiscoveryResponse (this=0x559d12b52858, message=...) at external/envoy/source/common/config/new_grpc_mux_impl.cc:84
#4  0x0000559d0e3fdf77 in Envoy::Config::GrpcStream<envoy::service::discovery::v3::DeltaDiscoveryRequest, envoy::service::discovery::v3::DeltaDiscoveryResponse>::onReceiveMessage (this=0x559d12b528f8,
    message=...) at bazel-out/k8-dbg/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:84
#5  0x0000559d0e3fdd49 in Envoy::Grpc::AsyncStreamCallbacks<envoy::service::discovery::v3::DeltaDiscoveryResponse>::onReceiveMessageRaw (this=0x559d12b528f8, response=...)
    at bazel-out/k8-dbg/bin/external/envoy/source/common/grpc/_virtual_includes/typed_async_client_lib/common/grpc/typed_async_client.h:151
#6  0x0000559d0e81fc63 in Envoy::Grpc::AsyncStreamImpl::onData (this=0x559d13296360, data=..., end_stream=false) at external/envoy/source/common/grpc/async_client_impl.cc:144
#7  0x0000559d0e82c00b in Envoy::Http::AsyncStreamImpl::encodeData (this=0x559d132c2d80, data=..., end_stream=false) at external/envoy/source/common/http/async_client_impl.cc:117
#8  0x0000559d0e847d8b in Envoy::Router::Filter::onUpstreamData (this=0x559d132c2dd0, data=..., upstream_request=..., end_stream=false) at external/envoy/source/common/router/router.cc:1298
#9  0x0000559d0e870114 in Envoy::Router::UpstreamRequest::decodeData (this=0x559d12de4a80, data=..., end_stream=false) at external/envoy/source/common/router/upstream_request.cc:148
#10 0x0000559d0e6c2cac in Envoy::Http::ResponseDecoderWrapper::decodeData (this=0x559d13248660, data=..., end_stream=false)
    at bazel-out/k8-dbg/bin/external/envoy/source/common/http/_virtual_includes/codec_wrappers_lib/common/http/codec_wrappers.h:35
#11 0x0000559d0ea0dabb in Envoy::Http::Http2::ConnectionImpl::onFrameReceived (this=0x559d13296250, frame=0x559d1311dfa0) at external/envoy/source/common/http/http2/codec_impl.cc:657
#12 0x0000559d0ea13218 in Envoy::Http::Http2::ConnectionImpl::Http2Callbacks::Http2Callbacks()::$_14::operator()(nghttp2_session*, nghttp2_frame const*, void*) const (this=0x559d1311de00,
    frame=0x559d1311dfa0, user_data=0x559d13296250) at external/envoy/source/common/http/http2/codec_impl.cc:1067
#13 0x0000559d0ea131e5 in Envoy::Http::Http2::ConnectionImpl::Http2Callbacks::Http2Callbacks()::$_14::__invoke(nghttp2_session*, nghttp2_frame const*, void*) (frame=0x559d1311dfa0,
    user_data=0x559d13296250) at external/envoy/source/common/http/http2/codec_impl.cc:1066
#14 0x0000559d0ee81de2 in session_call_on_frame_received (session=0x559d1311de00, frame=0x559d1311dfa0)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/175/execroot/fury_sidecar_proxy/external/com_github_nghttp2_nghttp2/lib/nghttp2_session.c:3299
#15 0x0000559d0ee8388e in nghttp2_session_on_data_received (session=0x559d1311de00, frame=0x559d1311dfa0)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/175/execroot/fury_sidecar_proxy/external/com_github_nghttp2_nghttp2/lib/nghttp2_session.c:4975
#16 0x0000559d0ee88567 in session_process_data_frame (session=0x559d1311de00)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/175/execroot/fury_sidecar_proxy/external/com_github_nghttp2_nghttp2/lib/nghttp2_session.c:4994
#17 0x0000559d0ee8655c in nghttp2_session_mem_recv (session=0x559d1311de00, in=0x559d130da34e "", inlen=806)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/175/execroot/fury_sidecar_proxy/external/com_github_nghttp2_nghttp2/lib/nghttp2_session.c:6614
#18 0x0000559d0ea0c441 in Envoy::Http::Http2::ConnectionImpl::innerDispatch (this=0x559d13296250, data=...) at external/envoy/source/common/http/http2/codec_impl.cc:495
#19 0x0000559d0ea18dba in Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&)::$_5::operator()(Envoy::Buffer::Instance&) const (this=0x7ffc7d9ed1c8, data=...)
    at external/envoy/source/common/http/http2/codec_impl.cc:483
#20 0x0000559d0ea18d5b in _ZNSt3__18__invokeIRZN5Envoy4Http5Http214ConnectionImpl8dispatchERNS1_6Buffer8InstanceEE3$_5JS7_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOSA_DpOSB_
    (__f=..., __args=...) at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#21 0x0000559d0ea18cdb in std::__1::__invoke_void_return_wrapper<absl::Status>::__call<Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&)::$_5(Envoy::Buffer::Instance&)&>(Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&)::$_5(Envoy::Buffer::Instance&)&) (__args=..., __args=...) at /opt/llvm/bin/../include/c++/v1/__functional_base:317
#22 0x0000559d0ea18c7b in std::__1::__function::__alloc_func<Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&)::$_5(std::__1::allocator<std::__1::allocator>, absl::Status (Envoy::Buffer::Instance&))>::operator()(Envoy::Buffer::Instance&) (this=0x7ffc7d9ed1c8, __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:1540
#23 0x0000559d0ea17d9d in std::__1::__function::__func<Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&)::$_5(std::__1::allocator<std::__1::allocator>, absl::Status (Envoy::Buffer::Instance&))>::operator()(Envoy::Buffer::Instance&) (this=0x7ffc7d9ed1c0, __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:1714
#24 0x0000559d0ec3ab4b in std::__1::__function::__value_func<absl::Status (Envoy::Buffer::Instance&)>::operator()(Envoy::Buffer::Instance&) const (this=0x7ffc7d9ed1c0, __args=...)
    at /opt/llvm/bin/../include/c++/v1/functional:1867
#25 0x0000559d0ec34116 in std::__1::function<absl::Status (Envoy::Buffer::Instance&)>::operator()(Envoy::Buffer::Instance&) const (this=0x7ffc7d9ed1c0, __arg=...)
    at /opt/llvm/bin/../include/c++/v1/functional:2473
#26 0x0000559d0ec28e28 in Envoy::Http::Utility::exceptionToStatus(std::__1::function<absl::Status (Envoy::Buffer::Instance&)>, Envoy::Buffer::Instance&) (dispatch=..., data=...)
    at external/envoy/source/common/http/utility.cc:41
#27 0x0000559d0ea0c0c2 in Envoy::Http::Http2::ConnectionImpl::dispatch (this=0x559d13296250, data=...) at external/envoy/source/common/http/http2/codec_impl.cc:482
#28 0x0000559d0ea0c19b in virtual thunk to Envoy::Http::Http2::ConnectionImpl::dispatch(Envoy::Buffer::Instance&) ()
#29 0x0000559d0e7ff39b in Envoy::Http::CodecClient::onData (this=0x559d13220ea0, data=...) at external/envoy/source/common/http/codec_client.cc:125
#30 0x0000559d0e802a47 in Envoy::Http::CodecClient::CodecReadFilter::onData (this=0x559d13087d70, data=...)
    at bazel-out/k8-dbg/bin/external/envoy/source/common/http/_virtual_includes/codec_client_lib/common/http/codec_client.h:174
#31 0x0000559d0e2e1dd5 in Envoy::Network::FilterManagerImpl::onContinueReading (this=0x559d130d8878, filter=0x0, buffer_source=...) at external/envoy/source/common/network/filter_manager_impl.cc:66
#32 0x0000559d0e2e1fd7 in Envoy::Network::FilterManagerImpl::onRead (this=0x559d130d8878) at external/envoy/source/common/network/filter_manager_impl.cc:76
#33 0x0000559d0e2cb0b8 in Envoy::Network::ConnectionImpl::onRead (this=0x559d130d8800, read_buffer_size=806) at external/envoy/source/common/network/connection_impl.cc:297
#34 0x0000559d0e2ce969 in Envoy::Network::ConnectionImpl::onReadReady (this=0x559d130d8800) at external/envoy/source/common/network/connection_impl.cc:579
#35 0x0000559d0e2cd56c in Envoy::Network::ConnectionImpl::onFileEvent (this=0x559d130d8800, events=3) at external/envoy/source/common/network/connection_impl.cc:539
#36 0x0000559d0e2d916e in Envoy::Network::ConnectionImpl::ConnectionImpl(Envoy::Event::Dispatcher&, std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, std::__1::unique_ptr<Envoy::Network::TransportSocket, std::__1::default_delete<Envoy::Network::TransportSocket> >&&, Envoy::StreamInfo::StreamInfo&, bool)::$_6::operator()(unsigned int) const (this=0x559d1328ac88, events=3) at external/envoy/source/common/network/connection_impl.cc:77
#37 0x0000559d0e2d9131 in _ZNSt3__18__invokeIRZN5Envoy7Network14ConnectionImplC1ERNS1_5Event10DispatcherEONS_10unique_ptrINS2_16ConnectionSocketENS_14default_deleteIS8_EEEEONS7_INS2_15TransportSocketENS9_ISD_EEEERNS1_10StreamInfo10StreamInfoEbE3$_6JjEEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOSM_DpOSN_ (__f=..., __args=@0x7ffc7d9edaf4: 3)
    at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#38 0x0000559d0e2d90d2 in std::__1::__invoke_void_return_wrapper<void>::__call<Envoy::Network::ConnectionImpl::ConnectionImpl(Envoy::Event::Dispatcher&, std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, std::__1::unique_ptr<Envoy::Network::TransportSocket, std::__1::default_delete<Envoy::Network::TransportSocket> >&&, Envoy::StreamInfo::StreamInfo&, bool)::$_6(unsigned int)&>(Envoy::Network::ConnectionImpl::ConnectionImpl(Envoy::Event::Dispatcher&, std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, std::__1::unique_ptr<Envoy::Network::TransportSocket, std::__1::default_delete<Envoy::Network::TransportSocket> >&&, Envoy::StreamInfo::StreamInfo&, bool)::$_6(unsigned int)&) (__args=@0x7ffc7d9edaf4: 3, __args=@0x7ffc7d9edaf4: 3) at /opt/llvm/bin/../include/c++/v1/__functional_base:348
#39 0x0000559d0e2d9092 in std::__1::__function::__alloc_func<Envoy::Network::ConnectionImpl::ConnectionImpl(Envoy::Event::Dispatcher&, std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, std::__1::unique_ptr<Envoy::Network::TransportSocket, std::__1::default_delete<Envoy::Network::TransportSocket> >&&, Envoy::StreamInfo::StreamInfo&, bool)::$_6(std::__1::allocator<std::__1::allocator>, void (unsigned int))>::operator()(unsigned int&&) (this=0x559d1328ac88, __arg=@0x7ffc7d9edaf4: 3) at /opt/llvm/bin/../include/c++/v1/functional:1540
#40 0x0000559d0e2d81d3 in std::__1::__function::__func<Envoy::Network::ConnectionImpl::ConnectionImpl(Envoy::Event::Dispatcher&, std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, std::__1::unique_ptr<Envoy::Network::TransportSocket, std::__1::default_delete<Envoy::Network::TransportSocket> >&&, Envoy::StreamInfo::StreamInfo&, bool)::$_6(std::__1::allocator<std::__1::allocator>, void (unsigned int))>::operator()(unsigned int&&) (this=0x559d1328ac80, __arg=@0x7ffc7d9edaf4: 3) at /opt/llvm/bin/../include/c++/v1/functional:1714
#41 0x0000559d0e2c048d in std::__1::__function::__value_func<void (unsigned int)>::operator()(unsigned int&&) const (this=0x559d1328ac80, __args=@0x7ffc7d9edaf4: 3)
    at /opt/llvm/bin/../include/c++/v1/functional:1867
#42 0x0000559d0e2c042f in std::__1::function<void (unsigned int)>::operator()(unsigned int) const (this=0x559d1328ac80, __arg=3) at /opt/llvm/bin/../include/c++/v1/functional:2473
#43 0x0000559d0e2c010a in Envoy::Event::FileEventImpl::assignEvents(unsigned int, event_base*)::$_0::operator()(int, short, void*) const (this=0x1e, what=38, arg=0x559d1328ac00)
    at external/envoy/source/common/event/file_event_impl.cc:66
#44 0x0000559d0e2bff06 in Envoy::Event::FileEventImpl::assignEvents(unsigned int, event_base*)::$_0::__invoke(int, short, void*) (what=38, arg=0x559d1328ac00)
    at external/envoy/source/common/event/file_event_impl.cc:50
#45 0x0000559d0ee64fbe in event_persist_closure (base=0x559d12d12000, ev=0x559d1328ac08)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2465/execroot/fury_sidecar_proxy/external/com_github_libevent_libevent/event.c:1639
#46 0x0000559d0ee645e8 in event_process_active_single_queue (base=0x559d12d12000, activeq=0x559d12a64550, max_to_process=2147483647, endtime=0x0)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2465/execroot/fury_sidecar_proxy/external/com_github_libevent_libevent/event.c:1698
#47 0x0000559d0ee5edaa in event_process_active (base=0x559d12d12000)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2465/execroot/fury_sidecar_proxy/external/com_github_libevent_libevent/event.c:1799
#48 0x0000559d0ee5dc5c in event_base_loop (base=0x559d12d12000, flags=0)
    at /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2465/execroot/fury_sidecar_proxy/external/com_github_libevent_libevent/event.c:2041
#49 0x0000559d0e2f9a88 in Envoy::Event::LibeventScheduler::run (this=0x559d12c9cde0, mode=Envoy::Event::Dispatcher::RunType::Block) at external/envoy/source/common/event/libevent_scheduler.cc:47
#50 0x0000559d0e2b45ea in Envoy::Event::DispatcherImpl::run (this=0x559d12c9cd80, type=Envoy::Event::Dispatcher::RunType::Block) at external/envoy/source/common/event/dispatcher_impl.cc:203
#51 0x0000559d0e0c9b26 in Envoy::Server::InstanceImpl::run (this=0x559d12d0c000) at external/envoy/source/server/server.cc:645
#52 0x0000559d0c34ee78 in Envoy::MainCommonBase::run (this=0x559d12ab25d8) at external/envoy/source/exe/main_common.cc:162
#53 0x0000559d0c3547de in Envoy::MainCommon::run (this=0x559d12ab2000) at bazel-out/k8-dbg/bin/external/envoy/source/exe/_virtual_includes/envoy_main_common_lib/exe/main_common.h:101
#54 0x0000559d0c34f8dc in Envoy::MainCommon::main(int, char**, std::__1::function<void (Envoy::Server::Instance&)>) (argc=9, argv=0x7ffc7d9ee398, hook=...) at external/envoy/source/exe/main_common.cc:234
#55 0x0000559d0c34d61b in main (argc=9, argv=0x7ffc7d9ee398) at external/envoy/source/exe/main.cc:12

[sschepens]

If my limited understanding it would seem that it's indeed trying to dispatch an update to a watch that has been destroyed.
This would be caused because the CDS update is causing the cluster to be recreated

[snowp]

Awesome, this is a much more sane backtrace than the original one. @htuch any idea what's going on here or who would?

Seems problematic that the trace emitted by Envoy itself is so off, but that can likely be handled separately.

[yanavlasov]

My guess is that this is EDS response from ADS and the watch map has a dangling pointer to previous cluster. Does your core file have any PII? It may make diagnostics easier if you can post it. If not we will need to work on a repo case. Sounds like this is not a deterministic failure.

[lambdai]

My two cents:

1. The initial stack.txt is going through hot-restart. This add the complexity.

2. From the updated config, the SDS config source is not exactly the statically loaded as you expected. It's actually read from ADS. Are you moving from static cert to dynamical SDS? I am not sure it is designed to be allowed.

"common_tls_context": {
    "validation_context_sds_secret_config": {
     "name": "validation_context",
     "sds_config": {
      "ads": {},
      "resource_api_version": "V3"
     }
    }

[sschepens]

@lambdai

1. we're not hot reloading envoy
2. what i meant is we have a statically defined cluster that depends on that SDS Secret, so it has already been fetched on bootstrap

[sschepens]

@yanavlasov this is certainly non deterministic, my machine is currently not dumping cores, but I'll get it done