Envoy segfaults when a dynamic listener fails to bind to a port and gRPC access logging is enabled

[chriskuehl]

Envoy segfaults for me when a dynamic listener fails to bind to a port (e.g. because another process is already bound to that port) and gRPC access logging is enabled for that listener. This is happening since at least Envoy 07fa5e0 (Jan 15 2020) and continues today on master (f958d39).

I'm not sure if this is truly related to gRPC access logging, but I wasn't able to narrow down the cause further.

Repro steps:

The smallest reproduction I can find is using the envoy.yaml and listeners.yaml posted here:
https://gist.github.com/chriskuehl/a0672bd237216f5b339daa2980fc3f17

1. Copy envoy.yaml and listeners.yaml from the gist.
2. Start any process (not envoy) listening on port 25000. This will conflict with the dynamic listener from the config above and cause the segfault. For example you can run nc -l -p 25000.
3. With the port still occupied, start Envoy with envoy --config-path envoy.yaml; the Envoy worker should segfault immediately upon start (see the gist for output logs).

Note that the listener needs to be defined as a dynamic resource for this to happen. If you comment out the "access_log" settings from the listener's config and try starting Envoy, you will see an error about the port being unavailable, but no segfault.

I tested this using the envoyproxy/envoy-alpine-debug-dev Docker image today with Envoy sha f958d39 and linux kernel 4.4.0-1094-aws.

Config:
https://gist.github.com/chriskuehl/a0672bd237216f5b339daa2980fc3f17

Logs:
https://gist.github.com/chriskuehl/a0672bd237216f5b339daa2980fc3f17

Call Stack:
Unfortunately I have not been able to get a backtrace to be printed.

[mattklein123]

This is the same problem we have had multiple times now where we do a TLS set, capture this, and have it go away before the set completes. I'm going to see if I can figure out a safer way of handling this generically.

(gdb) bt
#0  Envoy::Extensions::AccessLoggers::HttpGrpc::HttpGrpcAccessLog::HttpGrpcAccessLog(std::__1::unique_ptr<Envoy::AccessLog::Filter, std::__1::default_delete<Envoy::AccessLog::Filter> >&&, envoy::extensions::access_loggers::grpc::v3::HttpGrpcAccessLogConfig, Envoy::ThreadLocal::SlotAllocator&, std::__1::shared_ptr<Envoy::Extensions::AccessLoggers::GrpcCommon::GrpcAccessLoggerCache>, Envoy::Stats::Scope&)::$_0::operator()(Envoy::Event::Dispatcher&) const (this=0x55555d7e5e18)
    at source/extensions/access_loggers/grpc/http_grpc_access_log_impl.cc:46
#1  0x0000555558a5576b in _ZNSt3__18__invokeIRZN5Envoy10Extensions13AccessLoggers8HttpGrpc17HttpGrpcAccessLogC1EONS_10unique_ptrINS1_9AccessLog6FilterENS_14default_deleteIS8_EEEEN5envoy10extensions14access_loggers4grpc2v323HttpGrpcAccessLogConfigERNS1_11ThreadLocal13SlotAllocatorENS_10shared_ptrINS3_10GrpcCommon21GrpcAccessLoggerCacheEEERNS1_5Stats5ScopeEE3$_0JRNS1_5Event10DispatcherEEEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOSY_DpOSZ_ (__f=..., __args=...)
    at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#2  0x0000555558a556bb in std::__1::__invoke_void_return_wrapper<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> >::__call<Envoy::Extensions::AccessLoggers::HttpGrpc::HttpGrpcAccessLog::HttpGrpcAccessLog(std::__1::unique_ptr<Envoy::AccessLog::Filter, std::__1::default_delete<Envoy::AccessLog::Filter> >&&, envoy::extensions::access_loggers::grpc::v3::HttpGrpcAccessLogConfig, Envoy::ThreadLocal::SlotAllocator&, std::__1::shared_ptr<Envoy::Extensions::AccessLoggers::GrpcCommon::GrpcAccessLoggerCache>, Envoy::Stats::Scope&)::$_0(Envoy::Event::Dispatcher&)&>(Envoy::Extensions::AccessLoggers::HttpGrpc::HttpGrpcAccessLog::HttpGrpcAccessLog(std::__1::unique_ptr<Envoy::AccessLog::Filter, std::__1::default_delete<Envoy::AccessLog::Filter> >&&, envoy::extensions::access_loggers::grpc::v3::HttpGrpcAccessLogConfig, Envoy::ThreadLocal::SlotAllocator&, std::__1::shared_ptr<Envoy::Extensions::AccessLoggers::GrpcCommon::GrpcAccessLoggerCache>, Envoy::Stats::Scope&)::$_0(Envoy::Event::Dispatcher&)&) (__args=..., __args=...)
    at /opt/llvm/bin/../include/c++/v1/__functional_base:317
#3  0x0000555558a5565b in std::__1::__function::__alloc_func<Envoy::Extensions::AccessLoggers::HttpGrpc::HttpGrpcAccessLog::HttpGrpcAccessLog(std::__1::unique_ptr<Envoy::AccessLog::Filter, std::__1::default_delete<Envoy::AccessLog::Filter> >&&, envoy::extensions::access_loggers::grpc::v3::HttpGrpcAccessLogConfig, Envoy::ThreadLocal::SlotAllocator&, std::__1::shared_ptr<Envoy::Extensions::AccessLoggers::GrpcCommon::GrpcAccessLoggerCache>, Envoy::Stats::Scope&)::$_0(std::__1::allocator<std::__1::allocator>, std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&))>::operator()(std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)) (
    this=0x55555d7e5e18, __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:1540
#4  0x0000555558a5477d in std::__1::__function::__func<Envoy::Extensions::AccessLoggers::HttpGrpc::HttpGrpcAccessLog::HttpGrpcAccessLog(std::__1::unique_ptr<Envoy::AccessLog::Filter, std::__1::default_delete<Envoy::AccessLog::Filter> >&&, envoy::extensions::access_loggers::grpc::v3::HttpGrpcAccessLogConfig, Envoy::ThreadLocal::SlotAllocator&, std::__1::shared_ptr<Envoy::Extensions::AccessLoggers::GrpcCommon::GrpcAccessLoggerCache>, Envoy::Stats::Scope&)::$_0(std::__1::allocator<std::__1::allocator>, std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&))>::operator()(std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)) (this=0x55555d7e5e10, 
    __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:1714
#5  0x000055555a7cee0b in std::__1::__function::__value_func<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>::operator()(Envoy::Event::Dispatcher&) const (this=0x55555d7e5e10, __args=...)
    at /opt/llvm/bin/../include/c++/v1/functional:1867
#6  0x000055555a7cbc56 in std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>::operator()(Envoy::Event::Dispatcher&) const
    (this=0x55555d7e5e10, __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:2473
#7  0x000055555a7c328b in Envoy::ThreadLocal::InstanceImpl::Bookkeeper::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_7::operator()(Envoy::Event::Dispatcher&) const (this=0x55555d7e5e10, 
    dispatcher=...) at source/common/thread_local/thread_local_impl.cc:101
#8  0x000055555a7c323b in _ZNSt3__18__invokeIRZN5Envoy11ThreadLocal12InstanceImpl10Bookkeeper3setENS_8functionIFNS_10shared_ptrINS2_17ThreadLocalObjectEEERNS1_5Event10DispatcherEEEEE3$_7JSB_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOSG_DpOSH_ (__f=..., __args=...) at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#9  0x000055555a7c31bb in std::__1::__invoke_void_return_wrapper<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> >::__call<Envoy::ThreadLocal::InstanceImpl::Bookkeeper::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_7(Envoy::Event::Dispatcher&)&>(Envoy::ThreadLocal::InstanceImpl::Bookkeeper::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_7(Envoy::Event::Dispatcher&)&) (__args=..., 
    __args=...) at /opt/llvm/bin/../include/c++/v1/__functional_base:317
#10 0x000055555a7c315b in std::__1::__function::__alloc_func<Envoy::ThreadLocal::InstanceImpl::Bookkeeper::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_7(std::__1::allocator<std::__1::allocator>, std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&))>::operator()(Envoy::Event::Dispatcher&) (this=0x55555d7e5e10, __arg=...)
    at /opt/llvm/bin/../include/c++/v1/functional:1540
#11 0x000055555a7c232d in std::__1::__function::__func<Envoy::ThreadLocal::InstanceImpl::Bookkeeper::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_7(std::__1::allocator<std::__1::allocator>, std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&))>::operator()(Envoy::Event::Dispatcher&) (this=0x55555d7e5e00, __arg=...)
    at /opt/llvm/bin/../include/c++/v1/functional:1714
#12 0x000055555a7cee0b in std::__1::__function::__value_func<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>::operator()(Envoy::Event::Dispatcher&) const (this=0x55555dc90e60, __args=...)
---Type <return> to continue, or q <return> to quit---
    at /opt/llvm/bin/../include/c++/v1/functional:1867
#13 0x000055555a7cbc56 in std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>::operator()(Envoy::Event::Dispatcher&) const
    (this=0x55555dc90e60, __arg=...) at /opt/llvm/bin/../include/c++/v1/functional:2473
#14 0x000055555a7ca833 in Envoy::ThreadLocal::InstanceImpl::SlotImpl::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_13::operator()() const (this=0x55555dc90e50)
    at source/common/thread_local/thread_local_impl.cc:214
#15 0x000055555a7ca7dd in _ZNSt3__18__invokeIRZN5Envoy11ThreadLocal12InstanceImpl8SlotImpl3setENS_8functionIFNS_10shared_ptrINS2_17ThreadLocalObjectEEERNS1_5Event10DispatcherEEEEE4$_13JEEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOSG_DpOSH_ (
    __f=...) at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#16 0x000055555a7ca78d in std::__1::__invoke_void_return_wrapper<void>::__call<Envoy::ThreadLocal::InstanceImpl::SlotImpl::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_13&>(Envoy::ThreadLocal::InstanceImpl::SlotImpl::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_13&) (__args=...)
    at /opt/llvm/bin/../include/c++/v1/__functional_base:348
#17 0x000055555a7ca75d in std::__1::__function::__alloc_func<Envoy::ThreadLocal::InstanceImpl::SlotImpl::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_13(std::__1::allocator<std::__1::allocator>, void ())>::operator()() (this=0x55555dc90e50)
    at /opt/llvm/bin/../include/c++/v1/functional:1540
#18 0x000055555a7c993e in std::__1::__function::__func<Envoy::ThreadLocal::InstanceImpl::SlotImpl::set(std::__1::function<std::__1::shared_ptr<Envoy::ThreadLocal::ThreadLocalObject> (Envoy::Event::Dispatcher&)>)::$_13(std::__1::allocator<std::__1::allocator>, void ())>::operator()() (this=0x55555dc90e40) at /opt/llvm/bin/../include/c++/v1/functional:1714
#19 0x0000555558c1b3c5 in std::__1::__function::__value_func<void ()>::operator()() const
    (this=0x7ffff4801050) at /opt/llvm/bin/../include/c++/v1/functional:1867
#20 0x0000555558c1b385 in std::__1::function<void ()>::operator()() const (
    this=0x7ffff4801050) at /opt/llvm/bin/../include/c++/v1/functional:2473
#21 0x000055555a9fbe19 in Envoy::Event::DispatcherImpl::runPostCallbacks (
    this=0x55555d863980) at source/common/event/dispatcher_impl.cc:234
#22 0x000055555a9fbd15 in Envoy::Event::DispatcherImpl::run (this=0x55555d863980, 
    type=Envoy::Event::Dispatcher::RunType::Block)
    at source/common/event/dispatcher_impl.cc:203
#23 0x000055555a9cb20a in Envoy::Server::WorkerImpl::threadRoutine (this=0x55555d74bbd0, 
    guard_dog=...) at source/server/worker_impl.cc:133
#24 0x000055555a9d27ec in Envoy::Server::WorkerImpl::start(Envoy::Server::GuardDog&)::$_4::operator()() const (this=0x55555d6ab0b8) at source/server/worker_impl.cc:99
#25 0x000055555a9d27ad in _ZNSt3__18__invokeIRZN5Envoy6Server10WorkerImpl5startERNS2_8GuardDogEE3$_4JEEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS8_DpOS9_ (__f=...) at /opt/llvm/bin/../include/c++/v1/type_traits:3539
#26 0x000055555a9d275d in std::__1::__invoke_void_return_wrapper<void>::__call<Envoy::Server::WorkerImpl::start(Envoy::Server::GuardDog&)::$_4&>(Envoy::Server::WorkerImpl::start(Envoy::Server::GuardDog&)::$_4&) (__args=...)
    at /opt/llvm/bin/../include/c++/v1/__functional_base:348
#27 0x000055555a9d272d in std::__1::__function::__alloc_func<Envoy::Server::WorkerImpl::start(Envoy::Server::GuardDog&)::$_4(std::__1::allocator<std::__1::allocator>, void ())>::operator()() (this=0x55555d6ab0b8) at /opt/llvm/bin/../include/c++/v1/functional:1540
#28 0x000055555a9d185e in std::__1::__function::__func<Envoy::Server::WorkerImpl::start(Envoy::Server::GuardDog&)::$_4(std::__1::allocator<std::__1::allocator>, void ())>::operator()() (this=0x55555d6ab0b0) at /opt/llvm/bin/../include/c++/v1/functional:1714
#29 0x0000555558c1b3c5 in std::__1::__function::__value_func<void ()>::operator()() const
    (this=0x55555d6ab0b0) at /opt/llvm/bin/../include/c++/v1/functional:1867
#30 0x0000555558c1b385 in std::__1::function<void ()>::operator()() const (
    this=0x55555d6ab0b0) at /opt/llvm/bin/../include/c++/v1/functional:2473
#31 0x000055555b87d0e2 in Envoy::Thread::ThreadImplPosix::ThreadImplPosix(std::__1::function<void ()>, std::__1::optional<Envoy::Thread::Options> const&)::{lambda(void*)#1}::operator()(void*) const (this=0x55555d6ab0a0, arg=0x55555d6ab0a0)
    at source/common/common/posix/thread_impl.cc:49
#32 0x000055555b87d0b5 in Envoy::Thread::ThreadImplPosix::ThreadImplPosix(std::__1::function<void ()>, std::__1::optional<Envoy::Thread::Options> const&)::{lambda(void*)#1}::__invoke(void*) (arg=0x55555d6ab0a0) at source/common/common/posix/thread_impl.cc:48
#33 0x00007ffff74136db in start_thread (arg=0x7ffff4815700) at pthread_create.c:463
#34 0x00007ffff713ca3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

[mattklein123]

(Thanks for the awesome repro instructions btw!)

[mattklein123]

I'm going to prototype a change to TLS that I think will make this type of problem impossible: I'm going to cause slot destruction on the main thread to block until any pending callbacks have run on the workers. This has the downside of introducing blocking behavior that could conceivably deadlock. On the upside, it is a rare operation and should make this type of bug impossible. If we do this, a lot of the complexity inside TLS around "bookkeeper" can be removed. I've thought about it a bunch and unless we do this I think it's impossible to generically prevent this problem from happening as we can't control what callers capture in their lambdas. cc @envoyproxy/maintainers and @lambdai who I think worked on the bookkeeper fix.

[lambdai]

+1 for TLS change.
If TLS could make the destroy in master thread, there might be some code be simplified by maintaining a shared_ptr at main thread. I think I used it beside TLS before bookkeeper.

CC @stevenzzzz who initially introduced bookkeeper. I forgot the very first cases where bookkeeper is used.

[stevenzzzz]

I need some more context, does this happen on the envoy quit path?

this doesnt seems like a bookeeper problem,rather a problem tries to resolve :P

Bookkeeper is there to defense the race when a callback on a slotimpl is flying in worker threads while the slotimpl is destructed on the main thread, it achieves this by storing the slotimpl instance in a deferred deletion queue.
when this deferred deletion queue is also deleted on main thread, there is no way for the bookkeeper to resolve this race.

[stevenzzzz]

/cc stevenzzzz

[mattklein123]

I need some more context, does this happen on the envoy quit path?

No, this is during normal operation, for instance during listener/filter chain tear down due to listener add failure, LDS update, etc.

there is no way for the bookkeeper to resolve this race.

Right, that's what I'm trying to fix. :) We have had a variant of this bug at least 3 times if not more. I'm proposing that instead of the Bookkeeper model, we just block the main thread during slot destruction until all pending worker callbacks drain. This will defend against what Bookkeper was implemented for, as well as prevent the entire class of bug where someone captures "this" (or similar) and let's it go out of scope while the callbacks are draining.

[stevenzzzz]

is there an integration test that could reproduce this? I am curious how the race could form.

If a worker thread holds a reference to the slot and never let go, we cant block forever in the main thread. I'd say it's a anti pattern to actually hold something that's supposed to be owned(create/teardown) by mainthread only.

[mattklein123]

is there an integration test that could reproduce this? I am curious how the race could form.

I will make one as part of this fix. It's not that complicated. Basically:

1. Create slot
2. Initiate run/update on workers, capturing this.
3. Delete slot.
4. Crash. Bookeeper does not help here.

If a worker thread holds a reference to the slot and never let go, we cant block forever in the main thread. I'd say it's a anti pattern to actually hold something that's supposed to be owned(create/teardown) by mainthread only.

This is not how I will implement it. The blocking will only be until the callback runs or has already run. The worker will not be able to control the lifetime. I think this is acceptable, and as an additional benefit all of the bookeeper complexity is no longer needed and can be removed. I will prototype a change this week and we can look at it.