http: connection pool - Allow a cancel callback of a request cancel other requests

[yuval-k]

Fixes an ASSERT crash with the connection pool in the following scenario:

• while using the JWT filter
• with two providers (under requires_all) set to the same remote JWKS
• remote JWKS server was down
• sending a request to with a JWT triggers an ASSERT in envoy (specifically in LinkedObject::removeFromList).

After a gdb session I found out the following:

• the two providers try to fetch the key. There is no connection to the host, so two pending requests are created with ConnPoolImplBase::newPendingRequest
• the host is down so ConnPoolImplBase::purgePendingRequests is called
• request->callbacks_.onPoolFailure is called for the first request
• this propagates to the JWT filter, that issues a failure back to the client (sendLocalReply in Filter::onComplete)
• sendLocalReply ends the stream which calls the JWT filter onDestory
• onDestory (eventually) cancels the pending requests
• the pending requests calls ConnPoolImplBase::onPendingRequestCancel (all of this from the middle of ConnPoolImplBase::purgePendingRequests's call to UpstreamRequest::onPoolFailure)
• ConnPoolImplBase::onPendingRequestCancel tries to remove the pending request for the list, but it is not there any-more as purgePendingRequests moved the list to a stack variable
• this triggers an ASSERT in LinkedObject::removeFromList as it cannot find the element in the list.

The fix is to move the cancelling requests their own list, and remove pending requests from that new list as long as it is not empty.

Risk Level: Mid\High
Testing: Added unit test
Docs Changes: N\A
Release Notes: N\A

stacktrace.txt

[snowp]

This seems reasonable to me, @mattklein123 WDYT?

[mattklein123]

From a very quick look I'm not convinced this is the fix we want, but at a high level I think I understand what is going on and I think this is on the right track. Thanks a ton for digging in so deeply.

I think the next step is can you write a test that crashes? I think that will help better understand the scenario and then we can walk through what the right solution is? Thank you!

/wait

[yuval-k]

@mattklein123 - added a test that crashes.
I tried to extend the tests in http1/conn_pool_test.cc, but it was a bit complicated. so instead created a new test file for the base class.
also undid my changes so the test will indeed crash.

[mattklein123]

@yuval-k sorry why can't you add an HTTP/1 test? I understand the problem and it seems like you should be able to setup a test that repros the problem without going directly into the base class?

/wait-any

[yuval-k]

Hi @mattklein123 , I will be out of the office (big family event) this coming week so I'll have to get back to this on the following week (week of June30th).

[yuval-k]

Hi @mattklein123, I added a failing test via the http1 conn-pool. would love your insight on how to fix this bug.
My initial idea (in the first commit) was to move the cancelling handles to a separate list pending_requests_to_purge_, and remove from this new list if it isn't empty.
The idea being that if the new list isn't empty, it must be because it was called in the loop in purgePendingRequests, so it must be for one of the existing handles.

[mattklein123]

@yuval-k I think my original comment still stands: can you get a test for the HTTP/1.1 that fails? I don't think we should be testing the base class. Also, once that works, feel free to put your proposed fix back and then we can look at it all together. Thank you!

/wait

[yuval-k]

Hi @mattklein123 See my last commit - I added a failing http1 unit test here: 458c4fb - Did you mean adding an integration test?
In the mean time i'll remove the base class test (The reason I left it there was thinking that we want to verify this behaviour across different sub classes).

[mattklein123]

Ah OK sorry, I missed that. Can you add your fix now? The I can take a look. Thank you!

/wait

[mattklein123]

Thanks, at a high level this makes sense to me but some more comments and cleanups will help me solidify my understanding. Thanks for working on this!

/wait

[mattklein123]

You should be able to use WillOnce here and below? This should be deterministic?

[yuval-k]

essentially one and only one of those of callbacks should be called (as one of them cancels the other).
it depends on the implementation of the conn pool which one is first; while i can check the impl to see which one it will be, i thought it is better that the test covers the accepted behaviour to allow the impl to change without breaking the test.

[mattklein123]

Point taken, but my preference would be simplify the test for now. Feel free to leave a comment about how it's tied to the implementation.

[mattklein123]

I think I asked this above. Why is this not deterministic?

[yuval-k]

yes, see my answer above; essentially we need to see that only one of the callbacks was called.

[mattklein123]

Sorry am traveling will get to this next week.

[mattklein123]

Thanks, this LGTM. Please update the PR title (and description if needed) to be more descriptive of the actual problem.

/wait

[mattklein123]

Thanks, one follow up question.

/wait-any

[mattklein123]

Thanks!