make sure HttpStreamOverHTTP2.onFailure() cannot work on recycled channels (#14202)

lorban · web-flow · commit d75e47edbddd · 2025-12-19T07:47:59.000+01:00
make sure onFailure() cannot work on recycled channels

Signed-off-by: Ludovic Orban &lt;lorban@bitronix.be&gt;
diff --git a/jetty-core/jetty-http2/jetty-http2-server/src/main/java/org/eclipse/jetty/http2/server/internal/HttpStreamOverHTTP2.java b/jetty-core/jetty-http2/jetty-http2-server/src/main/java/org/eclipse/jetty/http2/server/internal/HttpStreamOverHTTP2.java
@@ -17,6 +17,7 @@
 import java.nio.ByteBuffer;
 import java.util.Objects;
 import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.BiConsumer;
 import java.util.function.Supplier;
 
@@ -63,16 +64,17 @@ public class HttpStreamOverHTTP2 implements HttpStream, HTTP2Channel.Server
 {
     private static final Logger LOG = LoggerFactory.getLogger(HttpStreamOverHTTP2.class);
 
-    private final AutoLock lock = new AutoLock();
+    private final AutoLock _lock = new AutoLock();
     private final HTTP2ServerConnection _connection;
     private final HttpChannel _httpChannel;
+    private final AtomicBoolean _recycle = new AtomicBoolean(); // Set to true when _httpChannel has been recycled or cannot be recycled anymore.
     private final HTTP2Stream _stream;
     private MetaData.Request _requestMetaData;
     private MetaData.Response _responseMetaData;
-    private TunnelSupport tunnelSupport;
+    private TunnelSupport _tunnelSupport;
     private Content.Chunk _chunk;
     private Content.Chunk _trailer;
-    private boolean committed;
+    private boolean _committed;
     private boolean _demand;
 
     public HttpStreamOverHTTP2(HTTP2ServerConnection connection, HttpChannel httpChannel, HTTP2Stream stream)
@@ -105,7 +107,7 @@ public Runnable onRequest(HeadersFrame frame)
 
             if (frame.isEndStream())
             {
-                try (AutoLock ignored = lock.lock())
+                try (AutoLock ignored = _lock.lock())
                 {
                     _chunk = Content.Chunk.EOF;
                 }
@@ -114,7 +116,7 @@ public Runnable onRequest(HeadersFrame frame)
             HttpFields fields = _requestMetaData.getHttpFields();
 
             if (_requestMetaData instanceof MetaData.ConnectRequest)
-                tunnelSupport = new TunnelSupportOverHTTP2(_requestMetaData.getProtocol());
+                _tunnelSupport = new TunnelSupportOverHTTP2(_requestMetaData.getProtocol());
 
             if (LOG.isDebugEnabled())
             {
@@ -161,20 +163,20 @@ private Runnable onBadMessage(HttpException x)
             LOG.debug("badMessage {} {}", this, x);
 
         Throwable failure = (Throwable)x;
-        return _httpChannel.onFailure(failure);
+        return onFailure(failure, Callback.NOOP);
     }
 
     @Override
     public Content.Chunk read()
     {
         // Tunnel requests do not have HTTP content, avoid
         // returning chunks meant for a different protocol.
-        if (tunnelSupport != null)
+        if (_tunnelSupport != null)
             return null;
 
         // Check if there already is a chunk, e.g. EOF.
         Content.Chunk chunk;
-        try (AutoLock ignored = lock.lock())
+        try (AutoLock ignored = _lock.lock())
         {
             chunk = _chunk;
             _chunk = Content.Chunk.next(chunk);
@@ -190,7 +192,7 @@ public Content.Chunk read()
         if (data.frame().isEndStream())
         {
             Content.Chunk trailer;
-            try (AutoLock ignored = lock.lock())
+            try (AutoLock ignored = _lock.lock())
             {
                 trailer = _trailer;
                 if (trailer != null)
@@ -207,7 +209,7 @@ public Content.Chunk read()
         // the two actions cancel each other, no need to further retain or release.
         chunk = createChunk(data);
 
-        try (AutoLock ignored = lock.lock())
+        try (AutoLock ignored = _lock.lock())
         {
             _chunk = Content.Chunk.next(chunk);
         }
@@ -219,7 +221,7 @@ public void demand()
     {
         boolean notify = false;
         boolean demand = false;
-        try (AutoLock ignored = lock.lock())
+        try (AutoLock ignored = _lock.lock())
         {
             if (_chunk != null || _trailer != null)
                 notify = true;
@@ -245,7 +247,7 @@ else if (demand)
     @Override
     public Runnable onDataAvailable()
     {
-        try (AutoLock ignored = lock.lock())
+        try (AutoLock ignored = _lock.lock())
         {
             _demand = false;
         }
@@ -264,7 +266,7 @@ public Runnable onDataAvailable()
     public Runnable onTrailer(HeadersFrame frame)
     {
         HttpFields trailers = frame.getMetaData().getHttpFields().asImmutable();
-        try (AutoLock ignored = lock.lock())
+        try (AutoLock ignored = _lock.lock())
         {
             _trailer = new Trailers(trailers);
         }
@@ -331,7 +333,7 @@ private void sendHeaders(MetaData.Request request, MetaData.Response response, B
         }
         else
         {
-            committed = true;
+            _committed = true;
             if (last)
             {
                 long realContentLength = BufferUtil.length(content);
@@ -580,7 +582,7 @@ private void sendTrailersFrame(MetaData metaData, Callback callback)
     @Override
     public boolean isCommitted()
     {
-        return committed;
+        return _committed;
     }
 
     @Override
@@ -593,13 +595,13 @@ public boolean isIdle()
     @Override
     public TunnelSupport getTunnelSupport()
     {
-        return tunnelSupport;
+        return _tunnelSupport;
     }
 
     @Override
     public Throwable consumeAvailable()
     {
-        if (tunnelSupport != null)
+        if (_tunnelSupport != null)
             return null;
         Throwable result = HttpStream.consumeAvailable(this, _httpChannel.getConnectionMetaData().getHttpConfiguration());
         if (result != null)
@@ -615,13 +617,22 @@ public Throwable consumeAvailable()
     @Override
     public void onTimeout(TimeoutException timeout, BiConsumer<Runnable, Boolean> consumer)
     {
+        boolean wasRecycled = !_recycle.compareAndSet(false, true);
+        if (wasRecycled)
+        {
+            consumer.accept(null, true);
+            return;
+        }
         HttpChannel.IdleTimeoutTask task = _httpChannel.onIdleTimeout(timeout);
         consumer.accept(task.action(), !task.handlingRequest());
     }
 
     @Override
     public Runnable onFailure(Throwable failure, Callback callback)
     {
+        boolean wasRecycled = !_recycle.compareAndSet(false, true);
+        if (wasRecycled)
+            return new FailureTask(null, callback);
         boolean remote = failure instanceof EOFException;
         Runnable task = remote ? _httpChannel.onRemoteFailure(new EofException(failure)) : _httpChannel.onFailure(failure);
         return new FailureTask(task, callback);
@@ -643,7 +654,7 @@ public void succeeded()
                 }
                 else
                 {
-                    EndPoint endPoint = tunnelSupport.getEndPoint();
+                    EndPoint endPoint = _tunnelSupport.getEndPoint();
                     _stream.setAttachment(endPoint);
                     endPoint.upgrade(connection);
                 }
@@ -673,8 +684,13 @@ public void succeeded()
                 }
             }
         }
-        _httpChannel.recycle();
-        _connection.offerHttpChannel(_httpChannel);
+
+        boolean canRecycle = _recycle.compareAndSet(false, true);
+        if (canRecycle)
+        {
+            _httpChannel.recycle();
+            _connection.offerHttpChannel(_httpChannel);
+        }
     }
 
     @Override
@@ -700,6 +716,7 @@ public void failed(Throwable x)
                 LOG.atDebug().setCause(x).log("HTTP2 response #{}/{}: failed {}", _stream.getId(), Integer.toHexString(_stream.getSession().hashCode()), errorCode);
             _stream.reset(new ResetFrame(_stream.getId(), errorCode.code), Callback.NOOP);
         }
+        _recycle.set(true);
     }
 
     private class SendTrailers extends Callback.Nested
diff --git a/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java b/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java
@@ -433,7 +433,7 @@ private Runnable onFailure(Throwable x, boolean remote)
         try (AutoLock ignored = _lock.lock())
         {
             if (LOG.isDebugEnabled())
-                LOG.atDebug().setCause(x).log("onFailure {}", this);
+                LOG.atDebug().setCause(x).log("onFailure remote={} {}", remote, this);
 
             // If the channel doesn't have a stream, then the error is ignored.
             stream = _stream;

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`import java.nio.ByteBuffer;`
`18`	`18`	`import java.util.Objects;`
`19`	`19`	`import java.util.concurrent.TimeoutException;`
	`20`	`+import java.util.concurrent.atomic.AtomicBoolean;`
`20`	`21`	`import java.util.function.BiConsumer;`
`21`	`22`	`import java.util.function.Supplier;`
`22`	`23`
`@@ -63,16 +64,17 @@ public class HttpStreamOverHTTP2 implements HttpStream, HTTP2Channel.Server`
`63`	`64`	`{`
`64`	`65`	`private static final Logger LOG = LoggerFactory.getLogger(HttpStreamOverHTTP2.class);`
`65`	`66`
`66`		`- private final AutoLock lock = new AutoLock();`
	`67`	`+ private final AutoLock _lock = new AutoLock();`
`67`	`68`	`private final HTTP2ServerConnection _connection;`
`68`	`69`	`private final HttpChannel _httpChannel;`
	`70`	`+ private final AtomicBoolean _recycle = new AtomicBoolean(); // Set to true when _httpChannel has been recycled or cannot be recycled anymore.`
`69`	`71`	`private final HTTP2Stream _stream;`
`70`	`72`	`private MetaData.Request _requestMetaData;`
`71`	`73`	`private MetaData.Response _responseMetaData;`
`72`		`- private TunnelSupport tunnelSupport;`
	`74`	`+ private TunnelSupport _tunnelSupport;`
`73`	`75`	`private Content.Chunk _chunk;`
`74`	`76`	`private Content.Chunk _trailer;`
`75`		`- private boolean committed;`
	`77`	`+ private boolean _committed;`
`76`	`78`	`private boolean _demand;`
`77`	`79`
`78`	`80`	`public HttpStreamOverHTTP2(HTTP2ServerConnection connection, HttpChannel httpChannel, HTTP2Stream stream)`
`@@ -105,7 +107,7 @@ public Runnable onRequest(HeadersFrame frame)`
`105`	`107`
`106`	`108`	`if (frame.isEndStream())`
`107`	`109`	`{`
`108`		`- try (AutoLock ignored = lock.lock())`
	`110`	`+ try (AutoLock ignored = _lock.lock())`
`109`	`111`	`{`
`110`	`112`	`_chunk = Content.Chunk.EOF;`
`111`	`113`	`}`
`@@ -114,7 +116,7 @@ public Runnable onRequest(HeadersFrame frame)`
`114`	`116`	`HttpFields fields = _requestMetaData.getHttpFields();`
`115`	`117`
`116`	`118`	`if (_requestMetaData instanceof MetaData.ConnectRequest)`
`117`		`- tunnelSupport = new TunnelSupportOverHTTP2(_requestMetaData.getProtocol());`
	`119`	`+ _tunnelSupport = new TunnelSupportOverHTTP2(_requestMetaData.getProtocol());`
`118`	`120`
`119`	`121`	`if (LOG.isDebugEnabled())`
`120`	`122`	`{`
`@@ -161,20 +163,20 @@ private Runnable onBadMessage(HttpException x)`
`161`	`163`	`LOG.debug("badMessage {} {}", this, x);`
`162`	`164`
`163`	`165`	`Throwable failure = (Throwable)x;`
`164`		`- return _httpChannel.onFailure(failure);`
	`166`	`+ return onFailure(failure, Callback.NOOP);`
`165`	`167`	`}`
`166`	`168`
`167`	`169`	`@Override`
`168`	`170`	`public Content.Chunk read()`
`169`	`171`	`{`
`170`	`172`	`// Tunnel requests do not have HTTP content, avoid`
`171`	`173`	`// returning chunks meant for a different protocol.`
`172`		`- if (tunnelSupport != null)`
	`174`	`+ if (_tunnelSupport != null)`
`173`	`175`	`return null;`
`174`	`176`
`175`	`177`	`// Check if there already is a chunk, e.g. EOF.`
`176`	`178`	`Content.Chunk chunk;`
`177`		`- try (AutoLock ignored = lock.lock())`
	`179`	`+ try (AutoLock ignored = _lock.lock())`
`178`	`180`	`{`
`179`	`181`	`chunk = _chunk;`
`180`	`182`	`_chunk = Content.Chunk.next(chunk);`
`@@ -190,7 +192,7 @@ public Content.Chunk read()`
`190`	`192`	`if (data.frame().isEndStream())`
`191`	`193`	`{`
`192`	`194`	`Content.Chunk trailer;`
`193`		`- try (AutoLock ignored = lock.lock())`
	`195`	`+ try (AutoLock ignored = _lock.lock())`
`194`	`196`	`{`
`195`	`197`	`trailer = _trailer;`
`196`	`198`	`if (trailer != null)`
`@@ -207,7 +209,7 @@ public Content.Chunk read()`
`207`	`209`	`// the two actions cancel each other, no need to further retain or release.`
`208`	`210`	`chunk = createChunk(data);`
`209`	`211`
`210`		`- try (AutoLock ignored = lock.lock())`
	`212`	`+ try (AutoLock ignored = _lock.lock())`
`211`	`213`	`{`
`212`	`214`	`_chunk = Content.Chunk.next(chunk);`
`213`	`215`	`}`
`@@ -219,7 +221,7 @@ public void demand()`
`219`	`221`	`{`
`220`	`222`	`boolean notify = false;`
`221`	`223`	`boolean demand = false;`
`222`		`- try (AutoLock ignored = lock.lock())`
	`224`	`+ try (AutoLock ignored = _lock.lock())`
`223`	`225`	`{`
`224`	`226`	`if (_chunk != null \|\| _trailer != null)`
`225`	`227`	`notify = true;`
`@@ -245,7 +247,7 @@ else if (demand)`
`245`	`247`	`@Override`
`246`	`248`	`public Runnable onDataAvailable()`
`247`	`249`	`{`
`248`		`- try (AutoLock ignored = lock.lock())`
	`250`	`+ try (AutoLock ignored = _lock.lock())`
`249`	`251`	`{`
`250`	`252`	`_demand = false;`
`251`	`253`	`}`
`@@ -264,7 +266,7 @@ public Runnable onDataAvailable()`
`264`	`266`	`public Runnable onTrailer(HeadersFrame frame)`
`265`	`267`	`{`
`266`	`268`	`HttpFields trailers = frame.getMetaData().getHttpFields().asImmutable();`
`267`		`- try (AutoLock ignored = lock.lock())`
	`269`	`+ try (AutoLock ignored = _lock.lock())`
`268`	`270`	`{`
`269`	`271`	`_trailer = new Trailers(trailers);`
`270`	`272`	`}`
`@@ -331,7 +333,7 @@ private void sendHeaders(MetaData.Request request, MetaData.Response response, B`
`331`	`333`	`}`
`332`	`334`	`else`
`333`	`335`	`{`
`334`		`- committed = true;`
	`336`	`+ _committed = true;`
`335`	`337`	`if (last)`
`336`	`338`	`{`
`337`	`339`	`long realContentLength = BufferUtil.length(content);`
`@@ -580,7 +582,7 @@ private void sendTrailersFrame(MetaData metaData, Callback callback)`
`580`	`582`	`@Override`
`581`	`583`	`public boolean isCommitted()`
`582`	`584`	`{`
`583`		`- return committed;`
	`585`	`+ return _committed;`
`584`	`586`	`}`
`585`	`587`
`586`	`588`	`@Override`
`@@ -593,13 +595,13 @@ public boolean isIdle()`
`593`	`595`	`@Override`
`594`	`596`	`public TunnelSupport getTunnelSupport()`
`595`	`597`	`{`
`596`		`- return tunnelSupport;`
	`598`	`+ return _tunnelSupport;`
`597`	`599`	`}`
`598`	`600`
`599`	`601`	`@Override`
`600`	`602`	`public Throwable consumeAvailable()`
`601`	`603`	`{`
`602`		`- if (tunnelSupport != null)`
	`604`	`+ if (_tunnelSupport != null)`
`603`	`605`	`return null;`
`604`	`606`	`Throwable result = HttpStream.consumeAvailable(this, _httpChannel.getConnectionMetaData().getHttpConfiguration());`
`605`	`607`	`if (result != null)`
`@@ -615,13 +617,22 @@ public Throwable consumeAvailable()`
`615`	`617`	`@Override`
`616`	`618`	`public void onTimeout(TimeoutException timeout, BiConsumer<Runnable, Boolean> consumer)`
`617`	`619`	`{`
	`620`	`+ boolean wasRecycled = !_recycle.compareAndSet(false, true);`
	`621`	`+ if (wasRecycled)`
	`622`	`+ {`
	`623`	`+ consumer.accept(null, true);`
	`624`	`+ return;`
	`625`	`+ }`
`618`	`626`	`HttpChannel.IdleTimeoutTask task = _httpChannel.onIdleTimeout(timeout);`
`619`	`627`	`consumer.accept(task.action(), !task.handlingRequest());`
`620`	`628`	`}`
`621`	`629`
`622`	`630`	`@Override`
`623`	`631`	`public Runnable onFailure(Throwable failure, Callback callback)`
`624`	`632`	`{`
	`633`	`+ boolean wasRecycled = !_recycle.compareAndSet(false, true);`
	`634`	`+ if (wasRecycled)`
	`635`	`+ return new FailureTask(null, callback);`
`625`	`636`	`boolean remote = failure instanceof EOFException;`
`626`	`637`	`Runnable task = remote ? _httpChannel.onRemoteFailure(new EofException(failure)) : _httpChannel.onFailure(failure);`
`627`	`638`	`return new FailureTask(task, callback);`
`@@ -643,7 +654,7 @@ public void succeeded()`
`643`	`654`	`}`
`644`	`655`	`else`
`645`	`656`	`{`
`646`		`- EndPoint endPoint = tunnelSupport.getEndPoint();`
	`657`	`+ EndPoint endPoint = _tunnelSupport.getEndPoint();`
`647`	`658`	`_stream.setAttachment(endPoint);`
`648`	`659`	`endPoint.upgrade(connection);`
`649`	`660`	`}`
`@@ -673,8 +684,13 @@ public void succeeded()`
`673`	`684`	`}`
`674`	`685`	`}`
`675`	`686`	`}`
`676`		`- _httpChannel.recycle();`
`677`		`- _connection.offerHttpChannel(_httpChannel);`
	`687`	`+`
	`688`	`+ boolean canRecycle = _recycle.compareAndSet(false, true);`
	`689`	`+ if (canRecycle)`
	`690`	`+ {`
	`691`	`+ _httpChannel.recycle();`
	`692`	`+ _connection.offerHttpChannel(_httpChannel);`
	`693`	`+ }`
`678`	`694`	`}`
`679`	`695`
`680`	`696`	`@Override`
`@@ -700,6 +716,7 @@ public void failed(Throwable x)`
`700`	`716`	`LOG.atDebug().setCause(x).log("HTTP2 response #{}/{}: failed {}", _stream.getId(), Integer.toHexString(_stream.getSession().hashCode()), errorCode);`
`701`	`717`	`_stream.reset(new ResetFrame(_stream.getId(), errorCode.code), Callback.NOOP);`
`702`	`718`	`}`
	`719`	`+ _recycle.set(true);`
`703`	`720`	`}`
`704`	`721`
`705`	`722`	`private class SendTrailers extends Callback.Nested`
Original file line number	Diff line number	Diff line change
`@@ -433,7 +433,7 @@ private Runnable onFailure(Throwable x, boolean remote)`
`433`	`433`	`try (AutoLock ignored = _lock.lock())`
`434`	`434`	`{`
`435`	`435`	`if (LOG.isDebugEnabled())`
`436`		`- LOG.atDebug().setCause(x).log("onFailure {}", this);`
	`436`	`+ LOG.atDebug().setCause(x).log("onFailure remote={} {}", remote, this);`
`437`	`437`
`438`	`438`	`// If the channel doesn't have a stream, then the error is ignored.`
`439`	`439`	`stream = _stream;`