Avoid send empty body to ext_proc server if decodeData() never called

[yanjunxiang-google]

If decodeData() is not called, currently ext_proc filter is still possible to send an empty body to ext_proc server with

envoy/source/extensions/filters/http/ext_proc/ext_proc.cc

Line 480 in b8853df

sendBufferedData(state, ProcessorState::CallbackState::BufferedBodyCallback, true);

and

envoy/source/extensions/filters/http/ext_proc/ext_proc.cc

Line 565 in b8853df

sendBodyChunk(state, data, new_state, end_stream);

After body mutation from ext_proc server is received by ext_proc filter, it will modify the decoding buffer, which leads to an ASSERT() in filter manager
common/http/filter_manager.cc:426] assert failure: parent_.state_.latest_data_decoding_filter_ == this

The condition to trigger this ASSERT is ext_proc filter is configured to send body, but client only sends headers and trailers.

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #28672 was opened by yanjunxiang-google.

see: more, trace.

[yanjunxiang-google]

The solution is to add a bufferedData() check before sending body to ext_proc server. bufferedData() will only become valid pointer if decodeData() is every called.

If no data received, and decodeData() is never called, it will be nullptr.

[yanjunxiang-google]

/retest

[yanjunxiang-google]

/assign @tyxia @yanavlasov

[yanjunxiang-google]

/assign @stevenzzzz

[yanjunxiang-google]

The other utility function hasBufferedData() can not be used here since it not only check bufferedData() not nullptr, also checks the data->length >0. Using hasBufferedData() here will break the decodeData() with an empty chunk case.

[tyxia]

QQ: I am wondering when do we need to decodeData() with an empty chunk case? What are the use cases for this?

[stevenzzzz]

bufferedData()!=nullptr

[yanjunxiang-google]

This is the crash log and crash traceback decode:

test_ext_proc copy.odt

[yanjunxiang-google]

The root cause of the issue is this:

If ext_proc filter is configured to send body, and if only headers and trailers are received, no body is received by the ext_proc filter, it will send an empty boy to the ext_proc server.
The ext_proc server will mutate the body, and send back a body response. The body response will modify the decoding buffer, which trigger the ASSERT there:

envoy/source/common/http/filter_manager.cc

Line 426 in 522f991

ASSERT(parent_.state_.latest_data_decoding_filter_ == this);

So, filter_manager carefully maintain state_.latest_data_decoding_filter_ during decodeData():

envoy/source/common/http/filter_manager.cc

Line 658 in 522f991

recordLatestDataFilter(entry, state_.latest_data_decoding_filter_, decoder_filters_);

In this case, decodeData() is never called due to client is not sending data, and data is constructed by ext_proc filter itself. That leads to latest_data_decoding_filter_ is an empty pointer not pointing the ext_proc filter

Thus the ASSERT failed, and crashed there.

Overall, the ext_proc filter should not send data based on the ext_proc filter configuration. It should only send data if the data presents. Concept wise, this issue is similar to sending trailer when trailer is not present case : #28592

[yanjunxiang-google]

/assign @mattklein123

[yanjunxiang-google]

Kind Ping

[tyxia]

Nice work!

[tyxia]

QQ: I am wondering when do we need to decodeData() with an empty chunk case? What are the use cases for this?

[tyxia]

LGTM, Thanks!

[stevenzzzz]

The "skipping body" approach in this PR feels like a behavior change that we can avoid by calling de/encodeData(dataMutations, false); on receiving the data mutation response from ext_server.

But no strong feelings.

[stevenzzzz]

bufferedData()!=nullptr

[yanjunxiang-google]

The "skipping body" approach in this PR feels like a behavior change that we can avoid by calling de/encodeData(dataMutations, false); on receiving the data mutation response from ext_server.

But no strong feelings.

Thanks for the comments!

The ext_proc behavior is now changed into "if configured as such, deliver body/trailer to the ext_proc server if they are present".

[yanjunxiang-google]

@envoyproxy/api-shepherds PTAL

[yanavlasov]

API change is comment only.