[http] add llhttp parser implementation

[asraa]

Signed-off-by: Asra Ali asraa@google.com

Commit Message: Add llhttp parser implementation.
Risk Level: High, but off by default.
Testing: H/1 codec impl and unit tests that use actual codecs have two targets now, a legacy and new version. Integration tests are parametrized by enabling the runtime flag via the config setting and is enabled in compile_time_options. Codec fuzz test enables the new parser.
Release Notes: Added
Runtime guard: envoy.reloadable_features.enable_new_http1_parser. Off by default.
Fixes: #5155
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25777 (see note below)

CHANGES

• We use llhttp to detect and reject invalid header characters. Thus, http1.invalid_characters response codes appear as http1.codec_error. and the status message reads HPE_INVALID_HEADER_TOKEN.
• It also appears that llhttp handles invalid methods errors after message begin, whereas http-parser handles it at message begin. I only noticed this when it triggered a codec fuzzer failure when a second H/1 stream started. http-parser catches the invalid method failure and exits early, whereas llhttp hits the latent bug: there were no stream resets when responses were completed before requests are finished. In the normal case, we expect higher level code to reset the stream.

NOTES FOR CLEANUP

• Our invalid character check in the codec can be removed when the legacy code is removed.
• The secondary impl layer can be removed when the legacy code is removed. Actually, the parser interface should totally be removed since there's a slight performance dip from using it.

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #15814 was opened by asraa.

see: more, trace.

[moderation]

/lgtm deps

[asraa]

Very confused about the ASan error. It is reproducible via bazel test, but not by gdb or running the binary directly.

When I bazel test, it appears the function doesn't enter llhttp_execute at all but somehow returns from it causing undefined behavior using error after.

envoy/source/common/http/http1/parser_impl.cc

Lines 102 to 106 in 591811f

	error = llhttp_execute(&parser_, slice, len);
	}
	size_t nread = len;
	// Adjust number of bytes read in case of error.
	if (error != HPE_OK) {

[antoniovicente]

It is really exciting to see progress on Envoy moving to a http1 parser that is under active development.

[antoniovicente]

What happens if a request has both transfer-encoding: chunked and content-length?

[asraa]

https://github.com/nodejs/llhttp/blob/aa07189d39b8d0da9d5a887d93761014a45804bf/test/request/content-length.md#error-on-simultaneous-content-length-and-transfer-encoding-identity

It's handled with an error. Actually this is just because llhttp doesn't have an initial value for unset content length. http_parser uses all 1 bits set to indicate there is no content length. Added comment.

[antoniovicente]

We should have tests in envoy to cover these cases. This is related to my question regarding use of lenient parsing further down in this file. It seems that those lenient options were added for the benefit of Envoy's H1 implementation.

[asraa]

envoy/test/common/http/http1/codec_impl_test.cc

Line 1945 in 56d3f8a

TEST_F(Http1ServerConnectionImplTest, TestSmugglingDisallowChunkedContentLength0) {

There are tests for both content length and chunked.

[antoniovicente]

Should we do something to reconcile this behavior with http_parser? How do we ensure that nothing depends on this function having side effects for http_parser?

[asraa]

The http_parser implementation of pause() uses the http parser method to pause (https://github.com/nodejs/http-parser/blob/ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d/http_parser.h#L438) and an OK. That's the same as returning pause from llhttp parser. I think it's already reconciled

[antoniovicente]

I guess this is an area to cleanup once llhttp is the only implementation.

In the current world I would consider something like:
ParserStatus maybePause(ParserStatus status);

The http_parser version would detect status == Paused and call its pause method and return Success, while the llhttp version would just return the status that was passed in.

[asraa]

In the current world I would consider something like:

To me that seems strange because Paused is the only status that maybePause would ever call.

Technically returning HPE_PAUSED from http-parser will also cause the parser to pause, but I don't trust making the change because there's very little http-parser docs and I don't know if it changes how it handles errors. (All http_parser_pause() does is cause HPE_PAUSED to be returning from execute. we could just return it directly).

[indutny]

I would appreciate if you could upgrade llhttp to 5.1.0 or 4.1.0, which was just released: nodejs/llhttp#95

[asraa]

Updated, sorry for the delay! (This is an evening thing right now)

• For unit test dupes: only mixed_conn_pool test used an actual parser (I added an ASSERT(false) in the default parser and ran all the http/... conn_pool/... to grab failures).
• A latent codec fuzz bug needed fixing, I noted why it came up in the PR description.
• llhttp version's bumped.
• Let me know what you think about the lenient chunked length setting. I switched over to llhttp's strict header validation since Envoy no longer provides the option to disable that.

[asraa]

Still working on the asan issue (comment above) and a tsan one. TSan is from running existing parser, reproducible, so something must have went wrong there... all the issues are about allowing chunked... and run into data race at destruction

[antoniovicente]

What code in Envoy is generating the error response when both transfer-encoding: chunked and content-length is set?

[antoniovicente]

What fixes are needed to make this corpus entry run successfully? I assume it's the changes to the fuzz harness?

[asraa]

It does run successfully now, with the changes in the diff that close that reset stream when the response ends before the request does.

[antoniovicente]

I tried to do some debugging but the conclusion I got to was along the lines that the stall happens even if I disable the cache filter. This may be a real issue processing multiple requests on the same connection with the new parser. Is there a chance that some state is not being reset in the parser between requests?

Debugging the state of the llhttp parser isn't easy between the typescript to c transcoding and it being an external dep for the build. Would it be possible to add methods to dump info about the state of the parser or debug accessors which can be used to implement said debug methods in ParserImpl?

[moderation]

llhttp 6.0.3 is out - https://github.com/nodejs/llhttp/releases/tag/release%2Fv6.0.3

[antoniovicente]

Please see precheck format presubmit error.

/wait

021-06-17T20:30:38.8262526Z ERROR: ./docs/root/version_history/current.rst:82: Version history not in alphabetical order (crash support vs admission control): please check placement of line
2021-06-17T20:30:38.8264348Z  * admission control: added :ref:`admission control <envoy_v3_api_field_extensions.filters.http.admission_control.v3alpha.AdmissionControl.rps_threshold>` option that when average RPS of the sampling window is below this threshold, the filter will not throttle requests. Added :ref:`admission control <envoy_v3_api_field_extensions.filters.http.admission_control.v3alpha.AdmissionControl.max_rejection_probability>` option to set an upper limit on the probability of rejection.. 

[antoniovicente]

cache filter integration test still failing

/wait

[moderation]

llhttp 6.0.4 is out - https://github.com/nodejs/llhttp/releases/tag/release%2Fv6.0.4

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[moderation]

llhttp 6.0.5 is out - https://github.com/nodejs/llhttp/releases/tag/release%2Fv6.0.5

[yanavlasov]

Obsolete. QUICHE H/1 code (Balsa) is currently being integrated.