We found a bug in the hyper HTTP library (blog.cloudflare.com)
144 points by Pop_- 4 days ago
Twey 5 hours ago
This would have been flagged by Clippy lints `let_underscore_untyped` or `let_underscore_must_use`, which sadly are not enabled by default.
microgpt 4 hours ago
Or just by not writing let _ =
Twey 4 hours ago
All recurrent people problems are system problems.
microgpt 2 hours ago
pwdisswordfishq 5 hours ago
Ehh, easy fix
#[allow(clippy::let_underscore_untyped, clippy::let_underscore_must_use)]
let _ = self.poll_flush(cx)?;
Twey 4 hours ago
I said ‘flagged’, not ‘fixed’ :)
You can always write the wrong code if you want it enough. But hopefully a warning would have prompted someone to think harder about this flow.
pwdisswordfishq 4 hours ago
PoignardAzur 3 hours ago
And this is why you should warn on `clippy::allow_attributes_without_reason` in your projects.
lunar_mycroft 5 hours ago
You can set the lints to `forbid` instead of `deny`, which means they can't be `allowed` like that.
nesarkvechnep 5 hours ago
Yeah, but you must know about them and the possible bug first in order to allow them...
Twey 4 hours ago
Joker_vD 5 hours ago
turboponyy 3 hours ago
edelbitter 9 hours ago
Cloudflare does not notice (until a customer complains) that they are sending broken responses at scale? I would have thought they would notice this from sampling and linting a few replies... just in case they did something like Cloudbleed again.
ramon156 6 hours ago
Can you get reasonable results without exposing sensitive info? I'm asking because I genuinely have no idea what it's like at their scale
worldsavior 6 hours ago
> We spent six weeks chasing a nearly invisible bug — a race condition that occurred only under specific conditions — in the hyper library that impacted how the Images binding returned processed image data back to the client. In the end, it took four lines of code to fix it.
That's a long time, must be frustrating.
gmueckl 33 minutes ago
It is a long time and it gets frustrating when there is significant time where there is flailing with no visible progress.
I have had long bug hunts (~a month each) and witnessed ones that took much, much longer. But the longest one I witnessed was drawn out because reproduction was initially unreliable and could take weeks to months. Thankfully, reproduction was by letting a box sit in a corner while the people involved moved on to other tasks. This kept everybody sane.
microgpt 6 hours ago
Would using Rust have prevented this?
testdelacc1 an hour ago
I get that it’s fun to dunk on Rust when a Rust bug surfaces. But is it a bit petty to bring this out when there’s any type of bug of any severity in any Rust software?
In this case a small minority of requests were getting truncated responses.
No one said Rust software is bug free. If someone thinks that they’ve been seriously misled.
geodel 4 hours ago
Agree. This is a warning to people who thought Rust is optional at cloud scale.
re-thc 5 hours ago
Isn't this already Rust?
pjmlp 5 hours ago
That was obviously a joke question, pointing that Rust isn't the solution for everything.
lelanthran 5 hours ago
Woosh :-)
Ygg2 3 hours ago
No. Anyone expecting that hasn't read No Silver Bullet essay.
tialaramex 3 hours ago
Actually I suspect that Rust is a Silver Bullet in that sense. That essay seems to be a case where people know of the essay but haven't read it. Normally in English a "Silver Bullet" is something much bigger, a panacea or cure all which entirely solves a problem but in his essay Brooks is talking about order-of-magnitude improvements, and that looks a lot like Rust.
Brooks was expecting such "Silver Bullet" improvements as often as every few decades, we're arguably overdue significantly. He cites Ada as an example of where such an improvement might come from, well, Rust isn't Ada but a lot of the same ideas about correctness are present.
Google reports order of magnitude changes from their Rust work for example.
HumanOstrich 3 hours ago
Cthulhu_ 5 hours ago
The Hyper library in question is a Rust library.
Did you read the article, or are you a "use rust" parrot / bot based on titles?
waysa 5 hours ago
Sarcasm. (I guess)
frankharv 4 hours ago
pseudony 5 hours ago
So “fearless concurrency” still only happens when one just decides to not be afraid… :)
c0balt 5 hours ago
This does not appear to be a concurrency bug though?
microgpt 4 hours ago
Of course it's a concurrency bug. It races sending data to the kernel against the kernel sending data to the network. If the wrong one wins the bug occurs.
inexcf 14 minutes ago
pseudony 4 hours ago
“ a race condition that occurred only under specific conditions — in the hyper library”
nopurpose 5 hours ago
Nice writeup, but I don't understand how `curl` didn't trigger bug for them (or any other hyper HTTP server out there), given the explanation in the article.
`curl --http1.1` sends `Connection: Close` so sender (hyper) must attempt to shutdown connection after sending whole body. Surely any network is slower than memory copy into socket kernel buffers, so it must reliably trigger condition "buffer flush can't be done in one go" and thus trigger early TCP shutdown.
100ms 8 hours ago
> The failure was caused by a timing-dependent race condition in hyper’s HTTP/1 connection handling. When the reader was slower and the socket buffer filled, poll_flush returned Poll::Pending, but the dispatch loop discarded that result. Hyper then treated the response as complete and shut down the socket while data remained buffered internally, causing the client to receive an EOF before the full body arrived.
https://github.com/hyperium/hyper/issues/4022
Saved you 3000 words
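To make the quoted failure concrete, here is an added example in Rust. It is not hyper's code and not from the Cloudflare post; every type and name (SlowSocket, BufferedWriter, dispatch_buggy, dispatch_fixed, serve) is a constructed stand-in. A writer's poll_flush returns Pending whenever the simulated socket buffer is full, and it is driven once by a dispatch loop that discards the Poll with `let _ = ...?` (the line discussed earlier in the thread, the one Clippy's `let_underscore_must_use` / `let_underscore_untyped` lints would flag) and once by a loop that propagates Pending with `ready!`. The first shuts the socket down with data still buffered in user space and the client gets a truncated body; the second delivers it whole.

```rust
use std::collections::VecDeque;
use std::io;
use std::task::{ready, Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Constructed stand-in for a TCP socket with a slow peer: the "kernel buffer"
/// holds at most `capacity` bytes and only empties when the client drains it.
struct SlowSocket {
    capacity: usize,
    kernel_buf: VecDeque<u8>,
    delivered: Vec<u8>, // bytes the client has actually received
    shut_down: bool,
}

impl SlowSocket {
    fn new(capacity: usize) -> Self {
        SlowSocket { capacity, kernel_buf: VecDeque::new(), delivered: Vec::new(), shut_down: false }
    }

    /// Copy as much as fits into the kernel buffer; Pending once it is full.
    fn poll_write(&mut self, buf: &[u8]) -> Poll<io::Result<usize>> {
        let room = self.capacity - self.kernel_buf.len();
        if room == 0 {
            return Poll::Pending;
        }
        let n = room.min(buf.len());
        self.kernel_buf.extend(&buf[..n]);
        Poll::Ready(Ok(n))
    }

    /// The slow client reads everything that has reached the kernel so far.
    fn drain(&mut self) {
        self.delivered.extend(self.kernel_buf.drain(..));
    }

    /// Closing the write side: bytes still in user space are never sent.
    fn shutdown(&mut self) {
        self.shut_down = true;
    }
}

/// Stand-in for a buffered connection writer: bytes wait in `pending` until
/// poll_flush has pushed every one of them into the socket.
#[derive(Default)]
struct BufferedWriter {
    pending: VecDeque<u8>,
}

impl BufferedWriter {
    fn queue(&mut self, body: &[u8]) {
        self.pending.extend(body);
    }

    /// Ready(Ok) only when the user-space buffer is empty. Pending means
    /// "some bytes went out, more remain, poll me again when writable".
    fn poll_flush(&mut self, _cx: &mut Context<'_>, sock: &mut SlowSocket) -> Poll<io::Result<()>> {
        while !self.pending.is_empty() {
            match sock.poll_write(self.pending.make_contiguous()) {
                Poll::Ready(Ok(n)) => { self.pending.drain(..n); }
                Poll::Ready(Err(e)) => return Poll::Ready(Err(e)),
                Poll::Pending => return Poll::Pending,
            }
        }
        Poll::Ready(Ok(()))
    }
}

/// Buggy shape: `?` keeps only the error path and `let _` throws away the
/// Poll, so Pending is treated like success and shutdown races the flush.
fn dispatch_buggy(cx: &mut Context<'_>, w: &mut BufferedWriter, sock: &mut SlowSocket) -> Poll<io::Result<()>> {
    let _ = w.poll_flush(cx, sock)?; // Poll::Pending silently discarded
    sock.shutdown();
    Poll::Ready(Ok(()))
}

/// Fixed shape: ready! hands Pending back to the caller, which re-polls later;
/// the socket is shut down only after every buffered byte reached the kernel.
fn dispatch_fixed(cx: &mut Context<'_>, w: &mut BufferedWriter, sock: &mut SlowSocket) -> Poll<io::Result<()>> {
    ready!(w.poll_flush(cx, sock))?;
    sock.shutdown();
    Poll::Ready(Ok(()))
}

/// Serve `body` over a socket with a `capacity`-byte kernel buffer, letting the
/// client read between polls. Returns the bytes the client received.
fn serve(body: &[u8], capacity: usize, fixed: bool) -> Vec<u8> {
    let waker = noop_waker();
    let mut cx = Context::from_waker(&waker);
    let mut sock = SlowSocket::new(capacity);
    let mut writer = BufferedWriter::default();
    writer.queue(body);
    loop {
        let result = if fixed {
            dispatch_fixed(&mut cx, &mut writer, &mut sock)
        } else {
            dispatch_buggy(&mut cx, &mut writer, &mut sock)
        };
        sock.drain(); // the slow reader catches up on whatever reached the kernel
        if result.is_ready() || sock.shut_down {
            break;
        }
    }
    sock.delivered
}

/// Waker that does nothing; the simulation re-polls in a loop instead.
fn noop_waker() -> Waker {
    fn clone(_: *const ()) -> RawWaker { RawWaker::new(std::ptr::null(), &VTABLE) }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    // SAFETY: none of the vtable functions touch the (null) data pointer.
    unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) }
}

fn main() {
    let body: Vec<u8> = (0..200u8).collect(); // constructed 200-byte response body
    println!("buggy loop: client got {} of {} bytes", serve(&body, 64, false).len(), body.len());
    println!("fixed loop: client got {} of {} bytes", serve(&body, 64, true).len(), body.len());
}
```

With a 64-byte socket buffer and a 200-byte body, the buggy loop hands the client only the first 64 bytes before shutting down, while the fixed loop needs four polls and delivers all 200; a body that fits in a single write is unaffected either way, which is why a fast local client such as curl on the same box can fail to reproduce it.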
michalc 6 hours ago
Reminds me of another “slow client”-related bug in gunicorn: https://github.com/benoitc/gunicorn/issues/3334
microgpt 6 hours ago
That's not even a bug. That's how TCP works. If you keep sending data to a socket the other side has closed, you get RST.
edelbitter 5 hours ago
NooneAtAll3 4 hours ago
moralestapia 30 minutes ago
Hey, you have to justify three full-time engineers' worth of salary.
Thaxll 5 hours ago
So much for Rust forcing you to handle errors.
Matl 4 hours ago
Go does force you too, but it also supports _ as a bypass - because sometimes you do know better. Just not in this case.
Rust never promised it'll let programmers turn off their brain, that's what LLMs are for.
wongarsu 5 hours ago
You could argue the bug happened exactly because hyper's poll_flush treats flushing some but not all data as a successful return, not an error case.
jerf 3 hours ago
There's a hidden equivocation there. "Handling" errors, as far as the language is concerned, mean you do something with them, but explicitly discarding them is most definitely a "something".
From a human perspective we can consider that not handling the error.
But the language has no mechanism for "knowing" that discarding the error is wrong. Discarding errors is a fully valid mechanism that we must be able to do in a program because it is sometimes correct. There really isn't even a sensible way to define a way to "force" a user to "handle" errors. The language can only be designed to make it hard to forget to "handle" them somehow in the way the language sees, but it is always possible for the user to incorrectly handle them, of which discarding them when they shouldn't have is only one particularly cognitively-available option but is hardly the full scope of possibilities. Probably isn't even the most common mistake to make, I would imagine there are far more errors that are not handled "correctly" than ones that are spuriously discarded.
Note I keep saying "language" rather than Rust. All a language can do is surface the issue, and Rust does that. It can't force good code. No language can.
atoav 5 hours ago
You could say the exact same thing about safety belts and airbags in cars after someone has died in a crash.
Why even bother with measures that prevent many problems if they won't prevent all of them, right?
chlorion 4 hours ago
This is the argument I like too.
It's the same argument anti-vaxers love to make. "Well you can still get covid after getting the shot", which is something I read and heard quite a lot. That doesn't make the thing useless.
Humans are really dumb.
algoth1 7 hours ago
I wonder if this bug was found via project glasswing
re-thc 5 hours ago
> I wonder if this bug was found via project glasswing
Did you read how they said it took weeks? Would run out of tokens at that rate...
xacky 3 hours ago
Yet Cloudflare relies on bugs in browsers to "verify" you.