server.go

     1  // Copyright 2014 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // TODO: turn off the serve goroutine when idle, so
     6  // an idle conn only has the readFrames goroutine active. (which could
     7  // also be optimized probably to pin less memory in crypto/tls). This
     8  // would involve tracking when the serve goroutine is active (atomic
     9  // int32 read/CAS probably?) and starting it up when frames arrive,
    10  // and shutting it down when all handlers exit. the occasional PING
    11  // packets could use time.AfterFunc to call sc.wakeStartServeLoop()
    12  // (which is a no-op if already running) and then queue the PING write
    13  // as normal. The serve loop would then exit in most cases (if no
    14  // Handlers running) and not be woken up again until the PING packet
    15  // returns.
    16  
    17  // TODO (maybe): add a mechanism for Handlers to going into
    18  // half-closed-local mode (rw.(io.Closer) test?) but not exit their
    19  // handler, and continue to be able to read from the
    20  // Request.Body. This would be a somewhat semantic change from HTTP/1
    21  // (or at least what we expose in net/http), so I'd probably want to
    22  // add it there too. For now, this package says that returning from
    23  // the Handler ServeHTTP function means you're both done reading and
    24  // done writing, without a way to stop just one or the other.
    25  
    26  package http2
    27  
    28  import (
    29  	"bufio"
    30  	"bytes"
    31  	"context"
    32  	"crypto/rand"
    33  	"crypto/tls"
    34  	"errors"
    35  	"fmt"
    36  	"io"
    37  	"log"
    38  	"math"
    39  	"net"
    40  	"net/http/internal"
    41  	"net/http/internal/httpcommon"
    42  	"net/textproto"
    43  	"net/url"
    44  	"os"
    45  	"reflect"
    46  	"runtime"
    47  	"slices"
    48  	"strconv"
    49  	"strings"
    50  	"sync"
    51  	"time"
    52  
    53  	"golang.org/x/net/http/httpguts"
    54  	"golang.org/x/net/http2/hpack"
    55  )
    56  
    57  const (
    58  	prefaceTimeout        = 10 * time.Second
    59  	firstSettingsTimeout  = 2 * time.Second // should be in-flight with preface anyway
    60  	handlerChunkWriteSize = 4 << 10
    61  	defaultMaxStreams     = 250 // TODO: make this 100 as the GFE seems to?
    62  
    63  	// maxQueuedControlFrames is the maximum number of control frames like
    64  	// SETTINGS, PING and RST_STREAM that will be queued for writing before
    65  	// the connection is closed to prevent memory exhaustion attacks.
    66  	maxQueuedControlFrames = 10000
    67  )
    68  
    69  var (
    70  	errClientDisconnected = errors.New("client disconnected")
    71  	errClosedBody         = errors.New("body closed by handler")
    72  	errHandlerComplete    = errors.New("http2: request body closed due to handler exiting")
    73  	errStreamClosed       = errors.New("http2: stream closed")
    74  )
    75  
    76  var responseWriterStatePool = sync.Pool{
    77  	New: func() any {
    78  		rws := &responseWriterState{}
    79  		rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize)
    80  		return rws
    81  	},
    82  }
    83  
    84  // Test hooks.
    85  var (
    86  	testHookOnConn    func()
    87  	testHookOnPanicMu *sync.Mutex // nil except in tests
    88  	testHookOnPanic   func(sc *serverConn, panicVal any) (rePanic bool)
    89  )
    90  
    91  // Server is an HTTP/2 server.
    92  type Server struct {
    93  	// MaxHandlers limits the number of http.Handler ServeHTTP goroutines
    94  	// which may run at a time over all connections.
    95  	// Negative or zero no limit.
    96  	// TODO: implement
    97  	MaxHandlers int
    98  
    99  	// MaxConcurrentStreams optionally specifies the number of
   100  	// concurrent streams that each client may have open at a
   101  	// time. This is unrelated to the number of http.Handler goroutines
   102  	// which may be active globally, which is MaxHandlers.
   103  	// If zero, MaxConcurrentStreams defaults to at least 100, per
   104  	// the HTTP/2 spec's recommendations.
   105  	MaxConcurrentStreams uint32
   106  
   107  	// MaxDecoderHeaderTableSize optionally specifies the http2
   108  	// SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It
   109  	// informs the remote endpoint of the maximum size of the header compression
   110  	// table used to decode header blocks, in octets. If zero, the default value
   111  	// of 4096 is used.
   112  	MaxDecoderHeaderTableSize uint32
   113  
   114  	// MaxEncoderHeaderTableSize optionally specifies an upper limit for the
   115  	// header compression table used for encoding request headers. Received
   116  	// SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero,
   117  	// the default value of 4096 is used.
   118  	MaxEncoderHeaderTableSize uint32
   119  
   120  	// MaxReadFrameSize optionally specifies the largest frame
   121  	// this server is willing to read. A valid value is between
   122  	// 16k and 16M, inclusive. If zero or otherwise invalid, a
   123  	// default value is used.
   124  	MaxReadFrameSize uint32
   125  
   126  	// PermitProhibitedCipherSuites, if true, permits the use of
   127  	// cipher suites prohibited by the HTTP/2 spec.
   128  	PermitProhibitedCipherSuites bool
   129  
   130  	// IdleTimeout specifies how long until idle clients should be
   131  	// closed with a GOAWAY frame. PING frames are not considered
   132  	// activity for the purposes of IdleTimeout.
   133  	// If zero or negative, there is no timeout.
   134  	IdleTimeout time.Duration
   135  
   136  	// ReadIdleTimeout is the timeout after which a health check using a ping
   137  	// frame will be carried out if no frame is received on the connection.
   138  	// If zero, no health check is performed.
   139  	ReadIdleTimeout time.Duration
   140  
   141  	// PingTimeout is the timeout after which the connection will be closed
   142  	// if a response to a ping is not received.
   143  	// If zero, a default of 15 seconds is used.
   144  	PingTimeout time.Duration
   145  
   146  	// WriteByteTimeout is the timeout after which a connection will be
   147  	// closed if no data can be written to it. The timeout begins when data is
   148  	// available to write, and is extended whenever any bytes are written.
   149  	// If zero or negative, there is no timeout.
   150  	WriteByteTimeout time.Duration
   151  
   152  	// MaxUploadBufferPerConnection is the size of the initial flow
   153  	// control window for each connections. The HTTP/2 spec does not
   154  	// allow this to be smaller than 65535 or larger than 2^32-1.
   155  	// If the value is outside this range, a default value will be
   156  	// used instead.
   157  	MaxUploadBufferPerConnection int32
   158  
   159  	// MaxUploadBufferPerStream is the size of the initial flow control
   160  	// window for each stream. The HTTP/2 spec does not allow this to
   161  	// be larger than 2^32-1. If the value is zero or larger than the
   162  	// maximum, a default value will be used instead.
   163  	MaxUploadBufferPerStream int32
   164  
   165  	// NewWriteScheduler constructs a write scheduler for a connection.
   166  	// If nil, a default scheduler is chosen.
   167  	NewWriteScheduler func() WriteScheduler
   168  
   169  	// CountError, if non-nil, is called on HTTP/2 server errors.
   170  	// It's intended to increment a metric for monitoring, such
   171  	// as an expvar or Prometheus metric.
   172  	// The errType consists of only ASCII word characters.
   173  	CountError func(errType string)
   174  
   175  	// Internal state. This is a pointer (rather than embedded directly)
   176  	// so that we don't embed a Mutex in this struct, which will make the
   177  	// struct non-copyable, which might break some callers.
   178  	state *serverInternalState
   179  }
   180  
   181  type serverInternalState struct {
   182  	mu          sync.Mutex
   183  	activeConns map[*serverConn]struct{}
   184  
   185  	// Pool of error channels. This is per-Server rather than global
   186  	// because channels can't be reused across synctest bubbles.
   187  	errChanPool sync.Pool
   188  }
   189  
   190  func (s *serverInternalState) registerConn(sc *serverConn) {
   191  	if s == nil {
   192  		return // if the Server was used without calling ConfigureServer
   193  	}
   194  	s.mu.Lock()
   195  	s.activeConns[sc] = struct{}{}
   196  	s.mu.Unlock()
   197  }
   198  
   199  func (s *serverInternalState) unregisterConn(sc *serverConn) {
   200  	if s == nil {
   201  		return // if the Server was used without calling ConfigureServer
   202  	}
   203  	s.mu.Lock()
   204  	delete(s.activeConns, sc)
   205  	s.mu.Unlock()
   206  }
   207  
   208  func (s *serverInternalState) startGracefulShutdown() {
   209  	if s == nil {
   210  		return // if the Server was used without calling ConfigureServer
   211  	}
   212  	s.mu.Lock()
   213  	for sc := range s.activeConns {
   214  		sc.startGracefulShutdown()
   215  	}
   216  	s.mu.Unlock()
   217  }
   218  
   219  // Global error channel pool used for uninitialized Servers.
   220  // We use a per-Server pool when possible to avoid using channels across synctest bubbles.
   221  var errChanPool = sync.Pool{
   222  	New: func() any { return make(chan error, 1) },
   223  }
   224  
   225  func (s *serverInternalState) getErrChan() chan error {
   226  	if s == nil {
   227  		return errChanPool.Get().(chan error) // Server used without calling ConfigureServer
   228  	}
   229  	return s.errChanPool.Get().(chan error)
   230  }
   231  
   232  func (s *serverInternalState) putErrChan(ch chan error) {
   233  	if s == nil {
   234  		errChanPool.Put(ch) // Server used without calling ConfigureServer
   235  		return
   236  	}
   237  	s.errChanPool.Put(ch)
   238  }
   239  
   240  func (s *Server) Configure(conf ServerConfig, tcfg *tls.Config) error {
   241  	s.state = &serverInternalState{
   242  		activeConns: make(map[*serverConn]struct{}),
   243  		errChanPool: sync.Pool{New: func() any { return make(chan error, 1) }},
   244  	}
   245  
   246  	if tcfg.CipherSuites != nil && tcfg.MinVersion < tls.VersionTLS13 {
   247  		// If they already provided a TLS 1.0–1.2 CipherSuite list, return an
   248  		// error if it is missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
   249  		// ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
   250  		haveRequired := false
   251  		for _, cs := range tcfg.CipherSuites {
   252  			switch cs {
   253  			case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   254  				// Alternative MTI cipher to not discourage ECDSA-only servers.
   255  				// See http://golang.org/cl/30721 for further information.
   256  				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
   257  				haveRequired = true
   258  			}
   259  		}
   260  		if !haveRequired {
   261  			return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)")
   262  		}
   263  	}
   264  
   265  	// Note: not setting MinVersion to tls.VersionTLS12,
   266  	// as we don't want to interfere with HTTP/1.1 traffic
   267  	// on the user's server. We enforce TLS 1.2 later once
   268  	// we accept a connection. Ideally this should be done
   269  	// during next-proto selection, but using TLS <1.2 with
   270  	// HTTP/2 is still the client's bug.
   271  
   272  	return nil
   273  }
   274  
   275  func (s *Server) GracefulShutdown() {
   276  	s.state.startGracefulShutdown()
   277  }
   278  
   279  // ServeConnOpts are options for the Server.ServeConn method.
   280  type ServeConnOpts struct {
   281  	// Context is the base context to use.
   282  	// If nil, context.Background is used.
   283  	Context context.Context
   284  
   285  	// BaseConfig optionally sets the base configuration
   286  	// for values. If nil, defaults are used.
   287  	BaseConfig ServerConfig
   288  
   289  	// Handler specifies which handler to use for processing
   290  	// requests. If nil, BaseConfig.Handler is used. If BaseConfig
   291  	// or BaseConfig.Handler is nil, http.DefaultServeMux is used.
   292  	Handler Handler
   293  
   294  	// Settings is the decoded contents of the HTTP2-Settings header
   295  	// in an h2c upgrade request.
   296  	Settings []byte
   297  
   298  	// SawClientPreface is set if the HTTP/2 connection preface
   299  	// has already been read from the connection.
   300  	SawClientPreface bool
   301  }
   302  
   303  func (o *ServeConnOpts) context() context.Context {
   304  	if o != nil && o.Context != nil {
   305  		return o.Context
   306  	}
   307  	return context.Background()
   308  }
   309  
   310  // ServeConn serves HTTP/2 requests on the provided connection and
   311  // blocks until the connection is no longer readable.
   312  //
   313  // ServeConn starts speaking HTTP/2 assuming that c has not had any
   314  // reads or writes. It writes its initial settings frame and expects
   315  // to be able to read the preface and settings frame from the
   316  // client. If c has a ConnectionState method like a *tls.Conn, the
   317  // ConnectionState is used to verify the TLS ciphersuite and to set
   318  // the Request.TLS field in Handlers.
   319  //
   320  // ServeConn does not support h2c by itself. Any h2c support must be
   321  // implemented in terms of providing a suitably-behaving net.Conn.
   322  //
   323  // The opts parameter is optional. If nil, default values are used.
   324  func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
   325  	if opts == nil {
   326  		opts = &ServeConnOpts{}
   327  	}
   328  
   329  	var newf func(*serverConn)
   330  	if inTests {
   331  		// Fetch NewConnContextKey if set, leave newf as nil otherwise.
   332  		newf, _ = opts.Context.Value(NewConnContextKey).(func(*serverConn))
   333  	}
   334  
   335  	s.serveConn(c, opts, newf)
   336  }
   337  
   338  type contextKey string
   339  
   340  var (
   341  	NewConnContextKey         = new("NewConnContextKey")
   342  	ConnectionStateContextKey = new("ConnectionStateContextKey")
   343  )
   344  
   345  func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverConn)) {
   346  	baseCtx, cancel := serverConnBaseContext(c, opts)
   347  	defer cancel()
   348  
   349  	conf := configFromServer(opts.BaseConfig, s)
   350  	sc := &serverConn{
   351  		srv:                         s,
   352  		hs:                          opts.BaseConfig,
   353  		conn:                        c,
   354  		baseCtx:                     baseCtx,
   355  		remoteAddrStr:               c.RemoteAddr().String(),
   356  		bw:                          newBufferedWriter(c, conf.WriteByteTimeout),
   357  		handler:                     opts.Handler,
   358  		streams:                     make(map[uint32]*stream),
   359  		readFrameCh:                 make(chan readFrameResult),
   360  		wantWriteFrameCh:            make(chan FrameWriteRequest, 8),
   361  		serveMsgCh:                  make(chan any, 8),
   362  		wroteFrameCh:                make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync
   363  		bodyReadCh:                  make(chan bodyReadMsg),         // buffering doesn't matter either way
   364  		doneServing:                 make(chan struct{}),
   365  		clientMaxStreams:            math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value"
   366  		advMaxStreams:               uint32(conf.MaxConcurrentStreams),
   367  		initialStreamSendWindowSize: initialWindowSize,
   368  		initialStreamRecvWindowSize: int32(conf.MaxReceiveBufferPerStream),
   369  		maxFrameSize:                initialMaxFrameSize,
   370  		pingTimeout:                 conf.PingTimeout,
   371  		countErrorFunc:              conf.CountError,
   372  		serveG:                      newGoroutineLock(),
   373  		pushEnabled:                 true,
   374  		sawClientPreface:            opts.SawClientPreface,
   375  	}
   376  	if newf != nil {
   377  		newf(sc)
   378  	}
   379  
   380  	s.state.registerConn(sc)
   381  	defer s.state.unregisterConn(sc)
   382  
   383  	// The net/http package sets the write deadline from the
   384  	// http.Server.WriteTimeout during the TLS handshake, but then
   385  	// passes the connection off to us with the deadline already set.
   386  	// Write deadlines are set per stream in serverConn.newStream.
   387  	// Disarm the net.Conn write deadline here.
   388  	if sc.hs.WriteTimeout() > 0 {
   389  		sc.conn.SetWriteDeadline(time.Time{})
   390  	}
   391  
   392  	switch {
   393  	case s.NewWriteScheduler != nil:
   394  		sc.writeSched = s.NewWriteScheduler()
   395  	case sc.hs.DisableClientPriority():
   396  		sc.writeSched = newRoundRobinWriteScheduler()
   397  	default:
   398  		sc.writeSched = newPriorityWriteSchedulerRFC9218()
   399  	}
   400  
   401  	// These start at the RFC-specified defaults. If there is a higher
   402  	// configured value for inflow, that will be updated when we send a
   403  	// WINDOW_UPDATE shortly after sending SETTINGS.
   404  	sc.flow.add(initialWindowSize)
   405  	sc.inflow.init(initialWindowSize)
   406  	sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf)
   407  	sc.hpackEncoder.SetMaxDynamicTableSizeLimit(uint32(conf.MaxEncoderHeaderTableSize))
   408  
   409  	fr := NewFramer(sc.bw, c)
   410  	if conf.CountError != nil {
   411  		fr.countError = conf.CountError
   412  	}
   413  	fr.ReadMetaHeaders = hpack.NewDecoder(uint32(conf.MaxDecoderHeaderTableSize), nil)
   414  	fr.MaxHeaderListSize = sc.maxHeaderListSize()
   415  	fr.SetMaxReadFrameSize(uint32(conf.MaxReadFrameSize))
   416  	sc.framer = fr
   417  
   418  	if tc, ok := c.(connectionStater); ok {
   419  		sc.tlsState = new(tls.ConnectionState)
   420  		*sc.tlsState = tc.ConnectionState()
   421  
   422  		// Optionally override the ConnectionState in tests.
   423  		if inTests {
   424  			f, ok := opts.Context.Value(ConnectionStateContextKey).(func() tls.ConnectionState)
   425  			if ok {
   426  				*sc.tlsState = f()
   427  			}
   428  		}
   429  
   430  		// 9.2 Use of TLS Features
   431  		// An implementation of HTTP/2 over TLS MUST use TLS
   432  		// 1.2 or higher with the restrictions on feature set
   433  		// and cipher suite described in this section. Due to
   434  		// implementation limitations, it might not be
   435  		// possible to fail TLS negotiation. An endpoint MUST
   436  		// immediately terminate an HTTP/2 connection that
   437  		// does not meet the TLS requirements described in
   438  		// this section with a connection error (Section
   439  		// 5.4.1) of type INADEQUATE_SECURITY.
   440  		if sc.tlsState.Version < tls.VersionTLS12 {
   441  			sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low")
   442  			return
   443  		}
   444  
   445  		if sc.tlsState.ServerName == "" {
   446  			// Client must use SNI, but we don't enforce that anymore,
   447  			// since it was causing problems when connecting to bare IP
   448  			// addresses during development.
   449  			//
   450  			// TODO: optionally enforce? Or enforce at the time we receive
   451  			// a new request, and verify the ServerName matches the :authority?
   452  			// But that precludes proxy situations, perhaps.
   453  			//
   454  			// So for now, do nothing here again.
   455  		}
   456  
   457  		if !conf.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) {
   458  			// "Endpoints MAY choose to generate a connection error
   459  			// (Section 5.4.1) of type INADEQUATE_SECURITY if one of
   460  			// the prohibited cipher suites are negotiated."
   461  			//
   462  			// We choose that. In my opinion, the spec is weak
   463  			// here. It also says both parties must support at least
   464  			// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no
   465  			// excuses here. If we really must, we could allow an
   466  			// "AllowInsecureWeakCiphers" option on the server later.
   467  			// Let's see how it plays out first.
   468  			sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite))
   469  			return
   470  		}
   471  	}
   472  
   473  	if opts.Settings != nil {
   474  		fr := &SettingsFrame{
   475  			FrameHeader: FrameHeader{valid: true},
   476  			p:           opts.Settings,
   477  		}
   478  		if err := fr.ForeachSetting(sc.processSetting); err != nil {
   479  			sc.rejectConn(ErrCodeProtocol, "invalid settings")
   480  			return
   481  		}
   482  		opts.Settings = nil
   483  	}
   484  
   485  	sc.serve(conf)
   486  }
   487  
   488  func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) {
   489  	return context.WithCancel(opts.context())
   490  }
   491  
   492  func (sc *serverConn) rejectConn(err ErrCode, debug string) {
   493  	sc.vlogf("http2: server rejecting conn: %v, %s", err, debug)
   494  	// ignoring errors. hanging up anyway.
   495  	sc.framer.WriteGoAway(0, err, []byte(debug))
   496  	sc.bw.Flush()
   497  	sc.conn.Close()
   498  }
   499  
   500  type serverConn struct {
   501  	// Immutable:
   502  	srv              *Server
   503  	hs               ServerConfig
   504  	conn             net.Conn
   505  	bw               *bufferedWriter // writing to conn
   506  	handler          Handler
   507  	baseCtx          context.Context
   508  	framer           *Framer
   509  	doneServing      chan struct{}          // closed when serverConn.serve ends
   510  	readFrameCh      chan readFrameResult   // written by serverConn.readFrames
   511  	wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve
   512  	wroteFrameCh     chan frameWriteResult  // from writeFrameAsync -> serve, tickles more frame writes
   513  	bodyReadCh       chan bodyReadMsg       // from handlers -> serve
   514  	serveMsgCh       chan any               // misc messages & code to send to / run on the serve loop
   515  	flow             outflow                // conn-wide (not stream-specific) outbound flow control
   516  	inflow           inflow                 // conn-wide inbound flow control
   517  	tlsState         *tls.ConnectionState   // shared by all handlers, like net/http
   518  	remoteAddrStr    string
   519  	writeSched       WriteScheduler
   520  	countErrorFunc   func(errType string)
   521  
   522  	// Everything following is owned by the serve loop; use serveG.check():
   523  	serveG                      goroutineLock // used to verify funcs are on serve()
   524  	pushEnabled                 bool
   525  	sawClientPreface            bool // preface has already been read, used in h2c upgrade
   526  	sawFirstSettings            bool // got the initial SETTINGS frame after the preface
   527  	needToSendSettingsAck       bool
   528  	unackedSettings             int    // how many SETTINGS have we sent without ACKs?
   529  	queuedControlFrames         int    // control frames in the writeSched queue
   530  	clientMaxStreams            uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
   531  	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
   532  	curClientStreams            uint32 // number of open streams initiated by the client
   533  	curPushedStreams            uint32 // number of open streams initiated by server push
   534  	curHandlers                 uint32 // number of running handler goroutines
   535  	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
   536  	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
   537  	streams                     map[uint32]*stream
   538  	unstartedHandlers           []unstartedHandler
   539  	initialStreamSendWindowSize int32
   540  	initialStreamRecvWindowSize int32
   541  	maxFrameSize                int32
   542  	peerMaxHeaderListSize       uint32            // zero means unknown (default)
   543  	canonHeader                 map[string]string // http2-lower-case -> Go-Canonical-Case
   544  	canonHeaderKeysSize         int               // canonHeader keys size in bytes
   545  	writingFrame                bool              // started writing a frame (on serve goroutine or separate)
   546  	writingFrameAsync           bool              // started a frame on its own goroutine but haven't heard back on wroteFrameCh
   547  	needsFrameFlush             bool              // last frame write wasn't a flush
   548  	inGoAway                    bool              // we've started to or sent GOAWAY
   549  	inFrameScheduleLoop         bool              // whether we're in the scheduleFrameWrite loop
   550  	needToSendGoAway            bool              // we need to schedule a GOAWAY frame write
   551  	pingSent                    bool
   552  	sentPingData                [8]byte
   553  	goAwayCode                  ErrCode
   554  	shutdownTimer               *time.Timer // nil until used
   555  	idleTimer                   *time.Timer // nil if unused
   556  	readIdleTimeout             time.Duration
   557  	pingTimeout                 time.Duration
   558  	readIdleTimer               *time.Timer // nil if unused
   559  
   560  	// Owned by the writeFrameAsync goroutine:
   561  	headerWriteBuf bytes.Buffer
   562  	hpackEncoder   *hpack.Encoder
   563  
   564  	// Used by startGracefulShutdown.
   565  	shutdownOnce sync.Once
   566  
   567  	// Used for RFC 9218 prioritization.
   568  	hasIntermediary bool // connection is done via an intermediary / proxy
   569  	priorityAware   bool // the client has sent priority signal, meaning that it is aware of it.
   570  }
   571  
   572  func (sc *serverConn) writeSchedIgnoresRFC7540() bool {
   573  	switch sc.writeSched.(type) {
   574  	case *priorityWriteSchedulerRFC9218:
   575  		return true
   576  	case *roundRobinWriteScheduler:
   577  		return true
   578  	default:
   579  		return false
   580  	}
   581  }
   582  
   583  const DefaultMaxHeaderBytes = 1 << 20 // keep this in sync with net/http
   584  
   585  func (sc *serverConn) maxHeaderListSize() uint32 {
   586  	n := sc.hs.MaxHeaderBytes()
   587  	if n <= 0 {
   588  		n = DefaultMaxHeaderBytes
   589  	}
   590  	return uint32(adjustHTTP1MaxHeaderSize(int64(n)))
   591  }
   592  
   593  func (sc *serverConn) curOpenStreams() uint32 {
   594  	sc.serveG.check()
   595  	return sc.curClientStreams + sc.curPushedStreams
   596  }
   597  
   598  // stream represents a stream. This is the minimal metadata needed by
   599  // the serve goroutine. Most of the actual stream state is owned by
   600  // the http.Handler's goroutine in the responseWriter. Because the
   601  // responseWriter's responseWriterState is recycled at the end of a
   602  // handler, this struct intentionally has no pointer to the
   603  // *responseWriter{,State} itself, as the Handler ending nils out the
   604  // responseWriter's state field.
   605  type stream struct {
   606  	// immutable:
   607  	sc        *serverConn
   608  	id        uint32
   609  	body      *pipe       // non-nil if expecting DATA frames
   610  	cw        closeWaiter // closed wait stream transitions to closed state
   611  	ctx       context.Context
   612  	cancelCtx func()
   613  
   614  	// owned by serverConn's serve loop:
   615  	bodyBytes        int64   // body bytes seen so far
   616  	declBodyBytes    int64   // or -1 if undeclared
   617  	flow             outflow // limits writing from Handler to client
   618  	inflow           inflow  // what the client is allowed to POST/etc to us
   619  	state            streamState
   620  	resetQueued      bool        // RST_STREAM queued for write; set by sc.resetStream
   621  	gotTrailerHeader bool        // HEADER frame for trailers was seen
   622  	wroteHeaders     bool        // whether we wrote headers (not status 100)
   623  	readDeadline     *time.Timer // nil if unused
   624  	writeDeadline    *time.Timer // nil if unused
   625  	closeErr         error       // set before cw is closed
   626  
   627  	trailer    Header // accumulated trailers
   628  	reqTrailer Header // handler's Request.Trailer
   629  }
   630  
   631  func (sc *serverConn) Framer() *Framer  { return sc.framer }
   632  func (sc *serverConn) CloseConn() error { return sc.conn.Close() }
   633  func (sc *serverConn) Flush() error     { return sc.bw.Flush() }
   634  func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) {
   635  	return sc.hpackEncoder, &sc.headerWriteBuf
   636  }
   637  
   638  func (sc *serverConn) state(streamID uint32) (streamState, *stream) {
   639  	sc.serveG.check()
   640  	// http://tools.ietf.org/html/rfc7540#section-5.1
   641  	if st, ok := sc.streams[streamID]; ok {
   642  		return st.state, st
   643  	}
   644  	// "The first use of a new stream identifier implicitly closes all
   645  	// streams in the "idle" state that might have been initiated by
   646  	// that peer with a lower-valued stream identifier. For example, if
   647  	// a client sends a HEADERS frame on stream 7 without ever sending a
   648  	// frame on stream 5, then stream 5 transitions to the "closed"
   649  	// state when the first frame for stream 7 is sent or received."
   650  	if streamID%2 == 1 {
   651  		if streamID <= sc.maxClientStreamID {
   652  			return stateClosed, nil
   653  		}
   654  	} else {
   655  		if streamID <= sc.maxPushPromiseID {
   656  			return stateClosed, nil
   657  		}
   658  	}
   659  	return stateIdle, nil
   660  }
   661  
   662  // setConnState calls the net/http ConnState hook for this connection, if configured.
   663  // Note that the net/http package does StateNew and StateClosed for us.
   664  // There is currently no plan for StateHijacked or hijacking HTTP/2 connections.
   665  func (sc *serverConn) setConnState(state ConnState) {
   666  	sc.hs.ConnState(sc.conn, state)
   667  }
   668  
   669  func (sc *serverConn) vlogf(format string, args ...any) {
   670  	if VerboseLogs {
   671  		sc.logf(format, args...)
   672  	}
   673  }
   674  
   675  func (sc *serverConn) logf(format string, args ...any) {
   676  	if lg := sc.hs.ErrorLog(); lg != nil {
   677  		lg.Printf(format, args...)
   678  	} else {
   679  		log.Printf(format, args...)
   680  	}
   681  }
   682  
   683  // errno returns v's underlying uintptr, else 0.
   684  //
   685  // TODO: remove this helper function once http2 can use build
   686  // tags. See comment in isClosedConnError.
   687  func errno(v error) uintptr {
   688  	if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr {
   689  		return uintptr(rv.Uint())
   690  	}
   691  	return 0
   692  }
   693  
   694  // isClosedConnError reports whether err is an error from use of a closed
   695  // network connection.
   696  func isClosedConnError(err error) bool {
   697  	if err == nil {
   698  		return false
   699  	}
   700  
   701  	if errors.Is(err, net.ErrClosed) {
   702  		return true
   703  	}
   704  
   705  	// TODO(bradfitz): x/tools/cmd/bundle doesn't really support
   706  	// build tags, so I can't make an http2_windows.go file with
   707  	// Windows-specific stuff. Fix that and move this, once we
   708  	// have a way to bundle this into std's net/http somehow.
   709  	if runtime.GOOS == "windows" {
   710  		if oe, ok := err.(*net.OpError); ok && oe.Op == "read" {
   711  			if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" {
   712  				const WSAECONNABORTED = 10053
   713  				const WSAECONNRESET = 10054
   714  				if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED {
   715  					return true
   716  				}
   717  			}
   718  		}
   719  	}
   720  	return false
   721  }
   722  
   723  func (sc *serverConn) condlogf(err error, format string, args ...any) {
   724  	if err == nil {
   725  		return
   726  	}
   727  	if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) || err == errPrefaceTimeout {
   728  		// Boring, expected errors.
   729  		sc.vlogf(format, args...)
   730  	} else {
   731  		sc.logf(format, args...)
   732  	}
   733  }
   734  
   735  // maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
   736  // of the entries in the canonHeader cache.
   737  // This should be larger than the size of unique, uncommon header keys likely to
   738  // be sent by the peer, while not so high as to permit unreasonable memory usage
   739  // if the peer sends an unbounded number of unique header keys.
   740  const maxCachedCanonicalHeadersKeysSize = 2048
   741  
   742  func (sc *serverConn) canonicalHeader(v string) string {
   743  	sc.serveG.check()
   744  	cv, ok := httpcommon.CachedCanonicalHeader(v)
   745  	if ok {
   746  		return cv
   747  	}
   748  	cv, ok = sc.canonHeader[v]
   749  	if ok {
   750  		return cv
   751  	}
   752  	if sc.canonHeader == nil {
   753  		sc.canonHeader = make(map[string]string)
   754  	}
   755  	cv = textproto.CanonicalMIMEHeaderKey(v)
   756  	size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
   757  	if sc.canonHeaderKeysSize+size <= maxCachedCanonicalHeadersKeysSize {
   758  		sc.canonHeader[v] = cv
   759  		sc.canonHeaderKeysSize += size
   760  	}
   761  	return cv
   762  }
   763  
   764  type readFrameResult struct {
   765  	f   Frame // valid until readMore is called
   766  	err error
   767  
   768  	// readMore should be called once the consumer no longer needs or
   769  	// retains f. After readMore, f is invalid and more frames can be
   770  	// read.
   771  	readMore func()
   772  }
   773  
   774  // readFrames is the loop that reads incoming frames.
   775  // It takes care to only read one frame at a time, blocking until the
   776  // consumer is done with the frame.
   777  // It's run on its own goroutine.
   778  func (sc *serverConn) readFrames() {
   779  	gate := make(chan struct{})
   780  	gateDone := func() { gate <- struct{}{} }
   781  	for {
   782  		f, err := sc.framer.ReadFrame()
   783  		select {
   784  		case sc.readFrameCh <- readFrameResult{f, err, gateDone}:
   785  		case <-sc.doneServing:
   786  			return
   787  		}
   788  		select {
   789  		case <-gate:
   790  		case <-sc.doneServing:
   791  			return
   792  		}
   793  		if terminalReadFrameError(err) {
   794  			return
   795  		}
   796  	}
   797  }
   798  
   799  // frameWriteResult is the message passed from writeFrameAsync to the serve goroutine.
   800  type frameWriteResult struct {
   801  	_   incomparable
   802  	wr  FrameWriteRequest // what was written (or attempted)
   803  	err error             // result of the writeFrame call
   804  }
   805  
   806  // writeFrameAsync runs in its own goroutine and writes a single frame
   807  // and then reports when it's done.
   808  // At most one goroutine can be running writeFrameAsync at a time per
   809  // serverConn.
   810  func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) {
   811  	var err error
   812  	if wd == nil {
   813  		err = wr.write.writeFrame(sc)
   814  	} else {
   815  		err = sc.framer.endWrite()
   816  	}
   817  	sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err}
   818  }
   819  
   820  func (sc *serverConn) closeAllStreamsOnConnClose() {
   821  	sc.serveG.check()
   822  	for _, st := range sc.streams {
   823  		sc.closeStream(st, errClientDisconnected)
   824  	}
   825  }
   826  
   827  func (sc *serverConn) stopShutdownTimer() {
   828  	sc.serveG.check()
   829  	if t := sc.shutdownTimer; t != nil {
   830  		t.Stop()
   831  	}
   832  }
   833  
   834  func (sc *serverConn) notePanic() {
   835  	// Note: this is for serverConn.serve panicking, not http.Handler code.
   836  	if testHookOnPanicMu != nil {
   837  		testHookOnPanicMu.Lock()
   838  		defer testHookOnPanicMu.Unlock()
   839  	}
   840  	if testHookOnPanic != nil {
   841  		if e := recover(); e != nil {
   842  			if testHookOnPanic(sc, e) {
   843  				panic(e)
   844  			}
   845  		}
   846  	}
   847  }
   848  
   849  func (sc *serverConn) serve(conf Config) {
   850  	sc.serveG.check()
   851  	defer sc.notePanic()
   852  	defer sc.conn.Close()
   853  	defer sc.closeAllStreamsOnConnClose()
   854  	defer sc.stopShutdownTimer()
   855  	defer close(sc.doneServing) // unblocks handlers trying to send
   856  
   857  	if VerboseLogs {
   858  		sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs)
   859  	}
   860  
   861  	settings := writeSettings{
   862  		{SettingMaxFrameSize, uint32(conf.MaxReadFrameSize)},
   863  		{SettingMaxConcurrentStreams, sc.advMaxStreams},
   864  		{SettingMaxHeaderListSize, sc.maxHeaderListSize()},
   865  		{SettingHeaderTableSize, uint32(conf.MaxDecoderHeaderTableSize)},
   866  		{SettingInitialWindowSize, uint32(sc.initialStreamRecvWindowSize)},
   867  	}
   868  	if !disableExtendedConnectProtocol {
   869  		settings = append(settings, Setting{SettingEnableConnectProtocol, 1})
   870  	}
   871  	if sc.writeSchedIgnoresRFC7540() {
   872  		settings = append(settings, Setting{SettingNoRFC7540Priorities, 1})
   873  	}
   874  	sc.writeFrame(FrameWriteRequest{
   875  		write: settings,
   876  	})
   877  	sc.unackedSettings++
   878  
   879  	// Each connection starts with initialWindowSize inflow tokens.
   880  	// If a higher value is configured, we add more tokens.
   881  	if diff := conf.MaxReceiveBufferPerConnection - initialWindowSize; diff > 0 {
   882  		sc.sendWindowUpdate(nil, int(diff))
   883  	}
   884  
   885  	if err := sc.readPreface(); err != nil {
   886  		sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err)
   887  		return
   888  	}
   889  	// Now that we've got the preface, get us out of the
   890  	// "StateNew" state. We can't go directly to idle, though.
   891  	// Active means we read some data and anticipate a request. We'll
   892  	// do another Active when we get a HEADERS frame.
   893  	sc.setConnState(ConnStateActive)
   894  	sc.setConnState(ConnStateIdle)
   895  
   896  	if sc.srv.IdleTimeout > 0 {
   897  		sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
   898  		defer sc.idleTimer.Stop()
   899  	}
   900  
   901  	if conf.SendPingTimeout > 0 {
   902  		sc.readIdleTimeout = conf.SendPingTimeout
   903  		sc.readIdleTimer = time.AfterFunc(conf.SendPingTimeout, sc.onReadIdleTimer)
   904  		defer sc.readIdleTimer.Stop()
   905  	}
   906  
   907  	go sc.readFrames() // closed by defer sc.conn.Close above
   908  
   909  	settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
   910  	defer settingsTimer.Stop()
   911  
   912  	lastFrameTime := time.Now()
   913  	loopNum := 0
   914  	for {
   915  		loopNum++
   916  		select {
   917  		case wr := <-sc.wantWriteFrameCh:
   918  			if se, ok := wr.write.(StreamError); ok {
   919  				sc.resetStream(se)
   920  				break
   921  			}
   922  			sc.writeFrame(wr)
   923  		case res := <-sc.wroteFrameCh:
   924  			sc.wroteFrame(res)
   925  		case res := <-sc.readFrameCh:
   926  			lastFrameTime = time.Now()
   927  			// Process any written frames before reading new frames from the client since a
   928  			// written frame could have triggered a new stream to be started.
   929  			if sc.writingFrameAsync {
   930  				select {
   931  				case wroteRes := <-sc.wroteFrameCh:
   932  					sc.wroteFrame(wroteRes)
   933  				default:
   934  				}
   935  			}
   936  			if !sc.processFrameFromReader(res) {
   937  				return
   938  			}
   939  			res.readMore()
   940  			if settingsTimer != nil {
   941  				settingsTimer.Stop()
   942  				settingsTimer = nil
   943  			}
   944  		case m := <-sc.bodyReadCh:
   945  			sc.noteBodyRead(m.st, m.n)
   946  		case msg := <-sc.serveMsgCh:
   947  			switch v := msg.(type) {
   948  			case func(int):
   949  				v(loopNum) // for testing
   950  			case *serverMessage:
   951  				switch v {
   952  				case settingsTimerMsg:
   953  					sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
   954  					return
   955  				case idleTimerMsg:
   956  					sc.vlogf("connection is idle")
   957  					sc.goAway(ErrCodeNo)
   958  				case readIdleTimerMsg:
   959  					sc.handlePingTimer(lastFrameTime)
   960  				case shutdownTimerMsg:
   961  					sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
   962  					return
   963  				case gracefulShutdownMsg:
   964  					sc.startGracefulShutdownInternal()
   965  				case handlerDoneMsg:
   966  					sc.handlerDone()
   967  				default:
   968  					panic("unknown timer")
   969  				}
   970  			case *startPushRequest:
   971  				sc.startPush(v)
   972  			case func(*serverConn):
   973  				v(sc)
   974  			default:
   975  				panic(fmt.Sprintf("unexpected type %T", v))
   976  			}
   977  		}
   978  
   979  		// If the peer is causing us to generate a lot of control frames,
   980  		// but not reading them from us, assume they are trying to make us
   981  		// run out of memory.
   982  		if sc.queuedControlFrames > maxQueuedControlFrames {
   983  			sc.vlogf("http2: too many control frames in send queue, closing connection")
   984  			return
   985  		}
   986  
   987  		// Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
   988  		// with no error code (graceful shutdown), don't start the timer until
   989  		// all open streams have been completed.
   990  		sentGoAway := sc.inGoAway && !sc.needToSendGoAway && !sc.writingFrame
   991  		gracefulShutdownComplete := sc.goAwayCode == ErrCodeNo && sc.curOpenStreams() == 0
   992  		if sentGoAway && sc.shutdownTimer == nil && (sc.goAwayCode != ErrCodeNo || gracefulShutdownComplete) {
   993  			sc.shutDownIn(goAwayTimeout)
   994  		}
   995  	}
   996  }
   997  
   998  func (sc *serverConn) handlePingTimer(lastFrameReadTime time.Time) {
   999  	if sc.pingSent {
  1000  		sc.logf("timeout waiting for PING response")
  1001  		if f := sc.countErrorFunc; f != nil {
  1002  			f("conn_close_lost_ping")
  1003  		}
  1004  		sc.conn.Close()
  1005  		return
  1006  	}
  1007  
  1008  	pingAt := lastFrameReadTime.Add(sc.readIdleTimeout)
  1009  	now := time.Now()
  1010  	if pingAt.After(now) {
  1011  		// We received frames since arming the ping timer.
  1012  		// Reset it for the next possible timeout.
  1013  		sc.readIdleTimer.Reset(pingAt.Sub(now))
  1014  		return
  1015  	}
  1016  
  1017  	sc.pingSent = true
  1018  	// Ignore crypto/rand.Read errors: It generally can't fail, and worse case if it does
  1019  	// is we send a PING frame containing 0s.
  1020  	_, _ = rand.Read(sc.sentPingData[:])
  1021  	sc.writeFrame(FrameWriteRequest{
  1022  		write: &writePing{data: sc.sentPingData},
  1023  	})
  1024  	sc.readIdleTimer.Reset(sc.pingTimeout)
  1025  }
  1026  
  1027  type serverMessage int
  1028  
  1029  // Message values sent to serveMsgCh.
  1030  var (
  1031  	settingsTimerMsg    = new(serverMessage)
  1032  	idleTimerMsg        = new(serverMessage)
  1033  	readIdleTimerMsg    = new(serverMessage)
  1034  	shutdownTimerMsg    = new(serverMessage)
  1035  	gracefulShutdownMsg = new(serverMessage)
  1036  	handlerDoneMsg      = new(serverMessage)
  1037  )
  1038  
  1039  func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
  1040  func (sc *serverConn) onIdleTimer()     { sc.sendServeMsg(idleTimerMsg) }
  1041  func (sc *serverConn) onReadIdleTimer() { sc.sendServeMsg(readIdleTimerMsg) }
  1042  func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) }
  1043  
  1044  func (sc *serverConn) sendServeMsg(msg any) {
  1045  	sc.serveG.checkNotOn() // NOT
  1046  	select {
  1047  	case sc.serveMsgCh <- msg:
  1048  	case <-sc.doneServing:
  1049  	}
  1050  }
  1051  
  1052  var errPrefaceTimeout = errors.New("timeout waiting for client preface")
  1053  
  1054  // readPreface reads the ClientPreface greeting from the peer or
  1055  // returns errPrefaceTimeout on timeout, or an error if the greeting
  1056  // is invalid.
  1057  func (sc *serverConn) readPreface() error {
  1058  	if sc.sawClientPreface {
  1059  		return nil
  1060  	}
  1061  	errc := make(chan error, 1)
  1062  	go func() {
  1063  		// Read the client preface
  1064  		buf := make([]byte, len(ClientPreface))
  1065  		if _, err := io.ReadFull(sc.conn, buf); err != nil {
  1066  			errc <- err
  1067  		} else if !bytes.Equal(buf, clientPreface) {
  1068  			errc <- fmt.Errorf("bogus greeting %q", buf)
  1069  		} else {
  1070  			errc <- nil
  1071  		}
  1072  	}()
  1073  	timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server?
  1074  	defer timer.Stop()
  1075  	select {
  1076  	case <-timer.C:
  1077  		return errPrefaceTimeout
  1078  	case err := <-errc:
  1079  		if err == nil {
  1080  			if VerboseLogs {
  1081  				sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr())
  1082  			}
  1083  		}
  1084  		return err
  1085  	}
  1086  }
  1087  
  1088  var writeDataPool = sync.Pool{
  1089  	New: func() any { return new(writeData) },
  1090  }
  1091  
  1092  // writeDataFromHandler writes DATA response frames from a handler on
  1093  // the given stream.
  1094  func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
  1095  	ch := sc.srv.state.getErrChan()
  1096  	writeArg := writeDataPool.Get().(*writeData)
  1097  	*writeArg = writeData{stream.id, data, endStream}
  1098  	err := sc.writeFrameFromHandler(FrameWriteRequest{
  1099  		write:  writeArg,
  1100  		stream: stream,
  1101  		done:   ch,
  1102  	})
  1103  	if err != nil {
  1104  		return err
  1105  	}
  1106  	var frameWriteDone bool // the frame write is done (successfully or not)
  1107  	select {
  1108  	case err = <-ch:
  1109  		frameWriteDone = true
  1110  	case <-sc.doneServing:
  1111  		return errClientDisconnected
  1112  	case <-stream.cw:
  1113  		// If both ch and stream.cw were ready (as might
  1114  		// happen on the final Write after an http.Handler
  1115  		// ends), prefer the write result. Otherwise this
  1116  		// might just be us successfully closing the stream.
  1117  		// The writeFrameAsync and serve goroutines guarantee
  1118  		// that the ch send will happen before the stream.cw
  1119  		// close.
  1120  		select {
  1121  		case err = <-ch:
  1122  			frameWriteDone = true
  1123  		default:
  1124  			return errStreamClosed
  1125  		}
  1126  	}
  1127  	sc.srv.state.putErrChan(ch)
  1128  	if frameWriteDone {
  1129  		writeDataPool.Put(writeArg)
  1130  	}
  1131  	return err
  1132  }
  1133  
  1134  // writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts
  1135  // if the connection has gone away.
  1136  //
  1137  // This must not be run from the serve goroutine itself, else it might
  1138  // deadlock writing to sc.wantWriteFrameCh (which is only mildly
  1139  // buffered and is read by serve itself). If you're on the serve
  1140  // goroutine, call writeFrame instead.
  1141  func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error {
  1142  	sc.serveG.checkNotOn() // NOT
  1143  	select {
  1144  	case sc.wantWriteFrameCh <- wr:
  1145  		return nil
  1146  	case <-sc.doneServing:
  1147  		// Serve loop is gone.
  1148  		// Client has closed their connection to the server.
  1149  		return errClientDisconnected
  1150  	}
  1151  }
  1152  
  1153  // writeFrame schedules a frame to write and sends it if there's nothing
  1154  // already being written.
  1155  //
  1156  // There is no pushback here (the serve goroutine never blocks). It's
  1157  // the http.Handlers that block, waiting for their previous frames to
  1158  // make it onto the wire
  1159  //
  1160  // If you're not on the serve goroutine, use writeFrameFromHandler instead.
  1161  func (sc *serverConn) writeFrame(wr FrameWriteRequest) {
  1162  	sc.serveG.check()
  1163  
  1164  	// If true, wr will not be written and wr.done will not be signaled.
  1165  	var ignoreWrite bool
  1166  
  1167  	// We are not allowed to write frames on closed streams. RFC 7540 Section
  1168  	// 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on
  1169  	// a closed stream." Our server never sends PRIORITY, so that exception
  1170  	// does not apply.
  1171  	//
  1172  	// The serverConn might close an open stream while the stream's handler
  1173  	// is still running. For example, the server might close a stream when it
  1174  	// receives bad data from the client. If this happens, the handler might
  1175  	// attempt to write a frame after the stream has been closed (since the
  1176  	// handler hasn't yet been notified of the close). In this case, we simply
  1177  	// ignore the frame. The handler will notice that the stream is closed when
  1178  	// it waits for the frame to be written.
  1179  	//
  1180  	// As an exception to this rule, we allow sending RST_STREAM after close.
  1181  	// This allows us to immediately reject new streams without tracking any
  1182  	// state for those streams (except for the queued RST_STREAM frame). This
  1183  	// may result in duplicate RST_STREAMs in some cases, but the client should
  1184  	// ignore those.
  1185  	if wr.StreamID() != 0 {
  1186  		_, isReset := wr.write.(StreamError)
  1187  		if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset {
  1188  			ignoreWrite = true
  1189  		}
  1190  	}
  1191  
  1192  	// Don't send a 100-continue response if we've already sent headers.
  1193  	// See golang.org/issue/14030.
  1194  	switch wr.write.(type) {
  1195  	case *writeResHeaders:
  1196  		wr.stream.wroteHeaders = true
  1197  	case write100ContinueHeadersFrame:
  1198  		if wr.stream.wroteHeaders {
  1199  			// We do not need to notify wr.done because this frame is
  1200  			// never written with wr.done != nil.
  1201  			if wr.done != nil {
  1202  				panic("wr.done != nil for write100ContinueHeadersFrame")
  1203  			}
  1204  			ignoreWrite = true
  1205  		}
  1206  	}
  1207  
  1208  	if !ignoreWrite {
  1209  		if wr.isControl() {
  1210  			sc.queuedControlFrames++
  1211  			// For extra safety, detect wraparounds, which should not happen,
  1212  			// and pull the plug.
  1213  			if sc.queuedControlFrames < 0 {
  1214  				sc.conn.Close()
  1215  			}
  1216  		}
  1217  		sc.writeSched.Push(wr)
  1218  	}
  1219  	sc.scheduleFrameWrite()
  1220  }
  1221  
  1222  // startFrameWrite starts a goroutine to write wr (in a separate
  1223  // goroutine since that might block on the network), and updates the
  1224  // serve goroutine's state about the world, updated from info in wr.
  1225  func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
  1226  	sc.serveG.check()
  1227  	if sc.writingFrame {
  1228  		panic("internal error: can only be writing one frame at a time")
  1229  	}
  1230  
  1231  	st := wr.stream
  1232  	if st != nil {
  1233  		switch st.state {
  1234  		case stateHalfClosedLocal:
  1235  			switch wr.write.(type) {
  1236  			case StreamError, handlerPanicRST, writeWindowUpdate:
  1237  				// RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE
  1238  				// in this state. (We never send PRIORITY from the server, so that is not checked.)
  1239  			default:
  1240  				panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr))
  1241  			}
  1242  		case stateClosed:
  1243  			panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr))
  1244  		}
  1245  	}
  1246  	if wpp, ok := wr.write.(*writePushPromise); ok {
  1247  		var err error
  1248  		wpp.promisedID, err = wpp.allocatePromisedID()
  1249  		if err != nil {
  1250  			sc.writingFrameAsync = false
  1251  			wr.replyToWriter(err)
  1252  			return
  1253  		}
  1254  	}
  1255  
  1256  	sc.writingFrame = true
  1257  	sc.needsFrameFlush = true
  1258  	if wr.write.staysWithinBuffer(sc.bw.Available()) {
  1259  		sc.writingFrameAsync = false
  1260  		err := wr.write.writeFrame(sc)
  1261  		sc.wroteFrame(frameWriteResult{wr: wr, err: err})
  1262  	} else if wd, ok := wr.write.(*writeData); ok {
  1263  		// Encode the frame in the serve goroutine, to ensure we don't have
  1264  		// any lingering asynchronous references to data passed to Write.
  1265  		// See https://go.dev/issue/58446.
  1266  		sc.framer.startWriteDataPadded(wd.streamID, wd.endStream, wd.p, nil)
  1267  		sc.writingFrameAsync = true
  1268  		go sc.writeFrameAsync(wr, wd)
  1269  	} else {
  1270  		sc.writingFrameAsync = true
  1271  		go sc.writeFrameAsync(wr, nil)
  1272  	}
  1273  }
  1274  
  1275  // errHandlerPanicked is the error given to any callers blocked in a read from
  1276  // Request.Body when the main goroutine panics. Since most handlers read in the
  1277  // main ServeHTTP goroutine, this will show up rarely.
  1278  var errHandlerPanicked = errors.New("http2: handler panicked")
  1279  
  1280  // wroteFrame is called on the serve goroutine with the result of
  1281  // whatever happened on writeFrameAsync.
  1282  func (sc *serverConn) wroteFrame(res frameWriteResult) {
  1283  	sc.serveG.check()
  1284  	if !sc.writingFrame {
  1285  		panic("internal error: expected to be already writing a frame")
  1286  	}
  1287  	sc.writingFrame = false
  1288  	sc.writingFrameAsync = false
  1289  
  1290  	if res.err != nil {
  1291  		sc.conn.Close()
  1292  	}
  1293  
  1294  	wr := res.wr
  1295  
  1296  	if writeEndsStream(wr.write) {
  1297  		st := wr.stream
  1298  		if st == nil {
  1299  			panic("internal error: expecting non-nil stream")
  1300  		}
  1301  		switch st.state {
  1302  		case stateOpen:
  1303  			// Here we would go to stateHalfClosedLocal in
  1304  			// theory, but since our handler is done and
  1305  			// the net/http package provides no mechanism
  1306  			// for closing a ResponseWriter while still
  1307  			// reading data (see possible TODO at top of
  1308  			// this file), we go into closed state here
  1309  			// anyway, after telling the peer we're
  1310  			// hanging up on them. We'll transition to
  1311  			// stateClosed after the RST_STREAM frame is
  1312  			// written.
  1313  			st.state = stateHalfClosedLocal
  1314  			// Section 8.1: a server MAY request that the client abort
  1315  			// transmission of a request without error by sending a
  1316  			// RST_STREAM with an error code of NO_ERROR after sending
  1317  			// a complete response.
  1318  			sc.resetStream(streamError(st.id, ErrCodeNo))
  1319  		case stateHalfClosedRemote:
  1320  			sc.closeStream(st, errHandlerComplete)
  1321  		}
  1322  	} else {
  1323  		switch v := wr.write.(type) {
  1324  		case StreamError:
  1325  			// st may be unknown if the RST_STREAM was generated to reject bad input.
  1326  			if st, ok := sc.streams[v.StreamID]; ok {
  1327  				sc.closeStream(st, v)
  1328  			}
  1329  		case handlerPanicRST:
  1330  			sc.closeStream(wr.stream, errHandlerPanicked)
  1331  		}
  1332  	}
  1333  
  1334  	// Reply (if requested) to unblock the ServeHTTP goroutine.
  1335  	wr.replyToWriter(res.err)
  1336  
  1337  	sc.scheduleFrameWrite()
  1338  }
  1339  
  1340  // scheduleFrameWrite tickles the frame writing scheduler.
  1341  //
  1342  // If a frame is already being written, nothing happens. This will be called again
  1343  // when the frame is done being written.
  1344  //
  1345  // If a frame isn't being written and we need to send one, the best frame
  1346  // to send is selected by writeSched.
  1347  //
  1348  // If a frame isn't being written and there's nothing else to send, we
  1349  // flush the write buffer.
  1350  func (sc *serverConn) scheduleFrameWrite() {
  1351  	sc.serveG.check()
  1352  	if sc.writingFrame || sc.inFrameScheduleLoop {
  1353  		return
  1354  	}
  1355  	sc.inFrameScheduleLoop = true
  1356  	for !sc.writingFrameAsync {
  1357  		if sc.needToSendGoAway {
  1358  			sc.needToSendGoAway = false
  1359  			sc.startFrameWrite(FrameWriteRequest{
  1360  				write: &writeGoAway{
  1361  					maxStreamID: sc.maxClientStreamID,
  1362  					code:        sc.goAwayCode,
  1363  				},
  1364  			})
  1365  			continue
  1366  		}
  1367  		if sc.needToSendSettingsAck {
  1368  			sc.needToSendSettingsAck = false
  1369  			sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}})
  1370  			continue
  1371  		}
  1372  		if !sc.inGoAway || sc.goAwayCode == ErrCodeNo {
  1373  			if wr, ok := sc.writeSched.Pop(); ok {
  1374  				if wr.isControl() {
  1375  					sc.queuedControlFrames--
  1376  				}
  1377  				sc.startFrameWrite(wr)
  1378  				continue
  1379  			}
  1380  		}
  1381  		if sc.needsFrameFlush {
  1382  			sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}})
  1383  			sc.needsFrameFlush = false // after startFrameWrite, since it sets this true
  1384  			continue
  1385  		}
  1386  		break
  1387  	}
  1388  	sc.inFrameScheduleLoop = false
  1389  }
  1390  
  1391  // startGracefulShutdown gracefully shuts down a connection. This
  1392  // sends GOAWAY with ErrCodeNo to tell the client we're gracefully
  1393  // shutting down. The connection isn't closed until all current
  1394  // streams are done.
  1395  //
  1396  // startGracefulShutdown returns immediately; it does not wait until
  1397  // the connection has shut down.
  1398  func (sc *serverConn) startGracefulShutdown() {
  1399  	sc.serveG.checkNotOn() // NOT
  1400  	sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) })
  1401  }
  1402  
  1403  // After sending GOAWAY with an error code (non-graceful shutdown), the
  1404  // connection will close after goAwayTimeout.
  1405  //
  1406  // If we close the connection immediately after sending GOAWAY, there may
  1407  // be unsent data in our kernel receive buffer, which will cause the kernel
  1408  // to send a TCP RST on close() instead of a FIN. This RST will abort the
  1409  // connection immediately, whether or not the client had received the GOAWAY.
  1410  //
  1411  // Ideally we should delay for at least 1 RTT + epsilon so the client has
  1412  // a chance to read the GOAWAY and stop sending messages. Measuring RTT
  1413  // is hard, so we approximate with 1 second. See golang.org/issue/18701.
  1414  //
  1415  // This is a var so it can be shorter in tests, where all requests uses the
  1416  // loopback interface making the expected RTT very small.
  1417  //
  1418  // TODO: configurable?
  1419  var goAwayTimeout = 1 * time.Second
  1420  
  1421  func (sc *serverConn) startGracefulShutdownInternal() {
  1422  	sc.goAway(ErrCodeNo)
  1423  }
  1424  
  1425  func (sc *serverConn) goAway(code ErrCode) {
  1426  	sc.serveG.check()
  1427  	if sc.inGoAway {
  1428  		if sc.goAwayCode == ErrCodeNo {
  1429  			sc.goAwayCode = code
  1430  		}
  1431  		return
  1432  	}
  1433  	sc.inGoAway = true
  1434  	sc.needToSendGoAway = true
  1435  	sc.goAwayCode = code
  1436  	sc.scheduleFrameWrite()
  1437  }
  1438  
  1439  func (sc *serverConn) shutDownIn(d time.Duration) {
  1440  	sc.serveG.check()
  1441  	sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
  1442  }
  1443  
  1444  func (sc *serverConn) resetStream(se StreamError) {
  1445  	sc.serveG.check()
  1446  	sc.writeFrame(FrameWriteRequest{write: se})
  1447  	if st, ok := sc.streams[se.StreamID]; ok {
  1448  		st.resetQueued = true
  1449  	}
  1450  }
  1451  
  1452  // processFrameFromReader processes the serve loop's read from readFrameCh from the
  1453  // frame-reading goroutine.
  1454  // processFrameFromReader returns whether the connection should be kept open.
  1455  func (sc *serverConn) processFrameFromReader(res readFrameResult) bool {
  1456  	sc.serveG.check()
  1457  	err := res.err
  1458  	if err != nil {
  1459  		if err == ErrFrameTooLarge {
  1460  			sc.goAway(ErrCodeFrameSize)
  1461  			return true // goAway will close the loop
  1462  		}
  1463  		clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err)
  1464  		if clientGone {
  1465  			// TODO: could we also get into this state if
  1466  			// the peer does a half close
  1467  			// (e.g. CloseWrite) because they're done
  1468  			// sending frames but they're still wanting
  1469  			// our open replies?  Investigate.
  1470  			// TODO: add CloseWrite to crypto/tls.Conn first
  1471  			// so we have a way to test this? I suppose
  1472  			// just for testing we could have a non-TLS mode.
  1473  			return false
  1474  		}
  1475  	} else {
  1476  		f := res.f
  1477  		if VerboseLogs {
  1478  			sc.vlogf("http2: server read frame %v", summarizeFrame(f))
  1479  		}
  1480  		err = sc.processFrame(f)
  1481  		if err == nil {
  1482  			return true
  1483  		}
  1484  	}
  1485  
  1486  	switch ev := err.(type) {
  1487  	case StreamError:
  1488  		sc.resetStream(ev)
  1489  		return true
  1490  	case goAwayFlowError:
  1491  		sc.goAway(ErrCodeFlowControl)
  1492  		return true
  1493  	case ConnectionError:
  1494  		if res.f != nil {
  1495  			if id := res.f.Header().StreamID; id > sc.maxClientStreamID {
  1496  				sc.maxClientStreamID = id
  1497  			}
  1498  		}
  1499  		sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev)
  1500  		sc.goAway(ErrCode(ev))
  1501  		return true // goAway will handle shutdown
  1502  	default:
  1503  		if res.err != nil {
  1504  			sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err)
  1505  		} else {
  1506  			sc.logf("http2: server closing client connection: %v", err)
  1507  		}
  1508  		return false
  1509  	}
  1510  }
  1511  
  1512  func (sc *serverConn) processFrame(f Frame) error {
  1513  	sc.serveG.check()
  1514  
  1515  	// First frame received must be SETTINGS.
  1516  	if !sc.sawFirstSettings {
  1517  		if _, ok := f.(*SettingsFrame); !ok {
  1518  			return sc.countError("first_settings", ConnectionError(ErrCodeProtocol))
  1519  		}
  1520  		sc.sawFirstSettings = true
  1521  	}
  1522  
  1523  	// Discard frames for streams initiated after the identified last
  1524  	// stream sent in a GOAWAY, or all frames after sending an error.
  1525  	// We still need to return connection-level flow control for DATA frames.
  1526  	// RFC 9113 Section 6.8.
  1527  	if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || f.Header().StreamID > sc.maxClientStreamID) {
  1528  
  1529  		if f, ok := f.(*DataFrame); ok {
  1530  			if !sc.inflow.take(f.Length) {
  1531  				return sc.countError("data_flow", streamError(f.Header().StreamID, ErrCodeFlowControl))
  1532  			}
  1533  			sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
  1534  		}
  1535  		return nil
  1536  	}
  1537  
  1538  	switch f := f.(type) {
  1539  	case *SettingsFrame:
  1540  		return sc.processSettings(f)
  1541  	case *MetaHeadersFrame:
  1542  		return sc.processHeaders(f)
  1543  	case *WindowUpdateFrame:
  1544  		return sc.processWindowUpdate(f)
  1545  	case *PingFrame:
  1546  		return sc.processPing(f)
  1547  	case *DataFrame:
  1548  		return sc.processData(f)
  1549  	case *RSTStreamFrame:
  1550  		return sc.processResetStream(f)
  1551  	case *PriorityFrame:
  1552  		return sc.processPriority(f)
  1553  	case *GoAwayFrame:
  1554  		return sc.processGoAway(f)
  1555  	case *PushPromiseFrame:
  1556  		// A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE
  1557  		// frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
  1558  		return sc.countError("push_promise", ConnectionError(ErrCodeProtocol))
  1559  	case *PriorityUpdateFrame:
  1560  		return sc.processPriorityUpdate(f)
  1561  	default:
  1562  		sc.vlogf("http2: server ignoring frame: %v", f.Header())
  1563  		return nil
  1564  	}
  1565  }
  1566  
  1567  func (sc *serverConn) processPing(f *PingFrame) error {
  1568  	sc.serveG.check()
  1569  	if f.IsAck() {
  1570  		if sc.pingSent && sc.sentPingData == f.Data {
  1571  			// This is a response to a PING we sent.
  1572  			sc.pingSent = false
  1573  			sc.readIdleTimer.Reset(sc.readIdleTimeout)
  1574  		}
  1575  		// 6.7 PING: " An endpoint MUST NOT respond to PING frames
  1576  		// containing this flag."
  1577  		return nil
  1578  	}
  1579  	if f.StreamID != 0 {
  1580  		// "PING frames are not associated with any individual
  1581  		// stream. If a PING frame is received with a stream
  1582  		// identifier field value other than 0x0, the recipient MUST
  1583  		// respond with a connection error (Section 5.4.1) of type
  1584  		// PROTOCOL_ERROR."
  1585  		return sc.countError("ping_on_stream", ConnectionError(ErrCodeProtocol))
  1586  	}
  1587  	sc.writeFrame(FrameWriteRequest{write: writePingAck{f}})
  1588  	return nil
  1589  }
  1590  
  1591  func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error {
  1592  	sc.serveG.check()
  1593  	switch {
  1594  	case f.StreamID != 0: // stream-level flow control
  1595  		state, st := sc.state(f.StreamID)
  1596  		if state == stateIdle {
  1597  			// Section 5.1: "Receiving any frame other than HEADERS
  1598  			// or PRIORITY on a stream in this state MUST be
  1599  			// treated as a connection error (Section 5.4.1) of
  1600  			// type PROTOCOL_ERROR."
  1601  			return sc.countError("stream_idle", ConnectionError(ErrCodeProtocol))
  1602  		}
  1603  		if st == nil {
  1604  			// "WINDOW_UPDATE can be sent by a peer that has sent a
  1605  			// frame bearing the END_STREAM flag. This means that a
  1606  			// receiver could receive a WINDOW_UPDATE frame on a "half
  1607  			// closed (remote)" or "closed" stream. A receiver MUST
  1608  			// NOT treat this as an error, see Section 5.1."
  1609  			return nil
  1610  		}
  1611  		if !st.flow.add(int32(f.Increment)) {
  1612  			return sc.countError("bad_flow", streamError(f.StreamID, ErrCodeFlowControl))
  1613  		}
  1614  	default: // connection-level flow control
  1615  		if !sc.flow.add(int32(f.Increment)) {
  1616  			return goAwayFlowError{}
  1617  		}
  1618  	}
  1619  	sc.scheduleFrameWrite()
  1620  	return nil
  1621  }
  1622  
  1623  func (sc *serverConn) processResetStream(f *RSTStreamFrame) error {
  1624  	sc.serveG.check()
  1625  
  1626  	state, st := sc.state(f.StreamID)
  1627  	if state == stateIdle {
  1628  		// 6.4 "RST_STREAM frames MUST NOT be sent for a
  1629  		// stream in the "idle" state. If a RST_STREAM frame
  1630  		// identifying an idle stream is received, the
  1631  		// recipient MUST treat this as a connection error
  1632  		// (Section 5.4.1) of type PROTOCOL_ERROR.
  1633  		return sc.countError("reset_idle_stream", ConnectionError(ErrCodeProtocol))
  1634  	}
  1635  	if st != nil {
  1636  		st.cancelCtx()
  1637  		sc.closeStream(st, streamError(f.StreamID, f.ErrCode))
  1638  	}
  1639  	return nil
  1640  }
  1641  
  1642  func (sc *serverConn) closeStream(st *stream, err error) {
  1643  	sc.serveG.check()
  1644  	if st.state == stateIdle || st.state == stateClosed {
  1645  		panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state))
  1646  	}
  1647  	st.state = stateClosed
  1648  	if st.readDeadline != nil {
  1649  		st.readDeadline.Stop()
  1650  	}
  1651  	if st.writeDeadline != nil {
  1652  		st.writeDeadline.Stop()
  1653  	}
  1654  	if st.isPushed() {
  1655  		sc.curPushedStreams--
  1656  	} else {
  1657  		sc.curClientStreams--
  1658  	}
  1659  	delete(sc.streams, st.id)
  1660  	if len(sc.streams) == 0 {
  1661  		sc.setConnState(ConnStateIdle)
  1662  		if sc.srv.IdleTimeout > 0 && sc.idleTimer != nil {
  1663  			sc.idleTimer.Reset(sc.srv.IdleTimeout)
  1664  		}
  1665  		if h1ServerKeepAlivesDisabled(sc.hs) {
  1666  			sc.startGracefulShutdownInternal()
  1667  		}
  1668  	}
  1669  	if p := st.body; p != nil {
  1670  		// Return any buffered unread bytes worth of conn-level flow control.
  1671  		// See golang.org/issue/16481
  1672  		sc.sendWindowUpdate(nil, p.Len())
  1673  
  1674  		p.CloseWithError(err)
  1675  	}
  1676  	if e, ok := err.(StreamError); ok {
  1677  		if e.Cause != nil {
  1678  			err = e.Cause
  1679  		} else {
  1680  			err = errStreamClosed
  1681  		}
  1682  	}
  1683  	st.closeErr = err
  1684  	st.cancelCtx()
  1685  	st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc
  1686  	sc.writeSched.CloseStream(st.id)
  1687  }
  1688  
  1689  func (sc *serverConn) processSettings(f *SettingsFrame) error {
  1690  	sc.serveG.check()
  1691  	if f.IsAck() {
  1692  		sc.unackedSettings--
  1693  		if sc.unackedSettings < 0 {
  1694  			// Why is the peer ACKing settings we never sent?
  1695  			// The spec doesn't mention this case, but
  1696  			// hang up on them anyway.
  1697  			return sc.countError("ack_mystery", ConnectionError(ErrCodeProtocol))
  1698  		}
  1699  		return nil
  1700  	}
  1701  	if f.NumSettings() > 100 || f.HasDuplicates() {
  1702  		// This isn't actually in the spec, but hang up on
  1703  		// suspiciously large settings frames or those with
  1704  		// duplicate entries.
  1705  		return sc.countError("settings_big_or_dups", ConnectionError(ErrCodeProtocol))
  1706  	}
  1707  	if err := f.ForeachSetting(sc.processSetting); err != nil {
  1708  		return err
  1709  	}
  1710  	// TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be
  1711  	// acknowledged individually, even if multiple are received before the ACK.
  1712  	sc.needToSendSettingsAck = true
  1713  	sc.scheduleFrameWrite()
  1714  	return nil
  1715  }
  1716  
  1717  func (sc *serverConn) processSetting(s Setting) error {
  1718  	sc.serveG.check()
  1719  	if err := s.Valid(); err != nil {
  1720  		return err
  1721  	}
  1722  	if VerboseLogs {
  1723  		sc.vlogf("http2: server processing setting %v", s)
  1724  	}
  1725  	switch s.ID {
  1726  	case SettingHeaderTableSize:
  1727  		sc.hpackEncoder.SetMaxDynamicTableSize(s.Val)
  1728  	case SettingEnablePush:
  1729  		sc.pushEnabled = s.Val != 0
  1730  	case SettingMaxConcurrentStreams:
  1731  		sc.clientMaxStreams = s.Val
  1732  	case SettingInitialWindowSize:
  1733  		return sc.processSettingInitialWindowSize(s.Val)
  1734  	case SettingMaxFrameSize:
  1735  		sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31
  1736  	case SettingMaxHeaderListSize:
  1737  		sc.peerMaxHeaderListSize = s.Val
  1738  	case SettingEnableConnectProtocol:
  1739  		// Receipt of this parameter by a server does not
  1740  		// have any impact
  1741  	case SettingNoRFC7540Priorities:
  1742  		if s.Val > 1 {
  1743  			return ConnectionError(ErrCodeProtocol)
  1744  		}
  1745  	default:
  1746  		// Unknown setting: "An endpoint that receives a SETTINGS
  1747  		// frame with any unknown or unsupported identifier MUST
  1748  		// ignore that setting."
  1749  		if VerboseLogs {
  1750  			sc.vlogf("http2: server ignoring unknown setting %v", s)
  1751  		}
  1752  	}
  1753  	return nil
  1754  }
  1755  
  1756  func (sc *serverConn) processSettingInitialWindowSize(val uint32) error {
  1757  	sc.serveG.check()
  1758  	// Note: val already validated to be within range by
  1759  	// processSetting's Valid call.
  1760  
  1761  	// "A SETTINGS frame can alter the initial flow control window
  1762  	// size for all current streams. When the value of
  1763  	// SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST
  1764  	// adjust the size of all stream flow control windows that it
  1765  	// maintains by the difference between the new value and the
  1766  	// old value."
  1767  	old := sc.initialStreamSendWindowSize
  1768  	sc.initialStreamSendWindowSize = int32(val)
  1769  	growth := int32(val) - old // may be negative
  1770  	for _, st := range sc.streams {
  1771  		if !st.flow.add(growth) {
  1772  			// 6.9.2 Initial Flow Control Window Size
  1773  			// "An endpoint MUST treat a change to
  1774  			// SETTINGS_INITIAL_WINDOW_SIZE that causes any flow
  1775  			// control window to exceed the maximum size as a
  1776  			// connection error (Section 5.4.1) of type
  1777  			// FLOW_CONTROL_ERROR."
  1778  			return sc.countError("setting_win_size", ConnectionError(ErrCodeFlowControl))
  1779  		}
  1780  	}
  1781  	return nil
  1782  }
  1783  
  1784  func (sc *serverConn) processData(f *DataFrame) error {
  1785  	sc.serveG.check()
  1786  	id := f.Header().StreamID
  1787  
  1788  	data := f.Data()
  1789  	state, st := sc.state(id)
  1790  	if id == 0 || state == stateIdle {
  1791  		// Section 6.1: "DATA frames MUST be associated with a
  1792  		// stream. If a DATA frame is received whose stream
  1793  		// identifier field is 0x0, the recipient MUST respond
  1794  		// with a connection error (Section 5.4.1) of type
  1795  		// PROTOCOL_ERROR."
  1796  		//
  1797  		// Section 5.1: "Receiving any frame other than HEADERS
  1798  		// or PRIORITY on a stream in this state MUST be
  1799  		// treated as a connection error (Section 5.4.1) of
  1800  		// type PROTOCOL_ERROR."
  1801  		return sc.countError("data_on_idle", ConnectionError(ErrCodeProtocol))
  1802  	}
  1803  
  1804  	// "If a DATA frame is received whose stream is not in "open"
  1805  	// or "half closed (local)" state, the recipient MUST respond
  1806  	// with a stream error (Section 5.4.2) of type STREAM_CLOSED."
  1807  	if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued {
  1808  		// This includes sending a RST_STREAM if the stream is
  1809  		// in stateHalfClosedLocal (which currently means that
  1810  		// the http.Handler returned, so it's done reading &
  1811  		// done writing). Try to stop the client from sending
  1812  		// more DATA.
  1813  
  1814  		// But still enforce their connection-level flow control,
  1815  		// and return any flow control bytes since we're not going
  1816  		// to consume them.
  1817  		if !sc.inflow.take(f.Length) {
  1818  			return sc.countError("data_flow", streamError(id, ErrCodeFlowControl))
  1819  		}
  1820  		sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
  1821  
  1822  		if st != nil && st.resetQueued {
  1823  			// Already have a stream error in flight. Don't send another.
  1824  			return nil
  1825  		}
  1826  		return sc.countError("closed", streamError(id, ErrCodeStreamClosed))
  1827  	}
  1828  	if st.body == nil {
  1829  		panic("internal error: should have a body in this state")
  1830  	}
  1831  
  1832  	// Sender sending more than they'd declared?
  1833  	if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
  1834  		if !sc.inflow.take(f.Length) {
  1835  			return sc.countError("data_flow", streamError(id, ErrCodeFlowControl))
  1836  		}
  1837  		sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
  1838  
  1839  		st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes))
  1840  		// RFC 7540, sec 8.1.2.6: A request or response is also malformed if the
  1841  		// value of a content-length header field does not equal the sum of the
  1842  		// DATA frame payload lengths that form the body.
  1843  		return sc.countError("send_too_much", streamError(id, ErrCodeProtocol))
  1844  	}
  1845  	if f.Length > 0 {
  1846  		// Check whether the client has flow control quota.
  1847  		if !takeInflows(&sc.inflow, &st.inflow, f.Length) {
  1848  			return sc.countError("flow_on_data_length", streamError(id, ErrCodeFlowControl))
  1849  		}
  1850  
  1851  		if len(data) > 0 {
  1852  			st.bodyBytes += int64(len(data))
  1853  			wrote, err := st.body.Write(data)
  1854  			if err != nil {
  1855  				// The handler has closed the request body.
  1856  				// Return the connection-level flow control for the discarded data,
  1857  				// but not the stream-level flow control.
  1858  				sc.sendWindowUpdate(nil, int(f.Length)-wrote)
  1859  				return nil
  1860  			}
  1861  			if wrote != len(data) {
  1862  				panic("internal error: bad Writer")
  1863  			}
  1864  		}
  1865  
  1866  		// Return any padded flow control now, since we won't
  1867  		// refund it later on body reads.
  1868  		// Call sendWindowUpdate even if there is no padding,
  1869  		// to return buffered flow control credit if the sent
  1870  		// window has shrunk.
  1871  		pad := int32(f.Length) - int32(len(data))
  1872  		sc.sendWindowUpdate32(nil, pad)
  1873  		sc.sendWindowUpdate32(st, pad)
  1874  	}
  1875  	if f.StreamEnded() {
  1876  		st.endStream()
  1877  	}
  1878  	return nil
  1879  }
  1880  
  1881  func (sc *serverConn) processGoAway(f *GoAwayFrame) error {
  1882  	sc.serveG.check()
  1883  	if f.ErrCode != ErrCodeNo {
  1884  		sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f)
  1885  	} else {
  1886  		sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f)
  1887  	}
  1888  	sc.startGracefulShutdownInternal()
  1889  	// http://tools.ietf.org/html/rfc7540#section-6.8
  1890  	// We should not create any new streams, which means we should disable push.
  1891  	sc.pushEnabled = false
  1892  	return nil
  1893  }
  1894  
  1895  // isPushed reports whether the stream is server-initiated.
  1896  func (st *stream) isPushed() bool {
  1897  	return st.id%2 == 0
  1898  }
  1899  
  1900  // endStream closes a Request.Body's pipe. It is called when a DATA
  1901  // frame says a request body is over (or after trailers).
  1902  func (st *stream) endStream() {
  1903  	sc := st.sc
  1904  	sc.serveG.check()
  1905  
  1906  	if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes {
  1907  		st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes",
  1908  			st.declBodyBytes, st.bodyBytes))
  1909  	} else {
  1910  		st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest)
  1911  		st.body.CloseWithError(io.EOF)
  1912  	}
  1913  	st.state = stateHalfClosedRemote
  1914  }
  1915  
  1916  // copyTrailersToHandlerRequest is run in the Handler's goroutine in
  1917  // its Request.Body.Read just before it gets io.EOF.
  1918  func (st *stream) copyTrailersToHandlerRequest() {
  1919  	for k, vv := range st.trailer {
  1920  		if _, ok := st.reqTrailer[k]; ok {
  1921  			// Only copy it over it was pre-declared.
  1922  			st.reqTrailer[k] = vv
  1923  		}
  1924  	}
  1925  }
  1926  
  1927  // onReadTimeout is run on its own goroutine (from time.AfterFunc)
  1928  // when the stream's ReadTimeout has fired.
  1929  func (st *stream) onReadTimeout() {
  1930  	if st.body != nil {
  1931  		// Wrap the ErrDeadlineExceeded to avoid callers depending on us
  1932  		// returning the bare error.
  1933  		st.body.CloseWithError(fmt.Errorf("%w", os.ErrDeadlineExceeded))
  1934  	}
  1935  }
  1936  
  1937  // onWriteTimeout is run on its own goroutine (from time.AfterFunc)
  1938  // when the stream's WriteTimeout has fired.
  1939  func (st *stream) onWriteTimeout() {
  1940  	st.sc.writeFrameFromHandler(FrameWriteRequest{write: StreamError{
  1941  		StreamID: st.id,
  1942  		Code:     ErrCodeInternal,
  1943  		Cause:    os.ErrDeadlineExceeded,
  1944  	}})
  1945  }
  1946  
  1947  func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
  1948  	sc.serveG.check()
  1949  	id := f.StreamID
  1950  	// http://tools.ietf.org/html/rfc7540#section-5.1.1
  1951  	// Streams initiated by a client MUST use odd-numbered stream
  1952  	// identifiers. [...] An endpoint that receives an unexpected
  1953  	// stream identifier MUST respond with a connection error
  1954  	// (Section 5.4.1) of type PROTOCOL_ERROR.
  1955  	if id%2 != 1 {
  1956  		return sc.countError("headers_even", ConnectionError(ErrCodeProtocol))
  1957  	}
  1958  	// A HEADERS frame can be used to create a new stream or
  1959  	// send a trailer for an open one. If we already have a stream
  1960  	// open, let it process its own HEADERS frame (trailers at this
  1961  	// point, if it's valid).
  1962  	if st := sc.streams[f.StreamID]; st != nil {
  1963  		if st.resetQueued {
  1964  			// We're sending RST_STREAM to close the stream, so don't bother
  1965  			// processing this frame.
  1966  			return nil
  1967  		}
  1968  		// RFC 7540, sec 5.1: If an endpoint receives additional frames, other than
  1969  		// WINDOW_UPDATE, PRIORITY, or RST_STREAM, for a stream that is in
  1970  		// this state, it MUST respond with a stream error (Section 5.4.2) of
  1971  		// type STREAM_CLOSED.
  1972  		if st.state == stateHalfClosedRemote {
  1973  			return sc.countError("headers_half_closed", streamError(id, ErrCodeStreamClosed))
  1974  		}
  1975  		return st.processTrailerHeaders(f)
  1976  	}
  1977  
  1978  	// [...] The identifier of a newly established stream MUST be
  1979  	// numerically greater than all streams that the initiating
  1980  	// endpoint has opened or reserved. [...]  An endpoint that
  1981  	// receives an unexpected stream identifier MUST respond with
  1982  	// a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
  1983  	if id <= sc.maxClientStreamID {
  1984  		return sc.countError("stream_went_down", ConnectionError(ErrCodeProtocol))
  1985  	}
  1986  	sc.maxClientStreamID = id
  1987  
  1988  	if sc.idleTimer != nil {
  1989  		sc.idleTimer.Stop()
  1990  	}
  1991  
  1992  	// http://tools.ietf.org/html/rfc7540#section-5.1.2
  1993  	// [...] Endpoints MUST NOT exceed the limit set by their peer. An
  1994  	// endpoint that receives a HEADERS frame that causes their
  1995  	// advertised concurrent stream limit to be exceeded MUST treat
  1996  	// this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR
  1997  	// or REFUSED_STREAM.
  1998  	if sc.curClientStreams+1 > sc.advMaxStreams {
  1999  		if sc.unackedSettings == 0 {
  2000  			// They should know better.
  2001  			return sc.countError("over_max_streams", streamError(id, ErrCodeProtocol))
  2002  		}
  2003  		// Assume it's a network race, where they just haven't
  2004  		// received our last SETTINGS update. But actually
  2005  		// this can't happen yet, because we don't yet provide
  2006  		// a way for users to adjust server parameters at
  2007  		// runtime.
  2008  		return sc.countError("over_max_streams_race", streamError(id, ErrCodeRefusedStream))
  2009  	}
  2010  
  2011  	initialState := stateOpen
  2012  	if f.StreamEnded() {
  2013  		initialState = stateHalfClosedRemote
  2014  	}
  2015  
  2016  	// We are handling two special cases here:
  2017  	// 1. When a request is sent via an intermediary, we force priority to be
  2018  	// u=3,i. This is essentially a round-robin behavior, and is done to ensure
  2019  	// fairness between, for example, multiple clients using the same proxy.
  2020  	// 2. Until a client has shown that it is aware of RFC 9218, we make its
  2021  	// streams non-incremental by default. This is done to preserve the
  2022  	// historical behavior of handling streams in a round-robin manner, rather
  2023  	// than one-by-one to completion.
  2024  	initialPriority := defaultRFC9218Priority(sc.priorityAware && !sc.hasIntermediary)
  2025  	if _, ok := sc.writeSched.(*priorityWriteSchedulerRFC9218); ok && !sc.hasIntermediary {
  2026  		headerPriority, priorityAware, hasIntermediary := f.rfc9218Priority(sc.priorityAware)
  2027  		initialPriority = headerPriority
  2028  		sc.hasIntermediary = hasIntermediary
  2029  		if priorityAware {
  2030  			sc.priorityAware = true
  2031  		}
  2032  	}
  2033  	st := sc.newStream(id, 0, initialState, initialPriority)
  2034  
  2035  	if f.HasPriority() {
  2036  		if err := sc.checkPriority(f.StreamID, f.Priority); err != nil {
  2037  			return err
  2038  		}
  2039  		if !sc.writeSchedIgnoresRFC7540() {
  2040  			sc.writeSched.AdjustStream(st.id, f.Priority)
  2041  		}
  2042  	}
  2043  
  2044  	rw, req, err := sc.newWriterAndRequest(st, f)
  2045  	if err != nil {
  2046  		return err
  2047  	}
  2048  	st.reqTrailer = req.Trailer
  2049  	if st.reqTrailer != nil {
  2050  		st.trailer = make(Header)
  2051  	}
  2052  	st.body = req.Body.(*requestBody).pipe // may be nil
  2053  	st.declBodyBytes = req.ContentLength
  2054  
  2055  	handler := sc.handler.ServeHTTP
  2056  	if f.Truncated {
  2057  		// Their header list was too long. Send a 431 error.
  2058  		handler = handleHeaderListTooLong
  2059  	} else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil {
  2060  		handler = serve400Handler{err}.ServeHTTP
  2061  	}
  2062  
  2063  	// The net/http package sets the read deadline from the
  2064  	// http.Server.ReadTimeout during the TLS handshake, but then
  2065  	// passes the connection off to us with the deadline already
  2066  	// set. Disarm it here after the request headers are read,
  2067  	// similar to how the http1 server works. Here it's
  2068  	// technically more like the http1 Server's ReadHeaderTimeout
  2069  	// (in Go 1.8), though. That's a more sane option anyway.
  2070  	if sc.hs.ReadTimeout() > 0 {
  2071  		sc.conn.SetReadDeadline(time.Time{})
  2072  		st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout(), st.onReadTimeout)
  2073  	}
  2074  
  2075  	return sc.scheduleHandler(id, rw, req, handler)
  2076  }
  2077  
  2078  func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
  2079  	sc := st.sc
  2080  	sc.serveG.check()
  2081  	if st.gotTrailerHeader {
  2082  		return sc.countError("dup_trailers", ConnectionError(ErrCodeProtocol))
  2083  	}
  2084  	st.gotTrailerHeader = true
  2085  	if !f.StreamEnded() {
  2086  		return sc.countError("trailers_not_ended", streamError(st.id, ErrCodeProtocol))
  2087  	}
  2088  
  2089  	if len(f.PseudoFields()) > 0 {
  2090  		return sc.countError("trailers_pseudo", streamError(st.id, ErrCodeProtocol))
  2091  	}
  2092  	if st.trailer != nil {
  2093  		for _, hf := range f.RegularFields() {
  2094  			key := sc.canonicalHeader(hf.Name)
  2095  			if !httpguts.ValidTrailerHeader(key) {
  2096  				// TODO: send more details to the peer somehow. But http2 has
  2097  				// no way to send debug data at a stream level. Discuss with
  2098  				// HTTP folk.
  2099  				return sc.countError("trailers_bogus", streamError(st.id, ErrCodeProtocol))
  2100  			}
  2101  			st.trailer[key] = append(st.trailer[key], hf.Value)
  2102  		}
  2103  	}
  2104  	st.endStream()
  2105  	return nil
  2106  }
  2107  
  2108  func (sc *serverConn) checkPriority(streamID uint32, p PriorityParam) error {
  2109  	if streamID == p.StreamDep {
  2110  		// Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
  2111  		// this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR."
  2112  		// Section 5.3.3 says that a stream can depend on one of its dependencies,
  2113  		// so it's only self-dependencies that are forbidden.
  2114  		return sc.countError("priority", streamError(streamID, ErrCodeProtocol))
  2115  	}
  2116  	return nil
  2117  }
  2118  
  2119  func (sc *serverConn) processPriority(f *PriorityFrame) error {
  2120  	if err := sc.checkPriority(f.StreamID, f.PriorityParam); err != nil {
  2121  		return err
  2122  	}
  2123  	// We need to avoid calling AdjustStream when using the RFC 9218 write
  2124  	// scheduler. Otherwise, incremental's zero value in PriorityParam will
  2125  	// unexpectedly make all streams non-incremental. This causes us to process
  2126  	// streams one-by-one to completion rather than doing it in a round-robin
  2127  	// manner (the historical behavior), which might be unexpected to users.
  2128  	if sc.writeSchedIgnoresRFC7540() {
  2129  		return nil
  2130  	}
  2131  	sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam)
  2132  	return nil
  2133  }
  2134  
  2135  func (sc *serverConn) processPriorityUpdate(f *PriorityUpdateFrame) error {
  2136  	sc.priorityAware = true
  2137  	if _, ok := sc.writeSched.(*priorityWriteSchedulerRFC9218); !ok {
  2138  		return nil
  2139  	}
  2140  	p, ok := parseRFC9218Priority(f.Priority, sc.priorityAware)
  2141  	if !ok {
  2142  		return sc.countError("unparsable_priority_update", streamError(f.PrioritizedStreamID, ErrCodeProtocol))
  2143  	}
  2144  	sc.writeSched.AdjustStream(f.PrioritizedStreamID, p)
  2145  	return nil
  2146  }
  2147  
  2148  func (sc *serverConn) newStream(id, pusherID uint32, state streamState, priority PriorityParam) *stream {
  2149  	sc.serveG.check()
  2150  	if id == 0 {
  2151  		panic("internal error: cannot create stream with id 0")
  2152  	}
  2153  
  2154  	ctx, cancelCtx := context.WithCancel(sc.baseCtx)
  2155  	st := &stream{
  2156  		sc:        sc,
  2157  		id:        id,
  2158  		state:     state,
  2159  		ctx:       ctx,
  2160  		cancelCtx: cancelCtx,
  2161  	}
  2162  	st.cw.Init()
  2163  	st.flow.conn = &sc.flow // link to conn-level counter
  2164  	st.flow.add(sc.initialStreamSendWindowSize)
  2165  	st.inflow.init(sc.initialStreamRecvWindowSize)
  2166  	if writeTimeout := sc.hs.WriteTimeout(); writeTimeout > 0 {
  2167  		st.writeDeadline = time.AfterFunc(writeTimeout, st.onWriteTimeout)
  2168  	}
  2169  
  2170  	sc.streams[id] = st
  2171  	sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID, priority: priority})
  2172  	if st.isPushed() {
  2173  		sc.curPushedStreams++
  2174  	} else {
  2175  		sc.curClientStreams++
  2176  	}
  2177  	if sc.curOpenStreams() == 1 {
  2178  		sc.setConnState(ConnStateActive)
  2179  	}
  2180  
  2181  	return st
  2182  }
  2183  
  2184  func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *ServerRequest, error) {
  2185  	sc.serveG.check()
  2186  
  2187  	rp := httpcommon.ServerRequestParam{
  2188  		Method:    f.PseudoValue("method"),
  2189  		Scheme:    f.PseudoValue("scheme"),
  2190  		Authority: f.PseudoValue("authority"),
  2191  		Path:      f.PseudoValue("path"),
  2192  		Protocol:  f.PseudoValue("protocol"),
  2193  	}
  2194  
  2195  	// extended connect is disabled, so we should not see :protocol
  2196  	if disableExtendedConnectProtocol && rp.Protocol != "" {
  2197  		return nil, nil, sc.countError("bad_connect", streamError(f.StreamID, ErrCodeProtocol))
  2198  	}
  2199  
  2200  	isConnect := rp.Method == "CONNECT"
  2201  	if isConnect {
  2202  		if rp.Protocol == "" && (rp.Path != "" || rp.Scheme != "" || rp.Authority == "") {
  2203  			return nil, nil, sc.countError("bad_connect", streamError(f.StreamID, ErrCodeProtocol))
  2204  		}
  2205  	} else if rp.Method == "" || rp.Path == "" || (rp.Scheme != "https" && rp.Scheme != "http") {
  2206  		// See 8.1.2.6 Malformed Requests and Responses:
  2207  		//
  2208  		// Malformed requests or responses that are detected
  2209  		// MUST be treated as a stream error (Section 5.4.2)
  2210  		// of type PROTOCOL_ERROR."
  2211  		//
  2212  		// 8.1.2.3 Request Pseudo-Header Fields
  2213  		// "All HTTP/2 requests MUST include exactly one valid
  2214  		// value for the :method, :scheme, and :path
  2215  		// pseudo-header fields"
  2216  		return nil, nil, sc.countError("bad_path_method", streamError(f.StreamID, ErrCodeProtocol))
  2217  	}
  2218  
  2219  	header := make(Header)
  2220  	rp.Header = header
  2221  	for _, hf := range f.RegularFields() {
  2222  		header.Add(sc.canonicalHeader(hf.Name), hf.Value)
  2223  	}
  2224  	if rp.Authority == "" {
  2225  		rp.Authority = header.Get("Host")
  2226  	}
  2227  	if rp.Protocol != "" {
  2228  		header.Set(":protocol", rp.Protocol)
  2229  	}
  2230  
  2231  	rw, req, err := sc.newWriterAndRequestNoBody(st, rp)
  2232  	if err != nil {
  2233  		return nil, nil, err
  2234  	}
  2235  	bodyOpen := !f.StreamEnded()
  2236  	if bodyOpen {
  2237  		if vv, ok := rp.Header["Content-Length"]; ok {
  2238  			if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil {
  2239  				req.ContentLength = int64(cl)
  2240  			} else {
  2241  				req.ContentLength = 0
  2242  			}
  2243  		} else {
  2244  			req.ContentLength = -1
  2245  		}
  2246  		req.Body.(*requestBody).pipe = &pipe{
  2247  			b: &dataBuffer{expected: req.ContentLength},
  2248  		}
  2249  	}
  2250  	return rw, req, nil
  2251  }
  2252  
  2253  func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp httpcommon.ServerRequestParam) (*responseWriter, *ServerRequest, error) {
  2254  	sc.serveG.check()
  2255  
  2256  	var tlsState *tls.ConnectionState // nil if not scheme https
  2257  	if rp.Scheme == "https" {
  2258  		tlsState = sc.tlsState
  2259  	}
  2260  
  2261  	res := httpcommon.NewServerRequest(rp)
  2262  	if res.InvalidReason != "" {
  2263  		return nil, nil, sc.countError(res.InvalidReason, streamError(st.id, ErrCodeProtocol))
  2264  	}
  2265  
  2266  	body := &requestBody{
  2267  		conn:          sc,
  2268  		stream:        st,
  2269  		needsContinue: res.NeedsContinue,
  2270  	}
  2271  	rw := sc.newResponseWriter(st)
  2272  	rw.rws.req = ServerRequest{
  2273  		Context:    st.ctx,
  2274  		Method:     rp.Method,
  2275  		URL:        res.URL,
  2276  		RemoteAddr: sc.remoteAddrStr,
  2277  		Header:     rp.Header,
  2278  		RequestURI: res.RequestURI,
  2279  		Proto:      "HTTP/2.0",
  2280  		ProtoMajor: 2,
  2281  		ProtoMinor: 0,
  2282  		TLS:        tlsState,
  2283  		Host:       rp.Authority,
  2284  		Body:       body,
  2285  		Trailer:    res.Trailer,
  2286  	}
  2287  	return rw, &rw.rws.req, nil
  2288  }
  2289  
  2290  func (sc *serverConn) newResponseWriter(st *stream) *responseWriter {
  2291  	rws := responseWriterStatePool.Get().(*responseWriterState)
  2292  	bwSave := rws.bw
  2293  	*rws = responseWriterState{} // zero all the fields
  2294  	rws.conn = sc
  2295  	rws.bw = bwSave
  2296  	rws.bw.Reset(chunkWriter{rws})
  2297  	rws.stream = st
  2298  	return &responseWriter{rws: rws}
  2299  }
  2300  
  2301  type unstartedHandler struct {
  2302  	streamID uint32
  2303  	rw       *responseWriter
  2304  	req      *ServerRequest
  2305  	handler  func(*ResponseWriter, *ServerRequest)
  2306  }
  2307  
  2308  // scheduleHandler starts a handler goroutine,
  2309  // or schedules one to start as soon as an existing handler finishes.
  2310  func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *ServerRequest, handler func(*ResponseWriter, *ServerRequest)) error {
  2311  	sc.serveG.check()
  2312  	maxHandlers := sc.advMaxStreams
  2313  	if sc.curHandlers < maxHandlers {
  2314  		sc.curHandlers++
  2315  		go sc.runHandler(rw, req, handler)
  2316  		return nil
  2317  	}
  2318  	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
  2319  		return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
  2320  	}
  2321  	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
  2322  		streamID: streamID,
  2323  		rw:       rw,
  2324  		req:      req,
  2325  		handler:  handler,
  2326  	})
  2327  	return nil
  2328  }
  2329  
  2330  func (sc *serverConn) handlerDone() {
  2331  	sc.serveG.check()
  2332  	sc.curHandlers--
  2333  	i := 0
  2334  	maxHandlers := sc.advMaxStreams
  2335  	for ; i < len(sc.unstartedHandlers); i++ {
  2336  		u := sc.unstartedHandlers[i]
  2337  		if sc.streams[u.streamID] == nil {
  2338  			// This stream was reset before its goroutine had a chance to start.
  2339  			continue
  2340  		}
  2341  		if sc.curHandlers >= maxHandlers {
  2342  			break
  2343  		}
  2344  		sc.curHandlers++
  2345  		go sc.runHandler(u.rw, u.req, u.handler)
  2346  		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
  2347  	}
  2348  	sc.unstartedHandlers = sc.unstartedHandlers[i:]
  2349  	if len(sc.unstartedHandlers) == 0 {
  2350  		sc.unstartedHandlers = nil
  2351  	}
  2352  }
  2353  
  2354  // Run on its own goroutine.
  2355  func (sc *serverConn) runHandler(rw *responseWriter, req *ServerRequest, handler func(*ResponseWriter, *ServerRequest)) {
  2356  	defer sc.sendServeMsg(handlerDoneMsg)
  2357  	didPanic := true
  2358  	defer func() {
  2359  		rw.rws.stream.cancelCtx()
  2360  		if req.MultipartForm != nil {
  2361  			req.MultipartForm.RemoveAll()
  2362  		}
  2363  		if didPanic {
  2364  			e := recover()
  2365  			sc.writeFrameFromHandler(FrameWriteRequest{
  2366  				write:  handlerPanicRST{rw.rws.stream.id},
  2367  				stream: rw.rws.stream,
  2368  			})
  2369  			// Same as net/http:
  2370  			if e != nil && e != ErrAbortHandler {
  2371  				const size = 64 << 10
  2372  				buf := make([]byte, size)
  2373  				buf = buf[:runtime.Stack(buf, false)]
  2374  				sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf)
  2375  			}
  2376  			return
  2377  		}
  2378  		rw.handlerDone()
  2379  	}()
  2380  	handler(rw, req)
  2381  	didPanic = false
  2382  }
  2383  
  2384  func handleHeaderListTooLong(w *ResponseWriter, r *ServerRequest) {
  2385  	// 10.5.1 Limits on Header Block Size:
  2386  	// .. "A server that receives a larger header block than it is
  2387  	// willing to handle can send an HTTP 431 (Request Header Fields Too
  2388  	// Large) status code"
  2389  	const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+
  2390  	w.WriteHeader(statusRequestHeaderFieldsTooLarge)
  2391  	io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>")
  2392  }
  2393  
  2394  // called from handler goroutines.
  2395  // h may be nil.
  2396  func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error {
  2397  	sc.serveG.checkNotOn() // NOT on
  2398  	var errc chan error
  2399  	if headerData.h != nil {
  2400  		// If there's a header map (which we don't own), so we have to block on
  2401  		// waiting for this frame to be written, so an http.Flush mid-handler
  2402  		// writes out the correct value of keys, before a handler later potentially
  2403  		// mutates it.
  2404  		errc = sc.srv.state.getErrChan()
  2405  	}
  2406  	if err := sc.writeFrameFromHandler(FrameWriteRequest{
  2407  		write:  headerData,
  2408  		stream: st,
  2409  		done:   errc,
  2410  	}); err != nil {
  2411  		return err
  2412  	}
  2413  	if errc != nil {
  2414  		select {
  2415  		case err := <-errc:
  2416  			sc.srv.state.putErrChan(errc)
  2417  			return err
  2418  		case <-sc.doneServing:
  2419  			return errClientDisconnected
  2420  		case <-st.cw:
  2421  			return errStreamClosed
  2422  		}
  2423  	}
  2424  	return nil
  2425  }
  2426  
  2427  // called from handler goroutines.
  2428  func (sc *serverConn) write100ContinueHeaders(st *stream) {
  2429  	sc.writeFrameFromHandler(FrameWriteRequest{
  2430  		write:  write100ContinueHeadersFrame{st.id},
  2431  		stream: st,
  2432  	})
  2433  }
  2434  
  2435  // A bodyReadMsg tells the server loop that the http.Handler read n
  2436  // bytes of the DATA from the client on the given stream.
  2437  type bodyReadMsg struct {
  2438  	st *stream
  2439  	n  int
  2440  }
  2441  
  2442  // called from handler goroutines.
  2443  // Notes that the handler for the given stream ID read n bytes of its body
  2444  // and schedules flow control tokens to be sent.
  2445  func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) {
  2446  	sc.serveG.checkNotOn() // NOT on
  2447  	if n > 0 {
  2448  		select {
  2449  		case sc.bodyReadCh <- bodyReadMsg{st, n}:
  2450  		case <-sc.doneServing:
  2451  		}
  2452  	}
  2453  }
  2454  
  2455  func (sc *serverConn) noteBodyRead(st *stream, n int) {
  2456  	sc.serveG.check()
  2457  	sc.sendWindowUpdate(nil, n) // conn-level
  2458  	if st.state != stateHalfClosedRemote && st.state != stateClosed {
  2459  		// Don't send this WINDOW_UPDATE if the stream is closed
  2460  		// remotely.
  2461  		sc.sendWindowUpdate(st, n)
  2462  	}
  2463  }
  2464  
  2465  // st may be nil for conn-level
  2466  func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
  2467  	sc.sendWindowUpdate(st, int(n))
  2468  }
  2469  
  2470  // st may be nil for conn-level
  2471  func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
  2472  	sc.serveG.check()
  2473  	var streamID uint32
  2474  	var send int32
  2475  	if st == nil {
  2476  		send = sc.inflow.add(n)
  2477  	} else {
  2478  		streamID = st.id
  2479  		send = st.inflow.add(n)
  2480  	}
  2481  	if send == 0 {
  2482  		return
  2483  	}
  2484  	sc.writeFrame(FrameWriteRequest{
  2485  		write:  writeWindowUpdate{streamID: streamID, n: uint32(send)},
  2486  		stream: st,
  2487  	})
  2488  }
  2489  
  2490  // requestBody is the Handler's Request.Body type.
  2491  // Read and Close may be called concurrently.
  2492  type requestBody struct {
  2493  	_             incomparable
  2494  	stream        *stream
  2495  	conn          *serverConn
  2496  	closeOnce     sync.Once // for use by Close only
  2497  	sawEOF        bool      // for use by Read only
  2498  	pipe          *pipe     // non-nil if we have an HTTP entity message body
  2499  	needsContinue bool      // need to send a 100-continue
  2500  }
  2501  
  2502  func (b *requestBody) Close() error {
  2503  	b.closeOnce.Do(func() {
  2504  		if b.pipe != nil {
  2505  			b.pipe.BreakWithError(errClosedBody)
  2506  		}
  2507  	})
  2508  	return nil
  2509  }
  2510  
  2511  func (b *requestBody) Read(p []byte) (n int, err error) {
  2512  	if b.needsContinue {
  2513  		b.needsContinue = false
  2514  		b.conn.write100ContinueHeaders(b.stream)
  2515  	}
  2516  	if b.pipe == nil || b.sawEOF {
  2517  		return 0, io.EOF
  2518  	}
  2519  	n, err = b.pipe.Read(p)
  2520  	if err == io.EOF {
  2521  		b.sawEOF = true
  2522  	}
  2523  	if b.conn == nil {
  2524  		return
  2525  	}
  2526  	b.conn.noteBodyReadFromHandler(b.stream, n, err)
  2527  	return
  2528  }
  2529  
  2530  // responseWriter is the http.ResponseWriter implementation. It's
  2531  // intentionally small (1 pointer wide) to minimize garbage. The
  2532  // responseWriterState pointer inside is zeroed at the end of a
  2533  // request (in handlerDone) and calls on the responseWriter thereafter
  2534  // simply crash (caller's mistake), but the much larger responseWriterState
  2535  // and buffers are reused between multiple requests.
  2536  type responseWriter struct {
  2537  	rws *responseWriterState
  2538  }
  2539  
  2540  type responseWriterState struct {
  2541  	// immutable within a request:
  2542  	stream *stream
  2543  	req    ServerRequest
  2544  	conn   *serverConn
  2545  
  2546  	// TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc
  2547  	bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState}
  2548  
  2549  	// mutated by http.Handler goroutine:
  2550  	handlerHeader Header   // nil until called
  2551  	snapHeader    Header   // snapshot of handlerHeader at WriteHeader time
  2552  	trailers      []string // set in writeChunk
  2553  	status        int      // status code passed to WriteHeader
  2554  	wroteHeader   bool     // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet.
  2555  	sentHeader    bool     // have we sent the header frame?
  2556  	handlerDone   bool     // handler has finished
  2557  
  2558  	sentContentLen int64 // non-zero if handler set a Content-Length header
  2559  	wroteBytes     int64
  2560  
  2561  	closeNotifierMu sync.Mutex // guards closeNotifierCh
  2562  	closeNotifierCh chan bool  // nil until first used
  2563  }
  2564  
  2565  type chunkWriter struct{ rws *responseWriterState }
  2566  
  2567  func (cw chunkWriter) Write(p []byte) (n int, err error) {
  2568  	n, err = cw.rws.writeChunk(p)
  2569  	if err == errStreamClosed {
  2570  		// If writing failed because the stream has been closed,
  2571  		// return the reason it was closed.
  2572  		err = cw.rws.stream.closeErr
  2573  	}
  2574  	return n, err
  2575  }
  2576  
  2577  func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) > 0 }
  2578  
  2579  func (rws *responseWriterState) hasNonemptyTrailers() bool {
  2580  	for _, trailer := range rws.trailers {
  2581  		if _, ok := rws.handlerHeader[trailer]; ok {
  2582  			return true
  2583  		}
  2584  	}
  2585  	return false
  2586  }
  2587  
  2588  // declareTrailer is called for each Trailer header when the
  2589  // response header is written. It notes that a header will need to be
  2590  // written in the trailers at the end of the response.
  2591  func (rws *responseWriterState) declareTrailer(k string) {
  2592  	k = textproto.CanonicalMIMEHeaderKey(k)
  2593  	if !httpguts.ValidTrailerHeader(k) {
  2594  		// Forbidden by RFC 7230, section 4.1.2.
  2595  		rws.conn.logf("ignoring invalid trailer %q", k)
  2596  		return
  2597  	}
  2598  	if !slices.Contains(rws.trailers, k) {
  2599  		rws.trailers = append(rws.trailers, k)
  2600  	}
  2601  }
  2602  
  2603  const TimeFormat = "Mon, 02 Jan 2006 15:04:05 GMT" // keep in sync with net/http
  2604  
  2605  // writeChunk writes chunks from the bufio.Writer. But because
  2606  // bufio.Writer may bypass its chunking, sometimes p may be
  2607  // arbitrarily large.
  2608  //
  2609  // writeChunk is also responsible (on the first chunk) for sending the
  2610  // HEADER response.
  2611  func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
  2612  	if !rws.wroteHeader {
  2613  		rws.writeHeader(200)
  2614  	}
  2615  
  2616  	if rws.handlerDone {
  2617  		rws.promoteUndeclaredTrailers()
  2618  	}
  2619  
  2620  	isHeadResp := rws.req.Method == "HEAD"
  2621  	if !rws.sentHeader {
  2622  		rws.sentHeader = true
  2623  		var ctype, clen string
  2624  		if clen = rws.snapHeader.Get("Content-Length"); clen != "" {
  2625  			rws.snapHeader.Del("Content-Length")
  2626  			if cl, err := strconv.ParseUint(clen, 10, 63); err == nil {
  2627  				rws.sentContentLen = int64(cl)
  2628  			} else {
  2629  				clen = ""
  2630  			}
  2631  		}
  2632  		_, hasContentLength := rws.snapHeader["Content-Length"]
  2633  		if !hasContentLength && clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
  2634  			clen = strconv.Itoa(len(p))
  2635  		}
  2636  		_, hasContentType := rws.snapHeader["Content-Type"]
  2637  		// If the Content-Encoding is non-blank, we shouldn't
  2638  		// sniff the body. See Issue golang.org/issue/31753.
  2639  		ce := rws.snapHeader.Get("Content-Encoding")
  2640  		hasCE := len(ce) > 0
  2641  		if !hasCE && !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
  2642  			ctype = internal.DetectContentType(p)
  2643  		}
  2644  		var date string
  2645  		if _, ok := rws.snapHeader["Date"]; !ok {
  2646  			// TODO(bradfitz): be faster here, like net/http? measure.
  2647  			date = time.Now().UTC().Format(TimeFormat)
  2648  		}
  2649  
  2650  		for _, v := range rws.snapHeader["Trailer"] {
  2651  			foreachHeaderElement(v, rws.declareTrailer)
  2652  		}
  2653  
  2654  		// "Connection" headers aren't allowed in HTTP/2 (RFC 7540, 8.1.2.2),
  2655  		// but respect "Connection" == "close" to mean sending a GOAWAY and tearing
  2656  		// down the TCP connection when idle, like we do for HTTP/1.
  2657  		// TODO: remove more Connection-specific header fields here, in addition
  2658  		// to "Connection".
  2659  		if _, ok := rws.snapHeader["Connection"]; ok {
  2660  			v := rws.snapHeader.Get("Connection")
  2661  			delete(rws.snapHeader, "Connection")
  2662  			if v == "close" {
  2663  				rws.conn.startGracefulShutdown()
  2664  			}
  2665  		}
  2666  
  2667  		endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp
  2668  		err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
  2669  			streamID:      rws.stream.id,
  2670  			httpResCode:   rws.status,
  2671  			h:             rws.snapHeader,
  2672  			endStream:     endStream,
  2673  			contentType:   ctype,
  2674  			contentLength: clen,
  2675  			date:          date,
  2676  		})
  2677  		if err != nil {
  2678  			return 0, err
  2679  		}
  2680  		if endStream {
  2681  			return 0, nil
  2682  		}
  2683  	}
  2684  	if isHeadResp {
  2685  		return len(p), nil
  2686  	}
  2687  	if len(p) == 0 && !rws.handlerDone {
  2688  		return 0, nil
  2689  	}
  2690  
  2691  	// only send trailers if they have actually been defined by the
  2692  	// server handler.
  2693  	hasNonemptyTrailers := rws.hasNonemptyTrailers()
  2694  	endStream := rws.handlerDone && !hasNonemptyTrailers
  2695  	if len(p) > 0 || endStream {
  2696  		// only send a 0 byte DATA frame if we're ending the stream.
  2697  		if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil {
  2698  			return 0, err
  2699  		}
  2700  	}
  2701  
  2702  	if rws.handlerDone && hasNonemptyTrailers {
  2703  		err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
  2704  			streamID:  rws.stream.id,
  2705  			h:         rws.handlerHeader,
  2706  			trailers:  rws.trailers,
  2707  			endStream: true,
  2708  		})
  2709  		return len(p), err
  2710  	}
  2711  	return len(p), nil
  2712  }
  2713  
  2714  // TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
  2715  // that, if present, signals that the map entry is actually for
  2716  // the response trailers, and not the response headers. The prefix
  2717  // is stripped after the ServeHTTP call finishes and the values are
  2718  // sent in the trailers.
  2719  //
  2720  // This mechanism is intended only for trailers that are not known
  2721  // prior to the headers being written. If the set of trailers is fixed
  2722  // or known before the header is written, the normal Go trailers mechanism
  2723  // is preferred:
  2724  //
  2725  //	https://golang.org/pkg/net/http/#ResponseWriter
  2726  //	https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
  2727  const TrailerPrefix = "Trailer:"
  2728  
  2729  // promoteUndeclaredTrailers permits http.Handlers to set trailers
  2730  // after the header has already been flushed. Because the Go
  2731  // ResponseWriter interface has no way to set Trailers (only the
  2732  // Header), and because we didn't want to expand the ResponseWriter
  2733  // interface, and because nobody used trailers, and because RFC 7230
  2734  // says you SHOULD (but not must) predeclare any trailers in the
  2735  // header, the official ResponseWriter rules said trailers in Go must
  2736  // be predeclared, and then we reuse the same ResponseWriter.Header()
  2737  // map to mean both Headers and Trailers. When it's time to write the
  2738  // Trailers, we pick out the fields of Headers that were declared as
  2739  // trailers. That worked for a while, until we found the first major
  2740  // user of Trailers in the wild: gRPC (using them only over http2),
  2741  // and gRPC libraries permit setting trailers mid-stream without
  2742  // predeclaring them. So: change of plans. We still permit the old
  2743  // way, but we also permit this hack: if a Header() key begins with
  2744  // "Trailer:", the suffix of that key is a Trailer. Because ':' is an
  2745  // invalid token byte anyway, there is no ambiguity. (And it's already
  2746  // filtered out) It's mildly hacky, but not terrible.
  2747  //
  2748  // This method runs after the Handler is done and promotes any Header
  2749  // fields to be trailers.
  2750  func (rws *responseWriterState) promoteUndeclaredTrailers() {
  2751  	for k, vv := range rws.handlerHeader {
  2752  		if !strings.HasPrefix(k, TrailerPrefix) {
  2753  			continue
  2754  		}
  2755  		trailerKey := strings.TrimPrefix(k, TrailerPrefix)
  2756  		rws.declareTrailer(trailerKey)
  2757  		rws.handlerHeader[textproto.CanonicalMIMEHeaderKey(trailerKey)] = vv
  2758  	}
  2759  
  2760  	if len(rws.trailers) > 1 {
  2761  		slices.Sort(rws.trailers)
  2762  	}
  2763  }
  2764  
  2765  func (w *responseWriter) SetReadDeadline(deadline time.Time) error {
  2766  	st := w.rws.stream
  2767  	if !deadline.IsZero() && deadline.Before(time.Now()) {
  2768  		// If we're setting a deadline in the past, reset the stream immediately
  2769  		// so writes after SetWriteDeadline returns will fail.
  2770  		st.onReadTimeout()
  2771  		return nil
  2772  	}
  2773  	w.rws.conn.sendServeMsg(func(sc *serverConn) {
  2774  		if st.readDeadline != nil {
  2775  			if !st.readDeadline.Stop() {
  2776  				// Deadline already exceeded, or stream has been closed.
  2777  				return
  2778  			}
  2779  		}
  2780  		if deadline.IsZero() {
  2781  			st.readDeadline = nil
  2782  		} else if st.readDeadline == nil {
  2783  			st.readDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onReadTimeout)
  2784  		} else {
  2785  			st.readDeadline.Reset(deadline.Sub(time.Now()))
  2786  		}
  2787  	})
  2788  	return nil
  2789  }
  2790  
  2791  func (w *responseWriter) SetWriteDeadline(deadline time.Time) error {
  2792  	st := w.rws.stream
  2793  	if !deadline.IsZero() && deadline.Before(time.Now()) {
  2794  		// If we're setting a deadline in the past, reset the stream immediately
  2795  		// so writes after SetWriteDeadline returns will fail.
  2796  		st.onWriteTimeout()
  2797  		return nil
  2798  	}
  2799  	w.rws.conn.sendServeMsg(func(sc *serverConn) {
  2800  		if st.writeDeadline != nil {
  2801  			if !st.writeDeadline.Stop() {
  2802  				// Deadline already exceeded, or stream has been closed.
  2803  				return
  2804  			}
  2805  		}
  2806  		if deadline.IsZero() {
  2807  			st.writeDeadline = nil
  2808  		} else if st.writeDeadline == nil {
  2809  			st.writeDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onWriteTimeout)
  2810  		} else {
  2811  			st.writeDeadline.Reset(deadline.Sub(time.Now()))
  2812  		}
  2813  	})
  2814  	return nil
  2815  }
  2816  
  2817  func (w *responseWriter) EnableFullDuplex() error {
  2818  	// We always support full duplex responses, so this is a no-op.
  2819  	return nil
  2820  }
  2821  
  2822  func (w *responseWriter) Flush() {
  2823  	w.FlushError()
  2824  }
  2825  
  2826  func (w *responseWriter) FlushError() error {
  2827  	rws := w.rws
  2828  	if rws == nil {
  2829  		panic("Header called after Handler finished")
  2830  	}
  2831  	var err error
  2832  	if rws.bw.Buffered() > 0 {
  2833  		err = rws.bw.Flush()
  2834  	} else {
  2835  		// The bufio.Writer won't call chunkWriter.Write
  2836  		// (writeChunk with zero bytes), so we have to do it
  2837  		// ourselves to force the HTTP response header and/or
  2838  		// final DATA frame (with END_STREAM) to be sent.
  2839  		_, err = chunkWriter{rws}.Write(nil)
  2840  		if err == nil {
  2841  			select {
  2842  			case <-rws.stream.cw:
  2843  				err = rws.stream.closeErr
  2844  			default:
  2845  			}
  2846  		}
  2847  	}
  2848  	return err
  2849  }
  2850  
  2851  func (w *responseWriter) CloseNotify() <-chan bool {
  2852  	rws := w.rws
  2853  	if rws == nil {
  2854  		panic("CloseNotify called after Handler finished")
  2855  	}
  2856  	rws.closeNotifierMu.Lock()
  2857  	ch := rws.closeNotifierCh
  2858  	if ch == nil {
  2859  		ch = make(chan bool, 1)
  2860  		rws.closeNotifierCh = ch
  2861  		cw := rws.stream.cw
  2862  		go func() {
  2863  			cw.Wait() // wait for close
  2864  			ch <- true
  2865  		}()
  2866  	}
  2867  	rws.closeNotifierMu.Unlock()
  2868  	return ch
  2869  }
  2870  
  2871  func (w *responseWriter) Header() Header {
  2872  	rws := w.rws
  2873  	if rws == nil {
  2874  		panic("Header called after Handler finished")
  2875  	}
  2876  	if rws.handlerHeader == nil {
  2877  		rws.handlerHeader = make(Header)
  2878  	}
  2879  	return rws.handlerHeader
  2880  }
  2881  
  2882  // checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode.
  2883  func checkWriteHeaderCode(code int) {
  2884  	// Issue 22880: require valid WriteHeader status codes.
  2885  	// For now we only enforce that it's three digits.
  2886  	// In the future we might block things over 599 (600 and above aren't defined
  2887  	// at http://httpwg.org/specs/rfc7231.html#status.codes).
  2888  	// But for now any three digits.
  2889  	//
  2890  	// We used to send "HTTP/1.1 000 0" on the wire in responses but there's
  2891  	// no equivalent bogus thing we can realistically send in HTTP/2,
  2892  	// so we'll consistently panic instead and help people find their bugs
  2893  	// early. (We can't return an error from WriteHeader even if we wanted to.)
  2894  	if code < 100 || code > 999 {
  2895  		panic(fmt.Sprintf("invalid WriteHeader code %v", code))
  2896  	}
  2897  }
  2898  
  2899  func (w *responseWriter) WriteHeader(code int) {
  2900  	rws := w.rws
  2901  	if rws == nil {
  2902  		panic("WriteHeader called after Handler finished")
  2903  	}
  2904  	rws.writeHeader(code)
  2905  }
  2906  
  2907  func (rws *responseWriterState) writeHeader(code int) {
  2908  	if rws.wroteHeader {
  2909  		return
  2910  	}
  2911  
  2912  	checkWriteHeaderCode(code)
  2913  
  2914  	// Handle informational headers
  2915  	if code >= 100 && code <= 199 {
  2916  		// Per RFC 8297 we must not clear the current header map
  2917  		h := rws.handlerHeader
  2918  
  2919  		_, cl := h["Content-Length"]
  2920  		_, te := h["Transfer-Encoding"]
  2921  		if cl || te {
  2922  			h = cloneHeader(h)
  2923  			h.Del("Content-Length")
  2924  			h.Del("Transfer-Encoding")
  2925  		}
  2926  
  2927  		rws.conn.writeHeaders(rws.stream, &writeResHeaders{
  2928  			streamID:    rws.stream.id,
  2929  			httpResCode: code,
  2930  			h:           h,
  2931  			endStream:   rws.handlerDone && !rws.hasTrailers(),
  2932  		})
  2933  
  2934  		return
  2935  	}
  2936  
  2937  	rws.wroteHeader = true
  2938  	rws.status = code
  2939  	if len(rws.handlerHeader) > 0 {
  2940  		rws.snapHeader = cloneHeader(rws.handlerHeader)
  2941  	}
  2942  }
  2943  
  2944  func cloneHeader(h Header) Header {
  2945  	h2 := make(Header, len(h))
  2946  	for k, vv := range h {
  2947  		vv2 := make([]string, len(vv))
  2948  		copy(vv2, vv)
  2949  		h2[k] = vv2
  2950  	}
  2951  	return h2
  2952  }
  2953  
  2954  // The Life Of A Write is like this:
  2955  //
  2956  // * Handler calls w.Write or w.WriteString ->
  2957  // * -> rws.bw (*bufio.Writer) ->
  2958  // * (Handler might call Flush)
  2959  // * -> chunkWriter{rws}
  2960  // * -> responseWriterState.writeChunk(p []byte)
  2961  // * -> responseWriterState.writeChunk (most of the magic; see comment there)
  2962  func (w *responseWriter) Write(p []byte) (n int, err error) {
  2963  	return w.write(len(p), p, "")
  2964  }
  2965  
  2966  func (w *responseWriter) WriteString(s string) (n int, err error) {
  2967  	return w.write(len(s), nil, s)
  2968  }
  2969  
  2970  // either dataB or dataS is non-zero.
  2971  func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) {
  2972  	rws := w.rws
  2973  	if rws == nil {
  2974  		panic("Write called after Handler finished")
  2975  	}
  2976  	if !rws.wroteHeader {
  2977  		w.WriteHeader(200)
  2978  	}
  2979  	if !bodyAllowedForStatus(rws.status) {
  2980  		return 0, ErrBodyNotAllowed
  2981  	}
  2982  	rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set
  2983  	if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen {
  2984  		// TODO: send a RST_STREAM
  2985  		return 0, errors.New("http2: handler wrote more than declared Content-Length")
  2986  	}
  2987  
  2988  	if dataB != nil {
  2989  		return rws.bw.Write(dataB)
  2990  	} else {
  2991  		return rws.bw.WriteString(dataS)
  2992  	}
  2993  }
  2994  
  2995  func (w *responseWriter) handlerDone() {
  2996  	rws := w.rws
  2997  	rws.handlerDone = true
  2998  	w.Flush()
  2999  	w.rws = nil
  3000  	responseWriterStatePool.Put(rws)
  3001  }
  3002  
  3003  // Push errors.
  3004  var (
  3005  	ErrRecursivePush    = errors.New("http2: recursive push not allowed")
  3006  	ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
  3007  )
  3008  
  3009  func (w *responseWriter) Push(target, method string, header Header) error {
  3010  	st := w.rws.stream
  3011  	sc := st.sc
  3012  	sc.serveG.checkNotOn()
  3013  
  3014  	// No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream."
  3015  	// http://tools.ietf.org/html/rfc7540#section-6.6
  3016  	if st.isPushed() {
  3017  		return ErrRecursivePush
  3018  	}
  3019  
  3020  	// Default options.
  3021  	if method == "" {
  3022  		method = "GET"
  3023  	}
  3024  	if header == nil {
  3025  		header = Header{}
  3026  	}
  3027  	wantScheme := "http"
  3028  	if w.rws.req.TLS != nil {
  3029  		wantScheme = "https"
  3030  	}
  3031  
  3032  	// Validate the request.
  3033  	u, err := url.Parse(target)
  3034  	if err != nil {
  3035  		return err
  3036  	}
  3037  	if u.Scheme == "" {
  3038  		if !strings.HasPrefix(target, "/") {
  3039  			return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target)
  3040  		}
  3041  		u.Scheme = wantScheme
  3042  		u.Host = w.rws.req.Host
  3043  	} else {
  3044  		if u.Scheme != wantScheme {
  3045  			return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme)
  3046  		}
  3047  		if u.Host == "" {
  3048  			return errors.New("URL must have a host")
  3049  		}
  3050  	}
  3051  	for k := range header {
  3052  		if strings.HasPrefix(k, ":") {
  3053  			return fmt.Errorf("promised request headers cannot include pseudo header %q", k)
  3054  		}
  3055  		// These headers are meaningful only if the request has a body,
  3056  		// but PUSH_PROMISE requests cannot have a body.
  3057  		// http://tools.ietf.org/html/rfc7540#section-8.2
  3058  		// Also disallow Host, since the promised URL must be absolute.
  3059  		if asciiEqualFold(k, "content-length") ||
  3060  			asciiEqualFold(k, "content-encoding") ||
  3061  			asciiEqualFold(k, "trailer") ||
  3062  			asciiEqualFold(k, "te") ||
  3063  			asciiEqualFold(k, "expect") ||
  3064  			asciiEqualFold(k, "host") {
  3065  			return fmt.Errorf("promised request headers cannot include %q", k)
  3066  		}
  3067  	}
  3068  	if err := checkValidHTTP2RequestHeaders(header); err != nil {
  3069  		return err
  3070  	}
  3071  
  3072  	// The RFC effectively limits promised requests to GET and HEAD:
  3073  	// "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]"
  3074  	// http://tools.ietf.org/html/rfc7540#section-8.2
  3075  	if method != "GET" && method != "HEAD" {
  3076  		return fmt.Errorf("method %q must be GET or HEAD", method)
  3077  	}
  3078  
  3079  	msg := &startPushRequest{
  3080  		parent: st,
  3081  		method: method,
  3082  		url:    u,
  3083  		header: cloneHeader(header),
  3084  		done:   sc.srv.state.getErrChan(),
  3085  	}
  3086  
  3087  	select {
  3088  	case <-sc.doneServing:
  3089  		return errClientDisconnected
  3090  	case <-st.cw:
  3091  		return errStreamClosed
  3092  	case sc.serveMsgCh <- msg:
  3093  	}
  3094  
  3095  	select {
  3096  	case <-sc.doneServing:
  3097  		return errClientDisconnected
  3098  	case <-st.cw:
  3099  		return errStreamClosed
  3100  	case err := <-msg.done:
  3101  		sc.srv.state.putErrChan(msg.done)
  3102  		return err
  3103  	}
  3104  }
  3105  
  3106  type startPushRequest struct {
  3107  	parent *stream
  3108  	method string
  3109  	url    *url.URL
  3110  	header Header
  3111  	done   chan error
  3112  }
  3113  
  3114  func (sc *serverConn) startPush(msg *startPushRequest) {
  3115  	sc.serveG.check()
  3116  
  3117  	// http://tools.ietf.org/html/rfc7540#section-6.6.
  3118  	// PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that
  3119  	// is in either the "open" or "half-closed (remote)" state.
  3120  	if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote {
  3121  		// responseWriter.Push checks that the stream is peer-initiated.
  3122  		msg.done <- errStreamClosed
  3123  		return
  3124  	}
  3125  
  3126  	// http://tools.ietf.org/html/rfc7540#section-6.6.
  3127  	if !sc.pushEnabled {
  3128  		msg.done <- ErrNotSupported
  3129  		return
  3130  	}
  3131  
  3132  	// PUSH_PROMISE frames must be sent in increasing order by stream ID, so
  3133  	// we allocate an ID for the promised stream lazily, when the PUSH_PROMISE
  3134  	// is written. Once the ID is allocated, we start the request handler.
  3135  	allocatePromisedID := func() (uint32, error) {
  3136  		sc.serveG.check()
  3137  
  3138  		// Check this again, just in case. Technically, we might have received
  3139  		// an updated SETTINGS by the time we got around to writing this frame.
  3140  		if !sc.pushEnabled {
  3141  			return 0, ErrNotSupported
  3142  		}
  3143  		// http://tools.ietf.org/html/rfc7540#section-6.5.2.
  3144  		if sc.curPushedStreams+1 > sc.clientMaxStreams {
  3145  			return 0, ErrPushLimitReached
  3146  		}
  3147  
  3148  		// http://tools.ietf.org/html/rfc7540#section-5.1.1.
  3149  		// Streams initiated by the server MUST use even-numbered identifiers.
  3150  		// A server that is unable to establish a new stream identifier can send a GOAWAY
  3151  		// frame so that the client is forced to open a new connection for new streams.
  3152  		if sc.maxPushPromiseID+2 >= 1<<31 {
  3153  			sc.startGracefulShutdownInternal()
  3154  			return 0, ErrPushLimitReached
  3155  		}
  3156  		sc.maxPushPromiseID += 2
  3157  		promisedID := sc.maxPushPromiseID
  3158  
  3159  		// http://tools.ietf.org/html/rfc7540#section-8.2.
  3160  		// Strictly speaking, the new stream should start in "reserved (local)", then
  3161  		// transition to "half closed (remote)" after sending the initial HEADERS, but
  3162  		// we start in "half closed (remote)" for simplicity.
  3163  		// See further comments at the definition of stateHalfClosedRemote.
  3164  		promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote, defaultRFC9218Priority(sc.priorityAware && !sc.hasIntermediary))
  3165  		rw, req, err := sc.newWriterAndRequestNoBody(promised, httpcommon.ServerRequestParam{
  3166  			Method:    msg.method,
  3167  			Scheme:    msg.url.Scheme,
  3168  			Authority: msg.url.Host,
  3169  			Path:      msg.url.RequestURI(),
  3170  			Header:    cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
  3171  		})
  3172  		if err != nil {
  3173  			// Should not happen, since we've already validated msg.url.
  3174  			panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
  3175  		}
  3176  
  3177  		sc.curHandlers++
  3178  		go sc.runHandler(rw, req, sc.handler.ServeHTTP)
  3179  		return promisedID, nil
  3180  	}
  3181  
  3182  	sc.writeFrame(FrameWriteRequest{
  3183  		write: &writePushPromise{
  3184  			streamID:           msg.parent.id,
  3185  			method:             msg.method,
  3186  			url:                msg.url,
  3187  			h:                  msg.header,
  3188  			allocatePromisedID: allocatePromisedID,
  3189  		},
  3190  		stream: msg.parent,
  3191  		done:   msg.done,
  3192  	})
  3193  }
  3194  
  3195  // foreachHeaderElement splits v according to the "#rule" construction
  3196  // in RFC 7230 section 7 and calls fn for each non-empty element.
  3197  func foreachHeaderElement(v string, fn func(string)) {
  3198  	v = textproto.TrimString(v)
  3199  	if v == "" {
  3200  		return
  3201  	}
  3202  	if !strings.Contains(v, ",") {
  3203  		fn(v)
  3204  		return
  3205  	}
  3206  	for f := range strings.SplitSeq(v, ",") {
  3207  		if f = textproto.TrimString(f); f != "" {
  3208  			fn(f)
  3209  		}
  3210  	}
  3211  }
  3212  
  3213  // From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2
  3214  var connHeaders = []string{
  3215  	"Connection",
  3216  	"Keep-Alive",
  3217  	"Proxy-Connection",
  3218  	"Transfer-Encoding",
  3219  	"Upgrade",
  3220  }
  3221  
  3222  // checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request,
  3223  // per RFC 7540 Section 8.1.2.2.
  3224  // The returned error is reported to users.
  3225  func checkValidHTTP2RequestHeaders(h Header) error {
  3226  	for _, k := range connHeaders {
  3227  		if _, ok := h[k]; ok {
  3228  			return fmt.Errorf("request header %q is not valid in HTTP/2", k)
  3229  		}
  3230  	}
  3231  	te := h["Te"]
  3232  	if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) {
  3233  		return errors.New(`request header "TE" may only be "trailers" in HTTP/2`)
  3234  	}
  3235  	return nil
  3236  }
  3237  
  3238  type serve400Handler struct {
  3239  	err error
  3240  }
  3241  
  3242  func (handler serve400Handler) ServeHTTP(w *ResponseWriter, r *ServerRequest) {
  3243  	const statusBadRequest = 400
  3244  
  3245  	// TODO: Dedup with http.Error?
  3246  	h := w.Header()
  3247  	h.Del("Content-Length")
  3248  	h.Set("Content-Type", "text/plain; charset=utf-8")
  3249  	h.Set("X-Content-Type-Options", "nosniff")
  3250  	w.WriteHeader(statusBadRequest)
  3251  	fmt.Fprintln(w, handler.err.Error())
  3252  }
  3253  
  3254  // h1ServerKeepAlivesDisabled reports whether hs has its keep-alives
  3255  // disabled. See comments on h1ServerShutdownChan above for why
  3256  // the code is written this way.
  3257  func h1ServerKeepAlivesDisabled(hs ServerConfig) bool {
  3258  	return !hs.DoKeepAlives()
  3259  }
  3260  
  3261  func (sc *serverConn) countError(name string, err error) error {
  3262  	if sc == nil || sc.srv == nil {
  3263  		return err
  3264  	}
  3265  	f := sc.countErrorFunc
  3266  	if f == nil {
  3267  		return err
  3268  	}
  3269  	var typ string
  3270  	var code ErrCode
  3271  	switch e := err.(type) {
  3272  	case ConnectionError:
  3273  		typ = "conn"
  3274  		code = ErrCode(e)
  3275  	case StreamError:
  3276  		typ = "stream"
  3277  		code = ErrCode(e.Code)
  3278  	default:
  3279  		return err
  3280  	}
  3281  	codeStr := errCodeName[code]
  3282  	if codeStr == "" {
  3283  		codeStr = strconv.Itoa(int(code))
  3284  	}
  3285  	f(fmt.Sprintf("%s_%s_%s", typ, codeStr, name))
  3286  	return err
  3287  }
  3288
View as plain text