diff --git a/src/core/lib/surface/server.cc b/src/core/lib/surface/server.cc index 76d61e889df..2402f45e9da 100644 --- a/src/core/lib/surface/server.cc +++ b/src/core/lib/surface/server.cc @@ -262,6 +262,7 @@ class Server::RealRequestMatcherFilterStack : public RequestMatcherInterface { for (LockedMultiProducerSingleConsumerQueue& queue : requests_per_cq_) { GPR_ASSERT(queue.Pop() == nullptr); } + GPR_ASSERT(pending_.empty()); } void ZombifyPending() override { @@ -301,6 +302,8 @@ class Server::RealRequestMatcherFilterStack : public RequestMatcherInterface { MutexLock lock(&server_->mu_call_); while (!pending_.empty() && pending_.front().Age() > server_->max_time_in_pending_queue_) { + pending_.front().calld->SetState(CallData::CallState::ZOMBIED); + pending_.front().calld->KillZombie(); pending_.pop(); } if (!pending_.empty()) { diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/5250991764078592 b/test/core/end2end/fuzzers/server_fuzzer_corpus/5250991764078592 new file mode 100644 index 00000000000..780fc006e1a --- /dev/null +++ b/test/core/end2end/fuzzers/server_fuzzer_corpus/5250991764078592 @@ -0,0 +1,76 @@ +network_input { + input_segments { + segments { + delay_ms: 10 + client_prefix { + } + } + segments { + settings { + } + } + segments { + delay_ms: 16777217 + header { + stream_id: 3 + end_headers: true + simple_header { + grpc_timeout: "00m" + te: "trailers" + scheme: "http" + method: "POST" + authority: "foo" + path: "/req" + } + } + } + segments { + delay_ms: 10 + } + } +} +api_actions { + sleep_ms: 16777266 +} +api_actions { + request_call { + } +} +api_actions { + cancel_call { + } +} +api_actions { + poll_cq { + } +} +api_actions { + get_peer { + } +} +api_actions { + cancel_call { + } +} +api_actions { + create_call { + propagation_mask: 589824 + } +} +channel_args { + args { + i: 0 + } + args { + str: "~\177\177" + } + args { + str: "~\177\177" + } + args { + key: "0" + } + args { + key: "0" + } +}