We've noticed a few crashes for requests using SPDY (on ATS 5.2.x and 6..x) where the downstream origin is down with a backtrace that looks something like:
Which looks a bit odd-- as frame 0 is missing. From digging into it a bit more (with the help of Alan M. Carroll) we found that the VC we where calling was an INKContInternal (meaning an INKVConnInternal):
From looking at the debug logs that lead up to the crash, I'm seeing that some events (namely timeout events) are being called after the VConn has been destroy()'d . This lead me to find that INKVConnInternal::handle_event is actually checking if that is the case-- and then re-destroying everything, which makes no sense.
So although the ideal would be to not call handle_event on a closed VConn, crashing is definitely not acceptable. My solution is to continue to only call the event handler if the VConn hasn't been deleted-- but instead of attempting to re-destroy the connection, we'll leave it be (unless we are in debug mode-- where I'll throw in an assert).
I did some looking at this on ATS7 and it looks like this is all fixed by the cleanup of the whole free-ing stuff for VConns (https://github.com/apache/trafficserver/pull/752/files).