grpc 1.23.0 → 1.24.0

data/src/core/lib/security/security_connector/ssl_utils_config.h

@@ -0,0 +1,30 @@
+/*
+ *
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_CONFIG_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_CONFIG_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/gprpp/global_config.h"
+
+GPR_GLOBAL_CONFIG_DECLARE_STRING(grpc_default_ssl_roots_file_path);
+GPR_GLOBAL_CONFIG_DECLARE_BOOL(grpc_not_use_system_ssl_roots);
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_CONFIG_H \
+        */

data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc

@@ -38,6 +38,8 @@
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security.h"
 
+namespace grpc_core {
+
 namespace {
 
 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
@@ -58,42 +60,55 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
   return tsi_pairs;
 }
 
-/** -- Util function to populate SPIFFE server/channel credentials. -- */
-grpc_core::RefCountedPtr<grpc_tls_key_materials_config>
-PopulateSpiffeCredentials(const grpc_tls_credentials_options& options) {
-  GPR_ASSERT(options.credential_reload_config() != nullptr ||
-             options.key_materials_config() != nullptr);
-  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config;
+}  // namespace
+
+/** -- Util function to fetch SPIFFE server/channel credentials. -- */
+grpc_status_code TlsFetchKeyMaterials(
+    const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
+        key_materials_config,
+    const grpc_tls_credentials_options& options,
+    grpc_ssl_certificate_config_reload_status* reload_status) {
+  GPR_ASSERT(key_materials_config != nullptr);
+  bool is_key_materials_empty =
+      key_materials_config->pem_key_cert_pair_list().empty();
+  if (options.credential_reload_config() == nullptr && is_key_materials_empty) {
+    gpr_log(GPR_ERROR,
+            "Either credential reload config or key materials should be "
+            "provisioned.");
+    return GRPC_STATUS_FAILED_PRECONDITION;
+  }
+  grpc_status_code status = GRPC_STATUS_OK;
   /* Use credential reload config to fetch credentials. */
   if (options.credential_reload_config() != nullptr) {
     grpc_tls_credential_reload_arg* arg =
         grpc_core::New<grpc_tls_credential_reload_arg>();
-    key_materials_config = grpc_tls_key_materials_config_create()->Ref();
     arg->key_materials_config = key_materials_config.get();
     int result = options.credential_reload_config()->Schedule(arg);
     if (result) {
       /* Do not support async credential reload. */
       gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
+      status =
+          is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
     } else {
-      grpc_ssl_certificate_config_reload_status status = arg->status;
-      if (status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
+      GPR_ASSERT(reload_status != nullptr);
+      *reload_status = arg->status;
+      if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
+        /* Key materials is not empty. */
         gpr_log(GPR_DEBUG, "Credential does not change after reload.");
-      } else if (status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
-        gpr_log(GPR_ERROR, "Credential reload failed with an error: %s",
-                arg->error_details);
+      } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
+        gpr_log(GPR_ERROR, "Credential reload failed with an error:");
+        if (arg->error_details != nullptr) {
+          gpr_log(GPR_ERROR, "%s", arg->error_details);
+        }
+        status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
       }
     }
     gpr_free((void*)arg->error_details);
     grpc_core::Delete(arg);
-    /* Use existing key materials config. */
-  } else {
-    key_materials_config = options.key_materials_config()->Ref();
   }
-  return key_materials_config;
+  return status;
 }
 
-}  // namespace
-
 SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
@@ -104,6 +119,7 @@ SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
       overridden_target_name_(overridden_target_name == nullptr
                                   ? nullptr
                                   : gpr_strdup(overridden_target_name)) {
+  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
   check_arg_ = ServerAuthorizationCheckArgCreate(this);
   grpc_core::StringView host;
   grpc_core::StringView port;
@@ -115,12 +131,19 @@ SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
   if (client_handshaker_factory_ != nullptr) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
   }
+  if (key_materials_config_.get() != nullptr) {
+    key_materials_config_.get()->Unref();
+  }
   ServerAuthorizationCheckArgDestroy(check_arg_);
 }
 
 void SpiffeChannelSecurityConnector::add_handshakers(
     grpc_pollset_set* interested_parties,
     grpc_core::HandshakeManager* handshake_mgr) {
+  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
+    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
+    return;
+  }
   // Instantiate TSI handshaker.
   tsi_handshaker* tsi_hs = nullptr;
   tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
@@ -239,32 +262,75 @@ SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
           std::move(channel_creds), std::move(request_metadata_creds),
           target_name, overridden_target_name);
   if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
+    gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
     return nullptr;
   }
   return c;
 }
 
-grpc_security_status
-SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
+grpc_security_status SpiffeChannelSecurityConnector::ReplaceHandshakerFactory(
     tsi_ssl_session_cache* ssl_session_cache) {
-  const SpiffeCredentials* creds =
-      static_cast<const SpiffeCredentials*>(channel_creds());
-  auto key_materials_config = PopulateSpiffeCredentials(creds->options());
-  if (key_materials_config->pem_key_cert_pair_list().empty()) {
-    key_materials_config->Unref();
-    return GRPC_SECURITY_ERROR;
+  /* Free the client handshaker factory if exists. */
+  if (client_handshaker_factory_) {
+    tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
   }
+  GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
   tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
-      key_materials_config->pem_key_cert_pair_list());
+      key_materials_config_->pem_key_cert_pair_list());
   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
-      pem_key_cert_pair, key_materials_config->pem_root_certs(),
+      pem_key_cert_pair, key_materials_config_->pem_root_certs(),
       ssl_session_cache, &client_handshaker_factory_);
-  // Free memory.
-  key_materials_config->Unref();
+  /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
   return status;
 }
 
+grpc_security_status
+SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
+    tsi_ssl_session_cache* ssl_session_cache) {
+  grpc_core::MutexLock lock(&mu_);
+  const SpiffeCredentials* creds =
+      static_cast<const SpiffeCredentials*>(channel_creds());
+  grpc_tls_key_materials_config* key_materials_config =
+      creds->options().key_materials_config();
+  /* Copy key materials config from credential options. */
+  if (key_materials_config != nullptr) {
+    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
+        key_materials_config->pem_key_cert_pair_list();
+    auto pem_root_certs = grpc_core::UniquePtr<char>(
+        gpr_strdup(key_materials_config->pem_root_certs()));
+    key_materials_config_->set_key_materials(std::move(pem_root_certs),
+                                             std::move(cert_pair_list));
+  }
+  grpc_ssl_certificate_config_reload_status reload_status =
+      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
+                           &reload_status) != GRPC_STATUS_OK) {
+    /* Raise an error if key materials are not populated. */
+    return GRPC_SECURITY_ERROR;
+  }
+  return ReplaceHandshakerFactory(ssl_session_cache);
+}
+
+grpc_security_status
+SpiffeChannelSecurityConnector::RefreshHandshakerFactory() {
+  grpc_core::MutexLock lock(&mu_);
+  const SpiffeCredentials* creds =
+      static_cast<const SpiffeCredentials*>(channel_creds());
+  grpc_ssl_certificate_config_reload_status reload_status =
+      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
+                           &reload_status) != GRPC_STATUS_OK) {
+    return GRPC_SECURITY_ERROR;
+  }
+  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
+    // Re-use existing handshaker factory.
+    return GRPC_SECURITY_OK;
+  } else {
+    return ReplaceHandshakerFactory(nullptr);
+  }
+}
+
 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckDone(
     grpc_tls_server_authorization_check_arg* arg) {
   GPR_ASSERT(arg != nullptr);
@@ -332,19 +398,28 @@ void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
 SpiffeServerSecurityConnector::SpiffeServerSecurityConnector(
     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
     : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
-                                     std::move(server_creds)) {}
+                                     std::move(server_creds)) {
+  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
+}
 
 SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
   if (server_handshaker_factory_ != nullptr) {
     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
   }
+  if (key_materials_config_.get() != nullptr) {
+    key_materials_config_.get()->Unref();
+  }
 }
 
 void SpiffeServerSecurityConnector::add_handshakers(
     grpc_pollset_set* interested_parties,
     grpc_core::HandshakeManager* handshake_mgr) {
+  /* Refresh handshaker factory if needed. */
+  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
+    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
+    return;
+  }
   /* Create a TLS SPIFFE TSI handshaker for server. */
-  RefreshServerHandshakerFactory();
   tsi_handshaker* tsi_hs = nullptr;
   tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
       server_handshaker_factory_, &tsi_hs);
@@ -384,39 +459,76 @@ SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
   grpc_core::RefCountedPtr<SpiffeServerSecurityConnector> c =
       grpc_core::MakeRefCounted<SpiffeServerSecurityConnector>(
           std::move(server_creds));
-  if (c->RefreshServerHandshakerFactory() != GRPC_SECURITY_OK) {
+  if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
+    gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
     return nullptr;
   }
   return c;
 }
 
-grpc_security_status
-SpiffeServerSecurityConnector::RefreshServerHandshakerFactory() {
+grpc_security_status SpiffeServerSecurityConnector::ReplaceHandshakerFactory() {
   const SpiffeServerCredentials* creds =
       static_cast<const SpiffeServerCredentials*>(server_creds());
-  auto key_materials_config = PopulateSpiffeCredentials(creds->options());
-  /* Credential reload does NOT take effect and we need to keep using
-   * the existing handshaker factory. */
-  if (key_materials_config->pem_key_cert_pair_list().empty()) {
-    key_materials_config->Unref();
-    return GRPC_SECURITY_ERROR;
-  }
-  /* Credential reload takes effect and we need to free the existing
-   * handshaker library. */
+  /* Free the server handshaker factory if exists. */
   if (server_handshaker_factory_) {
     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
   }
+  GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
   tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
-      key_materials_config->pem_key_cert_pair_list());
+      key_materials_config_->pem_key_cert_pair_list());
   size_t num_key_cert_pairs =
-      key_materials_config->pem_key_cert_pair_list().size();
+      key_materials_config_->pem_key_cert_pair_list().size();
   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
       pem_key_cert_pairs, num_key_cert_pairs,
-      key_materials_config->pem_root_certs(),
+      key_materials_config_->pem_root_certs(),
       creds->options().cert_request_type(), &server_handshaker_factory_);
-  // Free memory.
-  key_materials_config->Unref();
+  /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);
   return status;
 }
+
+grpc_security_status
+SpiffeServerSecurityConnector::InitializeHandshakerFactory() {
+  grpc_core::MutexLock lock(&mu_);
+  const SpiffeServerCredentials* creds =
+      static_cast<const SpiffeServerCredentials*>(server_creds());
+  grpc_tls_key_materials_config* key_materials_config =
+      creds->options().key_materials_config();
+  if (key_materials_config != nullptr) {
+    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
+        key_materials_config->pem_key_cert_pair_list();
+    auto pem_root_certs = grpc_core::UniquePtr<char>(
+        gpr_strdup(key_materials_config->pem_root_certs()));
+    key_materials_config_->set_key_materials(std::move(pem_root_certs),
+                                             std::move(cert_pair_list));
+  }
+  grpc_ssl_certificate_config_reload_status reload_status =
+      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
+                           &reload_status) != GRPC_STATUS_OK) {
+    /* Raise an error if key materials are not populated. */
+    return GRPC_SECURITY_ERROR;
+  }
+  return ReplaceHandshakerFactory();
+}
+
+grpc_security_status SpiffeServerSecurityConnector::RefreshHandshakerFactory() {
+  grpc_core::MutexLock lock(&mu_);
+  const SpiffeServerCredentials* creds =
+      static_cast<const SpiffeServerCredentials*>(server_creds());
+  grpc_ssl_certificate_config_reload_status reload_status =
+      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
+                           &reload_status) != GRPC_STATUS_OK) {
+    return GRPC_SECURITY_ERROR;
+  }
+  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
+    /* At this point, we should have key materials populated. */
+    return GRPC_SECURITY_OK;
+  } else {
+    return ReplaceHandshakerFactory();
+  }
+}
+
+}  // namespace grpc_core

data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h

@@ -21,11 +21,14 @@
 
 #include <grpc/support/port_platform.h>
 
+#include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 
 #define GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE "spiffe"
 
+namespace grpc_core {
+
 // Spiffe channel security connector.
 class SpiffeChannelSecurityConnector final
     : public grpc_channel_security_connector {
@@ -66,6 +69,11 @@ class SpiffeChannelSecurityConnector final
   grpc_security_status InitializeHandshakerFactory(
       tsi_ssl_session_cache* ssl_session_cache);
 
+  // A util function to create a new client handshaker factory to replace
+  // the existing one if exists.
+  grpc_security_status ReplaceHandshakerFactory(
+      tsi_ssl_session_cache* ssl_session_cache);
+
   // gRPC-provided callback executed by application, which servers to bring the
   // control back to gRPC core.
   static void ServerAuthorizationCheckDone(
@@ -83,11 +91,17 @@ class SpiffeChannelSecurityConnector final
   static void ServerAuthorizationCheckArgDestroy(
       grpc_tls_server_authorization_check_arg* arg);
 
+  // A util function to refresh SSL TSI client handshaker factory with a valid
+  // credential.
+  grpc_security_status RefreshHandshakerFactory();
+
+  grpc_core::Mutex mu_;
   grpc_closure* on_peer_checked_;
   grpc_core::UniquePtr<char> target_name_;
   grpc_core::UniquePtr<char> overridden_target_name_;
   tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
   grpc_tls_server_authorization_check_arg* check_arg_;
+  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
 };
 
 // Spiffe server security connector.
@@ -113,11 +127,30 @@ class SpiffeServerSecurityConnector final
   int cmp(const grpc_security_connector* other) const override;
 
  private:
+  // Initialize SSL TSI server handshaker factory.
+  grpc_security_status InitializeHandshakerFactory();
+
+  // A util function to create a new server handshaker factory to replace the
+  // existing once if exists.
+  grpc_security_status ReplaceHandshakerFactory();
+
   // A util function to refresh SSL TSI server handshaker factory with a valid
   // credential.
-  grpc_security_status RefreshServerHandshakerFactory();
+  grpc_security_status RefreshHandshakerFactory();
+
+  grpc_core::Mutex mu_;
   tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
+  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
 };
 
+// Exposed for testing only.
+grpc_status_code TlsFetchKeyMaterials(
+    const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
+        key_materials_config,
+    const grpc_tls_credentials_options& options,
+    grpc_ssl_certificate_config_reload_status* status);
+
+}  // namespace grpc_core
+
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H \
         */

data/src/core/lib/slice/slice_intern.cc

@@ -138,11 +138,12 @@ grpc_slice grpc_slice_maybe_static_intern(grpc_slice slice,
   for (uint32_t i = 0; i <= max_static_metadata_hash_probe; i++) {
     static_metadata_hash_ent ent =
         static_metadata_hash[(hash + i) % GPR_ARRAY_SIZE(static_metadata_hash)];
+    const grpc_core::StaticMetadataSlice* static_slice_table =
+        grpc_static_slice_table();
     if (ent.hash == hash && ent.idx < GRPC_STATIC_MDSTR_COUNT &&
-        grpc_slice_eq_static_interned(slice,
-                                      grpc_static_slice_table[ent.idx])) {
+        grpc_slice_eq_static_interned(slice, static_slice_table[ent.idx])) {
       *returned_slice_is_different = true;
-      return grpc_static_slice_table[ent.idx];
+      return static_slice_table[ent.idx];
     }
   }
 
@@ -168,10 +169,11 @@ static const grpc_core::StaticMetadataSlice* MatchStaticSlice(
   for (uint32_t i = 0; i <= max_static_metadata_hash_probe; i++) {
     static_metadata_hash_ent ent =
         static_metadata_hash[(hash + i) % GPR_ARRAY_SIZE(static_metadata_hash)];
+    const grpc_core::StaticMetadataSlice* static_slice_table =
+        grpc_static_slice_table();
     if (ent.hash == hash && ent.idx < GRPC_STATIC_MDSTR_COUNT &&
-        grpc_static_slice_table[ent.idx].Equals(
-            std::forward<SliceArgs>(args)...)) {
-      return &grpc_static_slice_table[ent.idx];
+        static_slice_table[ent.idx].Equals(std::forward<SliceArgs>(args)...)) {
+      return &static_slice_table[ent.idx];
     }
   }
   return nullptr;
@@ -206,7 +208,11 @@ static InternedSliceRefcount* InternNewStringLocked(slice_shard* shard,
   InternedSliceRefcount* s =
       static_cast<InternedSliceRefcount*>(gpr_malloc(sizeof(*s) + len));
   new (s) grpc_core::InternedSliceRefcount(len, hash, shard->strs[shard_idx]);
-  memcpy(reinterpret_cast<char*>(s + 1), buffer, len);
+  // TODO(arjunroy): Investigate why hpack tried to intern the nullptr string.
+  // https://github.com/grpc/grpc/pull/20110#issuecomment-526729282
+  if (len > 0) {
+    memcpy(reinterpret_cast<char*>(s + 1), buffer, len);
+  }
   shard->strs[shard_idx] = s;
   shard->count++;
   if (shard->count > shard->capacity * 2) {
@@ -318,9 +324,11 @@ void grpc_slice_intern_init(void) {
     static_metadata_hash[i].idx = GRPC_STATIC_MDSTR_COUNT;
   }
   max_static_metadata_hash_probe = 0;
+  const grpc_core::StaticMetadataSlice* static_slice_table =
+      grpc_static_slice_table();
   for (size_t i = 0; i < GRPC_STATIC_MDSTR_COUNT; i++) {
     grpc_static_metadata_hash_values[i] =
-        grpc_slice_default_hash_internal(grpc_static_slice_table[i]);
+        grpc_slice_default_hash_internal(static_slice_table[i]);
     for (size_t j = 0; j < GPR_ARRAY_SIZE(static_metadata_hash); j++) {
       size_t slot = (grpc_static_metadata_hash_values[i] + j) %
                     GPR_ARRAY_SIZE(static_metadata_hash);
@@ -336,7 +344,7 @@ void grpc_slice_intern_init(void) {
   }
   // Handle KV hash for all static mdelems.
   for (size_t i = 0; i < GRPC_STATIC_MDELEM_COUNT; ++i) {
-    grpc_static_mdelem_table[i].HashInit();
+    grpc_static_mdelem_table()[i].HashInit();
   }
 }