Segfault in ap_core_output_filter - how to debug?

I am getting a very occasional segfault in ap_core_output_filter. By
'very occasional' I mean after watching ten minutes of YouTube video
over VNC with VNC streamed through websockets through Apache. I'm
wondering what is the best way to debug this.

I'm running
apache2-mpm-prefork 2.2.14-5ubuntu8.

What seems to happen each time is that the bucket brigade list
gets corrupted. Though the prefork mpm is being used, the module
(apache websockets) is threaded (in the sense that it does
its own apr_thread_create). The module that isn't mine maintains
a mutex preventing each of the input and output brigades from
being manipulated by both threads, but does not prevent one
thread manipulating one bb whilst the other manipulates the other
bb. I've seen different sorts of corruption, but it always seems
to be in the bb.

I take it there is nothing to prevent one using the ap_ functions
from more than one thread whilst running the prefork mpm?

Any idea how I might debug this? Running with valgrind and -X
comprehensively hides the bug.

Core dump and some gdb bits below.

--
Alex Bligh

Core was generated by `/usr/sbin/apache2'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f8dd2010414 in ap_core_output_filter (f=<value optimised out>, b=0x7f8dd30308b8) at /build/buildd/apache2-2.2.14/server/core_filters.c:630
630	/build/buildd/apache2-2.2.14/server/core_filters.c: No such file or directory.
	in /build/buildd/apache2-2.2.14/server/core_filters.c
(gdb) bt
#0  0x00007f8dd2010414 in ap_core_output_filter (f=<value optimised out>, b=0x7f8dd30308b8) at /build/buildd/apache2-2.2.14/server/core_filters.c:630
#1  0x00007f8dca185f85 in mod_websocket_plugin_send (server=0x7fff3d9cbe30, type=0, buffer=0x7f8dc0025e81 "3.png,2.14,1.0,4.1186,3.590,3344.iVBORw0KGgoAAAANSUhEUgAAAjwAAAAKCAIAAAA/0RNUAAAABmJLR0QA/wD/AP+gvaeTAAAJf0lEQVR4nO1b247jOA4l5VuSRj3PJ+z/f1YDXQ+NXaDKsUTuw4lpWhenUp1uDGaKD4YiyxJFSTw6lML/+Wsax/F0Oo3jOAy"..., buffer_size=3378) at mod_websocket.c:363
#2  0x00007f8dc9d7b472 in tcp_proxy_run (thread=0x7f8dd3031130, data=0x7f8dd3030d38) at mod_websocket_vnc_proxy.c:980
#3  0x00007f8dd174deb3 in ?? () from /usr/lib/libapr-1.so.0
#4  0x00007f8dd150d9ca in start_thread (arg=<value optimised out>) at pthread_create.c:300
#5  0x00007f8dd126acdd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6  0x0000000000000000 in ?? ()

(gdb) print *b
$29 = {p = 0x7f8dd302ac88, list = {next = 0x7f8dd3028e98, prev = 0x7f8dd3028d58}, bucket_alloc = 0x7f8dd3028c78}
(gdb) print *(b->list->next)
$30 = {link = {next = 0x7f8dd3028d58, prev = 0x7f8dd30308c0}, type = 0x7f8dd1b7bc60, length = 3382, start = 0, data = 0x7f8dd3028fd8, free = 0x7f8dd1962d20 <apr_bucket_free>, list = 0x7f8dd3028c78}
(gdb) print *(b->list->next->link->next)
$31 = {link = {next = 0x7f8dd30308bf, prev = 0x7f8dd3028e98}, type = 0x1f40, length = 0, start = 0, data = 0x0, free = 0x7f8dd1962d20 <apr_bucket_free>, list = 0x7f8dd3028c78}

Note the final one of these is bogus (e.g. broken type pointer)
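
Added example, not part of the original post: a small C checker for a bucket ring transcribed from a core dump like the one above. It verifies that each element's prev matches the element visited before it and that the walk returns to the ring head. The struct and function names are illustrative, and the head address used for the posted values (b + 8, the address of b->list) is an assumption about this x86_64 build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One ring element as read from gdb: its address plus link.next/link.prev. */
struct ring_node { uint64_t addr, next, prev; };

static const struct ring_node *find_node(const struct ring_node *n, size_t cnt,
                                         uint64_t addr)
{
    for (size_t i = 0; i < cnt; i++)
        if (n[i].addr == addr)
            return &n[i];
    return NULL;
}

/* Walk forward from the ring head. Returns 0 when every hop is consistent and
 * the walk ends at the sentinel; otherwise the address of the first element
 * (or the sentinel, for the head itself) whose links break the ring. */
uint64_t ring_first_bad(uint64_t sentinel, uint64_t head_next, uint64_t head_prev,
                        const struct ring_node *n, size_t cnt)
{
    uint64_t last = sentinel, cur = head_next;
    for (size_t hops = 0; hops <= cnt; hops++) {
        if (cur == sentinel)                 /* closed the ring */
            return last == head_prev ? 0 : sentinel;
        const struct ring_node *e = find_node(n, cnt, cur);
        if (e == NULL)                       /* 'next' leads to no known element */
            return last;
        if (e->prev != last)                 /* back link disagrees */
            return e->addr;
        last = e->addr;
        cur = e->next;
    }
    return last;                             /* cycle that never reaches the sentinel */
}

/* Values copied from the gdb session in the post. The sentinel address is an
 * assumption: b + 8, i.e. the address of b->list on this x86_64 build. */
uint64_t check_posted_dump(void)
{
    static const struct ring_node buckets[] = {
        { 0x7f8dd3028e98ULL, 0x7f8dd3028d58ULL, 0x7f8dd30308c0ULL }, /* $30 */
        { 0x7f8dd3028d58ULL, 0x7f8dd30308bfULL, 0x7f8dd3028e98ULL }, /* $31 */
    };
    return ring_first_bad(0x7f8dd30308c0ULL, 0x7f8dd3028e98ULL, 0x7f8dd3028d58ULL, buckets, 2);
}

int main(void) { printf("first bad: 0x%llx\n", (unsigned long long)check_posted_dump()); return 0; }
```

On the posted values it returns 0x7f8dd3028d58, the element printed as $31: its next pointer 0x7f8dd30308bf is one byte below the assumed ring head 0x7f8dd30308c0.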