I could not find the cause: only when using Chromium I get a crash, but when using Firefox I never do.

Some hints for the nginx experts that might help:

- I use my handler module + filter module (when the module is disabled, no crash).
- I use C++ code in a shared lib, and sometimes the crash is in the C++ object destructor. The object is allocated on the stack (not a ptr, just a regular declaration like: obj_t obj1) and freed automatically at the end of the function.
- I attach here the headers of the FF / CHR browsers.
- When using valgrind, I get some warnings (see below) but never a crash, even in CHR.
- nginx runs on a virtual machine (CentOS 6.3) under Ubuntu 12.10. The browser runs on the Ubuntu.
- The response handler runs when a subrequest returns from an upstream server, then the handler continues and goes to the filter module.
- Sometimes when using palloc I got alignment errors, so I used pnalloc. Is it the source of the bug? When to use palloc and when to use pnalloc? (See below the function that uses pnalloc.)
- When restarting nginx and doing CTRL+F5 in the CHR browser (right after the previous crash), it's easy to get another crash with the same stack trace, while when browsing to another page it takes time to reproduce the crash.
===============
Thread [1] (Suspended: Signal 'SIGABRT' received. Description: Aborted.)
15 raise() 0x00007ffff64e18a5
14 abort() 0x00007ffff64e3085
13 __libc_message() 0x00007ffff651efe7
12 malloc_printerr() 0x00007ffff6524916
11 _int_free() 0x00007ffff6527443
10 ngx_destroy_pool() ngx_palloc.c:87 0x0000000000406a22
9 ngx_http_free_request() ngx_http_request.c:3081 0x000000000044dbfb
8 ngx_http_close_request() ngx_http_request.c:3006 0x000000000044d9b3
7 ngx_http_terminate_handler() ngx_http_request.c:2176 0x000000000044bc38
6 ngx_http_run_posted_requests() ngx_http_request.c:1903 0x000000000044b1ad
5 ngx_http_request_handler() ngx_http_request.c:1869 0x000000000044b0b6
4 ngx_epoll_process_events() ngx_epoll_module.c:683 0x00000000004377d6
3 ngx_process_events_and_timers() ngx_event.c:247 0x00000000004281f4
2 ngx_single_process_cycle() ngx_process_cycle.c:316 0x0000000000434442
1 main() nginx.c:409 0x0000000000403cdc

valgrind:
==27496== Address 0x90c0b2d is 29 bytes inside a block of size 3,366 free'd
==27496== at 0x4C2645F: operator delete(void*) (vg_replace_malloc.c:387)
==27496== by 0x59B73AD: SBB::ResponseBean::~ResponseBean() (in /usr/local/lib/libClientAPI-C-Lib.so)
==27496== by 0x57ABB04: ngx_sbb_med_handle_va_response (in /usr/local/lib/libngx_sbb_mediator.so)
==27496== by 0x4A933D: ngx_sbb_va_response_handler (ngx_sbb_module.c:274)
==27496== by 0x4AA372: ngx_sbb_post_subrequest_handler (ngx_sbb_mod_utils.c:89)
==27496== by 0x44B3C0: ngx_http_finalize_request (ngx_http_request.c:1961)
==27496== by 0x465407: ngx_http_upstream_finalize_request (ngx_http_upstream.c:3095)

CHR headers:
GET /index.php?cat=1&pag=1&det=108 HTTP/1.1
Host: —
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Ubuntu/12.10 Chromium/22.0.1229.94 Chrome/22.0.1229.94 Safari/537.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://yellowmockup.com/index.php?cat=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,he;q=0.6
Accept-Charset: UTF-8,*;q=0.5
Cookie: adOtr=4aYP5; PRLST=Ya; UTGv2=h4a59e6b096ada50ad0a1243f0549366c032; x-autozoom=150f; SPSI=56aa48be644d6ac8ccec5dd82ade576d

FF headers:
GET /index.php?cat=1&pag=1&det=108 HTTP/1.1
Host: —
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: UTGv2=h430c577bc94965b18d99cd502407af14a80; SPSI=63c40df4be7823f2acbc8e966a8817df; PRLST=zi/Jv/DT; adOtr=04Hd6
Pragma: no-cache
Cache-Control: no-cache
another crash dump:
Thread [1] (Suspended: Signal 'SIGSEGV' received. Description: Segmentation fault.)
16 memcpy() 0x00007ffff65381ab
15 sbb_strncpy() ngx_sbb_utils.c:12 0x00000000004a9e5f
14 ngx_sbb_utils_str2char() ngx_sbb_mod_utils.c:253 0x00000000004aaab7
13 ngx_sbb_med_prepare_va_request() 0x00007ffff725d7b4
12 ngx_sbb_handler() ngx_sbb_module.c:229 0x00000000004a913d
11 ngx_http_core_rewrite_phase() ngx_http_core_module.c:931 0x000000000043d2a1
10 ngx_http_core_run_phases() ngx_http_core_module.c:877 0x000000000043d103
9 ngx_http_handler() ngx_http_core_module.c:860 0x000000000043d07a
8 ngx_http_process_request() ngx_http_request.c:1687 0x000000000044ac51
7 ngx_http_process_request_headers() ngx_http_request.c:1135 0x0000000000449809
6 ngx_http_process_request_line() ngx_http_request.c:933 0x0000000000448fbe
5 ngx_http_init_request() ngx_http_request.c:519 0x000000000044873f
4 ngx_epoll_process_events() ngx_epoll_module.c:683 0x00000000004377d6
3 ngx_process_events_and_timers() ngx_event.c:247 0x00000000004281f4
2 ngx_single_process_cycle() ngx_process_cycle.c:316 0x0000000000434442
1 main() nginx.c:409 0x0000000000403cdc

#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>

// copies exactly n bytes from src to dst, then adds null in n+1
// (alloc dst to n+1 first !)
u_char *sbb_strncpy(u_char *dst, u_char *src, size_t n)
{
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

// allocate, copy and add terminating null. do not return null but null_str
// to avoid segmentation fault later (dereferencing null ptr)
// (gv_null_str is defined elsewhere in the module and is not shown here)
u_char *ngx_sbb_utils_str2char(ngx_http_request_t *r, ngx_str_t *ngx_str)
{
    u_char *res = NULL;

    if ((!ngx_str) || (!r))
        return (u_char *) gv_null_str;

    res = ngx_pnalloc(r->pool, ngx_str->len + 1);
    if (!res)
        return (u_char *) gv_null_str;

    return sbb_strncpy(res, ngx_str->data, ngx_str->len); // adds terminating null
}

Posted at Nginx Forum:
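
On the palloc / pnalloc question in the post, the following is an added example, not part of the original post and not nginx source: a simplified model of one pool block showing that ngx_palloc rounds the bump pointer up to NGX_ALIGNMENT while ngx_pnalloc does not. All toy_ names, the backing buffer and misalignment_after_string() are assumptions made for the illustration; nginx's real pools also chain further blocks and hand large requests to malloc.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of one nginx pool block: a bump pointer over a buffer.
 * Every toy_ name is a stand-in for illustration, not nginx's API. */
#define TOY_ALIGNMENT sizeof(unsigned long)   /* how NGX_ALIGNMENT is defined */
#define toy_align_ptr(p, a) \
    ((unsigned char *) (((uintptr_t) (p) + ((uintptr_t) (a) - 1)) \
                        & ~((uintptr_t) (a) - 1)))

typedef struct {
    unsigned char *last;   /* next free byte in the block */
    unsigned char *end;    /* one past the end of the block */
} toy_pool_t;

static void *toy_alloc(toy_pool_t *pool, size_t size, int align)
{
    unsigned char *m = pool->last;

    if (align) {
        m = toy_align_ptr(m, TOY_ALIGNMENT);   /* the step only palloc takes */
    }
    if (m > pool->end || (size_t) (pool->end - m) < size) {
        return NULL;   /* real pools chain a new block or malloc here */
    }
    pool->last = m + size;
    return m;
}

/* Aligned: for structs and anything read or written as a wider type. */
void *toy_palloc(toy_pool_t *pool, size_t size)  { return toy_alloc(pool, size, 1); }
/* Unaligned: for byte strings, e.g. a copied ngx_str_t plus its NUL. */
void *toy_pnalloc(toy_pool_t *pool, size_t size) { return toy_alloc(pool, size, 0); }

/* Copies a string of len + 1 bytes into the pool, then allocates 16 more
 * bytes and returns how far that second pointer is from an aligned address. */
size_t misalignment_after_string(size_t len, int use_palloc)
{
    static unsigned long storage[64];   /* constructed, word-aligned buffer */
    toy_pool_t pool = { (unsigned char *) storage,
                        (unsigned char *) storage + sizeof(storage) };
    void *p;

    (void) toy_pnalloc(&pool, len + 1);   /* like ngx_sbb_utils_str2char() */
    p = use_palloc ? toy_palloc(&pool, 16) : toy_pnalloc(&pool, 16);
    return (size_t) ((uintptr_t) p % TOY_ALIGNMENT);
}
```

In this model a NUL-terminated string copy fits ngx_pnalloc, as in ngx_sbb_utils_str2char() above, while memory that will hold a struct or be handed to code expecting word alignment should come from ngx_palloc.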