Posted to dev@apr.apache.org by Bill Stoddard <bi...@wstoddard.com> on 2002/03/18 17:26:26 UTC

Win32 segfault in allocator code

I get this when I shutdown Apache 2 in Windows... (net stop apache2). I have not had time
to spend debugging this one...

NTDLL! 77f83941()
NTDLL! 77f838c6()
apr_allocator_free(apr_allocator_t * 0x00512768, apr_memnode_t * 0x00513fc8) line 322
apr_pool_destroy(apr_pool_t * 0x00513fd8) line 687
apr_pool_terminate() line 524
apr_terminate() line 237
destroy_and_exit_process(process_rec * 0x005180d8, int 0) line 242
main(int 4, const char * const * 0x005126f0) line 621 + 11 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e8d326()


Re: Win32 segfault in allocator code

Posted by Branko Čibej <br...@xbc.nu>.
Sander Striker wrote:

>>That patch doesn't solve the problem. apr_terminate still crashes in the 
>>pool cleanup.
>>
>
>Hmmm, reviewing the code again.  The patch is basically a noop, since
>apr_allocator_destroy doesn't even use the lock.  Moving the code up
>a few lines, as in my next commit, will fix it I think.
>
*Much* better, thank you! :-)


-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/




RE: Win32 segfault in allocator code

Posted by Sander Striker <st...@apache.org>.
> From: Branko Cibej [mailto:brane@xbc.nu]
> Sent: 19 March 2002 16:14

> Sander Striker wrote:
> 
> >>From: Bill Stoddard [mailto:bill@wstoddard.com]
> >>Sent: 19 March 2002 05:43
> >>
> >
> >>>I'm pretty sure I have identified the problem on Windows.  The blow up happens when we
> >>>are trying to obtain a mutex that has been freed. This happens on the very last pool to be
> >>>cleaned up (the "global_pool"). In apr_pool_destroy, we call the pool cleanups (one of
> >>>which is for the mutex in the allocator) then call apr_allocator_free() which proceeds
> >>>to attempt to acquire the mutex that was just freed.
> >>>
> >
> >Oh, duh!  Why didn't I think of that?
> >Thanks for tracking this down Bill.
> >
> >
> >>This hack of a patch eliminates the seg fault.  I am not so familiar with the pool code and
> >>am not inclined to dig into it right now.  Perhaps the check to NULL out the mutex should
> >>be
> >>
> >>if (apr_allocator_get_owner(allocator) == pool) {
> >>
> >>???
> >>
> >
> >Yes, that is the correct spot.  I've committed a patch similar to yours.
> >
> 
> That patch doesn't solve the problem. apr_terminate still crashes in the 
> pool cleanup.

Hmmm, reviewing the code again.  The patch is basically a noop, since
apr_allocator_destroy doesn't even use the lock.  Moving the code up
a few lines, as in my next commit, will fix it I think.

Thanks,

Sander


Re: Win32 segfault in allocator code

Posted by Branko Čibej <br...@xbc.nu>.
Sander Striker wrote:

>>From: Bill Stoddard [mailto:bill@wstoddard.com]
>>Sent: 19 March 2002 05:43
>>
>
>>>I'm pretty sure I have identified the problem on Windows.  The blow up happens when we
>>>are trying to obtain a mutex that has been freed. This happens on the very last pool to be
>>>cleaned up (the "global_pool"). In apr_pool_destroy, we call the pool cleanups (one of
>>>which is for the mutex in the allocator) then call apr_allocator_free() which proceeds
>>>to attempt to acquire the mutex that was just freed.
>>>
>
>Oh, duh!  Why didn't I think of that?
>Thanks for tracking this down Bill.
>
>
>>This hack of a patch eliminates the seg fault.  I am not so familiar with the pool code and
>>am not inclined to dig into it right now.  Perhaps the check to NULL out the mutex should
>>be
>>
>>if (apr_allocator_get_owner(allocator) == pool) {
>>
>>???
>>
>
>Yes, that is the correct spot.  I've committed a patch similar to yours.
>

That patch doesn't solve the problem. apr_terminate still crashes in the 
pool cleanup.

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/




RE: Win32 segfault in allocator code

Posted by Sander Striker <st...@apache.org>.
> From: Bill Stoddard [mailto:bill@wstoddard.com]
> Sent: 19 March 2002 05:43

>> I'm pretty sure I have identified the problem on Windows.  The blow up happens when we
>> are trying to obtain a mutex that has been freed. This happens on the very last pool to be
>> cleaned up (the "global_pool"). In apr_pool_destroy, we call the pool cleanups (one of
>> which is for the mutex in the allocator) then call apr_allocator_free() which proceeds
>> to attempt to acquire the mutex that was just freed.

Oh, duh!  Why didn't I think of that?
Thanks for tracking this down Bill.


> This hack of a patch eliminates the seg fault.  I am not so familiar with the pool code and
> am not inclined to dig into it right now.  Perhaps the check to NULL out the mutex should
> be
> 
> if (apr_allocator_get_owner(allocator) == pool) {
> 
> ???

Yes, that is the correct spot.  I've committed a patch similar to yours.

> Bill

Sander


Re: Win32 segfault in allocator code

Posted by Bill Stoddard <bi...@wstoddard.com>.
This hack of a patch eliminates the seg fault. I am not so familiar with the pool code and
am not inclined to dig into it right now. Perhaps the check to NULL out the mutex should
be

if (apr_allocator_get_owner(allocator) == pool) {

???

Bill

Index: apr_pools.c
===================================================================
RCS file: /home/cvs/apr/memory/unix/apr_pools.c,v
retrieving revision 1.160
diff -u -r1.160 apr_pools.c
--- apr_pools.c 18 Mar 2002 15:01:42 -0000 1.160
+++ apr_pools.c 19 Mar 2002 04:37:00 -0000
@@ -668,7 +668,15 @@
             apr_thread_mutex_unlock(mutex);
 #endif /* APR_HAS_THREADS */
     }
-
+#if APR_HAS_THREADS
+    else {
+        /* This pools allocator mutex was cleaned up during run_cleanups()
+         * This hack will prevent apr_allocator_free from attempting to
+         * access the mutex
+         */
+        pool->allocator->mutex = NULL;
+     }
+#endif
     /* Find the block attached to the pool structure.  Save a copy of the
      * allocator pointer, because the pool struct soon will be no more.
      */

----- Original Message -----
From: "Bill Stoddard" <bi...@wstoddard.com>
To: "APR Development List" <de...@apr.apache.org>
Sent: Monday, March 18, 2002 11:09 PM
Subject: Re: Win32 segfault in allocator code


> I'm pretty sure I have identified the problem on Windows.  The blow up happens when we are
> trying to obtain a mutex that has been freed. This happens on the very last pool to be
> cleaned up (the "global_pool"). In apr_pool_destroy, we call the pool cleanups (one of
> which is for the mutex in the allocator) then call apr_allocator_free() which proceeds to
> attempt to acquire the mutex that was just freed.
>
> Will post a patch later on unless someone beats me to it.
>
> Bill
>
> ----- Original Message -----
> From: "Bill Stoddard" <bi...@wstoddard.com>
> To: "APR Development List" <de...@apr.apache.org>
> Sent: Monday, March 18, 2002 11:26 AM
> Subject: Win32 segfault in allocator code
>
>
> > I get this when I shutdown Apache 2 in Windows... (net stop apache2). I have not had time
> > to spend debugging this one...
> >
> > NTDLL! 77f83941()
> > NTDLL! 77f838c6()
> > apr_allocator_free(apr_allocator_t * 0x00512768, apr_memnode_t * 0x00513fc8) line 322
> > apr_pool_destroy(apr_pool_t * 0x00513fd8) line 687
> > apr_pool_terminate() line 524
> > apr_terminate() line 237
> > destroy_and_exit_process(process_rec * 0x005180d8, int 0) line 242
> > main(int 4, const char * const * 0x005126f0) line 621 + 11 bytes
> > mainCRTStartup() line 338 + 17 bytes
> > KERNEL32! 77e8d326()
> >
>


Re: Win32 segfault in allocator code

Posted by Bill Stoddard <bi...@wstoddard.com>.
I'm pretty sure I have identified the problem on Windows.  The blow up happens when we are
trying to obtain a mutex that has been freed. This happens on the very last pool to be
cleaned up (the "global_pool"). In apr_pool_destroy, we call the pool cleanups (one of
which is for the mutex in the allocator) then call apr_allocator_free() which proceeds to
attempt to acquire the mutex that was just freed.

Will post a patch later on unless someone beats me to it.

Bill

----- Original Message -----
From: "Bill Stoddard" <bi...@wstoddard.com>
To: "APR Development List" <de...@apr.apache.org>
Sent: Monday, March 18, 2002 11:26 AM
Subject: Win32 segfault in allocator code


> I get this when I shutdown Apache 2 in Windows... (net stop apache2). I have not had time
> to spend debugging this one...
>
> NTDLL! 77f83941()
> NTDLL! 77f838c6()
> apr_allocator_free(apr_allocator_t * 0x00512768, apr_memnode_t * 0x00513fc8) line 322
> apr_pool_destroy(apr_pool_t * 0x00513fd8) line 687
> apr_pool_terminate() line 524
> apr_terminate() line 237
> destroy_and_exit_process(process_rec * 0x005180d8, int 0) line 242
> main(int 4, const char * const * 0x005126f0) line 621 + 11 bytes
> mainCRTStartup() line 338 + 17 bytes
> KERNEL32! 77e8d326()
>

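The ordering Bill describes above, as an added example that is not part of the thread or of APR's own code: a small C model of a pool whose cleanup tears down the allocator's mutex before the allocator free routine would lock it, run once with no fix, once with the owner check proposed on the list, and once with an unconditional reset applied while destroying a second pool that shares the allocator. The sim_* names, the FIX_* modes and the poisoned-magic mutex are assumptions of the model, not APR API.

```c
/* Added example, not APR code: a model of the shutdown crash diagnosed in
 * the thread. sim_* names, FIX_* modes and the poisoned-magic mutex are
 * assumptions of the model. */
#include <stdio.h>
#include <stdlib.h>

#define SIM_MUTEX_LIVE 0x4D555458u   /* "MUTX" */
#define SIM_MUTEX_DEAD 0xDEADDEADu

typedef struct sim_mutex { unsigned magic; } sim_mutex_t;
typedef struct sim_pool sim_pool_t;

typedef struct sim_allocator {
    sim_mutex_t *mutex;   /* NULL: the allocator runs unlocked */
    sim_pool_t  *owner;   /* pool whose cleanup tears the mutex down */
} sim_allocator_t;

typedef void (*sim_cleanup_fn)(void *data);

struct sim_pool {
    sim_allocator_t *allocator;
    sim_cleanup_fn   cleanup;        /* one cleanup per pool in the model */
    void            *cleanup_data;
};

/* The model never frees mutex storage, so a lock attempt after destroy
 * reads a deterministic poisoned value. Real APR frees it, and the read
 * is undefined behaviour (the NTDLL frames in the trace above). */
static sim_mutex_t *sim_mutex_create(void) {
    sim_mutex_t *m = calloc(1, sizeof *m);
    if (m) m->magic = SIM_MUTEX_LIVE;
    return m;
}

static void sim_mutex_destroy(sim_mutex_t *m) { if (m) m->magic = SIM_MUTEX_DEAD; }

/* 0 on success (or no mutex configured), -1 when the mutex is destroyed */
static int sim_mutex_lock(sim_mutex_t *m) {
    if (m == NULL) return 0;
    return m->magic == SIM_MUTEX_LIVE ? 0 : -1;
}

/* Cleanup registered on the owner pool, like the allocator mutex cleanup */
static void sim_mutex_cleanup(void *data) {
    sim_allocator_t *a = data;
    sim_mutex_destroy(a->mutex);
}

/* apr_allocator_free analogue: lock, return the node, unlock */
static int sim_allocator_free(sim_allocator_t *a) {
    if (sim_mutex_lock(a->mutex) != 0) return -1;   /* the crash, made visible */
    return 0;
}

enum { FIX_NONE, FIX_OWNER_CHECK, FIX_CLEAR_ALWAYS };

/* apr_pool_destroy analogue: cleanups run first, then the pool's memory
 * goes back through the allocator. The fix mode decides what happens to
 * the allocator's mutex pointer between those two steps. */
static int sim_pool_destroy(sim_pool_t *pool, int fix) {
    sim_allocator_t *a = pool->allocator;
    if (pool->cleanup) pool->cleanup(pool->cleanup_data);
    if (fix == FIX_OWNER_CHECK) {
        if (a->owner == pool) a->mutex = NULL;  /* the check proposed on the list */
    } else if (fix == FIX_CLEAR_ALWAYS) {
        a->mutex = NULL;                         /* reset regardless of ownership */
    }
    return sim_allocator_free(a);
}

/* Tear down a lone owner pool (the global_pool case).
 * Returns -1 for the crash path, 0 for a clean teardown. */
int sim_destroy_owner_pool(int fix) {
    sim_allocator_t alloc = { sim_mutex_create(), NULL };
    sim_pool_t global = { &alloc, sim_mutex_cleanup, &alloc };
    sim_mutex_t *m = alloc.mutex;
    alloc.owner = &global;
    int rc = sim_pool_destroy(&global, fix);
    free(m);
    return rc;
}

/* Tear down a pool that shares the allocator but does not own it.
 * Returns 1 if the owner lost its mutex as a side effect, else 0. */
int sim_destroy_shared_nonowner(int fix) {
    sim_allocator_t alloc = { sim_mutex_create(), NULL };
    sim_pool_t owner = { &alloc, sim_mutex_cleanup, &alloc };
    sim_pool_t other = { &alloc, NULL, NULL };   /* no mutex cleanup here */
    sim_mutex_t *m = alloc.mutex;
    alloc.owner = &owner;
    (void)sim_pool_destroy(&other, fix);
    int lost = (alloc.mutex == NULL);
    free(m);
    return lost;
}

int main(void) {
    printf("owner pool, no fix: rc=%d (owner check: rc=%d)\n",
           sim_destroy_owner_pool(FIX_NONE), sim_destroy_owner_pool(FIX_OWNER_CHECK));
    printf("shared allocator, clear always: owner lost mutex=%d (owner check: %d)\n",
           sim_destroy_shared_nonowner(FIX_CLEAR_ALWAYS), sim_destroy_shared_nonowner(FIX_OWNER_CHECK));
    return 0;
}
```

Compile with cc and run. With no fix, the single-pool teardown tries to lock the mutex its own cleanup just destroyed, which is the path that ends in NTDLL in the trace; the owner check keeps that teardown clean and leaves the mutex of a shared allocator in place when a non-owner pool is destroyed, whereas clearing the pointer unconditionally takes the lock away from an owner that still needs it.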

Re: Win32 segfault in allocator code

Posted by Aaron Bannert <aa...@clove.org>.
I'm definitely seeing something very similar to this, but in an earlier
version (near .32). For me it seems like the second allocator freelist
has been corrupted and points to an invalid mem region.

-aaron

On Mon, Mar 18, 2002 at 11:26:26AM -0500, Bill Stoddard wrote:
> I get this when I shutdown Apache 2 in Windows... (net stop apache2). I have not had time
> to spend debugging this one...
> 
> NTDLL! 77f83941()
> NTDLL! 77f838c6()
> apr_allocator_free(apr_allocator_t * 0x00512768, apr_memnode_t * 0x00513fc8) line 322
> apr_pool_destroy(apr_pool_t * 0x00513fd8) line 687
> apr_pool_terminate() line 524
> apr_terminate() line 237
> destroy_and_exit_process(process_rec * 0x005180d8, int 0) line 242
> main(int 4, const char * const * 0x005126f0) line 621 + 11 bytes
> mainCRTStartup() line 338 + 17 bytes
> KERNEL32! 77e8d326()