Posted to modperl@perl.apache.org by Carl Johnstone <fa...@fadetoblack.demon.co.uk> on 2005/02/24 16:36:54 UTC

[mp1] Apache::Cookie(?) Seg Fault

Getting an occasional Segfault which I've traced back to this line in a 
FixupHandler:

  my %cookies = Apache::Cookie->fetch;

I'm running Apache/1.3.31 with mod_perl/1.29 on Solaris 8.

Looking at the gdb trace, is the request pool becoming corrupt somewhere 
between ApacheCookie_new and ap_make_array?

Carl



Program received signal SIGSEGV, Segmentation fault.
0x000c56f0 in ap_palloc (a=0x1380938, reqsize=20) at alloc.c:700
700         char *first_avail = blok->h.first_avail;
(gdb) bt
#0  0x000c56f0 in ap_palloc (a=0x1380938, reqsize=20) at alloc.c:700
#1  0x000c5d84 in ap_make_array (p=0x1380938, nelts=1, elt_size=4) at 
alloc.c:992
#2  0xfe1d5a40 in ApacheCookie_new (r=0x1380960) at apache_cookie.c:79
#3  0xfe1d3550 in XS_Apache__Cookie_parse (cv=0xe7cce4) at Cookie.xs:208
#4  0x001c8bf0 in Perl_pp_entersub () at pp_hot.c:2840
#5  0x00196538 in Perl_runops_debug () at dump.c:1438
#6  0x0010fdec in S_call_body (myop=0xffbef630, is_eval=0) at perl.c:2221
#7  0x0010f7f4 in Perl_call_sv (sv=0x1088a4c, flags=4) at perl.c:2139
#8  0x0004bce4 in perl_call_handler (sv=0x1088a4c, r=0x12481f8, args=0x0) at 
mod_perl.c:1668
#9  0x0004af00 in perl_run_stacked_handlers (hook=0x2a5480 
"PerlFixupHandler", r=0x12481f8, handlers=0x1088a7c) at mod_perl.c:1381
#10 0x000499d0 in perl_fixup (r=0x12481f8) at mod_perl.c:1071
#11 0x000cc8b4 in run_method (r=0x12481f8, offset=23, run_all=1) at 
http_config.c:327
#12 0x000cca10 in ap_run_fixups (r=0x12481f8) at http_config.c:354
#13 0x000ee578 in process_request_internal (r=0x12481f8) at 
http_request.c:1284
#14 0x000ee640 in ap_process_request (r=0x12481f8) at http_request.c:1305
#15 0x000e093c in child_main (child_num_arg=9) at http_main.c:4804
#16 0x000e0cb4 in make_child (s=0x2fbde8, slot=9, now=1109256953) at 
http_main.c:4974
#17 0x000e1218 in perform_idle_server_maintenance () at http_main.c:5159
#18 0x000e1bc0 in standalone_main (argc=1, argv=0xffbefe2c) at 
http_main.c:5412
#19 0x000e2524 in main (argc=1, argv=0xffbefe2c) at http_main.c:5665
(gdb) p *a
$2 = {
  first = 0x1380960,
  last = 0x0,
  cleanups = 0x0,
  subprocesses = 0x0,
  sub_pools = 0x0,
  sub_next = 0x0,
  sub_prev = 0x0,
  parent = 0x137e920,
  free_first_avail = 0x1380960 "\0018\t8"
}
(gdb) up
#1  0x000c5d84 in ap_make_array (p=0x1380938, nelts=1, elt_size=4) at 
alloc.c:992
992         array_header *res = (array_header *) ap_palloc(p, 
sizeof(array_header));
(gdb) p *p
$3 = {
  first = 0x1380960,
  last = 0x0,
  cleanups = 0x0,
  subprocesses = 0x0,
  sub_pools = 0x0,
  sub_next = 0x0,
  sub_prev = 0x0,
  parent = 0x137e920,
  free_first_avail = 0x1380960 "\0018\t8"
}
(gdb) up
#2  0xfe1d5a40 in ApacheCookie_new (r=0x1380960) at apache_cookie.c:79
79          c->values = ap_make_array(r->pool, 1, sizeof(char *));
(gdb) p r->pool
$4 = (ap_pool *) 0x1380938
(gdb) p *(r->pool)
$5 = {
  first = 0x2f436f6f,
  last = 0x6b69652f,
  cleanups = 0x14092a0,
  subprocesses = 0x0,
  sub_pools = 0x29,
  sub_next = 0x0,
  sub_prev = 0x0,
  parent = 0x0,
  free_first_avail = 0x0
}
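
Added triage example, not part of the original post: it takes the nine words gdb printed for *(r->pool) in $5 and flags any field made up entirely of printable ASCII, which is a common sign that a pointer field holds string data rather than an address. Most-significant-byte-first order is an assumption, and pool_field, word_as_text and scan_pool are names made up for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field values copied from the "$5" print of *(r->pool) in the post. */
struct pool_field { const char *name; uint32_t value; };
static const struct pool_field dump[] = {
    {"first", 0x2f436f6f}, {"last", 0x6b69652f}, {"cleanups", 0x14092a0},
    {"subprocesses", 0x0}, {"sub_pools", 0x29}, {"sub_next", 0x0},
    {"sub_prev", 0x0}, {"parent", 0x0}, {"free_first_avail", 0x0},
};

/* Split a 32-bit word into bytes, most significant first (assumed byte
 * order). Returns 1 only if all four bytes are printable ASCII. */
static int word_as_text(uint32_t w, char out[5])
{
    int printable = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(w >> (24 - 8 * i));
        if (!isprint(b)) printable = 0;
        out[i] = isprint(b) ? (char)b : '.';
    }
    out[4] = '\0';
    return printable;
}

/* Append the text of every all-printable field to buf; return the count. */
static int scan_pool(char *buf, size_t buflen)
{
    int hits = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof dump / sizeof dump[0]; i++) {
        char txt[5];
        if (word_as_text(dump[i].value, txt)) {
            hits++;
            strncat(buf, txt, buflen - strlen(buf) - 1);
            printf("%-9s 0x%08x = \"%s\"\n", dump[i].name, (unsigned)dump[i].value, txt);
        }
    }
    return hits;
}

int main(void)
{
    char text[64];
    printf("%d text-like field(s): \"%s\"\n", scan_pool(text, sizeof text), text);
    return 0;
}
```

On the values above it flags first and last, which read "/Coo" and "kie/".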


Re: [mp1] Apache::Cookie(?) Seg Fault

Posted by Carl Johnstone <fa...@fadetoblack.demon.co.uk>.
> This looks like a va_* related bug to me.

None of the va_* arguments would seem to be used before we hit the fault.

> The arg list to
> ApacheCookie_new() must be NULL-terminated, and between
> the r and NULL there must be an even number of arguments.

The call to ApacheCookie_new() in XS_Apache__Cookie_parse() is OK:

  c = ApacheCookie_new(r, NULL);


I'm using gcc 3.3.2. Will leave a build of gcc 3.4.3 running overnight and 
try rebuilding apache with that sometime tomorrow.

Carl


Re: [mp1] Apache::Cookie(?) Seg Fault

Posted by Joe Schaefer <jo...@sunstarsys.com>.
"Carl Johnstone" <fa...@fadetoblack.demon.co.uk> writes:

[...]

> #1  0x000c5d84 in ap_make_array (p=0x1380938, nelts=1, elt_size=4) at
> alloc.c:992
> 992         array_header *res = (array_header *) ap_palloc(p,
> sizeof(array_header));
> (gdb) p *p
> $3 = {
>   first = 0x1380960,
>   last = 0x0,
>   cleanups = 0x0,
>   subprocesses = 0x0,
>   sub_pools = 0x0,
>   sub_next = 0x0,
>   sub_prev = 0x0,
>   parent = 0x137e920,
>   free_first_avail = 0x1380960 "\0018\t8"
> }
> (gdb) up
> #2  0xfe1d5a40 in ApacheCookie_new (r=0x1380960) at apache_cookie.c:79
> 79          c->values = ap_make_array(r->pool, 1, sizeof(char *));
> (gdb) p r->pool
> $4 = (ap_pool *) 0x1380938
> (gdb) p *(r->pool)
> $5 = {
>   first = 0x2f436f6f,
>   last = 0x6b69652f,
>   cleanups = 0x14092a0,
>   subprocesses = 0x0,
>   sub_pools = 0x29,
>   sub_next = 0x0,
>   sub_prev = 0x0,
>   parent = 0x0,
>   free_first_avail = 0x0
> }

This looks like a va_* related bug to me.  The arg list to 
ApacheCookie_new() must be NULL-terminated, and between
the r and NULL there must be an even number of arguments.
Not sure what's gone wrong here tho.

-- 
Joe Schaefer
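
Added example, not libapreq code and not from the thread: a hypothetical variadic constructor, attrs_new, that follows the calling contract described in the reply above (key/value pairs after the fixed argument, closed by NULL) and rejects a key that has no value. The struct, the function name, MAX_ATTRS and the sample keys are all constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

#define MAX_ATTRS 8

struct attrs {                  /* hypothetical stand-in for a cookie object */
    const char *key[MAX_ATTRS];
    const char *val[MAX_ATTRS];
    int n;
};

/* Contract: after the fixed argument comes key, value, ..., NULL.
 * Returns 0 on success, -1 if a key has no value or there are more
 * than MAX_ATTRS pairs. An odd list is caught only because the closing
 * NULL lands in the value slot; a call with no NULL at all cannot be
 * detected and reads whatever follows on the stack or in registers. */
static int attrs_new(struct attrs *a, const char *name, ...)
{
    va_list ap;
    int rc = 0;

    (void)name;
    a->n = 0;
    va_start(ap, name);
    for (;;) {
        const char *k = va_arg(ap, char *);
        if (k == NULL)
            break;                      /* well-formed end of list */
        const char *v = va_arg(ap, char *);
        if (v == NULL || a->n == MAX_ATTRS) {
            rc = -1;                    /* dangling key or too many pairs */
            break;
        }
        a->key[a->n] = k;
        a->val[a->n++] = v;
    }
    va_end(ap);
    return rc;
}

int main(void)
{
    struct attrs a;
    /* The sentinel is written (char *)NULL: a bare 0 may not be pointer-sized. */
    printf("no pairs: %d\n", attrs_new(&a, "c", (char *)NULL));
    printf("one pair: %d\n", attrs_new(&a, "c", "k1", "v1", (char *)NULL));
    printf("odd list: %d\n", attrs_new(&a, "c", "k1", (char *)NULL));
    return 0;
}
```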