You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Wei Sun (JIRA)" <ji...@apache.org> on 2014/12/01 04:35:14 UTC

[jira] [Comment Edited] (TS-3201) ATS crash in PluginVC

    [ https://issues.apache.org/jira/browse/TS-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14229386#comment-14229386 ] 

Wei Sun edited comment on TS-3201 at 12/1/14 3:35 AM:
------------------------------------------------------

Found another crash that seems to be related, both indicated that the {{IOBufferReader}} pointed to the NULL {{MIOBuffer}}, whereas the MIOBuffer object is still existed.
{code}
(gdb) bt
#0  0x00000000004f5478 in IOBufferReader::allocated (this=0x18) at ../iocore/eventsystem/I_IOBuffer.h:766
#1  0x0000000000533986 in MIOBuffer::max_read_avail (this=0x0) at ../iocore/eventsystem/P_IOBuffer.h:1048
#2  0x000000000053bd72 in MIOBuffer::high_water (this=0x0) at ../iocore/eventsystem/I_IOBuffer.h:994
#3  0x00000000006cb386 in MIOBuffer::check_add_block (this=0x0) at ../../iocore/eventsystem/P_IOBuffer.h:965
#4  0x00000000006cb434 in MIOBuffer::write_avail (this=0x0) at ../../iocore/eventsystem/P_IOBuffer.h:1009
#5  0x0000000000735c8d in write_to_net_io (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:422
#6  0x00000000007358ef in write_to_net (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:354
#7  0x000000000072f09e in NetHandler::mainNetEvent (this=0x2b3980c0fbc0, event=5, e=0x18859b0) at UnixNet.cc:415
#8  0x00000000004f5854 in Continuation::handleEvent (this=0x2b3980c0fbc0, event=5, data=0x18859b0) at ../iocore/eventsystem/I_Continuation.h:146
#9  0x0000000000755d26 in EThread::process_event (this=0x2b3980c0c010, e=0x18859b0, calling_code=5) at UnixEThread.cc:145
#10 0x0000000000756230 in EThread::execute (this=0x2b3980c0c010) at UnixEThread.cc:269
#11 0x0000000000755284 in spawn_thread_internal (a=0x1bfd0a0) at Thread.cc:88
#12 0x00002b3960d4f9d1 in start_thread () from /lib64/libpthread.so.0
#13 0x0000003a86ce8b5d in clone () from /lib64/libc.so.6
(gdb) f 5
#5  0x0000000000735c8d in write_to_net_io (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:422
422	  if (towrite != ntodo && buf.writer()->write_avail()) {
(gdb) p vc->write.vio
$11 = {_cont = 0x2b39ecb366b0, nbytes = 9223372036854775807, ndone = 0, op = 2, buffer = {mbuf = 0x0, entry = 0x2b3a302acfd8}, vc_server = 0x2b399445d190, mutex = {m_ptr = 0x2b3a6c002100}}
(gdb)  p *vc->write.vio._cont
$12 = (SpdyClientSession) {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top = 0x797530}, handler = (int (Continuation::*)(Continuation *, int, 
    void *)) 0x61d34a <SpdyClientSession::state_session_readwrite(int, void*)>, mutex = {m_ptr = 0x2b3a6c002100}, link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}}, <PluginIdentity> = {
    _vptr.PluginIdentity = 0x797560}, sm_id = 4845541, version = spdy::SESSION_VERSION_3_1, total_size = 0, start_time = 1416313589240113216, vc = 0x2b399445d190, req_buffer = 0x2b3a49435e60, 
  req_reader = 0x2b3a49435e78, resp_buffer = 0x2b3a302acfc0, resp_reader = 0x2b3a302acfd8, read_vio = 0x2b399445d2a0, write_vio = 0x2b399445d308, event = 100, session = 0x2b3a05596230, 
  req_map = std::map with 0 elements}
(gdb)  p vc->write.vio._cont->resp_buffer
$13 = (tsapi_iobuffer *) 0x2b3a302acfc0
(gdb)  p *(IOBufferReader *)vc->write.vio._cont->resp_reader
$14 = {accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, size_limit = 9223372036854775807}
(gdb) 
{code}

The above trace shows {{SpdySession}} was not destroyed since this->mutex is not NULL, so {{resp_reader}} was not free'ed, and the {{SpdyRequest}} was even not established, seems that there is an issue on manipulating MIOBufferReader.


was (Author: sunwei):
Found another crash that seems to be related, both indicated that the {{IOBufferReader}} doesn't point to the NULL {{MIOBuffer}}, whereas the MIOBuffer object is still existed.
{code}
(gdb) bt
#0  0x00000000004f5478 in IOBufferReader::allocated (this=0x18) at ../iocore/eventsystem/I_IOBuffer.h:766
#1  0x0000000000533986 in MIOBuffer::max_read_avail (this=0x0) at ../iocore/eventsystem/P_IOBuffer.h:1048
#2  0x000000000053bd72 in MIOBuffer::high_water (this=0x0) at ../iocore/eventsystem/I_IOBuffer.h:994
#3  0x00000000006cb386 in MIOBuffer::check_add_block (this=0x0) at ../../iocore/eventsystem/P_IOBuffer.h:965
#4  0x00000000006cb434 in MIOBuffer::write_avail (this=0x0) at ../../iocore/eventsystem/P_IOBuffer.h:1009
#5  0x0000000000735c8d in write_to_net_io (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:422
#6  0x00000000007358ef in write_to_net (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:354
#7  0x000000000072f09e in NetHandler::mainNetEvent (this=0x2b3980c0fbc0, event=5, e=0x18859b0) at UnixNet.cc:415
#8  0x00000000004f5854 in Continuation::handleEvent (this=0x2b3980c0fbc0, event=5, data=0x18859b0) at ../iocore/eventsystem/I_Continuation.h:146
#9  0x0000000000755d26 in EThread::process_event (this=0x2b3980c0c010, e=0x18859b0, calling_code=5) at UnixEThread.cc:145
#10 0x0000000000756230 in EThread::execute (this=0x2b3980c0c010) at UnixEThread.cc:269
#11 0x0000000000755284 in spawn_thread_internal (a=0x1bfd0a0) at Thread.cc:88
#12 0x00002b3960d4f9d1 in start_thread () from /lib64/libpthread.so.0
#13 0x0000003a86ce8b5d in clone () from /lib64/libc.so.6
(gdb) f 5
#5  0x0000000000735c8d in write_to_net_io (nh=0x2b3980c0fbc0, vc=0x2b399445d190, thread=0x2b3980c0c010) at UnixNetVConnection.cc:422
422	  if (towrite != ntodo && buf.writer()->write_avail()) {
(gdb) p vc->write.vio
$11 = {_cont = 0x2b39ecb366b0, nbytes = 9223372036854775807, ndone = 0, op = 2, buffer = {mbuf = 0x0, entry = 0x2b3a302acfd8}, vc_server = 0x2b399445d190, mutex = {m_ptr = 0x2b3a6c002100}}
(gdb)  p *vc->write.vio._cont
$12 = (SpdyClientSession) {<Continuation> = {<force_VFPT_to_top> = {_vptr.force_VFPT_to_top = 0x797530}, handler = (int (Continuation::*)(Continuation *, int, 
    void *)) 0x61d34a <SpdyClientSession::state_session_readwrite(int, void*)>, mutex = {m_ptr = 0x2b3a6c002100}, link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}}, <PluginIdentity> = {
    _vptr.PluginIdentity = 0x797560}, sm_id = 4845541, version = spdy::SESSION_VERSION_3_1, total_size = 0, start_time = 1416313589240113216, vc = 0x2b399445d190, req_buffer = 0x2b3a49435e60, 
  req_reader = 0x2b3a49435e78, resp_buffer = 0x2b3a302acfc0, resp_reader = 0x2b3a302acfd8, read_vio = 0x2b399445d2a0, write_vio = 0x2b399445d308, event = 100, session = 0x2b3a05596230, 
  req_map = std::map with 0 elements}
(gdb)  p vc->write.vio._cont->resp_buffer
$13 = (tsapi_iobuffer *) 0x2b3a302acfc0
(gdb)  p *(IOBufferReader *)vc->write.vio._cont->resp_reader
$14 = {accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, size_limit = 9223372036854775807}
(gdb) 
{code}

The above trace shows {{SpdySession}} was not destroyed since this->mutex is not NULL, so {{resp_reader}} was not free'ed, and the {{SpdyRequest}} was even not established, seems that there is an issue on manipulating MIOBufferReader.

> ATS crash in PluginVC
> ---------------------
>
>                 Key: TS-3201
>                 URL: https://issues.apache.org/jira/browse/TS-3201
>             Project: Traffic Server
>          Issue Type: Bug
>    Affects Versions: 5.0.0
>            Reporter: Wei Sun
>             Fix For: 5.3.0
>
>
> Intercept plugin crash when working with ats-5.0.
> {code}
> #0  0x00000000004e0f80 in Ptr<IOBufferBlock>::operator IOBufferBlock* (
>     this=0x38) at ../lib/ts/Ptr.h:326
> #1  0x00000000004f52dc in IOBufferReader::skip_empty_blocks (
>     this=0x2b4bec073718) at ../iocore/eventsystem/P_IOBuffer.h:551
> #2  0x0000000000532c04 in IOBufferReader::block_read_avail (
>     this=0x2b4bec073718) at ../iocore/eventsystem/P_IOBuffer.h:604
> #3  0x000000000052ffce in PluginVC::transfer_bytes (this=0x2b4b88586768,
>     transfer_to=0x2b4b6806c440, transfer_from=0x2b4bec073718, act_on=943)
>     at PluginVC.cc:438
> #4  0x0000000000530d7b in PluginVC::process_read_side (this=0x2b4b88586768,
>     other_side_call=true) at PluginVC.cc:655
> #5  0x00000000005307fe in PluginVC::process_write_side (this=0x2b4b88586580,
>     other_side_call=false) at PluginVC.cc:567
> #6  0x000000000052f5a0 in PluginVC::main_handler (this=0x2b4b88586580,
>     event=1, data=0x2b4b1426a060) at PluginVC.cc:212
> #7  0x00000000004f4f18 in Continuation::handleEvent (this=0x2b4b88586580,
>     event=1, data=0x2b4b1426a060) at ../iocore/eventsystem/I_Continuation.h:146
> #8  0x0000000000753d62 in EThread::process_event (this=0x2b4aed111010,
>     e=0x2b4b1426a060, calling_code=1) at UnixEThread.cc:145
> #9  0x0000000000753f30 in EThread::execute (this=0x2b4aed111010)
>     at UnixEThread.cc:196
> #10 0x00000000007532c0 in spawn_thread_internal (a=0x2bddf50) at Thread.cc:88
> #11 0x00002b4ad0c8c9d1 in start_thread () from /lib64/libpthread.so.0
> #12 0x0000003f09ae8b7d in clone () from /lib64/libc.so.6
> (gdb) up 3
> #3  0x000000000052ffce in PluginVC::transfer_bytes (this=0x2b4b88586768,
>     transfer_to=0x2b4b6806c440, transfer_from=0x2b4bec073718, act_on=943)
>     at PluginVC.cc:438
> 438     PluginVC.cc: No such file or directory.
>         in PluginVC.cc
> (gdb) p transfer_from
> $1 = (IOBufferReader *) 0x2b4bec073718
> (gdb) p *transfer_from
> $2 = {accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0,
>   size_limit = 9223372036854775807}
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)