https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
--- Comment #30 from Ruediger Pluem <[email protected]> ---
(In reply to Joe Orton from comment #28)
> I have not managed to reproduce the segfaults, but I think I now understand
> the problem expressed in comment 7 with bucket allocator mismatches.
>
> Specifically, I think this is possible:
>
> a) ap_proxy_http_request allocates header brigade in the proxy worker pool
> "scpool"
> b) buckets are inserted into that brigade, allocated from the bucket
> allocator from "ptrans"
> c) <something happens>
> d) header brigade is NOT CLEANED UP

Could happen if we return early in ap_proxy_pass_brigade.

> e) ptrans allocator gets destroyed, bucket memory is invalidated
> f) later... scpool is cleared/destroyed, header brigade gets cleaned up but
> has a corrupt bucket list -> boom

Right: scpool and ptrans have completely different lifecycles and scpool could
live longer than ptrans.

>
> I confirmed (a) and (b) by hacking ap_pass_brigade() to compare e->list
> against bb->bucket_alloc for every bucket in the passed-in brigade. I don't
> know precisely how to trigger (c) thru (f) but it is consistent with
> reported symptoms, of a crash in running the brigade pool cleanup.
>
> *IF* this is all correct then a simple fix is just to avoid (a) & (b). Any
> other thoughts?
>
> - header_brigade = apr_brigade_create(p, origin->bucket_alloc); > + header_brigade = apr_brigade_create(p, bucket_alloc);

This looks like the correct thing to do. Can one of the original reporters
please check?
In addition I propose the following patch to have the brigade cleaned up in any
case in ap_proxy_pass_brigade:

Index: proxy_util.c =================================================================== --- proxy_util.c (revision 1515728) +++ proxy_util.c (working copy) 
@@ -3305,6 +3305,7 @@ if (transferred != -1) p_conn->worker->s->transferred += transferred; status = ap_pass_brigade(origin->output_filters, bb); + apr_brigade_cleanup(bb); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01084) "pass request body failed to %pI (%s)", @@ -3324,7 +3325,6 @@ return HTTP_BAD_REQUEST; } } - apr_brigade_cleanup(bb); return OK; }
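
Review bot: in the first hunk, the new apr_brigade_cleanup(bb) directly after ap_pass_brigade() has no comment explaining why it has to run before the status check. A one-line comment saying that bb must be emptied on every exit path, because the brigade can outlive the allocator its buckets came from, would keep a later tidy-up from moving the call back to the end of the function.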
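
Review bot: in the second hunk, dropping the apr_brigade_cleanup(bb) before return OK is only equivalent if nothing between the ap_pass_brigade() call and return OK puts buckets back into bb. The lines between the two hunks are not shown here, including the path that returns HTTP_BAD_REQUEST, so please confirm that none of them touches bb; if one does, that path needs its own cleanup.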
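
The sequence (a) to (f) discussed in this comment, as an added example that is not part of the original mail and is not APR or httpd code: a constructed model in which the types `allocator`, `bucket`, `brigade` and the functions `count_alloc_mismatches`, `brigade_cleanup` and `replay` are all hypothetical stand-ins. It shows the `e->list` versus `bb->bucket_alloc` check and why emptying the brigade before the short-lived allocator goes away leaves nothing stale for the later pool cleanup.

```c
#include <stddef.h>

/* Constructed model, not APR: just enough structure to show the lifetime rule. */
typedef struct allocator { int live; } allocator;   /* stands in for a bucket allocator */
typedef struct bucket { struct bucket *next; allocator *list; } bucket;
typedef struct brigade { bucket *head; allocator *bucket_alloc; } brigade;

/* The debug check from the thread: count buckets whose allocator (e->list)
 * differs from the allocator the brigade was created with. */
size_t count_alloc_mismatches(const brigade *bb)
{
    size_t n = 0;
    for (const bucket *e = bb->head; e != NULL; e = e->next)
        if (e->list != bb->bucket_alloc)
            n++;
    return n;
}

/* Model of a brigade cleanup: empties the brigade and reports how many buckets
 * belonged to an allocator that is already gone. In the real server each of
 * those would be a touch of freed memory. */
size_t brigade_cleanup(brigade *bb)
{
    size_t stale = 0;
    for (const bucket *e = bb->head; e != NULL; e = e->next)
        if (!e->list->live)
            stale++;
    bb->head = NULL;
    return stale;
}

/* Replays steps (a)-(f). cleanup_early models emptying the brigade on every
 * exit path, before the short-lived allocator is destroyed. */
size_t replay(int cleanup_early, size_t *mismatches)
{
    allocator origin_alloc = { 1 }, ptrans_alloc = { 1 };
    bucket b[2] = { { &b[1], &ptrans_alloc }, { NULL, &ptrans_alloc } };
    brigade header = { &b[0], &origin_alloc };      /* (a) and (b) */
    size_t stale = 0;

    *mismatches = count_alloc_mismatches(&header);
    if (cleanup_early)
        stale += brigade_cleanup(&header);          /* brigade emptied in time */
    ptrans_alloc.live = 0;                          /* (e) allocator destroyed */
    stale += brigade_cleanup(&header);              /* (f) long-lived pool cleanup */
    return stale;
}
```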
