mod_auth_digest.c (around line 366) is creating an APR_READWRITE lock with a scope of APR_LOCKALL (global) for the 'client_lock', but I see no way that APR could be supporting this concept. In any case, mod_auth_digest.c seems to be treating it as a simple global mutex-style lock, and never attempts to acquire 'client_lock' as a reader or a writer.
I'm working on a new APR locks API that would replace the calls to apr_lock_*() in mod_auth_digest.c (and a few other places in httpd), but to that end I'd like to find out if this is an error, or if the author actually wanted a global rwlock. -aaron
