I wrote:
[...]
> I've managed to isolate the problem a bit further. The csd struct gets
> corrupted within core_create_conn:
Er, no, it actually happens earlier than that. What seems
to have happened is that, in the listener loop, this block
got executed with rv->accept_func==check_pipe_of_death() :
got_fd:
if (!workers_may_exit) {
/* create a new transaction pool for each accepted socket */
apr_pool_create(&ptrans, tpool);
rv = lr->accept_func(&csd, lr, ptrans);
[...]
if (csd != NULL) {
rv = ap_queue_push(worker_queue, csd, ptrans);
The accept_func doesn't modify csd, so its value is
bogus when we hit the "if (csd != NULL)" check. And
we end up with a bad socket descriptor on the queue.
I'm testing a fix for this now...
--Brian
