RE: SSL segfault on HEAD

Fri, 20 Dec 2002 06:02:42 -0800 

> On Thu, 19 Dec 2002, Scott Lamb wrote:
>
> > HEAD (as of sometime yesterday) is segfaulting on me. Stack trace below.
> > This happens on all SSL requests; others seem fine. This on Linux with
> > RedHat's openssl-0.9.6b-28.
> >
> > I'm wondering if this has anything to do with the ssl changes on the
> > 14th. They touched ssl_engine_io.c, though there's no immediate culprit
> > to my (uneducated) eye.
> >
> > The particular revs I've got:
> >
> >      ssl_engine_io.c      1.102
> >      apr_buckets_simple.c 1.41
> >      apr_buckets_alloc.c  1.8
>
> Sigh.  Wonder if this is related to what FirstBill saw earlier today with
> the proxy?  Seeing as nothing has changed in the buckets code any time
> recently... OHHHHHHHH WAIT, yes it has.  Brian apparently committed a
> change to allocate the apr_bucket_brigade itself out of the brigade
> allocator.

Revert Brian's patch to apr_brigade.c (attached) and the segfaults go away.
Interesting... I suspect this patch tickled a bug elsewhere in the code.

Index: apr_brigade.c
  ===================================================================
  RCS file: /home/cvs/apr-util/buckets/apr_brigade.c,v
  retrieving revision 1.54
  retrieving revision 1.55
  diff -u -r1.54 -r1.55
  --- apr_brigade.c     30 Sep 2002 01:57:55 -0000      1.54
  +++ apr_brigade.c     17 Dec 2002 19:16:39 -0000      1.55
  @@ -85,16 +85,18 @@
           e = APR_BRIGADE_FIRST(b);
           apr_bucket_delete(e);
       }
  -    /*
  -     * We don't need to free(bb) because it's allocated from a pool.
  -     */
       return APR_SUCCESS;
   }

   APU_DECLARE(apr_status_t) apr_brigade_destroy(apr_bucket_brigade *b)
   {
  -    apr_pool_cleanup_kill(b->p, b, brigade_cleanup);
  -    return apr_brigade_cleanup(b);
  +    apr_status_t rv;
  +    if (b->p) {
  +        apr_pool_cleanup_kill(b->p, b, brigade_cleanup);
  +    }
  +    rv = apr_brigade_cleanup(b);
  +    apr_bucket_free(b);
  +    return rv;
   }

   APU_DECLARE(apr_bucket_brigade *) apr_brigade_create(apr_pool_t *p,
  @@ -102,13 +104,16 @@
   {
       apr_bucket_brigade *b;

  -    b = apr_palloc(p, sizeof(*b));
  +    b = apr_bucket_alloc(sizeof(*b), list);
       b->p = p;
       b->bucket_alloc = list;

       APR_RING_INIT(&b->list, apr_bucket, link);

  -    apr_pool_cleanup_register(b->p, b, brigade_cleanup,
apr_pool_cleanup_null);
  +    if (p) {
  +        apr_pool_cleanup_register(b->p, b, brigade_cleanup,
  +                                  apr_pool_cleanup_null);
  +    }
       return b;
   }

Reply via email to