While shutting down Apache on a Windows server with debug libraries, the underlying OS libraries were complaining about the double free of a block of memory. It appears that when ap_proxy_add_worker_to_balancer(apr_pool_t *pool, proxy_balancer *balancer, proxy_worker *worker) is called it uses memcpy to duplicate the proxy worker but doesn't do anything to change the cleanup routines or to make its own copy of allocated resources like the pool and possibly the semaphore. This results in two proxy worker structures each pointing to the same pool and semaphore. During cleanup the original worker and the balancer worker each free their pool (which is the same pool), resulting in the pool being placed in the pool free list twice; when the memory is then freed there will be a double free of the memory representing the pool. My patch for the issue is attached. Duane
Index: proxy_util.c =================================================================== --- proxy_util.c (revision 767999) +++ proxy_util.c (working copy) @@ -1473,6 +1473,18 @@ /* Increase the total runtime count */ proxy_lb_workers++; + // get our own copies of alloced resources + init_conn_pool(pool, runtime); + +#if APR_HAS_THREADS + if (apr_thread_mutex_create(&(runtime->mutex), + APR_THREAD_MUTEX_DEFAULT, pool) != APR_SUCCESS) { + ap_log_perror(APLOG_MARK, APLOG_ERR, 0, pool, + "proxy failed to create mutex for balancer worker"); + + } +#endif + } PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
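Review bot: the failure path of the added `apr_thread_mutex_create` call only logs and then falls through, so when mutex creation fails the function continues with the cloned worker's mutex field in an unusable state and nothing tells the caller that the balancer worker was not fully initialized; consider propagating the failure (or marking the worker unusable) rather than just logging `"proxy failed to create mutex for balancer worker"`. Two style points in the same hunk: the comment `// get our own copies of alloced resources` uses a C++-style `//` comment where the httpd code base uses `/* ... */`, and there is a stray blank line before the closing `}` of the `if` block. Since the report says the memcpy duplicates every pointer in the worker, it would also help to state in the change description whether `init_conn_pool(pool, runtime)` plus the new mutex covers all of the shared resources (the report names the pool and the semaphore), because any other pointer still shared between the original and the runtime copy keeps the same double-cleanup risk.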