While shutting down Apache on a Windows server with debug libraries, the
underlying OS libraries were complaining about the double free of a block of
memory.
It appears that when ap_proxy_add_worker_to_balancer(apr_pool_t *pool,
proxy_balancer *balancer, proxy_worker *worker) is called it uses memcpy to
duplicate the proxy worker but doesn't do anything to change the cleanup
routines or to make its own copy of allocated resources like the pool and
possibly the semaphore. This results in two proxy worker structures each
pointing to the same pool and semaphore.
During cleanup the original worker and the balancer worker each free their
pool (which is the same pool), resulting in the pool being placed in the pool
free list twice; when the memory is then freed there is a double free of
the memory representing the pool.
My patch for the issue is attached.
Duane
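As an added illustration (not part of the mail or of httpd), the aliasing described above reduced to a stand-alone C program: a constructed stand-in for an APR pool counts a second destroy instead of corrupting the heap, and the memcpy-only copy is placed beside a copy that allocates its own pool. demo_pool, demo_worker, add_worker_shallow, add_worker_deep and run_shutdown are all made up for the demo.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for an APR pool: a buffer plus a flag so the demo can count a
 * second destroy instead of corrupting the heap (constructed, not APR). */
typedef struct { void *mem; int freed; } demo_pool;

/* Stand-in for proxy_worker, reduced to the pointer the report says is
 * shared after the memcpy. */
typedef struct { demo_pool *pool; } demo_worker;

static demo_pool *pool_create(void) {
    demo_pool *p = malloc(sizeof *p);
    p->mem = malloc(64);
    p->freed = 0;
    return p;
}

/* Returns 1 when the pool was already destroyed, i.e. a double free. */
static int pool_destroy(demo_pool *p) {
    if (p->freed) return 1;
    free(p->mem);
    p->freed = 1;
    return 0;
}

/* Shallow copy as the report describes: both workers alias one pool. */
static void add_worker_shallow(demo_worker *dst, const demo_worker *src) {
    memcpy(dst, src, sizeof *dst);
}

/* Deep copy as the patch intends via init_conn_pool(): own pool per copy. */
static void add_worker_deep(demo_worker *dst, const demo_worker *src) {
    memcpy(dst, src, sizeof *dst);
    dst->pool = pool_create();
}

/* Simulates shutdown, where each worker's cleanup destroys its pool.
 * Returns the number of double frees observed. */
static int run_shutdown(int deep_copy) {
    demo_worker original = { pool_create() }, copy;
    if (deep_copy) add_worker_deep(&copy, &original);
    else add_worker_shallow(&copy, &original);
    int doubles = pool_destroy(original.pool) + pool_destroy(copy.pool);
    free(original.pool);
    if (deep_copy) free(copy.pool);
    return doubles;
}
```

run_shutdown(0) reports one double free for the memcpy-only copy; run_shutdown(1) reports none once each copy owns its pool.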
Index: proxy_util.c
===================================================================
--- proxy_util.c (revision 767999)
+++ proxy_util.c (working copy)
@@ -1473,6 +1473,18 @@
/* Increase the total runtime count */
proxy_lb_workers++;
+ // get our own copies of alloced resources
+ init_conn_pool(pool, runtime);
+
+#if APR_HAS_THREADS
+ if (apr_thread_mutex_create(&(runtime->mutex),
+ APR_THREAD_MUTEX_DEFAULT, pool) != APR_SUCCESS) {
+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, pool,
+ "proxy failed to create mutex for balancer worker");
+
+ }
+#endif
+
}
PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
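Review bot: the failure branch of the apr_thread_mutex_create() call only logs and falls through, so on that path runtime->mutex still holds the value memcpy'd from the original worker and the two workers keep sharing one mutex, which is the very condition this patch sets out to remove; consider propagating the failure to the caller or at least clearing runtime->mutex so the copy never tears down a mutex it does not own. Two style points in the same hunk: the `// get our own copies of alloced resources` line uses a C++ comment where the surrounding file uses `/* ... */` (and "alloced" should read "allocated"), and the stray blank line before the closing `}` of the if block should go.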