Hi David,

thanks, that's extremely useful.

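Seems like we access memory that we are not supposed to access: in the backtrace below, txn is 0x0 in frame #0, at the point where build_logline reads txn->status (src/log.c:1669).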


I bisected this to eee5b512 ("MAJOR: http: move http_txn out of struct stream"),
the backtrace looks like this:


Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x08058656 in build_logline (s=0x826d9f0, dst=0x826e990 "Proxy BACKEND_foo_tcp started.\n", maxsize=1024, list_format=0x8271dbc) at src/log.c:1669
1669            ret = ltoa_o(txn->status, tmplog, dst + maxsize - tmplog);
(gdb) bt
#0 0x08058656 in build_logline (s=0x826d9f0, dst=0x826e990 "Proxy BACKEND_foo_tcp started.\n", maxsize=1024, list_format=0x8271dbc) at src/log.c:1669
#1  0x0805a22a in strm_log (s=0x826d9f0) at src/log.c:2212
#2  0x080ec682 in sess_establish (s=0x826d9f0) at src/stream.c:750
#3  0x080ee0e7 in process_stream (t=0x826d998) at src/stream.c:1661
#4  0x0805a962 in process_runnable_tasks () at src/task.c:238
#5  0x0804d148 in run_poll_loop () at src/haproxy.c:1592
#6  0x0804dd46 in main (argc=3, argv=0xbf9ac154) at src/haproxy.c:1952
(gdb) backtrace full
#0 0x08058656 in build_logline (s=0x826d9f0, dst=0x826e990 "Proxy BACKEND_foo_tcp started.\n", maxsize=1024, list_format=0x8271dbc) at src/log.c:1669
        conn = 0x826dbc8
        src = 0x0
        key = 0xbf9abdc0
        empty = {str = 0x0, size = 0, len = 0}
        sess = 0x826d940
        fe = 0x82712a8
        be = 0x8274978
        txn = 0x0
        chunk = {str = 0x4c80c700 <error: Cannot access memory at address 0x4c80c700>, size = 135009507, len = 136797136}
        uri = 0x0
        spc = 0x0
        qmark = 0xbf9abe08 ""
        end = 0xb7737000 "\250\235\032"
        tm = {tm_sec = 0, tm_min = -1080377784, tm_hour = 135321243, tm_mday = 135608324, tm_mon = 0, tm_year = 0, tm_wday = -1080377848, tm_yday = 135009507, tm_isdst = -1080377832, tm_gmtoff = 0, tm_zone = 0x8153804 <rqueue> ""}
        t_request = -1
        hdr = 135008578
        last_isspace = 1
        nspaces = 0
        tmplog = 0x826e990 "Proxy BACKEND_foo_tcp started.\n"
        ret = 0x0
        iret = 135018702
        tmp = 0x826e008
#1  0x0805a22a in strm_log (s=0x826d9f0) at src/log.c:2212
        sess = 0x826d940
        size = -1080426495
        err = 0
        level = 6
        sd_size = 0
#2  0x080ec682 in sess_establish (s=0x826d9f0) at src/stream.c:750
        si = 0x826db4c
        req = 0x826d9fc
        rep = 0x826da30
#3  0x080ee0e7 in process_stream (t=0x826d998) at src/stream.c:1661
        srv = 0x8275bd0
        s = 0x826d9f0
        sess = 0x826d940
        rqf_last = 8421376
        rpf_last = 2147483648
        rq_prod_last = 136763800
        rq_cons_last = 0
        rp_cons_last = 135608324
        rp_prod_last = 3214589688
        req_ana_back = 0
        req = 0x826d9fc
        res = 0x826da30
        si_f = 0x826db34
        si_b = 0x826db4c
#4  0x0805a962 in process_runnable_tasks () at src/task.c:238
        t = 0x826d998
        max_processed = 0
#5  0x0804d148 in run_poll_loop () at src/haproxy.c:1592
        next = 0
#6  0x0804dd46 in main (argc=3, argv=0xbf9ac154) at src/haproxy.c:1952
        err = 0
        retry = 200
        limit = {rlim_cur = 4012, rlim_max = 4012}
errmsg = "\000ps\267\070\000\000\000\000ps\267 ts\267\200\020&\b\200\020&\btA`\267\210\020&\b\000\000\000\000<\000\000\000\002\000\000\000X\300\232\277\000\265x\267\070\000\000\000 ts\267\031\000\000\000\064\020&\bX\300\232\277\000\340\024\b\031\000\000\000\264\020&\bh\300\232\277\250\256\017\b\272\020&\br\020\023\b"
        pidfd = -1




cheers,
lukas

