[
https://issues.apache.org/jira/browse/TS-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13017927#comment-13017927
]
Ricky Chan commented on TS-733:
-------------------------------
I spoke too early: I was able to crash it in 2.1.7 as well, using my method
detailed above.
#0 0x00000000006d02e9 in CacheVC::openReadChooseWriter (this=0x297e8e0,
event=1, e=0x0) at CacheRead.cc:209
209 if (w->start_time > start_time || w->closed < 0)
(gdb) bt
#0 0x00000000006d02e9 in CacheVC::openReadChooseWriter (this=0x297e8e0,
event=1, e=0x0) at CacheRead.cc:209
#1 0x00000000006d0e2c in CacheVC::openReadFromWriter (this=0x297e8e0, event=1,
e=0x0) at CacheRead.cc:326
#2 0x00000000004ee0ef in Continuation::handleEvent (this=0x297e8e0, event=1,
data=0x0) at I_Continuation.h:146
#3 0x00000000006d2914 in Cache::open_read (this=0x1f6f9b0,
cont=0x2aaab4d16b90, key=0x4229ce50, request=0x2aaab4d15210,
params=0x2aaab4d14a48, type=CACHE_FRAG_TYPE_HTTP,
hostname=0x2aaab475c83e "test1.isp.sky.com0", '�' <repeats 182 times>...,
host_len=17) at CacheRead.cc:149
#4 0x00000000006b3b97 in Cache::open_read (this=0x1f6f9b0,
cont=0x2aaab4d16b90, url=0x2aaab4d149f8, request=0x2aaab4d15210,
params=0x2aaab4d14a48, type=CACHE_FRAG_TYPE_HTTP)
at P_CacheInternal.h:1006
#5 0x00000000006a44f7 in CacheProcessor::open_read (this=0xf750a0,
cont=0x2aaab4d16b90, url=0x2aaab4d149f8, request=0x2aaab4d15210,
params=0x2aaab4d14a48, pin_in_cache=0,
type=CACHE_FRAG_TYPE_HTTP) at Cache.cc:2787
#6 0x00000000005691d5 in HttpCacheSM::do_cache_open_read (this=0x2aaab4d16b90)
at HttpCacheSM.cc:215
#7 0x0000000000569328 in HttpCacheSM::open_read (this=0x2aaab4d16b90,
url=0x2aaab4d149f8, hdr=0x2aaab4d15210, params=0x2aaab4d14a48, pin_in_cache=0)
at HttpCacheSM.cc:247
#8 0x0000000000584acf in HttpSM::do_cache_lookup_and_read
(this=0x2aaab4d14950) at HttpSM.cc:3898
#9 0x0000000000590053 in HttpSM::set_next_state (this=0x2aaab4d14950) at
HttpSM.cc:6440
#10 0x000000000057d5e0 in HttpSM::call_transact_and_set_next_state
(this=0x2aaab4d14950, f=0) at HttpSM.cc:6332
#11 0x000000000059178e in HttpSM::handle_api_return (this=0x2aaab4d14950) at
HttpSM.cc:1523
#12 0x00000000005958a9 in HttpSM::do_api_callout (this=0x2aaab4d14950) at
HttpSM.cc:506
#13 0x000000000058fae5 in HttpSM::set_next_state (this=0x2aaab4d14950) at
HttpSM.cc:6366
#14 0x000000000057d5e0 in HttpSM::call_transact_and_set_next_state
(this=0x2aaab4d14950, f=0) at HttpSM.cc:6332
#15 0x000000000058fc12 in HttpSM::set_next_state (this=0x2aaab4d14950) at
HttpSM.cc:6382
#16 0x000000000057d5e0 in HttpSM::call_transact_and_set_next_state
(this=0x2aaab4d14950, f=0) at HttpSM.cc:6332
#17 0x000000000059178e in HttpSM::handle_api_return (this=0x2aaab4d14950) at
HttpSM.cc:1523
#18 0x00000000005958a9 in HttpSM::do_api_callout (this=0x2aaab4d14950) at
HttpSM.cc:506
#19 0x000000000058fae5 in HttpSM::set_next_state (this=0x2aaab4d14950) at
HttpSM.cc:6366
#20 0x000000000057d5e0 in HttpSM::call_transact_and_set_next_state
(this=0x2aaab4d14950, f=0) at HttpSM.cc:6332
#21 0x000000000059178e in HttpSM::handle_api_return (this=0x2aaab4d14950) at
HttpSM.cc:1523
#22 0x00000000005958a9 in HttpSM::do_api_callout (this=0x2aaab4d14950) at
HttpSM.cc:506
#23 0x000000000058fae5 in HttpSM::set_next_state (this=0x2aaab4d14950) at
HttpSM.cc:6366
#24 0x000000000057d5e0 in HttpSM::call_transact_and_set_next_state
(this=0x2aaab4d14950, f=0x5bcb70
<HttpTransact::ModifyRequest(HttpTransact::State*)>) at HttpSM.cc:6332
#25 0x0000000000591534 in HttpSM::state_read_client_request_header
(this=0x2aaab4d14950, event=100, data=0x20efea8) at HttpSM.cc:787
#26 0x000000000058ae67 in HttpSM::main_handler (this=0x2aaab4d14950, event=100,
data=0x20efea8) at HttpSM.cc:2443
#27 0x00000000004ee0ef in Continuation::handleEvent (this=0x2aaab4d14950,
event=100, data=0x20efea8) at I_Continuation.h:146
#28 0x00000000006faff1 in read_signal_and_update (event=100, vc=0x20efce0) at
UnixNetVConnection.cc:146
#29 0x00000000006fb952 in read_from_net (nh=0x2aaaab517628, vc=0x20efce0,
thread=0x2aaaab516010) at UnixNetVConnection.cc:337
#30 0x00000000006fbaaf in UnixNetVConnection::net_read_io (this=0x20efce0,
nh=0x2aaaab517628, lthread=0x2aaaab516010) at UnixNetVConnection.cc:822
#31 0x00000000006f546c in NetHandler::mainNetEvent (this=0x2aaaab517628,
event=5, e=0x1f4b130) at UnixNet.cc:401
#32 0x00000000004ee0ef in Continuation::handleEvent (this=0x2aaaab517628,
event=5, data=0x1f4b130) at I_Continuation.h:146
#33 0x000000000071e9df in EThread::process_event (this=0x2aaaab516010,
e=0x1f4b130, calling_code=5) at UnixEThread.cc:140
#34 0x000000000071ef0d in EThread::execute (this=0x2aaaab516010) at
UnixEThread.cc:262
#35 0x000000000071e26e in spawn_thread_internal (a=0x1f282b0) at Thread.cc:85
#36 0x00002b0c50d1afc7 in start_thread () from /lib/libpthread.so.0
#37 0x00002b0c52f0164d in clone () from /lib/libc.so.6
#38 0x0000000000000000 in ?? ()
I have compiled with --enable-debug as requested.
So feel free to ask me for any extra details you require from the dump.
(gdb) p *this
$1 = {<CacheVConnection> = {<VConnection> = {<Continuation> =
{<force_VFPT_to_top> = {_vptr.force_VFPT_to_top = 0x7a0250},
handler = 0x6d0a80 <CacheVC::openReadFromWriter(int, Event*)>,
handler_name = 0x7a5bb8 "&CacheVC::openReadFromWriter", mutex = {m_ptr =
0x2176df0},
link = {<SLink<Continuation>> = {next = 0x0}, prev = 0x0}}, lerrno =
0}, <No data fields>}, static size_to_init = 376, key = {b =
{9862551532286235992,
860322339962582156}}, first_key = {b = {9862551532286235992,
860322339962582156}}, earliest_key = {b = {9862551532286235992,
860322339962582156}}, update_key = {b = {
1964747881772749290, 15406874007834800518}}, dir = {w = {0, 0, 0, 0, 0}},
earliest_dir = {w = {21215, 39936, 10382, 0, 0}}, overwrite_dir = {w = {0, 0,
0, 0, 0}},
first_dir = {w = {22192, 39936, 9356, 0, 0}}, _action = {_vptr.Action =
0x73fb30, continuation = 0x2aaab4d16b90, mutex = {m_ptr = 0x2176df0}, cancelled
= 0},
request = {<MIMEHdr> = {<HdrHeapSDKHandle> = {m_heap = 0x2aaaaaaba010},
m_mime = 0x2aaaaaaba0c8}, m_http = 0x2aaaaaaba098, m_url_cached =
{<HdrHeapSDKHandle> = {m_heap = 0x0},
m_url_impl = 0x0}, m_host_length = 0, m_host = 0x0, m_port = 0,
m_target_cached = false, m_target_in_url = false, m_port_in_header = false},
vector = {magic = 0x0, data = {
data = 0x297e9f8, fast_data = {{alternate = {m_alt = 0x2aaab4f3c048}},
{alternate = {m_alt = 0x2aaab4f3d268}}, {alternate = {m_alt = 0x2aaab4f3e088}},
{alternate = {
m_alt = 0x2aaab4f3eea8}}}, default_val = 0xf758c8, size = 0, pos =
-1}, xcount = 0, vector_buf = {m_ptr = 0x0}}, alternate = {m_alt = 0x0}, buf =
{m_ptr = 0x0},
first_buf = {m_ptr = 0x0}, blocks = {m_ptr = 0x0}, writer_buf = {m_ptr =
0x0}, od = 0x29da510, io = {<AIOCallback> = {<Continuation> =
{<force_VFPT_to_top> = {
_vptr.force_VFPT_to_top = 0x7a0390}, handler = 0x6b189a
<AIOCallbackInternal::io_complete(int, void*)>, handler_name = 0x79dcd0
"&AIOCallbackInternal::io_complete",
mutex = {m_ptr = 0x0}, link = {<SLink<Continuation>> = {next = 0x0},
prev = 0x0}}, aiocb = {aio_fildes = 0, aio_buf = 0x0, aio_nbytes = 0,
aio_offset = 0, aio_reqprio = 0,
aio_lio_opcode = 0, aio_state = 0, aio__pad = {0}}, action =
{_vptr.Action = 0x0, continuation = 0x0, mutex = {m_ptr = 0x0}, cancelled = 0},
thread = 0x0, then = 0x0,
aio_result = 0}, first = 0x0, aio_req = 0x0, sleep_time = 0},
alternate_index = -1, opendir_link = {<SLink<CacheVC>> = {next = 0x0}, prev =
0x0}, vio = {_cont = 0x0,
nbytes = 0, ndone = 0, op = 1, buffer = {mbuf = 0x0, entry = 0x0, name =
0x0}, vc_server = 0x0, mutex = {m_ptr = 0x0}}, initial_thread = 0x2aaaab516010,
frag_type = CACHE_FRAG_TYPE_HTTP, info = 0x0, write_vector = 0x29da520,
params = 0x2aaab4d14a48, header_len = 0, frag_len = 0, write_len = 0, agg_len =
0, write_serial = 0,
frag = 0x0, integral_frags = {{offset = 0}, {offset = 0}, {offset = 0},
{offset = 0}}, part = 0x1f6f9e0, last_collision = 0x0, trigger = 0x0, read_key
= 0x0, save_handler = NULL,
pin_in_cache = 0, start_time = 1302371993498180000, base_stat = 13, recursive
= 0, closed = 0, seek_to = 0, offset = 0, writer_offset = 0, length = 0,
doc_pos = 0, write_pos = 0,
total_len = 0, doc_len = 0, update_len = 0, fragment = 0, scan_msec_delay =
0, write_vc = 0x0, hostname = 0x0, host_len = 0, header_to_write_len = 0,
header_to_write = 0x0,
writer_lock_retry = 0, {flags = 8192, f = {use_first_key = 0, overwrite = 0,
close_complete = 0, sync = 0, evacuator = 0, single_fragment = 0, evac_vector =
0, lookup = 0,
update = 0, remove = 0, remove_aborted_writers = 0, open_read_timeout =
0, data_done = 0, read_from_writer_called = 1, not_from_ram_cache = 0,
rewrite_resident_alt = 0,
readers = 0, doc_from_ram_cache = 0}}}
> segfault in mime_hdr_set_accelerators_and_presence_bits
> -------------------------------------------------------
>
> Key: TS-733
> URL: https://issues.apache.org/jira/browse/TS-733
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.0.1
> Environment: X6240 AMD64 Debian Lenny (2.6.26) 64G of Ram.
> Reporter: Ricky Chan
> Labels: MIME, segfault
> Fix For: 2.1.8
>
>
> We are seeing a segfault, and I have now put back unstripped binaries so I can
> get line numbers and frame traces.
> Below is the trace. Although GDB claims it's line 482, I believe it's not
> actually there (a short int comparison won't crash it). My interest is the
> fact that m_wks_idx is 67, which is larger than the MAX amount of slots, which
> I believe is 16 (0 - 15), right?
> I got this segfault 6 times this morning, and it appears to be from the same
> client too.
> I'm thinking of patching the code to make sure m_wks_idx isn't >
> MAX_FIELD_SLOTNUM_MAX for now.
> #0 ink_stack_trace_dump (sighandler_frame=2) at ink_stack_trace.cc:66
> 66 fp = (void **) (*fp);
> (gdb) bt
> #0 ink_stack_trace_dump (sighandler_frame=2) at ink_stack_trace.cc:66
> #1 0x0000000000502f8a in signal_handler (sig=<value optimized out>) at
> signals.cc:332
> #2 <signal handler called>
> #3 mime_hdr_field_detach (mh=0x2aaab46c1298, field=0x2aaab46c1390,
> detach_all_dups=false) at MIME.cc:482
> #4 0x0000000000601e8e in mime_hdr_field_delete (heap=0x2aaab46c11e0,
> mh=0x2aaab46c1298, field=0x2aaab46c1390, delete_all_dups=true) at MIME.cc:1737
> #5 0x000000000056cee9 in HttpTransact::set_headers_for_cache_write
> (s=0x2aaaba56d8b0, cache_info=0x2aaaba56d948, request=0x2aaaba56df90,
> response=0x2aaaba56dfc8) at
> ../../iocore/cache/../../proxy/http2/../hdrs/MIME.h:1071
> #6 0x000000000056ec29 in
> HttpTransact::handle_cache_operation_on_forward_server_response
> (s=0x2aaaba56d8b0) at HttpTransact.cc:5270
> #7 0x000000000056ff99 in HttpTransact::handle_forward_server_connection_open
> (s=0x2aaaba56d8b0) at HttpTransact.cc:4732
> #8 0x0000000000572370 in HttpTransact::handle_response_from_server
> (s=0x2aaaba56d8b0) at HttpTransact.cc:4255
> #9 0x0000000000578a5d in HttpTransact::HandleResponse (s=0x2aaaba56d8b0) at
> HttpTransact.cc:3937
> #10 0x0000000000534485 in HttpSM::call_transact_and_set_next_state
> (this=0x2aaaba56d830, f=0x2aaab46c1390) at HttpSM.cc:7190
> #11 0x0000000000549aa0 in HttpSM::state_read_server_response_header
> (this=0x2aaaba56d830, event=<value optimized out>, data=0x2232e28) at
> HttpSM.cc:535
> #12 0x0000000000547e3b in HttpSM::main_handler (this=0x2aaaba56d830,
> event=100, data=0x2232e28) at HttpSM.cc:2683
> #13 0x00000000006c19f7 in read_from_net (nh=0x2aaaac950098, vc=0x2232d50,
> thread=<value optimized out>) at ../../iocore/eventsystem/I_Continuation.h:147
> #14 0x00000000006b9452 in NetHandler::mainNetEvent (this=0x2aaaac950098,
> event=<value optimized out>, e=0xfa9130) at UnixNet.cc:292
> #15 0x00000000006e3614 in EThread::process_event (this=0x2aaaac94f010,
> e=0xfa9130, calling_code=5) at I_Continuation.h:147
> #16 0x00000000006e3e50 in EThread::execute (this=0x2aaaac94f010) at
> UnixEThread.cc:249
> #17 0x00000000006e1a72 in spawn_thread_internal (a=0xf93270) at Thread.cc:85
> #18 0x00002abbb5d7efc7 in start_thread () from /lib/libpthread.so.0
> #19 0x00002abbb74f064d in clone () from /lib/libc.so.6
> #20 0x0000000000000000 in ?? ()
> (gdb) frame 3
> #3 mime_hdr_field_detach (mh=0x2aaab46c1298, field=0x2aaab46c1390,
> detach_all_dups=false) at MIME.cc:482
> warning: Source file is more recent than executable.
> 482 if (field->m_wks_idx < 0)
> (gdb) p *field
> $1 = {
> m_ptr_name = 0x19618e4 "Via1.1
> AKmdrL2CacheBC10.telecom.co.nzCache-Controlmax-stale=0Via1.1
> AKmdrL2CacheBC10.telecom.co.nzX-BlueCoat-ViaB8C344C089BFFBD7Client-ip210.55.215.151X-Forwarded-For210.55.215.151http10.244.132.255om"...,
>
> m_ptr_value = 0x19618e7 "1.1
> AKmdrL2CacheBC10.telecom.co.nzCache-Controlmax-stale=0Via1.1
> AKmdrL2CacheBC10.telecom.co.nzX-BlueCoat-ViaB8C344C089BFFBD7Client-ip210.55.215.151X-Forwarded-For210.55.215.151http10.244.132.255om0yo"...,
> m_next_dup = 0xffffffffb46c87f0, m_wks_idx = 67, m_len_name = 3,
> m_len_value = 34, m_n_v_raw_printable = 0 '\0', m_n_v_raw_printable_pad = 4
> '\004', m_readiness = 2 '\002', m_flags = 1 '\001'}