Zhao Yongming created TS-1803:
---------------------------------

             Summary: Crash report: HttpTunnel::deallocate_buffers -> 
IOBufferBlock::free -> reclaimable_freelist_free -> ink_atomic_increment
                 Key: TS-1803
                 URL: https://issues.apache.org/jira/browse/TS-1803
             Project: Traffic Server
          Issue Type: Bug
          Components: Core
            Reporter: Zhao Yongming


{code}
Core was generated by `/usr/bin/traffic_server -M --httpport 80:fd=9'.
Program terminated with signal 11, Segmentation fault.
#0  ink_atomic_increment<int, int> (f=<value optimized out>, 
item=0x2b1b2c028990) at ink_atomic.h:160
160       return __sync_fetch_and_add(mem, (Type)count);
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-11.el6_2.x86_64 
glibc-2.12-1.80.el6_3.7.x86_64 keyutils-libs-1.4-4.el6.x86_64 
krb5-libs-1.10.3-10.el6_4.1.x86_64 libattr-2.4.44-7.el6.x86_64 
libcap-2.16-5.5.el6.x86_64 libcom_err-1.41.12-12.el6.x86_64 
libgcc-4.4.6-4.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64 
libstdc++-4.4.6-4.el6.x86_64 openssl-1.0.0-27.el6_4.2.x86_64 
pcre-7.8-6.el6.x86_64 tcl-8.5.7-6.el6.x86_64 
ts-verycdn-stable.2.0.1535-1.el6.x86_64 
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  ink_atomic_increment<int, int> (f=<value optimized out>, 
item=0x2b1b2c028990) at ink_atomic.h:160
#1  reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) at 
ink_queue_ext.cc:614
#2  0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at 
../lib/ts/Allocator.h:68
#3  dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325
#4  IOBufferData::free (this=0x2b1ad6f76060) at 
../iocore/eventsystem/P_IOBuffer.h:338
#5  0x0000000000481f06 in operator= (this=0x2b1b71c49640) at ../lib/ts/Ptr.h:399
#6  clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426
#7  dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464
#8  IOBufferBlock::free (this=0x2b1b71c49640) at 
../iocore/eventsystem/P_IOBuffer.h:470
#9  0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:435
#10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464
#11 IOBufferBlock::free (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:470
#12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at 
../../lib/ts/Ptr.h:399
#13 free_MIOBuffer (this=0x2b1b391f7680) at 
../../iocore/eventsystem/P_IOBuffer.h:776
#14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535
#15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at 
HttpSM.cc:6319
#16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, event=100, 
data=0x2b1b4c5edd88) at HttpSM.cc:2516
#17 0x000000000066ba3b in handleEvent (event=<value optimized out>, 
vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146
#18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) at 
UnixNetVConnection.cc:138
#19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, vc=0x2b1b4c5edc80, 
thread=<value optimized out>) at UnixNetVConnection.cc:320
#20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, 
event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378
#21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at I_Continuation.h:146
#22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at UnixEThread.cc:142
#23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at 
UnixEThread.cc:266
#24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88
#25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0
#26 0x00002b1ac138711d in clone () from /lib64/libc.so.6
(gdb) f 14
#14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535
535           free_MIOBuffer(producers[i].read_buffer);
(gdb) p producers[i].read_buffer
value has been optimized out
(gdb) p producers[i]
value has been optimized out
(gdb) f 13
#13 free_MIOBuffer (this=0x2b1b391f7680) at 
../../iocore/eventsystem/P_IOBuffer.h:776
776       mio->_writer = NULL;
(gdb) p mio
$1 = (MIOBuffer *) 0x2b1b7394d860
(gdb) p *mio
$2 = {size_index = 4, water_mark = 0, _writer = {m_ptr = 0x0}, readers = 
{{accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, 
size_limit = 9223372036854775807}, {accessor = 0x0,
      mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, size_limit = 
9223372036854775807}, {accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, 
start_offset = 0, size_limit = 9223372036854775807}, {
      accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, 
size_limit = 9223372036854775807}, {accessor = 0x0, mbuf = 0x0, block = {m_ptr 
= 0x0}, start_offset = 0,
      size_limit = 9223372036854775807}}, _location = 0x6b2478 
"memory/IOBuffer/HttpSM.cc:5804"}
(gdb) f 12
#12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at 
../../lib/ts/Ptr.h:399
399         ((RefCountObj *) temp_ptr)->free();
(gdb) p temp_ptr
$3 = <value optimized out>
(gdb) f 11
#11 IOBufferBlock::free (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:470
470       dealloc();
(gdb) p this
$4 = (IOBufferBlock * const) 0x2b1b71c48b00
(gdb) p *this
$5 = {<RefCountObj> = {<ForceVFPTToTop> = {_vptr.ForceVFPTToTop = 0x692690}, 
m_refcount = 0}, _start = 0x2b1bcfa11800 "", _end = 0x2b1bcfa11800 "", _buf_end 
= 0x2b1bcfa12000 "",
  _location = 0x6b2478 "memory/IOBuffer/HttpSM.cc:5804", data = {m_ptr = 0x0}, 
next = {m_ptr = 0x2b1b71c49640}}
(gdb) bt
#0  ink_atomic_increment<int, int> (f=<value optimized out>, 
item=0x2b1b2c028990) at ink_atomic.h:160
#1  reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) at 
ink_queue_ext.cc:614
#2  0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at 
../lib/ts/Allocator.h:68
#3  dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325
#4  IOBufferData::free (this=0x2b1ad6f76060) at 
../iocore/eventsystem/P_IOBuffer.h:338
#5  0x0000000000481f06 in operator= (this=0x2b1b71c49640) at ../lib/ts/Ptr.h:399
#6  clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426
#7  dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464
#8  IOBufferBlock::free (this=0x2b1b71c49640) at 
../iocore/eventsystem/P_IOBuffer.h:470
#9  0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:435
#10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464
#11 IOBufferBlock::free (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:470
#12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at 
../../lib/ts/Ptr.h:399
#13 free_MIOBuffer (this=0x2b1b391f7680) at 
../../iocore/eventsystem/P_IOBuffer.h:776
#14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535
#15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at 
HttpSM.cc:6319
#16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, event=100, 
data=0x2b1b4c5edd88) at HttpSM.cc:2516
#17 0x000000000066ba3b in handleEvent (event=<value optimized out>, 
vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146
#18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) at 
UnixNetVConnection.cc:138
#19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, vc=0x2b1b4c5edc80, 
thread=<value optimized out>) at UnixNetVConnection.cc:320
#20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, 
event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378
#21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at I_Continuation.h:146
#22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at UnixEThread.cc:142
#23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at 
UnixEThread.cc:266
#24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88
#25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0
#26 0x00002b1ac138711d in clone () from /lib64/libc.so.6
(gdb) f 14
#14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535
535           free_MIOBuffer(producers[i].read_buffer);
(gdb) p producers
$6 = {{consumer_list = {head = 0x2b1b391f76b8}, self_consumer = 0x0, vc = 0x1, 
vc_handler = NULL, read_vio = 0x0, read_buffer = 0x2b1b7394d860, buffer_start = 
0x0, vc_type = HT_STATIC,
    chunked_handler = {static DEFAULT_MAX_CHUNK_SIZE = 4096, chunked_reader = 
0x0, dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0, 
chunked_buffer = 0x0, chunked_size = 0,
      truncation = false, skip_bytes = 0, state = 
ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left = 0, 
last_server_event = 0, running_sum = 0, num_digits = 0, max_chunk_size = 4096,
      max_chunk_header = '\000' <repeats 15 times>, max_chunk_header_len = 0}, 
chunking_action = TCA_PASSTHRU_DECHUNKED_CONTENT, do_chunking = false, 
do_dechunking = false,
    do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0, 
bytes_read = 0, handler_state = 0, num_consumers = 1, alive = false, 
read_success = true, name = 0x6b09bb "internal msg"}, {
    consumer_list = {head = 0x0}, self_consumer = 0x0, vc = 0x0, vc_handler = 
NULL, read_vio = 0x0, read_buffer = 0x0, buffer_start = 0x0, vc_type = 
HT_HTTP_SERVER, chunked_handler = {
      static DEFAULT_MAX_CHUNK_SIZE = 4096, chunked_reader = 0x0, 
dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0, 
chunked_buffer = 0x0, chunked_size = 0, truncation = false,
      skip_bytes = 0, state = ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size 
= 0, bytes_left = 0, last_server_event = 0, running_sum = 0, num_digits = 0, 
max_chunk_size = 4096,
      max_chunk_header = '\000' <repeats 15 times>, max_chunk_header_len = 0}, 
chunking_action = TCA_PASSTHRU_DECHUNKED_CONTENT, do_chunking = false, 
do_dechunking = false,
    do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0, 
bytes_read = 0, handler_state = 0, num_consumers = 0, alive = false, 
read_success = false, name = 0x0}}
(gdb) p i
$7 = <value optimized out>
(gdb) bt
#0  ink_atomic_increment<int, int> (f=<value optimized out>, 
item=0x2b1b2c028990) at ink_atomic.h:160
#1  reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) at 
ink_queue_ext.cc:614
#2  0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at 
../lib/ts/Allocator.h:68
#3  dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325
#4  IOBufferData::free (this=0x2b1ad6f76060) at 
../iocore/eventsystem/P_IOBuffer.h:338
#5  0x0000000000481f06 in operator= (this=0x2b1b71c49640) at ../lib/ts/Ptr.h:399
#6  clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426
#7  dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464
#8  IOBufferBlock::free (this=0x2b1b71c49640) at 
../iocore/eventsystem/P_IOBuffer.h:470
#9  0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:435
#10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464
#11 IOBufferBlock::free (this=0x2b1b71c48b00) at 
../iocore/eventsystem/P_IOBuffer.h:470
#12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at 
../../lib/ts/Ptr.h:399
#13 free_MIOBuffer (this=0x2b1b391f7680) at 
../../iocore/eventsystem/P_IOBuffer.h:776
#14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535
#15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at 
HttpSM.cc:6319
#16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, event=100, 
data=0x2b1b4c5edd88) at HttpSM.cc:2516
#17 0x000000000066ba3b in handleEvent (event=<value optimized out>, 
vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146
#18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) at 
UnixNetVConnection.cc:138
#19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, vc=0x2b1b4c5edc80, 
thread=<value optimized out>) at UnixNetVConnection.cc:320
#20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, 
event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378
#21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at I_Continuation.h:146
#22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, 
calling_code=5) at UnixEThread.cc:142
#23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at 
UnixEThread.cc:266
#24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88
#25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0
#26 0x00002b1ac138711d in clone () from /lib64/libc.so.6
(gdb) p 1
$8 = 1
(gdb) f 1
#1  reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) at 
ink_queue_ext.cc:614
614       ink_atomic_increment((int *)&pCache->nr_malloc, -1);
(gdb) p pCache
$9 = (InkThreadCache *) 0x2e73736969616e69
(gdb) p *pCache
Cannot access memory at address 0x2e73736969616e69
(gdb) f 2
#2  0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at 
../lib/ts/Allocator.h:68
68          ink_freelist_free(this->fl, ptr);
(gdb) p ptr
$10 = <value optimized out>
(gdb) p this
$11 = (Allocator * const) 0x0
(gdb) p *this
Cannot access memory at address 0x0
(gdb) f 3
#3  dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325
325           ioBufAllocator[_size_index].free_void(_data);
(gdb) p _data
$12 = 0x2b1b2c028990 ""
(gdb) p *data
Cannot take address of method data.
(gdb) p this
$13 = (IOBufferData * const) 0x2b1ad6f76060
(gdb) p ioBufAllocator[_size_index]
$14 = {fl = 0x27d73d0}
(gdb) p ioBufAllocator[_size_index].
alloc_void  fl          free_void   re_init
(gdb) p ioBufAllocator[_size_index].fl
$15 = (InkFreeList *) 0x27d73d0
(gdb) p * ioBufAllocator[_size_index].fl
$16 = {thread_cache_idx = 6, refcnt = 6, name = 0x6e8933 "UDPIOEventAllocator", 
type_size = 128, alignment = 32768, chunk_size = 159, chunk_byte_size = 20480, 
chunk_addr_mask = 18446744073709518848,
  count = 1431, allocated = 794, allocated_base = 0, count_base = 0, 
chunk_size_base = 128, nr_thread_cache = 9, pThreadCache = 0x2b1ae4001f30, lock 
= {__data = {__lock = 0, __count = 0, __owner = 0,
      __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 
0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}
(gdb) f 4
#4  IOBufferData::free (this=0x2b1ad6f76060) at 
../iocore/eventsystem/P_IOBuffer.h:338
338       dealloc();
(gdb) l
333     }
334
335     TS_INLINE void
336     IOBufferData::free()
337     {
338       dealloc();
339       ioDataAllocator.free(this);
340     }
341
342     //////////////////////////////////////////////////////////////////
(gdb) p this
$17 = (IOBufferData * const) 0x2b1ad6f76060
(gdb) p *this
$18 = {<RefCountObj> = {<ForceVFPTToTop> = {_vptr.ForceVFPTToTop = 0x6926d0}, 
m_refcount = 0}, _size_index = 0, _mem_type = DEFAULT_ALLOC, _data = 
0x2b1b2c028990 "",
  _location = 0x6b2478 "memory/IOBuffer/HttpSM.cc:5804"}
(gdb) f 5
#5  0x0000000000481f06 in operator= (this=0x2b1b71c49640) at ../lib/ts/Ptr.h:399
399         ((RefCountObj *) temp_ptr)->free();
(gdb) l
394       if (m_ptr != 0) {
395         _ptr()->refcount_inc();
396       }
397
398       if ((temp_ptr) && ((RefCountObj *) temp_ptr)->refcount_dec() == 0) {
399         ((RefCountObj *) temp_ptr)->free();
400       }
401
402       return (*this);
403     }
(gdb) p temp_ptr
$19 = <value optimized out>
(gdb) f 6
#6  clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426
426       data = NULL;
(gdb) l
421     }
422
423     TS_INLINE void
424     IOBufferBlock::clear()
425     {
426       data = NULL;
427       IOBufferBlock *p = next;
428       while (p) {
429         int r = p->refcount_dec();
430         if (r)
(gdb) f 7
#7  dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464
464       clear();
(gdb) l
459     }
460
461     TS_INLINE void
462     IOBufferBlock::dealloc()
463     {
464       clear();
465     }
466
467     TS_INLINE void
468     IOBufferBlock::free()
(gdb) f 8
#8  IOBufferBlock::free (this=0x2b1b71c49640) at 
../iocore/eventsystem/P_IOBuffer.h:470
470       dealloc();

{code}
