[mp2] Segfaults in mpxs_Apache2__RequestRec_rflush

[Damian Lukowski]

Hi,

we are encountering occasional connection disruptions caused by segmentation
faults in xs/Apache2/RequestIO/Apache2__RequestIO.h Our application is a
PerlResponseHandler based on Catalyst::View::Mason on Debian Wheezy. The
segfault seems to always happen in mpxs_Apache2__RequestRec_rflush().
Sometimes we have NULL dereference, sometimes dangling pointers:

> (gdb) bt
> #0  0x00007fd145345728 in mpxs_Apache2__RequestRec_rflush 
> (my_perl=0x7fd1520b3950, items=1, mark=0x7fd1542ed2a0, sp=0x7fd1542ed298)
>     at 
> /libapache2-mod-perl2-2.0.7/xs/Apache2/RequestIO/Apache2__RequestIO.h:177
> #1  0x00007fd14534724d in XS_Apache2__RequestRec_rflush 
> (my_perl=0x7fd1520b3950, cv=0x7fd1552432b8) at RequestIO.xs:201
> #2  0x00007fd14aa24266 in Perl_pp_entersub (my_perl=0x7fd1520b3950) at 
> pp_hot.c:3046
> #3  0x00007fd14aa1bf52 in Perl_runops_standard (my_perl=0x7fd1520b3950) at 
> run.c:41
> #4  0x00007fd14a9babc6 in Perl_call_sv (my_perl=my_perl@entry=0x7fd1520b3950, 
> sv=sv@entry=0x7fd1541a71d0, flags=flags@entry=45) at perl.c:2647
> #5  0x00007fd14aa296df in S_curse (check_refcnt=1 '\001', sv=0x7fd155cc70d0, 
> my_perl=0x7fd1520b3950) at sv.c:6342
> #6  Perl_sv_clear (my_perl=my_perl@entry=0x7fd1520b3950, 
> orig_sv=orig_sv@entry=0x7fd156306b18) at sv.c:6073
> #7  0x00007fd14aa29f3f in Perl_sv_free2 
> (my_perl=my_perl@entry=0x7fd1520b3950, sv=sv@entry=0x7fd156306b18) at 
> sv.c:6474
> #8  0x00007fd14aa15aff in Perl_hv_free_ent 
> (my_perl=my_perl@entry=0x7fd1520b3950, hv=hv@entry=0x7fd156311498, 
> entry=entry@entry=0x7fd156315908) at hv.c:1468
> #9  0x00007fd14aa15fcb in S_hfreeentries 
> (my_perl=my_perl@entry=0x7fd1520b3950, hv=hv@entry=0x7fd156311498) at 
> hv.c:1786
> #10 0x00007fd14aa19081 in Perl_hv_undef_flags 
> (my_perl=my_perl@entry=0x7fd1520b3950, hv=hv@entry=0x7fd156311498, 
> flags=flags@entry=2) at hv.c:1873
> #11 0x00007fd14aa29acf in Perl_sv_clear 
> (my_perl=my_perl@entry=0x7fd1520b3950, orig_sv=orig_sv@entry=0x7fd156311498) 
> at sv.c:6125
> #12 0x00007fd14aa29f3f in Perl_sv_free2 
> (my_perl=my_perl@entry=0x7fd1520b3950, sv=0x7fd156311498) at sv.c:6474
> #13 0x00007fd14aa4c31b in Perl_free_tmps 
> (my_perl=my_perl@entry=0x7fd1520b3950) at scope.c:167
> #14 0x00007fd14aa1cb49 in Perl_pp_unstack (my_perl=0x7fd1520b3950) at 
> pp_hot.c:221
> #15 0x00007fd14aa1bf52 in Perl_runops_standard (my_perl=0x7fd1520b3950) at 
> run.c:41
> #16 0x00007fd14a9babc6 in Perl_call_sv (my_perl=0x7fd1520b3950, 
> sv=0x7fd152db6318, flags=10) at perl.c:2647
> #17 0x00007fd14a4c69b5 in modperl_callback (my_perl=0x7fd1520b3950, 
> handler=0x7fd14fe062e0, p=0x7fd14fc64028, r=0x7fd14fc640a0, s=0x7fd14fe14810, 
> args=0x7fd156306ff8)
>     at modperl_callback.c:101
> #18 0x00007fd14a4c740b in modperl_callback_run_handlers (idx=6, type=4, 
> r=0x7fd14fc640a0, c=0x0, s=0x7fd14fe14810, pconf=0x0, plog=0x0, ptemp=0x0, 
> run_mode=MP_HOOK_RUN_FIRST)
>     at modperl_callback.c:262
> #19 0x00007fd14a4c79c1 in modperl_callback_per_dir (idx=6, r=0x7fd14fc640a0, 
> run_mode=MP_HOOK_RUN_FIRST) at modperl_callback.c:369
> #20 0x00007fd14a4c0079 in modperl_response_handler_run (r=0x7fd14fc640a0) at 
> mod_perl.c:1000
> #21 0x00007fd14a4c03d9 in modperl_response_handler_cgi (r=0x7fd14fc640a0) at 
> mod_perl.c:1099
> #22 0x00007fd14fe8ec90 in ap_run_handler (r=0x7fd14fc640a0) at config.c:159
> #23 0x00007fd14fe8f0db in ap_invoke_handler (r=r@entry=0x7fd14fc640a0) at 
> config.c:377
> #24 0x00007fd14fe9f208 in ap_process_request (r=r@entry=0x7fd14fc640a0) at 
> http_request.c:282
> #25 0x00007fd14fe9c0c8 in ap_process_http_connection (c=0x7fd14fc81290) at 
> http_core.c:190
> #26 0x00007fd14fe95650 in ap_run_process_connection (c=0x7fd14fc81290) at 
> connection.c:43
> #27 0x00007fd14fe95a38 in ap_process_connection (c=c@entry=0x7fd14fc81290, 
> csd=<optimized out>) at connection.c:190
> #28 0x00007fd14fea3dbe in child_main (child_num_arg=child_num_arg@entry=0) at 
> prefork.c:667
> #29 0x00007fd14fea4512 in make_child (slot=0, s=0x7fd14fdea818) at 
> prefork.c:768
> #30 make_child (s=0x7fd14fdea818, slot=0) at prefork.c:696
> #31 0x00007fd14fea5076 in perform_idle_server_maintenance (p=<optimized out>) 
> at prefork.c:903
> #32 ap_mpm_run (_pconf=_pconf@entry=0x7fd14fe34028, plog=<optimized out>, 
> s=s@entry=0x7fd14fdea818) at prefork.c:1107
> #33 0x00007fd14fe79896 in main (argc=3, argv=0x7fff0fa46788) at main.c:755
> (gdb) frame 0
> #0  0x00007fd145345728 in mpxs_Apache2__RequestRec_rflush 
> (my_perl=0x7fd1520b3950, items=1, mark=0x7fd1542ed2a0, sp=0x7fd1542ed298)
>     at 
> /libapache2-mod-perl2-2.0.7/xs/Apache2/RequestIO/Apache2__RequestIO.h:177
> 177       MP_CHECK_WBUCKET_INIT("$r->rflush");
> (gdb) list
> 172       /* this also magically assings to r ;-) */
> 173       mpxs_usage_va_1(r, "$r->rflush()");
> 174   
> 175       rcfg = modperl_config_req_get(r);
> 176   
> 177       MP_CHECK_WBUCKET_INIT("$r->rflush");
> 178       MP_TRACE_o(MP_FUNC, "%d bytes [%s]",
> 179                  rcfg->wbucket->outcnt,
> 180                  apr_pstrmemdup(rcfg->wbucket->pool, 
> rcfg->wbucket->outbuf,
> 181                                 rcfg->wbucket->outcnt));
> (gdb) p rcfg->wbucket
> Cannot access memory at address 0xc54b77eb434f4e66

Other example:


> (gdb) bt
> #0  0x00007fb700952728 in mpxs_Apache2__RequestRec_rflush 
> (my_perl=0x7fb70f64f440, items=1, mark=0x7fb70c0b5d50, sp=0x7fb70c0b5d48)
>     at 
> /libapache2-mod-perl2-2.0.7/xs/Apache2/RequestIO/Apache2__RequestIO.h:177
> #1  0x00007fb70095424d in XS_Apache2__RequestRec_rflush 
> (my_perl=0x7fb70f64f440, cv=0x7fb70c046328) at RequestIO.xs:201
> #2  0x00007fb705e2b266 in Perl_pp_entersub (my_perl=0x7fb70f64f440) at 
> pp_hot.c:3046
> #3  0x00007fb705e22f52 in Perl_runops_standard (my_perl=0x7fb70f64f440) at 
> run.c:41
> #4  0x00007fb705dc1bc6 in Perl_call_sv (my_perl=my_perl@entry=0x7fb70f64f440, 
> sv=sv@entry=0x7fb70e702d50, flags=flags@entry=45) at perl.c:2647
> #5  0x00007fb705e306df in S_curse (check_refcnt=1 '\001', sv=0x7fb7101483b8, 
> my_perl=0x7fb70f64f440) at sv.c:6342
> #6  Perl_sv_clear (my_perl=my_perl@entry=0x7fb70f64f440, 
> orig_sv=orig_sv@entry=0x7fb71016ffb0) at sv.c:6073
> #7  0x00007fb705e30f3f in Perl_sv_free2 
> (my_perl=my_perl@entry=0x7fb70f64f440, sv=sv@entry=0x7fb71016ffb0) at 
> sv.c:6474
> #8  0x00007fb705e1caff in Perl_hv_free_ent 
> (my_perl=my_perl@entry=0x7fb70f64f440, hv=hv@entry=0x7fb710142d40, 
> entry=entry@entry=0x7fb710143b18) at hv.c:1468
> #9  0x00007fb705e1cfcb in S_hfreeentries 
> (my_perl=my_perl@entry=0x7fb70f64f440, hv=hv@entry=0x7fb710142d40) at 
> hv.c:1786
> #10 0x00007fb705e20081 in Perl_hv_undef_flags 
> (my_perl=my_perl@entry=0x7fb70f64f440, hv=hv@entry=0x7fb710142d40, 
> flags=flags@entry=2) at hv.c:1873
> #11 0x00007fb705e30acf in Perl_sv_clear 
> (my_perl=my_perl@entry=0x7fb70f64f440, orig_sv=orig_sv@entry=0x7fb710142d40) 
> at sv.c:6125
> #12 0x00007fb705e30f3f in Perl_sv_free2 
> (my_perl=my_perl@entry=0x7fb70f64f440, sv=0x7fb710142d40) at sv.c:6474
> #13 0x00007fb705e5331b in Perl_free_tmps 
> (my_perl=my_perl@entry=0x7fb70f64f440) at scope.c:167
> #14 0x00007fb705e23b49 in Perl_pp_unstack (my_perl=0x7fb70f64f440) at 
> pp_hot.c:221
> #15 0x00007fb705e22f52 in Perl_runops_standard (my_perl=0x7fb70f64f440) at 
> run.c:41
> #16 0x00007fb705dc1bc6 in Perl_call_sv (my_perl=0x7fb70f64f440, 
> sv=0x7fb70cffeb08, flags=10) at perl.c:2647
> #17 0x00007fb7061009b5 in modperl_callback (my_perl=0x7fb70f64f440, 
> handler=0x7fb70b21c2e0, p=0x7fb70b089028, r=0x7fb70b0890a0, s=0x7fb70b224810, 
> args=0x7fb7101706b8)
>     at modperl_callback.c:101
> #18 0x00007fb70610140b in modperl_callback_run_handlers (idx=6, type=4, 
> r=0x7fb70b0890a0, c=0x0, s=0x7fb70b224810, pconf=0x0, plog=0x0, ptemp=0x0, 
> run_mode=MP_HOOK_RUN_FIRST)
>     at modperl_callback.c:262
> #19 0x00007fb7061019c1 in modperl_callback_per_dir (idx=6, r=0x7fb70b0890a0, 
> run_mode=MP_HOOK_RUN_FIRST) at modperl_callback.c:369
> #20 0x00007fb7060fa079 in modperl_response_handler_run (r=0x7fb70b0890a0) at 
> mod_perl.c:1000
> #21 0x00007fb7060fa3d9 in modperl_response_handler_cgi (r=0x7fb70b0890a0) at 
> mod_perl.c:1099
> #22 0x00007fb70b2a0c90 in ap_run_handler (r=0x7fb70b0890a0) at config.c:159
> #23 0x00007fb70b2a10db in ap_invoke_handler (r=r@entry=0x7fb70b0890a0) at 
> config.c:377
> #24 0x00007fb70b2b1208 in ap_process_request (r=r@entry=0x7fb70b0890a0) at 
> http_request.c:282
> #25 0x00007fb70b2ae0c8 in ap_process_http_connection (c=0x7fb70b093290) at 
> http_core.c:190
> #26 0x00007fb70b2a7650 in ap_run_process_connection (c=0x7fb70b093290) at 
> connection.c:43
> #27 0x00007fb70b2a7a38 in ap_process_connection (c=c@entry=0x7fb70b093290, 
> csd=<optimized out>) at connection.c:190
> #28 0x00007fb70b2b5dbe in child_main (child_num_arg=child_num_arg@entry=9) at 
> prefork.c:667
> #29 0x00007fb70b2b6512 in make_child (slot=9, s=0x7fb70b240818) at 
> prefork.c:768
> #30 make_child (s=0x7fb70b240818, slot=9) at prefork.c:696
> #31 0x00007fb70b2b7076 in perform_idle_server_maintenance (p=<optimized out>) 
> at prefork.c:903
> #32 ap_mpm_run (_pconf=_pconf@entry=0x7fb70b246028, plog=<optimized out>, 
> s=s@entry=0x7fb70b240818) at prefork.c:1107
> #33 0x00007fb70b28b896 in main (argc=3, argv=0x7fff5df54748) at main.c:755
> (gdb) frame 0
> #0  0x00007fb700952728 in mpxs_Apache2__RequestRec_rflush 
> (my_perl=0x7fb70f64f440, items=1, mark=0x7fb70c0b5d50, sp=0x7fb70c0b5d48)
>     at 
> /libapache2-mod-perl2-2.0.7/xs/Apache2/RequestIO/Apache2__RequestIO.h:177
> 177       MP_CHECK_WBUCKET_INIT("$r->rflush");
> (gdb) list
> 172       /* this also magically assings to r ;-) */
> 173       mpxs_usage_va_1(r, "$r->rflush()");
> 174   
> 175       rcfg = modperl_config_req_get(r);
> 176   
> 177       MP_CHECK_WBUCKET_INIT("$r->rflush");
> 178       MP_TRACE_o(MP_FUNC, "%d bytes [%s]",
> 179                  rcfg->wbucket->outcnt,
> 180                  apr_pstrmemdup(rcfg->wbucket->pool, 
> rcfg->wbucket->outbuf,
> 181                                 rcfg->wbucket->outcnt));
> (gdb) p rcfg
> $2 = (modperl_config_req_t *) 0x0

I have no idea how to debug this further and would appreciate your help.

Best regards
 Damian