DO NOT REPLY [Bug 27667] New: - Multithreading bug in jk2 connector

Mon, 15 Mar 2004 07:11:39 -0800 

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=27667>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=27667

Multithreading bug in jk2 connector

           Summary: Multithreading bug in jk2 connector
           Product: Tomcat 4
           Version: 4.1.30
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


I think that there is a bug in jk2 connector related to
multithreading.

jk2 connector uses globalPool variable (an instance of apr_pool) to
store various data, for example apr_socket variables.
Apr_sockets are then accessed (created and closed) from multiple
threads. And they should not be, because as far as I can tell,
apr_pools are not thread safe.

Apr_pool implementation contains list of cleanup functions registered
in the pool. This list is not protected by synchronization code,
neither in the apr library, nor in jk2 connector.
As a result, this list can become corrupted and can cause apache
server to malfunction. In our environment we have noticed two kinds of
behavior:
1. apache dumping core after segmentation fault
2. apache entering infinite loop, because cleanup list got corrupted
and one of the elements on the list points to itself.

The sequence of functions causing the problem is:
jk2_channel_apr_close
  -> apr_socket_close
     -> apr_pool_cleanup_run
        -> apr_pool_cleanup_kill

and the apr_pool_cleanup_kill function looks as follows:

APR_DECLARE(void) apr_pool_cleanup_kill(apr_pool_t *p, const void *data,
                      apr_status_t (*cleanup_fn)(void *))
{
    cleanup_t *c, **lastp;

#if APR_POOL_DEBUG
    apr_pool_check_integrity(p);
#endif /* APR_POOL_DEBUG */

    if (p == NULL)
        return;

    c = p->cleanups;
    lastp = &p->cleanups;
    while (c) {
        if (c->data == data && c->plain_cleanup_fn == cleanup_fn) {
            *lastp = c->next;
            break;
        }

        lastp = &c->next;
        c = c->next;
    }
}

If apr_pool_cleanup_kill gets called from two threads at the same
time, the list can become corrupted.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to