(sigh...where did I put the phone # for the mod_include help desk?)
With a cvs checkout from Wednesday PM on daedalus, I get seg faults in
ap_save_brigade() called by send_parsed_content() in mod_include.c .
We've seen the URL before - http://httpd.apache.org/docs/misc/FAQ.html
. The same request works fine on my Linux box.
We appear to be processing the <!--#include virtual="FAQ-D.html?" -->
tag. The brigade passed into ap_save_brigade() starts with a valid MMAP
bucket, followed by trash which may be a sentinel for another brigade.
This is right after a split, and the other brigade from the split looks
bad too. I don't see any signs of network errors.
Since I have no idea where the brigades got trashed, my plan is to
create a debug function which walks its input brigade and verifies that
each bucket has a valid type field, then sprinkle calls to this function
in strategic places within send_parsed_content(). Other ideas are
appreciated.
Questions:
* Since this code seems pretty fragile, I'm wondering if I should wrap
my debug code in #ifdef DEBUG_INCLUDE logic and commit it, assuming it
shakes out the current bug?
* Looking through the commit logs, I see hundreds of lines of changes going
in since 2.0.25, when I believe it worked. I don't think any of these
changes have simplified the module, and it was pretty complex to start
with. About a year ago, I remember rbb commenting that this code needed
rewriting. Now I'm a believer. What can we do to simplify this code?
Use a char * variable to hold the current tag?
Opinions?
Greg
------------------------------------------------------------
A few details from the dump. If you want more, the dump is on daedalus
at /usr/local/apache2.0.26-dev/corefiles/httpd.core .
(gdb) bt
#0 0x806dce3 in ap_save_brigade (f=0x8247c9c, saveto=0x8264054, b=0xbfbfacc8, p=0x824700c) at util_filter.c:296
#1 0x281e2abd in send_parsed_content (bb=0xbfbfb13c, r=0x824703c, f=0x8247c9c) at mod_include.c:2960
#2 0x281e2e54 in includes_filter (f=0x8247c9c, b=0x8247e4c)
at mod_include.c:3094
[...]
(gdb) fr 1
#1 0x281e2abd in send_parsed_content (bb=0xbfbfb13c, r=0x824703c, f=0x8247c9c)
at mod_include.c:2960
2960 ap_save_brigade(f, &ctx->ssi_tag_brigade, &tag_and_after, r->pool);
(gdb) list
2955 APR_BUCKET_NEXT(ctx->head_start_bucket);
2956 ctx->head_start_index = 0;
2957 }
2958 /* Set aside tag, pass pre-tag... */
2959 tag_and_after = apr_brigade_split(*bb, ctx->head_start_bucket);
2960 ap_save_brigade(f, &ctx->ssi_tag_brigade, &tag_and_after, r->pool);
2961 rv = ap_pass_brigade(f->next, *bb);
2962 if (rv != APR_SUCCESS) {
2963 return rv;
2964 }
(gdb) dump_brigade tag_and_after
dump of brigade 0x8247e7c
0: bucket=MMAP(0x8100440), length=187, data=0x80e8080
1Cannot access memory at address 0x0.
(gdb) p *tag_and_after
$1 = {p = 0x824700c, list = {next = 0x8100440, prev = 0x8247e50}}
(gdb) p *tag_and_after.list.next
$3 = {link = {next = 0x8247e30, prev = 0x8247e80}, type = 0x280b0fd4,
length = 187, start = 18504, data = 0x80e8080, sms = 0x80e4000}
(gdb) p *tag_and_after.list.next.link.next
$4 = {link = {next = 0x8247e50, prev = 0x8100440}, type = 0x0,
length = 136609324, start = 2885267100644575012, data = 0x8247dcc,
sms = 0x824700c}
(gdb) dump_brigade *bb
dump of brigade 0x8247e4c
0Cannot access memory at address 0x0.
(gdb) p *bb
$6 = (apr_bucket_brigade *) 0x8247e4c
(gdb) p **bb
$7 = {p = 0x824700c, list = {next = 0x8247e80, prev = 0x8247e30}}
(gdb) p *(**bb).list.next
$10 = {link = {next = 0x8100440, prev = 0x8247e50}, type = 0x0,
length = 136609404, start = 2885267100644575012, data = 0x8247e5c, sms = 0x0}
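
Added example, not part of the original message and not httpd or APR code: a sketch of the kind of brigade-walking check the message proposes, extended to verify the ring back-links and to bound the walk as well as checking each bucket's type field. The structs are simplified stand-ins for apr_bucket and apr_bucket_brigade, and the names check_brigade, known_types and the BB_* codes are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified stand-ins for apr_bucket / apr_bucket_brigade (assumption:
 * only the ring links and the type pointer matter for this check). */
typedef struct bucket_type { const char *name; } bucket_type;
typedef struct bucket {
    struct bucket *next, *prev;   /* ring links first, as in the dump */
    const bucket_type *type;
    size_t length;
} bucket;
typedef struct brigade { void *p; struct { bucket *next, *prev; } list; } brigade;

static const bucket_type type_mmap = { "MMAP" }, type_eos = { "EOS" };
static const bucket_type *const known_types[] = { &type_mmap, &type_eos };
enum { N_TYPES = 2, BB_OK = 0, BB_BAD_LINK, BB_BAD_TYPE, BB_TOO_LONG };

/* The ring head doubles as a fake sentinel element; never read its fields. */
#define SENTINEL(bb) ((bucket *)(void *)&(bb)->list)
static void bb_init(brigade *bb) { bb->list.next = bb->list.prev = SENTINEL(bb); }

static void bb_append(brigade *bb, bucket *e)
{
    e->next = SENTINEL(bb);
    e->prev = bb->list.prev;
    if (bb->list.prev == SENTINEL(bb)) bb->list.next = e;
    else bb->list.prev->next = e;
    bb->list.prev = e;
}

/* Walk bb; return the first problem found, with its bucket index in *idx. */
static int check_brigade(brigade *bb, size_t max, size_t *idx)
{
    bucket *prev = SENTINEL(bb), *e = bb->list.next;
    size_t k;
    for (*idx = 0; e != SENTINEL(bb); prev = e, e = e->next, ++*idx) {
        if (*idx >= max) return BB_TOO_LONG;      /* cycle or runaway walk */
        if (e == NULL || e->prev != prev) return BB_BAD_LINK;
        for (k = 0; k < N_TYPES && e->type != known_types[k]; k++) {}
        if (k == N_TYPES) return BB_BAD_TYPE;
    }
    return bb->list.prev == prev ? BB_OK : BB_BAD_LINK;
}

int main(void)
{   /* Constructed case modelled on the dump: MMAP bucket, then type == NULL. */
    brigade bb; size_t idx;
    bucket m = { 0, 0, &type_mmap, 187 }, stray = { 0, 0, NULL, 0 };
    bb_init(&bb); bb_append(&bb, &m); bb_append(&bb, &stray);
    return check_brigade(&bb, 64, &idx) == BB_BAD_TYPE && idx == 1 ? 0 : 1;
}
```

A check like this can only report damage it can reach through readable pointers; a link pointing at unmapped memory still faults during the walk.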