Hi Lukas,

On Thu, Dec 03, 2015 at 06:22:12PM +0100, Lukas Tribus wrote:
> Hi Bernd, Willy,
> 
> 
> > Hello,
> >
> > I'm getting a segfault; it happens on 1 of ~500 million requests that are
> > processed on haproxy 1.6.2-2 on debian wheezy and jessie (systems
> > updated, crash stayed).
> >
> > If you need more information, let me know.
> >
> > Thank You.
> >
> > Trace:
> > (gdb) thread apply all bt full
> >
> > Thread 1 (Thread 0x7fd811254700 (LWP 19002)):
> > #0 __memmove_ssse3_back () at
> > ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1652
> > No locals.
> > #1 0x0000000000413349 in buffer_insert_line2 (b=0x1e47a70,
> > pos=0x1e47acb "ntent-Type: text/html;
> > charset=UTF-8\r\nTransfer-Encoding: chunked\r\n\r\n1b9\r\n<!DOCTYPE html
> > PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
> > \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\";>\n<html"...,
> > str=0x513979 "Connection: close",
> > len=17) at src/buffer.c:126
> > delta = 19
> 
> 
> Could this be:
> https://sourceware.org/bugzilla/show_bug.cgi?id=12518
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627818
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625521
> 
> 
> Short description:
> >  Starting with version 2.13, eglibc provides an SSSE3 optimized version
> >  of memcpy() on the amd64 architecture. This version might copy memory
> >  backward in some conditions, which causes issues if the source and
> >  destination overlap. memmove() should be used in such cases, but some
> >  programs still wrongly use memcpy().
> 
> 
> Although this seems like an old change (2011), so it's probably something
> else.

Thanks for these pointers. I don't think it's the same, because we do
have memmove() here, not memcpy(). The fact that glibc decided to use
memcpy in the end is probably only related to the fact that it implements
half of the memmove() using memcpy().

That said, I really don't understand here. The new length is short (19 bytes
inserted), we're not crossing a page boundary, everything looks pretty clean.

Maybe we're facing a bug where the buffer wraps at the end or something
like this. Bernd, if you still have the core, could you please issue
"print *b" while in buffer_insert_line2() ?

Thanks,
Willy
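The kind of shift buffer_insert_line2() performs, as an added example written for this thread and not haproxy's own code: a linear, non-wrapping buffer is assumed, the struct and function names are hypothetical, and the response bytes are constructed. It inserts the 17-byte "Connection: close" plus CRLF (delta = 19, as in the trace), uses memmove() for the overlapping tail, and refuses the insert when the shifted tail would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Linear buffer: data[0..used) holds the bytes, size is the capacity.
 * Hypothetical, simplified model; haproxy's own struct buffer can also wrap. */
struct linbuf { char *data; size_t size, used; };

/* Insert "str\r\n" at pos, shifting the tail [pos, end) right by len + 2.
 * Returns the number of bytes inserted, or 0 when the line does not fit.
 * The tail shift overlaps itself, so it must use memmove(), never memcpy(). */
size_t linbuf_insert_line(struct linbuf *b, char *pos, const char *str, size_t len)
{
    size_t delta = len + 2;
    char *end = b->data + b->used;
    if (pos < b->data || pos > end)   /* insertion point outside the used area */
        return 0;
    if (b->used + delta > b->size)    /* shifted tail would run past the buffer */
        return 0;
    memmove(pos + delta, pos, (size_t)(end - pos));
    memcpy(pos, str, len);
    pos[len] = '\r';
    pos[len + 1] = '\n';
    b->used += delta;
    return delta;
}

/* Constructed demo: add "Connection: close" after the status line of a small
 * response held in out[]; one byte of out[] is reserved for a terminating NUL. */
size_t demo_insert(char *out, size_t outsz)
{
    const char resp[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n";
    struct linbuf b;
    size_t delta;
    if (outsz < sizeof(resp))
        return 0;
    b.data = out; b.size = outsz - 1; b.used = sizeof(resp) - 1;
    memcpy(out, resp, b.used);
    /* Same call shape as in the trace: len=17, so delta=19. */
    delta = linbuf_insert_line(&b, out + 17, "Connection: close", 17);
    out[b.used] = '\0';
    return delta;
}

int main(void)
{
    char buf[128];
    size_t delta = demo_insert(buf, sizeof buf);
    printf("inserted %zu bytes:\n%s", delta, buf);
    return 0;
}
```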

