[ https://issues.apache.org/jira/browse/TS-1803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zhao Yongming reassigned TS-1803: --------------------------------- Assignee: Yunkai Zhang (was: Zhao Yongming) please check if it is still valid, if not, resolve as 'can not reproduce' > Crash report: HttpTunnel::deallocate_buffers -> IOBufferBlock::free -> > reclamable_freelist_free -> ink_atomic_increment > ----------------------------------------------------------------------------------------------------------------------- > > Key: TS-1803 > URL: https://issues.apache.org/jira/browse/TS-1803 > Project: Traffic Server > Issue Type: Bug > Components: Core > Reporter: Zhao Yongming > Assignee: Yunkai Zhang > Fix For: 4.2.0 > > > {code} > Core was generated by `/usr/bin/traffic_server -M --httpport 80:fd=9'. > Program terminated with signal 11, Segmentation fault. > #0 ink_atomic_increment<int, int> (f=<value optimized out>, > item=0x2b1b2c028990) at ink_atomic.h:160 > 160 return __sync_fetch_and_add(mem, (Type)count); > Missing separate debuginfos, use: debuginfo-install > expat-2.0.1-11.el6_2.x86_64 glibc-2.12-1.80.el6_3.7.x86_64 > keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6_4.1.x86_64 > libattr-2.4.44-7.el6.x86_64 libcap-2.16-5.5.el6.x86_64 > libcom_err-1.41.12-12.el6.x86_64 libgcc-4.4.6-4.el6.x86_64 > libselinux-2.0.94-5.3.el6.x86_64 libstdc++-4.4.6-4.el6.x86_64 > openssl-1.0.0-27.el6_4.2.x86_64 pcre-7.8-6.el6.x86_64 tcl-8.5.7-6.el6.x86_64 > ts-verycdn-stable.2.0.1535-1.el6.x86_64 > xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64 zlib-1.2.3-29.el6.x86_64 > (gdb) bt > #0 ink_atomic_increment<int, int> (f=<value optimized out>, > item=0x2b1b2c028990) at ink_atomic.h:160 > #1 reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) > at ink_queue_ext.cc:614 > #2 0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at > ../lib/ts/Allocator.h:68 > #3 dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325 > #4 IOBufferData::free (this=0x2b1ad6f76060) at > ../iocore/eventsystem/P_IOBuffer.h:338 > #5 0x0000000000481f06 in operator= (this=0x2b1b71c49640) at > ../lib/ts/Ptr.h:399 > #6 clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426 > #7 dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464 > #8 IOBufferBlock::free (this=0x2b1b71c49640) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #9 0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:435 > #10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464 > #11 IOBufferBlock::free (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at > ../../lib/ts/Ptr.h:399 > #13 free_MIOBuffer (this=0x2b1b391f7680) at > ../../iocore/eventsystem/P_IOBuffer.h:776 > #14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535 > #15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at > HttpSM.cc:6319 > #16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, > event=100, data=0x2b1b4c5edd88) at HttpSM.cc:2516 > #17 0x000000000066ba3b in handleEvent (event=<value optimized out>, > vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146 > #18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) > at UnixNetVConnection.cc:138 > #19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, > vc=0x2b1b4c5edc80, thread=<value optimized out>) at UnixNetVConnection.cc:320 > #20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, > event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378 > #21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at I_Continuation.h:146 > #22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at UnixEThread.cc:142 > #23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at > UnixEThread.cc:266 > #24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88 > #25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0 > #26 0x00002b1ac138711d in clone () from /lib64/libc.so.6 > (gdb) f 14 > #14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535 > 535 free_MIOBuffer(producers[i].read_buffer); > (gdb) p producers[i].read_buffer > value has been optimized out > (gdb) p producers[i] > value has been optimized out > (gdb) f 13 > #13 free_MIOBuffer (this=0x2b1b391f7680) at > ../../iocore/eventsystem/P_IOBuffer.h:776 > 776 mio->_writer = NULL; > (gdb) p mio > $1 = (MIOBuffer *) 0x2b1b7394d860 > (gdb) p *mio > $2 = {size_index = 4, water_mark = 0, _writer = {m_ptr = 0x0}, readers = > {{accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, > size_limit = 9223372036854775807}, {accessor = 0x0, > mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, size_limit = > 9223372036854775807}, {accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, > start_offset = 0, size_limit = 9223372036854775807}, { > accessor = 0x0, mbuf = 0x0, block = {m_ptr = 0x0}, start_offset = 0, > size_limit = 9223372036854775807}, {accessor = 0x0, mbuf = 0x0, block = > {m_ptr = 0x0}, start_offset = 0, > size_limit = 9223372036854775807}}, _location = 0x6b2478 > "memory/IOBuffer/HttpSM.cc:5804"} > (gdb) f 12 > #12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at > ../../lib/ts/Ptr.h:399 > 399 ((RefCountObj *) temp_ptr)->free(); > (gdb) p temp_ptr > $3 = <value optimized out> > (gdb) f 11 > #11 IOBufferBlock::free (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:470 > 470 dealloc(); > (gdb) p this > $4 = (IOBufferBlock * const) 0x2b1b71c48b00 > (gdb) p *this > $5 = {<RefCountObj> = {<ForceVFPTToTop> = {_vptr.ForceVFPTToTop = 0x692690}, > m_refcount = 0}, _start = 0x2b1bcfa11800 "", _end = 0x2b1bcfa11800 "", > _buf_end = 0x2b1bcfa12000 "", > _location = 0x6b2478 "memory/IOBuffer/HttpSM.cc:5804", data = {m_ptr = > 0x0}, next = {m_ptr = 0x2b1b71c49640}} > (gdb) bt > #0 ink_atomic_increment<int, int> (f=<value optimized out>, > item=0x2b1b2c028990) at ink_atomic.h:160 > #1 reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) > at ink_queue_ext.cc:614 > #2 0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at > ../lib/ts/Allocator.h:68 > #3 dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325 > #4 IOBufferData::free (this=0x2b1ad6f76060) at > ../iocore/eventsystem/P_IOBuffer.h:338 > #5 0x0000000000481f06 in operator= (this=0x2b1b71c49640) at > ../lib/ts/Ptr.h:399 > #6 clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426 > #7 dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464 > #8 IOBufferBlock::free (this=0x2b1b71c49640) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #9 0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:435 > #10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464 > #11 IOBufferBlock::free (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at > ../../lib/ts/Ptr.h:399 > #13 free_MIOBuffer (this=0x2b1b391f7680) at > ../../iocore/eventsystem/P_IOBuffer.h:776 > #14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535 > #15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at > HttpSM.cc:6319 > #16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, > event=100, data=0x2b1b4c5edd88) at HttpSM.cc:2516 > #17 0x000000000066ba3b in handleEvent (event=<value optimized out>, > vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146 > #18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) > at UnixNetVConnection.cc:138 > #19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, > vc=0x2b1b4c5edc80, thread=<value optimized out>) at UnixNetVConnection.cc:320 > #20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, > event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378 > #21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at I_Continuation.h:146 > #22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at UnixEThread.cc:142 > #23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at > UnixEThread.cc:266 > #24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88 > #25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0 > #26 0x00002b1ac138711d in clone () from /lib64/libc.so.6 > (gdb) f 14 > #14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535 > 535 free_MIOBuffer(producers[i].read_buffer); > (gdb) p producers > $6 = {{consumer_list = {head = 0x2b1b391f76b8}, self_consumer = 0x0, vc = > 0x1, vc_handler = NULL, read_vio = 0x0, read_buffer = 0x2b1b7394d860, > buffer_start = 0x0, vc_type = HT_STATIC, > chunked_handler = {static DEFAULT_MAX_CHUNK_SIZE = 4096, chunked_reader = > 0x0, dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0, > chunked_buffer = 0x0, chunked_size = 0, > truncation = false, skip_bytes = 0, state = > ChunkedHandler::CHUNK_READ_CHUNK, cur_chunk_size = 0, bytes_left = 0, > last_server_event = 0, running_sum = 0, num_digits = 0, max_chunk_size = 4096, > max_chunk_header = '\000' <repeats 15 times>, max_chunk_header_len = > 0}, chunking_action = TCA_PASSTHRU_DECHUNKED_CONTENT, do_chunking = false, > do_dechunking = false, > do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0, > bytes_read = 0, handler_state = 0, num_consumers = 1, alive = false, > read_success = true, name = 0x6b09bb "internal msg"}, { > consumer_list = {head = 0x0}, self_consumer = 0x0, vc = 0x0, vc_handler = > NULL, read_vio = 0x0, read_buffer = 0x0, buffer_start = 0x0, vc_type = > HT_HTTP_SERVER, chunked_handler = { > static DEFAULT_MAX_CHUNK_SIZE = 4096, chunked_reader = 0x0, > dechunked_buffer = 0x0, dechunked_size = 0, dechunked_reader = 0x0, > chunked_buffer = 0x0, chunked_size = 0, truncation = false, > skip_bytes = 0, state = ChunkedHandler::CHUNK_READ_CHUNK, > cur_chunk_size = 0, bytes_left = 0, last_server_event = 0, running_sum = 0, > num_digits = 0, max_chunk_size = 4096, > max_chunk_header = '\000' <repeats 15 times>, max_chunk_header_len = > 0}, chunking_action = TCA_PASSTHRU_DECHUNKED_CONTENT, do_chunking = false, > do_dechunking = false, > do_chunked_passthru = false, init_bytes_done = 0, nbytes = 0, ntodo = 0, > bytes_read = 0, handler_state = 0, num_consumers = 0, alive = false, > read_success = false, name = 0x0}} > (gdb) p i > $7 = <value optimized out> > (gdb) bt > #0 ink_atomic_increment<int, int> (f=<value optimized out>, > item=0x2b1b2c028990) at ink_atomic.h:160 > #1 reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) > at ink_queue_ext.cc:614 > #2 0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at > ../lib/ts/Allocator.h:68 > #3 dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325 > #4 IOBufferData::free (this=0x2b1ad6f76060) at > ../iocore/eventsystem/P_IOBuffer.h:338 > #5 0x0000000000481f06 in operator= (this=0x2b1b71c49640) at > ../lib/ts/Ptr.h:399 > #6 clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426 > #7 dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464 > #8 IOBufferBlock::free (this=0x2b1b71c49640) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #9 0x0000000000481eb2 in clear (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:435 > #10 dealloc (this=0x2b1b71c48b00) at ../iocore/eventsystem/P_IOBuffer.h:464 > #11 IOBufferBlock::free (this=0x2b1b71c48b00) at > ../iocore/eventsystem/P_IOBuffer.h:470 > #12 0x00000000005636c6 in operator= (this=0x2b1b391f7680) at > ../../lib/ts/Ptr.h:399 > #13 free_MIOBuffer (this=0x2b1b391f7680) at > ../../iocore/eventsystem/P_IOBuffer.h:776 > #14 HttpTunnel::deallocate_buffers (this=0x2b1b391f7680) at HttpTunnel.cc:535 > #15 0x000000000052ab23 in HttpSM::kill_this (this=0x2b1b391f5af0) at > HttpSM.cc:6319 > #16 0x000000000052b058 in HttpSM::main_handler (this=0x2b1b391f5af0, > event=100, data=0x2b1b4c5edd88) at HttpSM.cc:2516 > #17 0x000000000066ba3b in handleEvent (event=<value optimized out>, > vc=0x2b1b4c5edc80) at ../../iocore/eventsystem/I_Continuation.h:146 > #18 read_signal_and_update (event=<value optimized out>, vc=0x2b1b4c5edc80) > at UnixNetVConnection.cc:138 > #19 0x0000000000670054 in read_from_net (nh=0x2b1ac32f0bc0, > vc=0x2b1b4c5edc80, thread=<value optimized out>) at UnixNetVConnection.cc:320 > #20 0x0000000000667172 in NetHandler::mainNetEvent (this=0x2b1ac32f0bc0, > event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:378 > #21 0x000000000068f754 in handleEvent (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at I_Continuation.h:146 > #22 EThread::process_event (this=0x2b1ac32ed010, e=0x2b1ac3dfe9c0, > calling_code=5) at UnixEThread.cc:142 > #23 0x0000000000690133 in EThread::execute (this=0x2b1ac32ed010) at > UnixEThread.cc:266 > #24 0x000000000068e6d2 in spawn_thread_internal (a=0x27f5c40) at Thread.cc:88 > #25 0x00002b1abecf5851 in start_thread () from /lib64/libpthread.so.0 > #26 0x00002b1ac138711d in clone () from /lib64/libc.so.6 > (gdb) p 1 > $8 = 1 > (gdb) f 1 > #1 reclaimable_freelist_free (f=<value optimized out>, item=0x2b1b2c028990) > at ink_queue_ext.cc:614 > 614 ink_atomic_increment((int *)&pCache->nr_malloc, -1); > (gdb) p pCache > $9 = (InkThreadCache *) 0x2e73736969616e69 > (gdb) p *pCache > Cannot access memory at address 0x2e73736969616e69 > (gdb) f 2 > #2 0x0000000000481fd1 in free_void (this=0x2b1ad6f76060) at > ../lib/ts/Allocator.h:68 > 68 ink_freelist_free(this->fl, ptr); > (gdb) p ptr > $10 = <value optimized out> > (gdb) p this > $11 = (Allocator * const) 0x0 > (gdb) p *this > Cannot access memory at address 0x0 > (gdb) f 3 > #3 dealloc (this=0x2b1ad6f76060) at ../iocore/eventsystem/P_IOBuffer.h:325 > 325 ioBufAllocator[_size_index].free_void(_data); > (gdb) p _data > $12 = 0x2b1b2c028990 "" > (gdb) p *data > Cannot take address of method data. > (gdb) p this > $13 = (IOBufferData * const) 0x2b1ad6f76060 > (gdb) p ioBufAllocator[_size_index] > $14 = {fl = 0x27d73d0} > (gdb) p ioBufAllocator[_size_index]. > alloc_void fl free_void re_init > (gdb) p ioBufAllocator[_size_index].fl > $15 = (InkFreeList *) 0x27d73d0 > (gdb) p * ioBufAllocator[_size_index].fl > $16 = {thread_cache_idx = 6, refcnt = 6, name = 0x6e8933 > "UDPIOEventAllocator", type_size = 128, alignment = 32768, chunk_size = 159, > chunk_byte_size = 20480, chunk_addr_mask = 18446744073709518848, > count = 1431, allocated = 794, allocated_base = 0, count_base = 0, > chunk_size_base = 128, nr_thread_cache = 9, pThreadCache = 0x2b1ae4001f30, > lock = {__data = {__lock = 0, __count = 0, __owner = 0, > __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = > 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}} > (gdb) f 4 > #4 IOBufferData::free (this=0x2b1ad6f76060) at > ../iocore/eventsystem/P_IOBuffer.h:338 > 338 dealloc(); > (gdb) l > 333 } > 334 > 335 TS_INLINE void > 336 IOBufferData::free() > 337 { > 338 dealloc(); > 339 ioDataAllocator.free(this); > 340 } > 341 > 342 ////////////////////////////////////////////////////////////////// > (gdb) p this > $17 = (IOBufferData * const) 0x2b1ad6f76060 > (gdb) p *this > $18 = {<RefCountObj> = {<ForceVFPTToTop> = {_vptr.ForceVFPTToTop = 0x6926d0}, > m_refcount = 0}, _size_index = 0, _mem_type = DEFAULT_ALLOC, _data = > 0x2b1b2c028990 "", > _location = 0x6b2478 "memory/IOBuffer/HttpSM.cc:5804"} > (gdb) f 5 > #5 0x0000000000481f06 in operator= (this=0x2b1b71c49640) at > ../lib/ts/Ptr.h:399 > 399 ((RefCountObj *) temp_ptr)->free(); > (gdb) l > 394 if (m_ptr != 0) { > 395 _ptr()->refcount_inc(); > 396 } > 397 > 398 if ((temp_ptr) && ((RefCountObj *) temp_ptr)->refcount_dec() == 0) { > 399 ((RefCountObj *) temp_ptr)->free(); > 400 } > 401 > 402 return (*this); > 403 } > (gdb) p temp_ptr > $19 = <value optimized out> > (gdb) f 6 > #6 clear (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:426 > 426 data = NULL; > (gdb) l > 421 } > 422 > 423 TS_INLINE void > 424 IOBufferBlock::clear() > 425 { > 426 data = NULL; > 427 IOBufferBlock *p = next; > 428 while (p) { > 429 int r = p->refcount_dec(); > 430 if (r) > (gdb) f 7 > #7 dealloc (this=0x2b1b71c49640) at ../iocore/eventsystem/P_IOBuffer.h:464 > 464 clear(); > (gdb) l > 459 } > 460 > 461 TS_INLINE void > 462 IOBufferBlock::dealloc() > 463 { > 464 clear(); > 465 } > 466 > 467 TS_INLINE void > 468 IOBufferBlock::free() > (gdb) f 8 > #8 IOBufferBlock::free (this=0x2b1b71c49640) at > ../iocore/eventsystem/P_IOBuffer.h:470 > 470 dealloc(); > {code} -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira