[ 
https://issues.apache.org/jira/browse/TS-1273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216631#comment-14216631
 ] 

Susan Hinrichs commented on TS-1273:
------------------------------------

This issue has the same root cause as TS-1254.  Calling TSMimeHdrFieldRemove() 
followed by TSMimeHdrFieldDestroy() was causing problems because detach was 
being called twice, the second time on a field that had already been detached.

I verified that this logic has been fixed in the 5.x code.  Both methods call 
detach, but detach now detects that the field has already been detached and 
does not run the logic again.

> Crash report: selectively deleting instances of mime header field which has 
> duplicates causes core dump
> -------------------------------------------------------------------------------------------------------
>
>                 Key: TS-1273
>                 URL: https://issues.apache.org/jira/browse/TS-1273
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: MIME
>    Affects Versions: 3.0.4
>            Reporter: Manjesh Nilange
>            Assignee: Susan Hinrichs
>              Labels: Crash
>             Fix For: 5.3.0
>
>
> Try header plugin
> #include <ts/ts.h>
> static int deleteLastCookie(TSCont, TSEvent, void *);
> void TSPluginInit(int argc, const char *argv[]) // plugin entry point; argc/argv are not used here
> {
>   TSCont globalCont = TSContCreate(deleteLastCookie, 0); // continuation handled by deleteLastCookie; second argument is 0
>   TSHttpHookAdd(TS_HTTP_SEND_RESPONSE_HDR_HOOK, globalCont); // invoke it on the send-response-header hook
> }
> static int deleteLastCookie(TSCont cont, TSEvent event, void *edata) // repro handler: removes only the last Set-Cookie duplicate
> {
>   TSHttpTxn txn = static_cast<TSHttpTxn>(edata); // edata carries the transaction handle
>   TSMBuffer hdrBuf;
>   TSMLoc hdrLoc;
>   if (TSHttpTxnClientRespGet(txn, &hdrBuf, &hdrLoc) != TS_SUCCESS) // client response header not available
>   {
>     TSError("Could not get client response object");
>     TSHttpTxnReenable(txn, TS_EVENT_HTTP_CONTINUE); // reenable the transaction on the error path as well
>     return 0;
>   }
>   TSMLoc fieldLoc = TSMimeHdrFieldFind(hdrBuf, hdrLoc, 
> TS_MIME_FIELD_SET_COOKIE, -1); // start at the first Set-Cookie field
>   while (fieldLoc) // walk the chain of duplicate fields
>   {
>     TSMLoc nextFieldLoc = TSMimeHdrFieldNextDup(hdrBuf, hdrLoc, fieldLoc); // fetch the successor before the current field is modified
>     if (!nextFieldLoc) // no successor: fieldLoc is the last duplicate
>     {
>       TSMimeHdrFieldRemove(hdrBuf, hdrLoc, fieldLoc); // first detach (the TS-1273 comment says both calls detach)
>       TSMimeHdrFieldDestroy(hdrBuf, hdrLoc, fieldLoc); // second detach of the same field; frames #2 -> #0 of the backtrace
>     }
>     TSHandleMLocRelease(hdrBuf, hdrLoc, fieldLoc); // released on every iteration, including after the destroy above
>     fieldLoc = nextFieldLoc;
>   }
>   TSHandleMLocRelease(hdrBuf, 0, hdrLoc); // release the header handle; parent argument is 0
>   TSHttpTxnReenable(txn, TS_EVENT_HTTP_CONTINUE); // let the transaction continue
>   return 0;
> }
> with OS script
> <?php
> // bool setcookie ( string $name [, string $value [, int $expire = 0 [, 
> string $path [, string $domain [, bool $secure = false [, bool $httponly = 
> false ]]]]]] )
>   setcookie('foo', 'bar1'); // each setcookie() call adds one Set-Cookie response header
>   setcookie('foo', 'bar2', time() + 1000, "/", "www.test.com", false, false);
>   setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
>   setcookie('foo', 'bar3', time() + 1000, "/", ".www.test.com", false, false);
>   setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
>   setcookie('foo2', 'bar5', time() + 1000, "/", "test.com", false, false);
>   setcookie('foo3', 'bar6');
>   setcookie('foo3', 'bar6', time() + 1000, "/", "www.test.com", true, false); // eight calls in total, so the response carries duplicate Set-Cookie fields
> ?>
> <html>
> <body>
> This is a test
> </body>
> </html>
> And there's a core consistently with this stack trace
> (gdb) bt
> #0  mime_hdr_field_detach (mh=0x7ffff403f8c8, field=0x7ffff403fa58, 
> detach_all_dups=false) at MIME.cc:1640
> #1  0x00000000005a0237 in mime_hdr_field_delete (heap=0x7ffff403f810, 
> mh=0x7ffff403f8c8, field=0x7ffff403fa58, 
>     delete_all_dups=<value optimized out>) at MIME.cc:1688
> #2  0x00000000004a6a51 in TSMimeHdrFieldDestroy (bufp=0x7fffec251ab8, 
> mh_mloc=0x7ffff403f898, 
>     field_mloc=0x7fffdc0258d0) at InkAPI.cc:2719
> #3  0x00007fffed56ba73 in deleteLastCookie(tsapi_cont*, TSEvent, void*) ()
>    from /home/mnilange/temp/mime-field-crash.so
> #4  0x00000000005137a5 in HttpSM::state_api_callout (this=0x7fffec2511c0, 
> event=<value optimized out>, 
>     data=<value optimized out>) at HttpSM.cc:1374
> #5  0x000000000051bc6c in HttpSM::set_next_state (this=0x7fffec2511c0) at 
> HttpSM.cc:6534
> #6  0x000000000050912f in HttpSM::call_transact_and_set_next_state 
> (this=0x7fffec2511c0, f=<value optimized out>)
>     at HttpSM.cc:6329
> #7  0x00000000005134f8 in HttpSM::state_api_callout (this=0x7fffec2511c0, 
> event=0, data=0x0) at HttpSM.cc:1448
> #8  0x0000000000514d38 in do_api_callout (this=0x7fffec2511c0, event=100, 
> data=0x7fffe401db80) at HttpSM.cc:497
> #9  HttpSM::state_read_server_response_header (this=0x7fffec2511c0, 
> event=100, data=0x7fffe401db80)
>     at HttpSM.cc:1826
> #10 0x0000000000515cc8 in HttpSM::main_handler (this=0x7fffec2511c0, 
> event=100, data=0x7fffe401db80)
>     at HttpSM.cc:2439
> #11 0x00000000006346bb in handleEvent (event=<value optimized out>, 
> vc=0x7fffe401d9c0)
>     at ../../iocore/eventsystem/I_Continuation.h:146
> #12 read_signal_and_update (event=<value optimized out>, vc=0x7fffe401d9c0) 
> at UnixNetVConnection.cc:138
> #13 0x00000000006371f1 in read_from_net (nh=0x7ffff6630628, 
> vc=0x7fffe401d9c0, thread=<value optimized out>)
>     at UnixNetVConnection.cc:320
> #14 0x0000000000630952 in NetHandler::mainNetEvent (this=0x7ffff6630628, 
> event=<value optimized out>, 
>     e=<value optimized out>) at UnixNet.cc:389
> #15 0x0000000000656d24 in handleEvent (this=0x7ffff662f010, e=0xfc1190, 
> calling_code=5) at I_Continuation.h:146
> #16 EThread::process_event (this=0x7ffff662f010, e=0xfc1190, calling_code=5) 
> at UnixEThread.cc:140
> #17 0x00000000006576b3 in EThread::execute (this=0x7ffff662f010) at 
> UnixEThread.cc:262
> #18 0x0000000000655f82 in spawn_thread_internal (a=0xfbb570) at Thread.cc:88
> #19 0x000000320aa077e1 in start_thread () from /lib64/libpthread.so.0
> #20 0x000000320a6e68ed in clone () from /lib64/libc.so.6
> proxy/hdrs/MIME.cc:1640 shows
>    while (prev && (prev->m_next_dup != field))
>       prev = prev->m_next_dup;
>     ink_assert(prev != NULL);
>     if (prev->m_next_dup == field)
>       prev->m_next_dup = next_dup;
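> so the ink_assert says prev is not expected to be NULL, yet prev becoming 
> NULL is one of the ways the while loop can end - the two are contradictory, 
> and unless the assert aborts first, the next line dereferences prev.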


