Looks like [efd71d49bde0 [2]] could be indeed responsible for that:
I see at least one state where rev->ready could remain 1 (after
rev->available gets 0) e. g. deviation between blocks
[efd71d49bde0#l10.8 [3]] and [efd71d49bde0#l11.8 [4]] where first did
not reset rev->ready and for example if ngx_socket_nread in
[efd71d49bde0#l10.38 [5]] would write 0 into rev->available, so
rev->ready remains 1 yet.
Maybe it should be changed to this one:
if (rev->available == 0 && !rev->pending_eof) {
if (rev->available <= 0 && !rev->pending_eof) {
Also rev->available could remain negative if n != size and
ngx_readv_chain or ngx_unix_recv wouldn't enter this blocks or if
ngx_socket_nread failed (returns -1).
And there are some code pices where nginx would expect positive
ev->available.
So I guess either one of this blocks are not fully correct, or perhaps
the block [efd71d49bde0#l10.28 [6]] could be moved to end of the #if
(NGX_HAVE_FIONREAD) block (before #endif at least in case
!rev->pending_eof).
Regards,
Sergey.
18.11.2019 15:03, Dave Brennan wrote:
> For the last few years we have been using the "nginx_upload" module to
> streamline result posting within our environment.
>
> With the introduction of nginx 1.17.5 we saw a large number of segment
> faults, causing us to revert to 1.17.4 on our development system.
>
> While isolating the fault we added an increase in debug messages to monitor
> the request and context variables being passed to event handlers.
>
> So a good response in 1.17.4 looks like this:-
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload handle pre alloc
> Request address = 0000563E9FE451F0 Context = 0000000000000000
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload Handler post alloc
> Request address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload_eval_path Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload eval state path Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload client read Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 do read upload client Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 process request body Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 upload md5 variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload variable Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload File size variable
> Request address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> 2019/11/14 10:24:21 [debug] 12398#12398: *9770 Upload Body Handler Request
> address = 0000563E9FE451F0 Context = 0000563E9FE81CD8
>
> In 1.17.5 the event stream looks like this:-
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload handle pre alloc
> Request address = 0000558ADDD4F780 Context = 0000000000000000
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload Handler post alloc
> Request address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload_eval_path Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload eval state path Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload client read Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 do read upload client Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 process request body Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 process request body Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 upload md5 variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload variable Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload File size variable
> Request address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [debug] 28086#28086: *3703 Upload Body Handler Request
> address = 0000558ADDD4F780 Context = 0000558ADDD49FF8
>
> 2019/11/13 14:21:52 [DEBUG] 28086#28086: *3703 READ UPLOAD CLENT REQUEST BODY
> REQUEST ADDRESS = 0000558ADDD4F780 CONTEXT = 0000000000000000
>
> 2019/11/13 14:21:52 [DEBUG] 28086#28086: *3703 DO READ UPLOAD CLIENT REQUEST
> ADDRESS = 0000558ADDD4F780 CONTEXT = 0000000000000000
>
> There appears to be an extra call to the request "read event" and although
> the request address has not changed the context address returned by:-
>
> ngx_http_upload_ctx_t *u = ngx_http_get_module_ctx(r,
> ngx_http_upload_module);
>
> Returns NULL, which causes any reference to the context table to cause a
> segment fault.
>
> While it is possible to work round this by checking for a NULL context, the
> read event appears to be rouge when compared to the previous version of
> nginx, and I can only assume has been generated by code changes in 1.17.5.
>
> Dave Brennan
> Cyber Protection Senior Technologist
>
> CORVID Protect Holdings Limited, trading as CORVID Protect, is registered in
> Guernsey, company number FC034204, whose registered office is at Royal Bank
> Place, 1 Glategny Esplanade, St Peter Port, Guernsey GY1 4ND. CORVID Protect
> Holdings Limited is a subsidiary company of Ultra Electronics Holdings plc
> registered in England and Wales, company number 02830397, whose registered
> office is at 35 Portman Square, London W1H 6LR.
>
> Ultra Electronics is committed to safeguarding the privacy of all personal
> data: data privacy notice. Email communications may be monitored by us, as
> permitted by applicable law and regulations. This email is confidential and
> may also be privileged. If you have received this message in error you should
> notify the sender immediately by reply e-mail and delete the message from
> your system.
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel [1]
Links:
------
[1] http://mailman.nginx.org/mailman/listinfo/nginx-devel
[2] https://hg.nginx.org/nginx/rev/efd71d49bde0
[3] https://hg.nginx.org/nginx/rev/efd71d49bde0#l10.8
[4] https://hg.nginx.org/nginx/rev/efd71d49bde0#l11.8
[5] https://hg.nginx.org/nginx/rev/efd71d49bde0#l10.38
[6] https://hg.nginx.org/nginx/rev/efd71d49bde0#l10.28
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
