Re: mod_include seg faults

[Greg Ames]

duh! meant to post this to dev@httpd, but just sent it to Brian

Brian Pane wrote:
 
 Greg Ames wrote:
 
 With a cvs checkout from Wednesday PM on daedalus, I get seg faults in
 ap_save_brigade() called by send_parsed_content() in mod_include.c .

 
 Do the values of ctx-head_start_bucket and ctx-head_start_index look
 reasonable when it does the bucket_split and brigade_split just before
 the segv?  If those were bad, it might explain the trashed brigade.
 (I can't recreate the crash on Linux either; it never even enters that
 branch of the code.)

The problem is triggered by a dropped network connection.  This causes
one of the include virtual subrequests to fail with EPIPE.  It unwinds
back to ap_run_sub_req, which remembers the bad return value and then
calls ap_finalize_sub_req_protocol, which calls end_output_stream.  This
builds a brigade containing an EOS bucket only, which is passed down the
filter chain.  The first filter is ap_sub_req_output_filter, which
strips the EOS bucket creating an empty brigade, which is passed down. 
includes_filter is next.  It calls send_parsed_content, where ctx-state
== PARSE_DIRECTIVE and ctx-head_start_bucket points is non-null.  (We
never unwound all the way back to the main request's instance of
send_parsed_content/handle_include where some cleanup would happen.) 
The second instance of send_parsed content quickly bails out of its main
while loop because the brigade is empty, but code after the loop (line
2959 in the current HEAD) tries to split the empty brigade at
ctx-head_start_bucket, which create two bad brigades and leads to the
seg fault.

I can patch send_parsed_content so that we bypass the failing section of
code when it sees an empty brigade.  But I'm wondering if that is too
localized.  ap_finalize_sub_req_protocol / end_output_stream /
ap_sub_req_output_filter are passing down an empty brigade.  What's the
point, especially when the connection is gone?  ap_run_sub_req did get
an EPIPE.

Greg
---
more of the backtrace...should have posted more originally

#0  0x806dce3 in ap_save_brigade (f=0x8248c9c, saveto=0x8265054,
b=0xbfbfad44,
p=0x824800c) at util_filter.c:296
#1  0x281e3abd in send_parsed_content (bb=0xbfbfb1b8, r=0x824803c,
f=0x8248c9c)
at mod_include.c:2960
#2  0x281e3e54 in includes_filter (f=0x8248c9c, b=0x8248e4c)
at mod_include.c:3094
#3  0x806dc8d in ap_pass_brigade (next=0x8248c9c, bb=0x8248e4c)
at util_filter.c:276
#4  0x80769cf in ap_sub_req_output_filter (f=0x82483a4, bb=0x8248e4c)
at request.c:1392
#5  0x806dc8d in ap_pass_brigade (next=0x82483a4, bb=0x8248e4c)
at util_filter.c:276
#6  0x806f63c in end_output_stream (r=0x824803c) at protocol.c:729
#7  0x806f662 in ap_finalize_sub_req_protocol (sub=0x824803c) at
protocol.c:734
#8  0x8076e04 in ap_run_sub_req (r=0x824803c) at request.c:1740
#9  0x281e09e3 in handle_include (ctx=0x81c100c, bb=0xbfbfd7e8,
r=0x812803c,
f=0x81352d4, head_ptr=0x80e8400, inserted_head=0xbfbfd380)
at mod_include.c:1113
#10 0x281e3749 in send_parsed_content (bb=0xbfbfd7e8, r=0x812803c,
f=0x81352d4)
at mod_include.c:2844
#11 0x281e3e54 in includes_filter (f=0x81352d4, b=0x823f904)
at mod_include.c:3094
#12 0x806dc8d in ap_pass_brigade (next=0x81352d4, bb=0x813543c)
at util_filter.c:276
#13 0x80744da in default_handler (r=0x812803c) at core.c:2753
#14 0x8063d93 in ap_run_handler (r=0x812803c) at config.c:185
#15 0x806431f in ap_invoke_handler (r=0x812803c) at config.c:344
#16 0x8061411 in ap_process_request (r=0x812803c) at http_request.c:286
#17 0x805cd26 in ap_process_http_connection (c=0x8122114) at
http_core.c:287
#18 0x806c2d7 in ap_run_process_connection (c=0x8122114) at
connection.c:82
#19 0x806c495 in ap_process_connection (c=0x8122114) at connection.c:219
#20 0x806298c in child_main (child_num_arg=41) at prefork.c:830
#21 0x8062ae2 in make_child (s=0x8095804, slot=41) at prefork.c:917
#22 0x8062d35 in perform_idle_server_maintenance (p=0x809500c)
at prefork.c:1058
#23 0x80630f6 in ap_mpm_run (_pconf=0x809500c, plog=0x80cb00c,
s=0x8095804)
at prefork.c:1236
#24 0x806833f in main (argc=3, argv=0xbfbffbd0) at main.c:431
#25 0x805c8dd in _start ()

Re: mod_include seg faults

[Brian Pane]

Greg Ames wrote:

(sigh...where did I put the phone # for the mod_include help desk?) 

With a cvs checkout from Wednesday PM on daedalus, I get seg faults in
ap_save_brigade() called by send_parsed_content() in mod_include.c .
We've seen the URL before - http://httpd.apache.org/docs/misc/FAQ.html
.  The same request works fine on my Linux box.

We appear to be processing the !--#include virtual=FAQ-D.html? --
tag.  The brigade passed into ap_save_brigade() starts with a valid MMAP
bucket, followed by trash which may be a sentinel for another brigade. 
This is right after a split, and the other brigade from the split looks
bad too.  I don't see any signs of network errors.

Since I have no idea where the brigades got trashed, my plan is to
create a debug function which walks its input brigade and verifies that
each bucket has a valid type field, then sprinkle calls to this function
in strategic places within send_parsed_content().  Other ideas are
appreciated.


Do the values of ctx-head_start_bucket and ctx-head_start_index look
reasonable when it does the bucket_split and brigade_split just before
the segv?  If those were bad, it might explain the trashed brigade.
(I can't recreate the crash on Linux either; it never even enters that
branch of the code.)

Also, in case there's memory corruption happening in some other code
that triggers the segv here, do you have a Purify-style tool available
on that platform?

--Brian

Re: mod_include seg faults

[Ryan Bloom]

On Friday 21 September 2001 01:18 pm, Greg Ames wrote:

 * Looking thru the commit logs, I see hundreds of lines of changes going
 in since 2.0.25, when I believe it worked.  I don't think any of these
 changes have simplified the module, and it was pretty complex to start
 with.  About a year ago, I remember rbb commenting that this code needed
 rewriting.  Now I'm a believer.  What can we do to simplify this code?
 Use a char * variable to hold the current tag?

ARGH  Greg, now I have the Monkey's song, I'm a believer stuck in 
my head.  :-(

Ryan

__
Ryan Bloom  [EMAIL PROTECTED]
Covalent Technologies   [EMAIL PROTECTED]
--

Re: mod_include seg faults

[Bill Stoddard]

 On Friday 21 September 2001 01:18 pm, Greg Ames wrote:
 
  * Looking thru the commit logs, I see hundreds of lines of changes going
  in since 2.0.25, when I believe it worked.  I don't think any of these
  changes have simplified the module, and it was pretty complex to start
  with.  About a year ago, I remember rbb commenting that this code needed
  rewriting.  Now I'm a believer.  What can we do to simplify this code?
  Use a char * variable to hold the current tag?
 
 ARGH  Greg, now I have the Monkey's song, I'm a believer stuck in 
 my head.  :-(

The Smashmouth version or the original? :-)

Bill

Re: mod_include seg faults

[john sachs]

what is the case that causes segfault?
i'd like to get a test into httpd-test to catch this.
-j

Re: mod_include seg faults

[Greg Ames]

john sachs wrote:
 
 what is the case that causes segfault?
 i'd like to get a test into httpd-test to catch this.
 -j

It's just serving http://httpd.apache.org/docs/misc/FAQ.html on
FreeBSD.  It doesn't fail on Linux when I access it locally.  dunno why
it makes a difference yet.

I like the idea of beefing up httpd-test for mod_include though.  Jeff
sent me a couple of perl scripts that may trigger the failure.  I'll see
if they do, and post them if so.  The basic idea is a CGI which inserts
include tags at an offset that varies from the start of the response
document.  

Greg