ngx_chain_get_free_buf crashes with free=0 after return next_body_filter

Ruslan Khusnullin ruslan.khusnullin at gmail.com
Mon Dec 3 17:27:36 UTC 2012


Hello, I cannot find the root cause of an issue and hope for your help.

My nginx plugin crashes and dumps core on the line containing return in
the body_filter function:

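/* Forward declaration: the filter is referenced in init before its definition. */
static ngx_int_t ngx_http_my_body_filter (ngx_http_request_t * r,
    ngx_chain_t * in);

/* Next body filter in the chain, saved at postconfiguration time. */
static ngx_http_output_body_filter_pt my_next_body_filter;

static ngx_int_t ngx_http_my_init (ngx_conf_t * cf) {
    /* Insert this module's filter at the top of the body filter chain. */
    my_next_body_filter = ngx_http_top_body_filter;
    ngx_http_top_body_filter = ngx_http_my_body_filter;
    return NGX_OK;
}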

static ngx_http_module_t ngx_http_my_module_ctx = {
    NULL,                                /* preconfiguration */
    ngx_http_my_init,            /* postconfiguration */
    ...
};

static ngx_int_t ngx_http_my_body_filter (ngx_http_request_t * r, ngx_chain_t * in) {
    ngx_http_my_loc_conf_t * cf;
    cf = ngx_http_get_module_loc_conf (r, ngx_http_my_module);
    if (cf == NULL) return NGX_HTTP_INTERNAL_SERVER_ERROR;
    if (! cf->enabled || in == NULL || r->header_only) {
        return my_next_body_filter (r, in);
    }
    ...
}

I saw the same (or a very similar) return statement in other official modules
and they do not seem to crash. I can't understand why my module is crashing.

Here is what I've caught from gdb:
(gdb) bt
#0  ngx_chain_get_free_buf (p=0x80f5020, free=0x0) at src/core/ngx_buf.c:160
#1  0x08089fbe in ngx_http_chunked_body_filter (r=0x80de458, in=0xbfffe798)
at src/http/modules/ngx_http_chunked_filter_module.c:150
#2  0x0808ee07 in ngx_http_gzip_body_filter (r=0x80de458, in=0xbfffe798) at
src/http/modules/ngx_http_gzip_filter_module.c:324
#3  0x0808fc1a in ngx_http_postpone_filter (r=0x80de458, in=0x0) at
src/http/ngx_http_postpone_filter_module.c:83
#4  0x0809023d in ngx_http_ssi_body_filter (r=0x80de458, in=0x219) at
src/http/modules/ngx_http_ssi_filter_module.c:395
#5  0x08093ffd in ngx_http_charset_body_filter (r=0x80de458, in=0xbfffe798)
at src/http/modules/ngx_http_charset_filter_module.c:553
#6  0x080a65cb in ngx_http_my_body_filter (r=0x80de458, in=0xbfffe798) at
../../my/ngx_http_my_module.c:552
#7  0x0804fb22 in ngx_output_chain (ctx=0x80f778c, in=0xbfffe798) at
src/core/ngx_output_chain.c:66
#8  0x0807be9b in ngx_http_copy_filter (r=0x80de458, in=0xbfffe798) at
src/http/ngx_http_copy_filter_module.c:143
#9  0x0808a2a6 in ngx_http_range_body_filter (r=0x80de458, in=0xbfffe798)
at src/http/modules/ngx_http_range_filter_module.c:559
#10 0x0806f061 in ngx_http_output_filter (r=0x80de458, in=0xbfffe798) at
src/http/ngx_http_core_module.c:1912
#11 0x08089464 in ngx_http_static_handler (r=0x80de458) at
src/http/modules/ngx_http_static_module.c:266
#12 0x0807342f in ngx_http_core_content_phase (r=0x80de458, ph=0x80ecd3c)
at src/http/ngx_http_core_module.c:1403
#13 0x0806ecf5 in ngx_http_core_run_phases (r=0x80de458) at
src/http/ngx_http_core_module.c:877
#14 0x0806edfd in ngx_http_handler (r=0x219) at
src/http/ngx_http_core_module.c:860
#15 0x080725bd in ngx_http_internal_redirect (r=0x80de458, uri=0xbfffe884,
args=0xbfffe87c) at src/http/ngx_http_core_module.c:2545
#16 0x080752a1 in ngx_http_send_error_page (r=0x80de458, error=500) at
src/http/ngx_http_special_response.c:569
#17 ngx_http_special_response_handler (r=0x80de458, error=500) at
src/http/ngx_http_special_response.c:415
#18 0x0807779b in ngx_http_finalize_request (r=0x80de458, rc=500) at
src/http/ngx_http_request.c:2003
#19 0x080842b2 in ngx_http_upstream_finalize_request (r=0x80de458,
u=0x80f56ac, rc=500) at src/http/ngx_http_upstream.c:3095
#20 0x080856c4 in ngx_http_upstream_process_non_buffered_request
(r=0x80de458, do_write=<value optimized out>) at
src/http/ngx_http_upstream.c:2437
#21 0x08085994 in ngx_http_upstream_process_non_buffered_downstream
(r=0x80de458) at src/http/ngx_http_upstream.c:2368
#22 0x08086d5e in ngx_http_upstream_send_response (r=0x80de458,
u=0x80f56ac) at src/http/ngx_http_upstream.c:2141
#23 ngx_http_upstream_process_header (r=0x80de458, u=0x80f56ac) at
src/http/ngx_http_upstream.c:1644
#24 0x08084db5 in ngx_http_upstream_handler (ev=0x0) at
src/http/ngx_http_upstream.c:935
#25 0x080687b1 in ngx_epoll_process_events (cycle=0x80d6cd8, timer=60000,
flags=<value optimized out>) at src/event/modules/ngx_epoll_module.c:683
#26 0x0806152b in ngx_process_events_and_timers (cycle=0x80d6cd8) at
src/event/ngx_event.c:247
#27 0x08067427 in ngx_worker_process_cycle (cycle=0x80d6cd8, data=0x0) at
src/os/unix/ngx_process_cycle.c:810
#28 0x08065d01 in ngx_spawn_process (cycle=0x80d6cd8, proc=0x806736f
<ngx_worker_process_cycle>, data=0x0, name=0x80ae6c9 "worker process",
respawn=-3) at src/os/unix/ngx_process.c:198
#29 0x08066a7d in ngx_start_worker_processes (cycle=0x80d6cd8, n=1,
type=-3) at src/os/unix/ngx_process_cycle.c:365
#30 0x080679ae in ngx_master_process_cycle (cycle=0x80d6cd8) at
src/os/unix/ngx_process_cycle.c:137
#31 0x0804d381 in main (argc=1, argv=0xbfffedc4) at src/core/nginx.c:412

So ngx_chain_get_free_buf gets a null pointer and I can't understand why it
does. The situation is: there is an upstream configured and my body_filter
works with it; it should be "invisible" (not modify the contents) if it's
not enabled in the config or whatever else (you can see the conditions in the
code above).

Any ideas on what I'm doing wrong?

nginx-1.2.5
Linux 2.6.18 i686