A possible bug in ngx_rbtree

YongFeng Wu ywu at about.com
Fri Sep 28 15:01:12 UTC 2012


Hi,

 

We just found a worker process was stuck in an infinite loop, in function
ngx_open_file_lookup(). Checking the open file cache RB tree with GDB shows
the following:

 

(gdb) p cache->rbtree.root->right

$3 = (ngx_rbtree_node_t *) 0x80122f900

(gdb) p cache->rbtree.root->right->right

$4 = (ngx_rbtree_node_t *) 0x8040ea400

(gdb) p cache->rbtree.root->right->right->left

$5 = (ngx_rbtree_node_t *) 0x801236980

 

(gdb) p cache->rbtree.root->right->right->left->right

$6 = (ngx_rbtree_node_t *) 0x8090ee080

(gdb) p cache->rbtree.root->right->right->left->right->right

$7 = (ngx_rbtree_node_t *) 0x804aab280

(gdb) p cache->rbtree.root->right->right->left->right->right->left

$8 = (ngx_rbtree_node_t *) 0x804aabf00

 

(gdb) p cache->rbtree.root->right->right->left->right->right->left->left

$9 = (ngx_rbtree_node_t *) 0x8090ee080

(gdb) p
cache->rbtree.root->right->right->left->right->right->left->left->right

$10 = (ngx_rbtree_node_t *) 0x804aab280

(gdb) p
cache->rbtree.root->right->right->left->right->right->left->left->right->lef
t

$11 = (ngx_rbtree_node_t *) 0x804aabf00

 

(gdb) p
cache->rbtree.root->right->right->left->right->right->left->left->right->lef
t->left

$12 = (ngx_rbtree_node_t *) 0x8090ee080

(gdb) p
cache->rbtree.root->right->right->left->right->right->left->left->right->lef
t->left->right

$13 = (ngx_rbtree_node_t *) 0x804aab280

(gdb) p
cache->rbtree.root->right->right->left->right->right->left->left->right->lef
t->left->right->left

$14 = (ngx_rbtree_node_t *) 0x804aabf00

 

 

Please look at the address of

 

   cache->rbtree.root->right->right->left->right->right->left->left ($9)

 

It is the same as that of

 

   cache->rbtree.root->right->right->left->right ($6)

 

 

That means the $9 == $9->parent->parent->parent, so the infinite loop.

 

I think there might be a bug in ngx_rbtree.c. I'll really appreciate it if
somebody can look into it.

 

Thanks a lot,

Yongfeng Wu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120928/1c5f7a9e/attachment.html>


More information about the nginx-devel mailing list