a weird crash in ngx_http_core_run_phases()

YongFeng Wu ywu at about.com
Thu Mar 21 15:35:32 UTC 2013 

Hi,

 

Sometimes we got weird segmentation fault  crashes in
ngx_http_core_rewrite_phase():

 

(gdb) bt

#0  0x0000000801c17a00 in ?? ()

#1  0x0000000814c7ca10 in ?? ()

#2  0x0000000809453600 in ?? ()

#3  0x000000000044715e in ngx_http_core_rewrite_phase (r=0x80fbf6150,
ph=0xfffffffffffffffb) at src/http/ngx_http_core_module.c:931

#4  0x0000000000440c65 in ngx_http_core_run_phases (r=0x801c17a00) at
src/http/ngx_http_core_module.c:877

#5  0x0000000000440e1c in ngx_http_handler (r=0x801c17a00) at
src/http/ngx_http_core_module.c:860

#6  0x0000000000459620 in ngx_http_process_request (r=0x801c17a00) at
src/http/ngx_http_request.c:1687

#7  0x000000000045a97e in ngx_http_process_request_headers (rev=Variable
"rev" is not available.

) at src/http/ngx_http_request.c:1135

#8  0x000000000045b2e7 in ngx_http_process_request_line (rev=0x801d4d380) at
src/http/ngx_http_request.c:933

#9  0x0000000000454a69 in ngx_http_init_request (rev=0x801d4d380) at
src/http/ngx_http_request.c:519

#10 0x000000000042c249 in ngx_event_process_posted (cycle=0x801c6e050,
posted=0x818488) at src/event/ngx_event_posted.c:41

#11 0x000000000042b84d in ngx_process_events_and_timers (cycle=0x801c6e050)
at src/event/ngx_event.c:1376

#12 0x0000000000436429 in ngx_worker_process_cycle (cycle=0x801c6e050,
data=Variable "data" is not available.

) at src/os/unix/ngx_process_cycle.c:963

#13 0x0000000000434bb7 in ngx_spawn_process (cycle=0x801c6e050,
proc=0x436330 <ngx_worker_process_cycle>, data=0x18,

    name=0x4d9987 "worker process", respawn=-3) at
src/os/unix/ngx_process.c:209

#14 0x00000000004358e8 in ngx_start_worker_processes (cycle=0x801c6e050,
n=32, type=-3) at src/os/unix/ngx_process_cycle.c:409

#15 0x00000000004371c3 in ngx_master_process_cycle (cycle=0x801c6e050) at
src/os/unix/ngx_process_cycle.c:150

#16 0x00000000004078ff in main (argc=350832656, argv=Variable "argv" is not
available.

) at src/core/nginx.c:504

(gdb)

 

It's weird because the address of "r" was mysteriously changed from
<0x801c17a00> in ngx_http_core_run_phases to <0x80fbf6150> in
ngx_http_core_rewrite_phase. This new address is, of course, an invalid
request struct, hence the invalid r->phase_handler and
&ph[r->phase_handler].

 

The value of r->phase_handler in ngx_http_core_run_phases() is 0, so
ngx_http_core_rewrite_phase is the first phase hander to be called.

 

Try to check the address of "*r" get the following:

 

(gdb) f 3

#3  0x000000000044715e in ngx_http_core_rewrite_phase (r=0x80fbf6150,
ph=0xfffffffffffffffb) at src/http/ngx_http_core_module.c:931

956     in src/http/ngx_http_core_module.c

(gdb) p &r

Address requested for identifier "r" which is in register $rbx

(gdb) p $rbx

$9 = 34623938896

 

Anybody have any ideas? We use FreeBSD 9.1, nginx_1.2.6

 

Thanks a lot,

Yong

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20130321/4cd5032c/attachment.html>

More information about the nginx-devel mailing list