<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Sometimes we got weird segmentation fault crashes in ngx_http_core_rewrite_phase():<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>(gdb) bt<o:p></o:p></p><p class=MsoNormal>#0 0x0000000801c17a00 in ?? ()<o:p></o:p></p><p class=MsoNormal>#1 0x0000000814c7ca10 in ?? ()<o:p></o:p></p><p class=MsoNormal>#2 0x0000000809453600 in ?? ()<o:p></o:p></p><p class=MsoNormal>#3 0x000000000044715e in ngx_http_core_rewrite_phase (r=0x80fbf6150, ph=0xfffffffffffffffb) at src/http/ngx_http_core_module.c:931<o:p></o:p></p><p class=MsoNormal>#4 0x0000000000440c65 in ngx_http_core_run_phases (r=0x801c17a00) at src/http/ngx_http_core_module.c:877<o:p></o:p></p><p class=MsoNormal>#5 0x0000000000440e1c in ngx_http_handler (r=0x801c17a00) at src/http/ngx_http_core_module.c:860<o:p></o:p></p><p class=MsoNormal>#6 0x0000000000459620 in ngx_http_process_request (r=0x801c17a00) at src/http/ngx_http_request.c:1687<o:p></o:p></p><p class=MsoNormal>#7 0x000000000045a97e in ngx_http_process_request_headers (rev=Variable "rev" is not available.<o:p></o:p></p><p class=MsoNormal>) at src/http/ngx_http_request.c:1135<o:p></o:p></p><p class=MsoNormal>#8 0x000000000045b2e7 in ngx_http_process_request_line (rev=0x801d4d380) at src/http/ngx_http_request.c:933<o:p></o:p></p><p class=MsoNormal>#9 0x0000000000454a69 in ngx_http_init_request (rev=0x801d4d380) at src/http/ngx_http_request.c:519<o:p></o:p></p><p class=MsoNormal>#10 0x000000000042c249 in ngx_event_process_posted (cycle=0x801c6e050, posted=0x818488) at src/event/ngx_event_posted.c:41<o:p></o:p></p><p class=MsoNormal>#11 0x000000000042b84d in ngx_process_events_and_timers (cycle=0x801c6e050) at src/event/ngx_event.c:1376<o:p></o:p></p><p class=MsoNormal>#12 0x0000000000436429 in ngx_worker_process_cycle (cycle=0x801c6e050, data=Variable "data" is not available.<o:p></o:p></p><p class=MsoNormal>) at src/os/unix/ngx_process_cycle.c:963<o:p></o:p></p><p class=MsoNormal>#13 0x0000000000434bb7 in ngx_spawn_process (cycle=0x801c6e050, proc=0x436330 <ngx_worker_process_cycle>, data=0x18,<o:p></o:p></p><p class=MsoNormal> name=0x4d9987 "worker process", respawn=-3) at src/os/unix/ngx_process.c:209<o:p></o:p></p><p class=MsoNormal>#14 0x00000000004358e8 in ngx_start_worker_processes (cycle=0x801c6e050, n=32, type=-3) at src/os/unix/ngx_process_cycle.c:409<o:p></o:p></p><p class=MsoNormal>#15 0x00000000004371c3 in ngx_master_process_cycle (cycle=0x801c6e050) at src/os/unix/ngx_process_cycle.c:150<o:p></o:p></p><p class=MsoNormal>#16 0x00000000004078ff in main (argc=350832656, argv=Variable "argv" is not available.<o:p></o:p></p><p class=MsoNormal>) at src/core/nginx.c:504<o:p></o:p></p><p class=MsoNormal>(gdb)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It’s weird because the address of “r” was mysteriously changed from <0x801c17a00> in ngx_http_core_run_phases to <0x80fbf6150> in ngx_http_core_rewrite_phase. This new address is, of course, an invalid request struct, hence the invalid r->phase_handler and &ph[r->phase_handler].<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The value of r->phase_handler in ngx_http_core_run_phases() is 0, so ngx_http_core_rewrite_phase is the first phase hander to be called.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Try to check the address of “*r” get the following:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>(gdb) f 3<o:p></o:p></p><p class=MsoNormal>#3 0x000000000044715e in ngx_http_core_rewrite_phase (r=0x80fbf6150, ph=0xfffffffffffffffb) at src/http/ngx_http_core_module.c:931<o:p></o:p></p><p class=MsoNormal>956 in src/http/ngx_http_core_module.c<o:p></o:p></p><p class=MsoNormal>(gdb) p &r<o:p></o:p></p><p class=MsoNormal>Address requested for identifier "r" which is in register $rbx<o:p></o:p></p><p class=MsoNormal>(gdb) p $rbx<o:p></o:p></p><p class=MsoNormal>$9 = 34623938896<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Anybody have any ideas? We use FreeBSD 9.1, nginx_1.2.6<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks a lot,<o:p></o:p></p><p class=MsoNormal>Yong<o:p></o:p></p></div></body></html>