<div dir="ltr"><span id="docs-internal-guid-54e8326c-eac0-ed77-bce9-2759b84ca4db"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">I have investigated this further and found that ngx_finalize_connection() is being called recursively and on the third recursive call, called by ngx_upstream_finalize_request(), sometimes the call to set_lingering_close() calls ngx_http_close_request() which runs the log handler then closes the connection. This frees up r->pool and during the unwinding of the stack ngx_http_log_request()/ngx_http_log_handler() are called a second time which end up calling ngx_pnalloc() with a null r->pool pointer here: </span><a href="http://lxr.nginx.org/source/src/http/modules/ngx_http_log_module.c#0349" style="text-decoration:none"><span style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">http://lxr.nginx.org/source/src/http/modules/ngx_http_log_module.c#0349</span></a></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">This is reproducible with the module linked below when setup with an upstream and nikto pointed at nginx.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">I have found a fix by setting r->keepalive to 0 before finalising the request, if you revert this commit nginx will stop coring and the issue seems to be taken care of.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/tommywatson/nginx-hello-world-module/commit/1d94b065be875d26e11ff14257c411076aa79eaa" style="text-decoration:none"><span style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">https://github.com/tommywatson/nginx-hello-world-module/commit/1d94b065be875d26e11ff14257c411076aa79eaa</span></a></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Any help on a better solution would be great.</span></p><br><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Cheers.</span></span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 13, 2015 at 8:44 PM, tommy watson <span dir="ltr"><<a href="mailto:tommywatson+nginx-devel@gmail.com" target="_blank">tommywatson+nginx-devel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div>  I'm trying to continue or cancel an ngx_http_request_t after a slight delay but am failing miserably, I keep getting crashes and am not sure what I'm doing wrong. </div><div>The code is here <a href="https://github.com/tommywatson/nginx-hello-world-module" target="_blank">https://github.com/tommywatson/nginx-hello-world-module</a> (borrowed from <a href="https://www.ruby-forum.com/topic/5564332" target="_blank">https://www.ruby-forum.com/topic/5564332</a>) basically it pauses and fires and event to continue or finalize the request. Firing nikto at it brings the dump below.</div><div> Any help/insight appreciated.</div><div><br></div><div>Cheers.</div><div><br></div><div><div>Program terminated with signal SIGSEGV, Segmentation fault.</div><div>#0  0x0000000000406af2 in ngx_pnalloc (pool=0x0, size=181) at src/core/ngx_palloc.c:155</div><div>155<span style="white-space:pre-wrap">       </span>    if (size <= pool->max) {</div><div>(gdb) where</div><div>#0  0x0000000000406af2 in ngx_pnalloc (pool=0x0, size=181) at src/core/ngx_palloc.c:155</div><div>#1  0x0000000000452692 in ngx_http_log_handler (r=0x6676b50) at src/http/modules/ngx_http_log_module.c:349</div><div>#2  0x000000000044c385 in ngx_http_log_request (r=0x6676b50) at src/http/ngx_http_request.c:3510</div><div>#3  0x000000000044c1f2 in ngx_http_free_request (r=0x6676b50, rc=0) at src/http/ngx_http_request.c:3457</div><div>#4  0x000000000044b297 in ngx_http_set_keepalive (r=0x6676b50) at src/http/ngx_http_request.c:2895</div><div>#5  0x000000000044a994 in ngx_http_finalize_connection (r=0x6676b50) at src/http/ngx_http_request.c:2532</div><div>#6  0x000000000044a10b in ngx_http_finalize_request (r=0x6676b50, rc=-4) at src/http/ngx_http_request.c:2262</div><div>#7  0x000000000043cb18 in ngx_http_core_content_phase (r=0x6676b50, ph=0x60b7798) at src/http/ngx_http_core_module.c:1407</div><div>#8  0x000000000043b911 in ngx_http_core_run_phases (r=0x6676b50) at src/http/ngx_http_core_module.c:888</div><div>#9  0x00000000004af101 in hack_event (e=0x6677bc8) at ../nginx-hello-world-module/ngx_http_hello_world_module.c:85</div><div>#10 0x000000000042afac in ngx_event_expire_timers () at src/event/ngx_event_timer.c:94</div><div>#11 0x00000000004290a7 in ngx_process_events_and_timers (cycle=0x608f310) at src/event/ngx_event.c:262</div><div>#12 0x000000000043493f in ngx_worker_process_cycle (cycle=0x608f310, data=0x0) at src/os/unix/ngx_process_cycle.c:824</div><div>#13 0x000000000043176d in ngx_spawn_process (cycle=0x608f310, proc=0x43476b <ngx_worker_process_cycle>, data=0x0, name=0x4b3180 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198</div><div>#14 0x0000000000433a71 in ngx_start_worker_processes (cycle=0x608f310, n=1, type=-3) at src/os/unix/ngx_process_cycle.c:368</div><div>#15 0x00000000004331cd in ngx_master_process_cycle (cycle=0x608f310) at src/os/unix/ngx_process_cycle.c:140</div><div>#16 0x00000000004037c6 in main (argc=1, argv=0xffefffbe8) at src/core/nginx.c:407</div><div>(gdb) quit</div></div><div><br></div></div>
</blockquote></div><br></div>