nginx 0.8 segmentation violation в src/core/ngx_output_chain.c:629

DeD MustDIE dedmustdie на gmail.com
Чт Ноя 18 11:34:58 MSK 2010


Здравствуйте.

При заходе на определённые страницы сайта стали падать воркеры nginx.

worker process 31710 exited on signal 11 (core dumped)

Страницы динамические, генерятся php и по fastcgi передаются nginx.

FreeBSD example.com 7.2-STABLE FreeBSD 7.2-STABLE #3: Fri Aug  7
15:40:24 MSD 2009     root на example.com:/usr/obj/usr/src/sys/KERNEL
amd64
nginx version: nginx/0.8.53
configure arguments: --without-http_scgi_module
--without-http_uwsgi_module --prefix=/usr/local/etc/nginx
--with-cc-opt='-I /usr/local/include' --with-ld-opt='-L
/usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--with-debug --http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--with-http_realip_module --with-http_stub_status_module
--add-module=/var/tmp/ports/usr/ports/www/nginx-devel/work/nginx_upload_module-2.2.0
--add-module=/var/tmp/ports/usr/ports/www/nginx-devel/work/nginx_uploadprogress_module-0.8
--with-pcre

core dump показывает, что

ошибка в  src/core/ngx_output_chain.c:629

624             cl = ngx_alloc_chain_link(ctx->pool);
 625             if (cl == NULL) {
 626                 return NGX_ERROR;
 627             }
 628
>629             cl->buf = in->buf;
 630             cl->next = NULL;
 631             *ctx->last = cl;
 632             ctx->last = &cl->next;

0x40a533 <ngx_chain_writer+641> mov    DWORD PTR
[rbp-72],0xffffffffffffffff
0x40a53b <ngx_chain_writer+649> jmp    0x40a83c
<ngx_chain_writer+1418>
0x40a540 <ngx_chain_writer+654> mov    rax,DWORD PTR [rbp-48]
0x40a544 <ngx_chain_writer+658> mov    rdx,DWORD PTR [rax]
0x40a547 <ngx_chain_writer+661> mov    rax,DWORD PTR [rbp-16]

0x40a54b <ngx_chain_writer+665> mov    DWORD PTR [rax],rdx
здесь вылетает

(gdb) info register
rax            0x45c1a8 4571560
rbx            0x1      1
rcx            0xffffffffffffff3e       -194
rdx            0x8012261c8      34378768840
rsi            0x10     16
rdi            0x8013fe000      34380701696
rbp            0x7fffffffe400   0x7fffffffe400
rsp            0x7fffffffe3a0   0x7fffffffe3a0
r8             0x0      0
r9             0x7fffffffda38   140737488345656
r10            0xfffffffffffffff4       -12
r11            0x202    514
r12            0x7fffffffea90   140737488349840
r13            0x7fffffffea80   140737488349824
r14            0x0      0
r15            0x0      0
rip            0x40a54b 0x40a54b <ngx_chain_writer+665>
eflags         0x10202  66050
cs             0x2b     43
ss             0x23     35
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

(gdb) bt
#0  0x000000000040a54b in ngx_chain_writer (data=0x8013ff0e8,
in=0x801226770) at src/core/ngx_output_chain.c:629
#1  0x0000000000409388 in ngx_output_chain (ctx=0x8013ff080,
in=0x801226770) at src/core/ngx_output_chain.c:65
#2  0x000000000045bf3e in ngx_http_upstream_send_request
(r=0x800e3d800, u=0x8013ff000)
    at src/http/ngx_http_upstream.c:1339
#3  0x000000000045c1a4 in ngx_http_upstream_send_request_handler
(r=0x800e3d800, u=0x8013ff000)
    at src/http/ngx_http_upstream.c:1440
#4  0x000000000045b0a9 in ngx_http_upstream_handler (ev=0x801e004d0)
at src/http/ngx_http_upstream.c:892
#5  0x0000000000434f44 in ngx_kqueue_process_events
(cycle=0x800e10050, timer=500, flags=1)
    at src/event/modules/ngx_kqueue_module.c:683
#6  0x0000000000424ec9 in ngx_process_events_and_timers
(cycle=0x800e10050) at src/event/ngx_event.c:245
#7  0x0000000000431703 in ngx_worker_process_cycle (cycle=0x800e10050,
data=0x0) at src/os/unix/ngx_process_cycle.c:795
#8  0x000000000042e8bd in ngx_spawn_process
(cycle=dwarf2_read_address: Corrupted DWARF expression.
) at src/os/unix/ngx_process.c:196
#9  0x00000000004305f4 in ngx_start_worker_processes
(cycle=0x800e10050, n=8, type=-3)
    at src/os/unix/ngx_process_cycle.c:355
#10 0x000000000042fc79 in ngx_master_process_cycle (cycle=0x800e10050)
at src/os/unix/ngx_process_cycle.c:136
#11 0x000000000040350c in main (argc=1, argv=0x7fffffffea80) at
src/core/nginx.c:401

(gdb) p ctx->pool
$1 = (ngx_pool_t *) 0x8013fe000
(gdb) p *ctx->pool
$2 = {d = {last = 0x8013ff000 "╦аE", end = 0x8013ff000 "╦аE", next =
0x8013ff000, failed = 1}, max = 4016,
  current = 0x8013fe000, chain = 0x0, large = 0x0, cleanup = 0x0, log
= 0x80129ea60}
$20 = (ngx_pool_t *) 0x8013ff000
(gdb) p *ctx->pool->current->d.next
$21 = {d = {last = 0x45c1b8 "\213EхH\213@\020H\211EПH\213EПH\213 на PH\213",
    end = 0x45c0e6 "UH\211ЕH\203Л
H\211}ХH\211uЮH\213EЮH\213@\020H\211EЬH\213EХH\213@\bH\213 на PH\213",
next = 0x801700790,
    failed = 34374622008}, max = 16, current = 0x80129b830, chain =
0x1, large = 0x463baf, cleanup = 0x4645cc,
  log = 0x8012267f8}
(gdb) p cl
$4 = (ngx_chain_t *) 0x45c1a8


Указатель cl (0x45c1a8) указывает в секцию кода, поэтому при попытке
записи в cl->buf происходит
segmentation violation

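Неверный указатель cl возвращает цепочка вызовов
ngx_alloc_chain_link -> ngx_palloc:
ngx_palloc возвращает неверный указатель, так как
ctx->pool->current->d.next (0x8013ff000) указывает на несуществующий
или затёртый объект.
Судя по выводу gdb, этот адрес совпадает с d.last и d.end самого пула
и с адресом u в backtrace, а поля «блока» $21 (last, end, large, cleanup)
похожи на адреса в секции кода, то есть по этому адресу, по-видимому,
лежит не заголовок ngx_pool_t.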


Что делать?

-----------------------------------
Лалетин Михаил


