nginx 0.8.45-0.8.49 segfault bug
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 6 15:57:45 MSD 2010
Hello!
On Mon, Sep 06, 2010 at 02:55:41PM +0400, Igor Sysoev wrote:
> On Wed, Sep 01, 2010 at 10:18:26PM +0400, Maxim Dounin wrote:
>
> > Hello!
> >
> > On Wed, Sep 01, 2010 at 12:19:55PM -0400, zhijianpeng wrote:
> >
> > > Sorry,I forgot about that my friend patch 0.8.47 for me.
> > >
> > > Let's forget about it, and [b]0.8.49 is clean[/b]
> >
> > [...]
> >
> > > [b]proxy_ignore_client_abort on;[/b]
> >
> > [...]
> >
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 connect to 81.19.68.137:80, fd:9
> > > #4
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 http upstream connect: -2
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 event timer add: 9:
> > > 60000:1283357753347
> > > 2010/09/02 00:14:53 [debug] 15807#0: timer delta: 991
> > > 2010/09/02 00:14:53 [debug] 15807#0: posted events 0000000000000000
> > > 2010/09/02 00:14:53 [debug] 15807#0: worker cycle
> > > 2010/09/02 00:14:53 [debug] 15807#0: epoll timer: 60000
> > > 2010/09/02 00:14:53 [debug] 15807#0: epoll: fd:3 ev:0005
> > > d:00002B77E3EDC160
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 http run request: "/aa/bb?"
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 http read client request body
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 add cleanup: 0000000010258CE0
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 hashed path:
> > > /opt/itc/vmsnginx/client_body_temp/0000000002
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 temp fd:10
> > > 2010/09/02 00:14:53 [warn] 15807#0: *3 a client request body is buffered
> > > to a temporary file /opt/itc/vmsnginx/client_body_temp/0000000002 while
> > > connecting to upstream, client: 127.0.0.1, server: localhost, request:
> > > "POST /aa/bb HTTP/1.1", upstream: "http://81.19.68.137:80/aa/bb", host:
> > > "www.nginx.net"
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 write: 10, 000000001025E6B0, 5,
> > > 0
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 recv: fd:3 0 of 0
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 http client request body recv 0
> > > 2010/09/02 00:14:53 [info] 15807#0: *3 client closed prematurely
> > > connection while connecting to upstream, client: 127.0.0.1, server:
> > > localhost, request: "POST /aa/bb HTTP/1.1", upstream:
> > > "http://81.19.68.137:80/aa/bb", host: "www.nginx.net"
> > > 2010/09/02 00:14:53 [debug] 15807#0: *3 http finalize request: 400,
> > > "/aa/bb?" a:1, c:1
> >
> > [...]
> >
> > This seems to be (somewhat known) issue with
> > "proxy_ignore_client_abort on;" and requests with body. It
> > doesn't modify request handlers correctly (don't clear request
> > body read handler if one was set) and this may cause unexpected
> > behaviour.
> >
> > I'll take a look at this more closely later. Thanks for your
> > debugging.
>
> I my test nginx run
>
> 2010/09/06 14:48:22 [debug] 25462#0: *1 http run request: "/aa/bb?"
> 2010/09/06 14:48:22 [debug] 25462#0: *1 http request empty handler
>
> instead of
>
> 2010/09/02 00:14:53 [debug] 15807#0: *3 http run request: "/aa/bb?"
> 2010/09/02 00:14:53 [debug] 15807#0: *3 http read client request body
>
> I believe here is some patch or something else.
The problem with proxy_ignore_client_abort (i.e. unexpected "read
client request body" with resulting finalize 400) is easily
reproduceable here (and was reported previously).
It is racy though: it needs read body handler to be set and fired
again due to other activity on client's connection before request
to upstream was completed (note that in original report client
claims content length 5 but sends 5 bytes and newline). Hint: try
reproducing with unreachable upstream server.
I wasn't able to reproduce SIGSEGV though, but this may be even
more racy or manifest itself only with particular event method.
Maxim Dounin
More information about the nginx
mailing list