nginx worker segfault, NULL pool

Bruno Prémont bruno.premont at restena.lu
Fri Jun 8 12:40:52 UTC 2012


Hi,

Running nginx on ARM, I see the worker segfault on almost any request (the
only requests known not to crash it are /status/nginx and /status/php-fpm).
Attaching GDB to it, I get the following trace:

Program received signal SIGSEGV, Segmentation fault.
ngx_alloc_chain_link (pool=0x0) at src/core/ngx_buf.c:52
52      src/core/ngx_buf.c: No such file or directory.
        in src/core/ngx_buf.c
(gdb) backtrace
#0  ngx_alloc_chain_link (pool=0x0) at src/core/ngx_buf.c:52
#1  0x00012290 in ngx_chain_writer (data=0x525b24, in=<optimized out>) at src/core/ngx_output_chain.c:626
#2  0x0001202c in ngx_output_chain (ctx=0x525ae4, in=0x5260a4) at src/core/ngx_output_chain.c:66
#3  0x0004a6d0 in ngx_http_upstream_send_request (r=0x524c18, u=0x525a9c) at src/http/ngx_http_upstream.c:1394
#4  0x0004aeec in ngx_http_upstream_init_request (r=0x524c18) at src/http/ngx_http_upstream.c:645
#5  ngx_http_upstream_init (r=0x524c18) at src/http/ngx_http_upstream.c:446
#6  0x000427a4 in ngx_http_read_client_request_body (r=0x524c18, post_handler=0x4ac80 <ngx_http_upstream_init>) at src/http/ngx_http_request_body.c:59
#7  0x000612e0 in ngx_http_fastcgi_handler (r=0x524c18) at src/http/modules/ngx_http_fastcgi_module.c:636
#8  0x00036d18 in ngx_http_core_content_phase (r=0x524c18, ph=0x54ce08) at src/http/ngx_http_core_module.c:1396
#9  0x00032458 in ngx_http_core_run_phases (r=0x524c18) at src/http/ngx_http_core_module.c:877
#10 0x00037848 in ngx_http_internal_redirect (r=0x524c18, uri=<optimized out>, args=<optimized out>) at src/http/ngx_http_core_module.c:2545
#11 0x0004dad0 in ngx_http_index_handler (r=0x524c18) at src/http/modules/ngx_http_index_module.c:277
#12 0x00036d38 in ngx_http_core_content_phase (r=0x524c18, ph=0x54ce08) at src/http/ngx_http_core_module.c:1403
#13 0x00032458 in ngx_http_core_run_phases (r=0x524c18) at src/http/ngx_http_core_module.c:877
#14 0x0003bccc in ngx_http_process_request (r=0x524c18) at src/http/ngx_http_request.c:1688
#15 0x0003c6e0 in ngx_http_process_request_line (rev=0x40a5b10c) at src/http/ngx_http_request.c:932
#16 0x000397b8 in ngx_http_init_request (rev=0x40a5b10c) at src/http/ngx_http_request.c:519
#17 0x0002bf70 in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:679
#18 0x00023d0c in ngx_process_events_and_timers (cycle=0x51ec18) at src/event/ngx_event.c:247
#19 0x0002a278 in ngx_worker_process_cycle (cycle=<optimized out>, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:806
#20 0x00028920 in ngx_spawn_process (cycle=0x51ec18, proc=0, data=0x40096918, name=0x69d00 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198
#21 0x0002a6f0 in ngx_start_worker_processes (cycle=0x51ec18, n=1, type=-3) at src/os/unix/ngx_process_cycle.c:365
#22 0x0002acb0 in ngx_master_process_cycle (cycle=0x51ec18) at src/os/unix/ngx_process_cycle.c:137
#23 0x0000eb64 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:410


The system is Gentoo on ARM (armv5tel). Output of nginx -V follows (one patch
is applied: the forward-ported ipv6-geoip support patch, attached):

nginx version: nginx/1.2.1
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error_log --pid-path=/var/run/nginx.pid
--lock-path=/var/lock/nginx.lock --with-cc-opt=-I/usr/include
--with-ld-opt=-L/usr/lib --http-log-path=/var/log/nginx/access_log
--http-client-body-temp-path=/var/tmp/nginx/client
--http-proxy-temp-path=/var/tmp/nginx/proxy
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi
--http-scgi-temp-path=/var/tmp/nginx/scgi
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-file-aio
--with-aio_module --with-ipv6 --with-pcre --without-http_browser_module
--without-http_charset_module --without-http_empty_gif_module
--without-http_memcached_module --without-http_proxy_module
--without-http_referer_module --without-http_scgi_module
--without-http_split_clients_module --without-http_userid_module
--without-http_uwsgi_module --with-http_geoip_module
--with-http_stub_status_module --with-http_xslt_module
--with-http_realip_module
--add-module=/var/tmp/portage/www-servers/nginx-1.2.1/work/agentzh-headers-more-nginx-module-3580526
--without-http-cache --with-http_ssl_module --without-mail_imap_module
--without-mail_pop3_module --without-mail_smtp_module --user=nginx
--group=nginx


Having a look at the code, this means that
   ngx_http_upstream_t->output->filter_ctx->pool is NULL
but is still being dereferenced (frame #0 of the trace is entered with pool=0x0)...


I have seen equivalent crash behavior with nginx-1.2.0 on the same host (I did
not analyse or check the exact cause with gdb and debug symbols), but have not
seen crashes on an x86 system with 1.2.0.
Note: the config might help trigger the issue, so it is quoted below:

############ nginx.conf ###############
# Main (process-level) context of the reporter's configuration.
# Worker processes run as user and group "nginx".
user nginx nginx;
# Stay in the foreground instead of daemonizing.
daemon off;
# A single worker, bound to a CPU by the affinity mask below.
worker_processes 1;
worker_cpu_affinity 0001;
# Per-worker open-file limit; set higher than worker_connections (10240).
worker_rlimit_nofile 65535;

# Global error log at "info" level.
error_log /var/log/nginx/error_log info;

events {
        # Accept serialization between workers is disabled
        # (presumably because only one worker is configured).
        accept_mutex off;
        worker_connections 10240;
        # Explicit epoll event method; matches ngx_epoll_process_events
        # in the reported backtrace.
        use epoll;
}

# HTTP context of the reproduction config: one catch-all server returning 410
# and one name-based server (armbox.tld) that serves static files and hands
# PHP requests to php-fpm over a unix socket. Addresses and subnets are
# placeholders inserted by the reporter.
http {
        include /etc/nginx/mime.types;
        #default_type application/octet-stream;
        server_names_hash_bucket_size 64;

        # Country lookup from an IPv6 GeoIP database. The report states the
        # binary carries a forward-ported ipv6-geoip patch; third-party code in
        # the crashing build is worth ruling out during triage.
        geoip_country  /usr/share/GeoIP/GeoIPv6.dat;

        # Access-log formats; "main_ssl" differs from "main" only in the last
        # field ($ssl_protocol instead of a literal "-").
        log_format main
                '$remote_addr $host $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" $request_time "$gzip_ratio" -';
        log_format main_ssl
                '$remote_addr $host $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" $request_time "$gzip_ratio" $ssl_protocol';

        # Ten-minute client read/send timeouts.
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;

        # Memory pool and header buffer sizing.
        # NOTE(review): the crash is a NULL pool pointer reaching
        # ngx_alloc_chain_link; whether these sizes play any role cannot be
        # told from the report.
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;

        # Response compression for the listed MIME types, for bodies of at
        # least 1100 bytes.
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain application/xhtml+xml text/css application/javascript application/xml application/json;

        output_buffers 1 32k;
        postpone_output 1460;

        # sendfile is disabled; per the nginx documentation tcp_nopush only
        # takes effect when sendfile is in use.
        sendfile off;
        tcp_nopush on;
        tcp_nodelay on;

        # Two values: the keep-alive timeout and the value for the
        # "Keep-Alive: timeout=" response header.
        keepalive_timeout 75 20;

        ignore_invalid_headers on;

        # http-level default index; the armbox.tld server overrides it.
        index index.html;

        # HTTP catch-all
        # default_server on both listen sockets: requests whose Host matches no
        # other server get 410.
        server {
		listen <local_addr-v4>:80 default_server;
		# Placeholder reproduced as written by the reporter (closing '>' missing).
		listen [<local_addr-v6]:80 default_server;

                access_log /var/log/nginx/access_log main;
                error_log /var/log/nginx/error_log info;
                rewrite_log off;

                return 410;
        }

        ########## include-1-start ###############
	server {
	        #
	        # HTTP access not wanted, redirect to HTTPS!
	        #
	        # NOTE(review): no redirect to HTTPS is visible in this quoted
	        # block; as quoted, content is served on port 80. The file pulled
	        # in by "include listen" is not shown in the report.
		listen <local_addr-v4>:80;
		listen [<local_addr-v6]:80;
	        include listen;
	        server_name armbox.tld;

	        access_log /var/log/nginx/sheeva.log main;
	        error_log /var/log/nginx/sheeva.elog info;
	        rewrite_log off;

	        ########## include-2-start ###############
	        # Address-based access control: only the listed subnets are
	        # allowed, everything else is denied.
                allow <subnet-v6>; # replaced subnet with placeholder
		allow <subnet-v6>;
		allow <subnet-v4>;
		allow <subnet-v4>;
		deny all;

		root /home/www/htdocs;
		# The reported backtrace passes through ngx_http_index_handler and an
		# internal redirect into the FastCGI handler, which is consistent
		# with a directory request being resolved to index.php here.
		index index.php index.html;

		# Error responses are rendered by PHP scripts (see the error
		# location below).
		error_page 400 /error400.php;
		error_page 403 /error403.php;
		error_page 404 /error404.php;
		error_page 500 /error500.php;
		error_page 502 /error502.php;
		error_page 503 /error503.php;

		# The site root is answered with an external redirect to /status.html.
		rewrite ^/$     /status.html redirect;

		# Status monitoring pages
		# NOTE(review): this location uses unix:/run/php-fpm/fpm.socket while
		# the other FastCGI locations use unix:/var/run/php-fpm/fpm.socket.
		# The report lists /status/php-fpm as a request that does not crash;
		# possibly the same socket reached through a symlink - confirm.
		location ~ ^/status/php-fpm$ {
		        include fastcgi_params;
		        fastcgi_buffer_size 8k;
		        fastcgi_buffers 16 4k;
		        fastcgi_param SCRIPT_FILENAME /dev/null;
		        fastcgi_param REDIRECT_STATUS 200;
		        fastcgi_pass unix:/run/php-fpm/fpm.socket;
		}
		# Served by the stub_status module, no upstream involved.
		location = /status/nginx {
		        stub_status on;
		}

		# Remaining pages
		# An existing .html file is served as is; otherwise, if a PHP script
		# with the same base name exists, the request is rewritten to it.
		location ~ ^/(?<page>.*)\.html$ {
		        # Rewrite non-html pages to php
		        if (-f $request_filename) { break; }
		        if (-f $document_root/$page.php ) { rewrite ^ /$page.php last; }
		}
		# The dot before the extension group is unescaped, so it matches any
		# single character, not only a literal '.'.
		rewrite ^/rrdgraph.(png|svg|pdf|eps)$ /rrdgraph.php last;
		location ~ ^/(?<path>.*/)?error(?<ecode>[0-9]+)\.php$ {
		        # Handle error pages
		        # The -f test below is the only check visible here before the
		        # URI-derived $path is used to build SCRIPT_FILENAME.
		        if (!-f $document_root/$path/error.php) { rewrite ^ /error404.txt last; }
		        # $ecode is captured by the location regex as [0-9]+, so this
		        # fallback looks unreachable when the location matches.
		        if ($ecode !~ [0-9]+) { set $ecode 200; }
		        include fastcgi_params;
		        fastcgi_buffer_size 8k;
		        fastcgi_buffers 16 4k;
		        fastcgi_param SCRIPT_FILENAME $document_root/$path/error.php;
		        fastcgi_param REDIRECT_STATUS $ecode;
		        fastcgi_pass unix:/var/run/php-fpm/fpm.socket;
		}
		location ~ \.php$ {
		        # Handle PHP pages
		        # Existence check before fastcgi_pass: URIs that merely end in
		        # .php without a matching file on disk are rewritten to the
		        # 404 page instead of being forwarded to php-fpm.
		        if (!-f $request_filename) { rewrite ^ /error404.php last; }
		        include fastcgi_params;
		        fastcgi_buffer_size 8k;
		        fastcgi_buffers 16 4k;
		        fastcgi_param SCRIPT_FILENAME $request_filename;
		        fastcgi_param REDIRECT_STATUS 200;
		        fastcgi_pass unix:/var/run/php-fpm/fpm.socket;
		}
		# Static asset prefixes: responses carry a one-hour expiry.
		location /img/ {
		        expires 1h;
		}
		location /css/ {
		        expires 1h;
		}
		location /js/ {
		        expires 1h;
		}
	        ########## include-2-end   ###############
	}
        ########## include-1-end   ###############
}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-1.2.1-geoip-ipv6.patch
Type: text/x-patch
Size: 10076 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20120608/8c2e37c5/attachment.bin>

