Bug #1232 (closed)
Repeatable --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Description
If I repeat this request, Lighttpd crashes.
GET / HTTP/1.1
Connection: keep-alive
Host: h
Location: h
Location: h
i
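Added example, not part of the bug report or of lighttpd: a small HTTP/1.1 request-head parser that reports header names occurring more than once, so a reverse proxy or a log review can flag the duplicate-header pattern of the request above before it reaches an affected build. The embedded request is a constructed copy of the one in the report (without the trailing partial line).

```python
from collections import Counter

# Constructed copy of the repro request, CRLF-terminated, duplicate Location.
REPRO_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Connection: keep-alive\r\n"
    b"Host: h\r\n"
    b"Location: h\r\n"
    b"Location: h\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) for one request head.

    Every occurrence is kept in order so duplicates stay visible to the
    caller. Obsolete line folding (continuation lines starting with SP or
    HTAB) is appended to the previous value, as a tolerant parser must do.
    Names are lower-cased because header names are case-insensitive.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return request_line, headers


def duplicate_headers(raw: bytes):
    """Map each header name that repeats to its occurrence count."""
    _, headers = parse_headers(raw)
    counts = Counter(name for name, _ in headers)
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(duplicate_headers(REPRO_REQUEST))  # {'location': 2}
```

List-valued headers such as Accept may legitimately repeat, so a production filter would exempt those and alert only on singleton headers (Host) or on response-only headers (Location) appearing in a request.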
Updated by admin over 17 years ago
How do I map revision to version and the other way around?
Updated by Anonymous over 17 years ago
Replying to Olaf van der Spek:
How do I map revision to version and the other way around?
You can take a look at the source:/tags folder, you see the revisions when the versions were tagged.
Version 1.4.15 was tagged in revision r1862
Updated by admin over 17 years ago
So Maze is running an untagged version. Maze, is your server public and can I try the request on it?
Updated by Anonymous over 17 years ago
Olaf, please send a mail to maze@strahlungsfrei.de so I can send the hostname to you. Not everyone deserves to know the address.
-- maze
Updated by admin over 17 years ago
Replying to anonymous:
Replying to Olaf van der Spek:
How do I map revision to version and the other way around?
You can take a look at the source:/tags folder, you see the revisions when the versions were tagged.
Version 1.4.15 was tagged in revision r1862
That doesn't tell you from which branch it is (1.4 or 1.5 for example).
Updated by robbat2 over 17 years ago
Just helping Olaf debug this.
CFLAGS="-Os -mtune=970 -mcpu=970 -mabi=altivec -maltivec -pipe -Wstrict-aliasing -ggdb"
(gdb) print b
$20 = (buffer *) 0x10206900
(gdb) print *b
Cannot access memory at address 0x10206900
(gdb) frame
#0  buffer_prepare_copy (b=0x10206900, size=10) at buffer.c:76
76      if ((0 == b->size) ||
(gdb) up
#1  0x100134dc in buffer_copy_string_len (b=0x10206900, s=0x10081fb0 "text/html", s_len=9) at buffer.c:147
147     buffer_prepare_copy(b, s_len + 1);
(gdb) up
#2  0x1001d2e4 in response_header_insert (srv=<value optimized out>, con=0x100504d8, key=0xfaa6248 "Content-Type", keylen=12, value=0x10081fb0 "text/html", vallen=9) at http-header-glue.c:84
84      buffer_copy_string_len(ds->value, value, vallen);
(gdb) up
#3  0x0faa5518 in mod_staticfile_subrequest (srv=0x10037008, con=0x100504d8, p_d=0x100484d8) at mod_staticfile.c:442
442     response_header_overwrite(srv, con, CONST_STR_LEN("Content-Type"), CONST_BUF_LEN(sce->content_type));
(gdb) up
#4  0x100179b4 in plugins_call_handle_subrequest_start (srv=0xffffffff, con=0xa) at plugin.c:268
268     PLUGIN_TO_SLOT(PLUGIN_FUNC_HANDLE_SUBREQUEST_START, handle_subrequest_start)
(gdb) up
#5  0x10008ca4 in http_response_prepare (srv=0x10037008, con=0x100504d8) at response.c:618
618     switch(r = plugins_call_handle_subrequest_start(srv, con)) {
(gdb) up
#6  0x1000aa5c in connection_state_machine (srv=0x10037008, con=0x100504d8) at connections.c:1400
1400    switch (r = http_response_prepare(srv, con)) {
(gdb) up
#7  0x10007df8 in main (argc=268662144, argv=<value optimized out>) at server.c:1334
1334    connection_state_machine(srv, con);
(gdb) up
Initial frame selected; you cannot go up.
(gdb) bt full
#0  buffer_prepare_copy (b=0x10206900, size=10) at buffer.c:76
        __PRETTY_FUNCTION__ = "buffer_prepare_copy"
#1  0x100134dc in buffer_copy_string_len (b=0x10206900, s=0x10081fb0 "text/html", s_len=9) at buffer.c:147
No locals.
#2  0x1001d2e4 in response_header_insert (srv=<value optimized out>, con=0x100504d8, key=0xfaa6248 "Content-Type", keylen=12, value=0x10081fb0 "text/html", vallen=9) at http-header-glue.c:84
        ds = (data_string *) 0x10081bb0
#3  0x0faa5518 in mod_staticfile_subrequest (srv=0x10037008, con=0x100504d8, p_d=0x100484d8) at mod_staticfile.c:442
        k = <value optimized out>
        sce = (stat_cache_entry *) 0x10082228
        mtime = <value optimized out>
#4  0x100179b4 in plugins_call_handle_subrequest_start (srv=0xffffffff, con=0xa) at plugin.c:268
        r = <value optimized out>
        slot = (plugin **) 0x10047ce0
        j = 7
#5  0x10008ca4 in http_response_prepare (srv=0x10037008, con=0x100504d8) at response.c:618
        st = {st_dev = 8589934595, st_ino = 1155199224817136144, st_mode = 4289630848, st_nlink = 268514828, st_uid = 268965704, st_gid = 268660744, st_rdev = 18423824204072747009, __pad2 = 4104, st_size = -22919457051439752, st_blksize = 0, st_blocks = 1156261752212553728, st_atim = {tv_sec = 2, tv_nsec = 268965718}, st_mtim = {tv_sec = 3, tv_nsec = 268662144}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __unused4 = 269213168, __unused5 = 0}
        slash = <value optimized out>
        pathinfo = 0x100506f8 "\020\b\025ΒΈ"
        sce = (stat_cache_entry *) 0x10081f10
        r = HANDLER_GO_ON
#6  0x1000aa5c in connection_state_machine (srv=0x10037008, con=0x100504d8) at connections.c:1400
        ostate = 5
        b = 1
        r = <value optimized out>
        srv_sock = (server_socket *) 0x10047c00
#7  0x10007df8 in main (argc=268662144, argv=<value optimized out>) at server.c:1334
        con = (connection *) 0x100504d8
        r = <value optimized out>
        srv = (server *) 0xffffffff
        print_config = 268475292
        test_config = <value optimized out>
        i_am_root = <value optimized out>
        o = <value optimized out>
        num_childs = <value optimized out>
        pid_fd = 1
        fd = <value optimized out>
        i = <value optimized out>
        act = {__sigaction_handler = {sa_handler = 0x100061c0 <sigaction_handler>, sa_sigaction = 0x100061c0 <sigaction_handler>}, sa_mask = {__val = {0 <repeats 32 times>}}, sa_flags = 4, sa_restorer = 0}
        rlim = {rlim_cur = 1014, rlim_max = 1024}
Updated by robbat2 over 17 years ago
The above trace is from lighttpd-1.4.15, on ppc64 with a 32 bit userland.
Portage 2.1.2.5 (default-linux/ppc/ppc64/2006.1/32bit-userland/970/pmac, gcc-4.1.2, glibc-2.5-r1, 2.6.18-g64134594-dirty ppc64)
The initialization of ds->value in data_string_init appears to be at fault, not sure why yet, still tracing more.
Updated by Anonymous over 17 years ago
Ok, while single-stepping, I see that the data_response_init branch is seldom taken, and the bad ds structure is coming from array_get_unused_element.
valgrind's memcheck fails to find any bad memory usage, possibly time to use electricfence.
-- robbat2
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r1869