Segfault in nginx-1.9.2 with ssl and spdy module
# nginx -V
nginx version: nginx/1.9.2
built by gcc 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_realip_module --with-debug --with-ipv6 --with-http_spdy_module --add-module=/home/buildbot/rpm//BUILD/lua-nginx-module-0.9.16 --add-module=/home/buildbot/rpm//BUILD/ngx_devel_kit-0.2.14
# gdb nginx nginx.core
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/nginx/sbin/nginx...done.
[New Thread 24331]
...
#0 ngx_http_spdy_close_stream_handler (ev=0x754eb58) at src/http/ngx_http_spdy.c:3353
3353 src/http/ngx_http_spdy.c: No such file or directory.
in src/http/ngx_http_spdy.c
Missing separate debuginfos, use: debuginfo-install nginx-rb-1.9.52-1.x86_64
(gdb) directory nginx-1.9.2
Source directories searched: nginx-1.9.2:$cdir:$cwd
(gdb) bt
#0 ngx_http_spdy_close_stream_handler (ev=0x754eb58) at src/http/ngx_http_spdy.c:3353
#1 0x0000000000482562 in ngx_http_spdy_write_handler (wev=<value optimized out>) at src/http/ngx_http_spdy.c:649
#2 0x0000000000435f26 in ngx_event_process_posted (cycle=0xcc6a20, posted=0x76fcd0) at src/event/ngx_event_posted.c:33
#3 0x000000000043ce85 in ngx_worker_process_cycle (cycle=0xcc6a20, data=<value optimized out>) at src/os/unix/ngx_process_cycle.c:769
#4 0x000000000043b234 in ngx_spawn_process (cycle=0xcc6a20, proc=0x43cdb0 <ngx_worker_process_cycle>, data=0x10, name=0x4f98b3 "worker process", respawn=-4) at src/os/unix/ngx_process.c:198
#5 0x000000000043c1cc in ngx_start_worker_processes (cycle=0xcc6a20, n=23, type=-4) at src/os/unix/ngx_process_cycle.c:358
#6 0x000000000043dbd8 in ngx_master_process_cycle (cycle=0xcc6a20) at src/os/unix/ngx_process_cycle.c:243
#7 0x000000000041b856 in main (argc=<value optimized out>, argv=<value optimized out>) at src/core/nginx.c:415
(gdb) list
3348 ngx_http_request_t *r;
3349
3350 fc = ev->data;
3351 r = fc->data;
3352
3353 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
3354 "spdy close stream handler");
3355
3356 ngx_http_spdy_close_stream(r->spdy_stream, 0);
3357 }
(gdb) p r
$1 = (ngx_http_request_t *) 0x0
(gdb) p fc
$2 = (ngx_connection_t *) 0x754ea20
(gdb) p *fc
$3 = {data = 0x0, read = 0x754eaf8, write = 0x754eb58, fd = 1041, recv = 0x4424e0 <ngx_ssl_recv>, send = 0x441e90 <ngx_ssl_write>, recv_chain = 0x442990 <ngx_ssl_recv_chain>, send_chain = 0x484830 <ngx_http_spdy_send_chain>, listening = 0xcc6f00, sent = 16770,
log = 0x754ebb8, pool = 0x1edb9a0, sockaddr = 0x1edb9f0, socklen = 16, addr_text = {len = 11, data = 0x1edba50 "83.149.9.264"}, proxy_protocol_addr = {len = 0, data = 0x0}, ssl = 0x53307b8, local_sockaddr = 0xe773e0, local_socklen = 16, buffer = 0x0, queue = {
prev = 0x0, next = 0x0}, number = 68976568, requests = 7, buffered = 2, log_error = 2, unexpected_eof = 0, timedout = 0, error = 1, destroyed = 1, idle = 0, reusable = 0, close = 0, sendfile = 1, sndlowat = 1, tcp_nodelay = 2, tcp_nopush = 0, need_last_buf = 1}
(gdb) p ev
$4 = (ngx_event_t *) 0x754eb58
(gdb) p *ev
$5 = {data = 0x754ea20, write = 1, accept = 0, instance = 0, active = 0, disabled = 0, ready = 1, oneshot = 0, complete = 0, eof = 0, error = 0, timedout = 0, timer_set = 0, delayed = 0, deferred_accept = 0, pending_eof = 0, posted = 0, closed = 0, channel = 0,
resolver = 0, cancelable = 0, available = 0, handler = 0x47ed90 <ngx_http_spdy_close_stream_handler>, index = 0, log = 0x754ebb8, timer = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, queue = {prev = 0x0, next = 0x0}}
(gdb) f 1
#1 0x0000000000482562 in ngx_http_spdy_write_handler (wev=<value optimized out>) at src/http/ngx_http_spdy.c:649
649 wev->handler(wev);
(gdb) list
644
645 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
646 "run spdy stream %ui", stream->id);
647
648 wev = stream->request->connection->write;
649 wev->handler(wev);
650 }
651
652 sc->blocked = 0;
653
(gdb) p wev
$6 = <value optimized out>
(gdb) p stream
$7 = (ngx_http_spdy_stream_t *) 0x66a7150
(gdb) p *stream
$8 = {id = 13, request = 0x66a64c0, connection = 0x39861e0, index = 0x0, header_buffers = 0, queued = 0, send_window = 40500, recv_window = 2147483647, free_frames = 0x10ec518, free_data_headers = 0x10ec558, free_bufs = 0x10ec4b8, queue = {prev = 0x0, next = 0x0},
priority = 4, handled = 0, blocked = 0, exhausted = 0, in_closed = 1, out_closed = 1, skip_data = 1}
(gdb) p stream->request
$9 = (ngx_http_request_t *) 0x66a64c0
(gdb) p *stream->request
$10 = {signature = 1347703880, connection = 0x754ea20, ctx = 0x66a6df8, main_conf = 0xcc76e0, srv_conf = 0xd2a178, loc_conf = 0xd3a0c0, read_event_handler = 0x454ee0 <ngx_http_test_reading>, write_event_handler = 0x4521f0 <ngx_http_terminate_handler>, cache = 0x0,
upstream = 0x0, upstream_states = 0x0, pool = 0x0, header_in = 0x66a7100, headers_in = {headers = {last = 0x66a6530, part = {elts = 0x10ebb50, nelts = 5, next = 0x0}, size = 48, nalloc = 20, pool = 0x66a6470}, host = 0x10ebb50, connection = 0x0,
if_modified_since = 0x0, if_unmodified_since = 0x0, if_match = 0x0, if_none_match = 0x0, user_agent = 0x10ebc10, referer = 0x0, content_length = 0x0, content_type = 0x0, range = 0x0, if_range = 0x0, transfer_encoding = 0x0, expect = 0x0, upgrade = 0x0,
accept_encoding = 0x10ebbb0, via = 0x0, authorization = 0x0, keep_alive = 0x0, x_forwarded_for = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, x_real_ip = 0x0, user = {len = 0, data = 0x0}, passwd = {len = 0, data = 0x0}, cookies = {elts = 0x66a71c0,
nelts = 0, size = 8, nalloc = 2, pool = 0x66a6470}, server = {len = 11, data = 0x10eb761 "r.mradx.net"}, content_length_n = -1, keep_alive_n = -1, connection_type = 1, chunked = 0, msie = 0, msie6 = 0, opera = 0, gecko = 0, chrome = 0, safari = 0, konqueror = 0},
headers_out = {headers = {last = 0x66a66a0, part = {elts = 0x66a6a38, nelts = 4, next = 0x0}, size = 48, nalloc = 20, pool = 0x66a6470}, status = 200, status_line = {len = 0, data = 0x0}, server = 0x0, date = 0x0, content_length = 0x0, content_encoding = 0x0,
location = 0x0, refresh = 0x0, last_modified = 0x0, content_range = 0x0, accept_ranges = 0x66a6ac8, www_authenticate = 0x0, expires = 0x66a6a68, etag = 0x66a6a38, override_charset = 0x0, content_type_len = 10, content_type = {len = 10,
data = 0xd84f60 "image/jpeg"}, charset = {len = 0, data = 0x0}, content_type_lowcase = 0x0, content_type_hash = 0, cache_control = {elts = 0x66a7468, nelts = 1, size = 8, nalloc = 1, pool = 0x66a6470}, content_length_n = 25036, date_time = 0,
last_modified_time = 1434536173}, request_body = 0x0, lingering_time = 0, start_sec = 1435303301, start_msec = 143, method = 2, http_version = 1001, request_line = {len = 0, data = 0x66a71d0 "GET /img/BA/1F3F84.jpg HTTP/1.1"}, uri = {len = 18,
data = 0x10eb78b "/img/BA/1F3F84.jpg"}, args = {len = 0, data = 0x0}, exten = {len = 3, data = 0x10eb79a "jpg"}, unparsed_uri = {len = 18, data = 0x10eb78b "/img/BA/1F3F84.jpg"}, method_name = {len = 3, data = 0x66a71d0 "GET /img/BA/1F3F84.jpg HTTP/1.1"},
http_protocol = {len = 8, data = 0x10eb7c1 "HTTP/1.1"}, out = 0x0, main = 0x66a64c0, parent = 0x0, postponed = 0x0, post_subrequest = 0x0, posted_requests = 0x0, phase_handler = 18, content_handler = 0, access_code = 0, variables = 0x66a6fa0, ncaptures = 0,
captures = 0x66a71f0, captures_data = 0x0, limit_rate = 0, limit_rate_after = 0, header_size = 386, request_length = 301, err_status = 0, http_connection = 0x5330770, spdy_stream = 0x66a7150, log_handler = 0x452510 <ngx_http_log_error_handler>, cleanup = 0x0,
subrequests = 201, count = 0, blocked = 0, aio = 0, http_state = 6, complex_uri = 0, quoted_uri = 0, plus_in_uri = 0, space_in_uri = 0, invalid_header = 0, add_uri_to_alias = 0, valid_location = 1, valid_unparsed_uri = 1, uri_changed = 0, uri_changes = 11,
request_body_in_single_buf = 0, request_body_in_file_only = 0, request_body_in_persistent_file = 0, request_body_in_clean_file = 0, request_body_file_group_access = 0, request_body_file_log_level = 5, request_body_no_buffering = 0, subrequest_in_memory = 0,
waited = 0, cached = 0, gzip_tested = 0, gzip_ok = 0, gzip_vary = 0, proxy = 0, bypass_cache = 0, no_cache = 0, limit_conn_set = 0, limit_req_set = 0, pipeline = 0, chunked = 0, header_only = 0, keepalive = 0, lingering_close = 0, discard_body = 0, reading_body = 0,
internal = 0, error_page = 0, filter_finalize = 0, post_action = 0, request_complete = 0, request_output = 1, header_sent = 1, expect_tested = 0, root_tested = 1, done = 0, logged = 0, buffered = 0, main_filter_need_in_memory = 1, filter_need_in_memory = 0,
filter_need_temporary = 0, allow_ranges = 1, single_range = 0, disable_not_modified = 0, stat_reading = 0, stat_writing = 1, state = 0, header_hash = 3194399592611459, lowcase_index = 18446744073709551615, lowcase_header = '\000' <repeats 31 times>,
header_name_start = 0x10eb81b "user-agent", header_name_end = 0x10eb825 "", header_start = 0x10eb829 "CFNetwork/711.3.18 Darwin/14.0.0", header_end = 0x10eb861 "", uri_start = 0x66a64c0 "HTTP", uri_end = 0x0, uri_ext = 0x10eb79a "jpg",
args_start = 0x0, request_start = 0x0, request_end = 0x0, method_end = 0x0, schema_start = 0x10eb7ac "https", schema_end = 0x10eb7b1 "", host_start = 0x0, host_end = 0x0, port_start = 0x0, port_end = 0x0, http_minor = 1, http_major = 1, content_start_sec = 0,
content_start_msec = 0, content_end_sec = 0, content_end_msec = 0, gzip_process = 0, gzip_start_sec = 0, gzip_start_msec = 0, gzip_end_sec = 0, gzip_end_msec = 0}
(gdb) p stream->request->connection
$11 = (ngx_connection_t *) 0x754ea20
(gdb) p *stream->request->connection
$12 = {data = 0x0, read = 0x754eaf8, write = 0x754eb58, fd = 1041, recv = 0x4424e0 <ngx_ssl_recv>, send = 0x441e90 <ngx_ssl_write>, recv_chain = 0x442990 <ngx_ssl_recv_chain>, send_chain = 0x484830 <ngx_http_spdy_send_chain>, listening = 0xcc6f00, sent = 16770,
log = 0x754ebb8, pool = 0x1edb9a0, sockaddr = 0x1edb9f0, socklen = 16, addr_text = {len = 11, data = 0x1edba50 "83.149.9.264"}, proxy_protocol_addr = {len = 0, data = 0x0}, ssl = 0x53307b8, local_sockaddr = 0xe773e0, local_socklen = 16, buffer = 0x0, queue = {
prev = 0x0, next = 0x0}, number = 68976568, requests = 7, buffered = 2, log_error = 2, unexpected_eof = 0, timedout = 0, error = 1, destroyed = 1, idle = 0, reusable = 0, close = 0, sendfile = 1, sndlowat = 1, tcp_nodelay = 2, tcp_nopush = 0, need_last_buf = 1}
(gdb) p stream->request->connection->write
$13 = (ngx_event_t *) 0x754eb58
(gdb) p *stream->request->connection->write
$14 = {data = 0x754ea20, write = 1, accept = 0, instance = 0, active = 0, disabled = 0, ready = 1, oneshot = 0, complete = 0, eof = 0, error = 0, timedout = 0, timer_set = 0, delayed = 0, deferred_accept = 0, pending_eof = 0, posted = 0, closed = 0, channel = 0,
resolver = 0, cancelable = 0, available = 0, handler = 0x47ed90 <ngx_http_spdy_close_stream_handler>, index = 0, log = 0x754ebb8, timer = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, queue = {prev = 0x0, next = 0x0}}
(gdb)