Hello!

On Sun, Feb 19, 2012 at 09:12:26AM -0500, locojohn wrote:

> #0 ngx_event_pipe_write_chain_to_temp_file (p=0x2238f88)
> at src/event/ngx_event_pipe.c:709
> 709 src/event/ngx_event_pipe.c: No such file or directory.
> (gdb) fr 0
> #0 ngx_event_pipe_write_chain_to_temp_file (p=0x2238f88)
> at src/event/ngx_event_pipe.c:709
> 709 in src/event/ngx_event_pipe.c
> (gdb) p *p->busy->buf

[...]

> Я включил debug log, но пока segfault-ов не
> наблюдается. Думаю, в понедельник
> появятся снова, как люди начнут активно
> работать.

Похоже, я нашёл проблему, так что debug log не обязателен. Патч
прилагается.

Maxim Dounin
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1329689859 -14400
# Node ID 8ea23b5fb9574a68153212d58fe82a41d3ec7241
# Parent dd668cf20818600a500bc8386dd0d99abafbcb2f
Event pipe: fixed buffer loss in p->length case.

With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list. This eventually might cause "all buffers busy"
problem, resulting in segmentation fault.

In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.

Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().

diff --git a/src/event/ngx_event_pipe.c b/src/event/ngx_event_pipe.c
--- a/src/event/ngx_event_pipe.c
+++ b/src/event/ngx_event_pipe.c
@@ -401,13 +401,14 @@ ngx_event_pipe_read_upstream(ngx_event_p

if (cl->buf->last - cl->buf->pos >= p->length) {

+ p->free_raw_bufs = cl->next;
+
/* STUB */ cl->buf->num = p->num++;

if (p->input_filter(p, cl->buf) == NGX_ERROR) {
return NGX_ABORT;
}

- p->free_raw_bufs = cl->next;
ngx_free_chain(p->pool, cl);
}
}
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru