httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51062] httpd child process consumes CPU
Date Fri, 15 Apr 2011 10:44:12 GMT 
https://issues.apache.org/bugzilla/show_bug.cgi?id=51062

--- Comment #6 from Krzysztof KostaƂkowicz <KKostalkowicz@ivmx.pl> 2011-04-15 06:44:09
EDT ---
The process loops trying do dispose a corrupted list.
Don't ask me where the corruption occurred.
Below some output from gdb with my notes.

---

apr_brigade_cleanup (data=0x8f5c3d0) at buckets/apr_brigade.c:42
42          while (!APR_BRIGADE_EMPTY(b)) {

# *b
(gdb) print *((apr_bucket_brigade *)data)
$3 = {p = 0x8f5b220, list = {next = 0x8fa9768, prev = 0x8fa9768},
  bucket_alloc = 0x8f9f670}

# b
(gdb) print ((apr_bucket_brigade *)data)
$4 = (struct apr_bucket_brigade *) 0x8f5c3d0

# list head
(gdb) print ((apr_bucket_brigade *)data)->list
$5 = {next = 0x8fa9768, prev = 0x8fa9768}

# address of list head
(gdb) print &((apr_bucket_brigade *)data)->list
$24 = (struct apr_bucket_list *) 0x8f5c3d4

# first element of b
(gdb) print (((apr_bucket_brigade *)data)->list)->next
$6 = (struct apr_bucket *) 0x8fa9768

# value of first element of b
(gdb) print *(((apr_bucket_brigade *)data)->list)->next
$7 = {link = {next = 0x8f75c34, prev = 0x8f75c34}, type = 0x16c0e0,
  length = 4294967295, start = -1, data = 0x8f75608,
  free = 0x80662f8 <apr_bucket_free@plt>, list = 0x8fa9698}

# second element of b
(gdb) print (((apr_bucket_brigade *)data)->list)->next->link->next
$8 = (struct apr_bucket * volatile) 0x8f75c34

# value of second element of b
(gdb) print *(((apr_bucket_brigade *)data)->list)->next->link->next
$9 = {link = {next = 0x8f75c34, prev = 0x8f75c34}, type = 0x8fa9698,
  length = 150427552, start = 6062569827032112, data = 0x8066538,
  free = 0x8f755c8, list = 0x8f75c54}

# sentinel for b (computed with APR_RING_SENTINEL)
(gdb) print (struct apr_bucket *)((char *)(&(&((apr_bucket_brigade
*)data)->list)->next))
$23 = (struct apr_bucket *) 0x8f5c3d4

# it's not (but should be) possible to reach sentinel of b from b

# while loops because the list is not empty
# ie. APR_RING_FIRST((hp)) != APR_RING_SENTINEL((hp), elem, link)

# apr_bucket_free(void *mem) goes into if_true branch
# it does not change the data structure (the assignments do not change
anything)

# if check_not_already_free(node_header_t *node) was called
# it would abort during first loop iteration

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
Mime
View raw message