Return-Path: 
 <dev-return-23632-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 72058 invoked by uid 500); 22 Nov 2001 05:23:08 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 72047 invoked from network); 22 Nov 2001 05:23:08 -0000
Message-ID: <3BFC8BB8.1050907@cnet.com>
Date: Wed, 21 Nov 2001 21:23:04 -0800
From: Brian Pane <brian.pane@cnet.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:0.9.5) Gecko/20011011
X-Accept-Language: en-us
MIME-Version: 1.0
To: dev@httpd.apache.org
Subject: Re: another socket segv (worker MPM)
References: <3BFC584B.4020206@cnet.com> <3BFC6949.6000908@cnet.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

I wrote:
[...]

> I've managed to isolate the problem a bit further.  The csd struct gets
> corrupted within core_create_conn: 


Er, no, it actually happens earlier than that.  What seems
to have happened is that, in the listener loop, this block
got executed with rv->accept_func==check_pipe_of_death() :

    got_fd:
        if (!workers_may_exit) {
            /* create a new transaction pool for each accepted socket */
            apr_pool_create(&ptrans, tpool);

            rv = lr->accept_func(&csd, lr, ptrans);

[...]
           if (csd != NULL) {
                rv = ap_queue_push(worker_queue, csd, ptrans);


The accept_func doesn't modify csd, so its value is
bogus when we hit the "if (csd != NULL)" check.  And
we end up with a bad socket descriptor on the queue.

I'm testing a fix for this now...

--Brian