From Brian Pane <>
Subject segfault in worker mpm due to thread return values on stack
Date Wed, 26 Dec 2001 12:54:00 GMT
I'm seeing a segfault during child process shutdown with the
worker MPM on Solaris.  It appears to happen because the worker
threads do this:

static void *worker_thread(apr_thread_t *thd, void * dummy)
{
    proc_info * ti = dummy;
    int process_slot = ti->pid;
    int thread_slot = ti->tid;
    apr_socket_t *csd = NULL;
    apr_pool_t *ptrans;                /* Pool for per-transaction stuff */
    apr_status_t rv;                   /* stack local of this thread */
    rv = APR_SUCCESS;
    apr_thread_exit(thd, &rv);         /* hands back the address of rv */
    return NULL;
}

Note that "rv" is a local var...
When apr_thread_join tries to dereference the saved apr_status_t*
to get the return status, it's accessing memory on the stack of
a now-defunct thread.  This yields random data at best, or a segfault
at worst.

I was about to apply the simple fix: make the worker thread malloc
an apr_status_t and pass the address of the malloc'ed block to
apr_thread_exit.  But that won't quite work, because apr_thread_join
makes a copy of the return status, rather than passing the pointer
itself back to the thread that does the join.  So there would be
no way to free the malloc'ed space.

I think the only clean way to fix this is to change apr_thread_exit
and apr_thread_join.
  * malloc space for a copy of the return status in apr_thread_exit
    and free it in apr_thread_join
  * add an apr_status_t to the apr_thread_t struct, and store the
    exit status there

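The following is an added example, not code from this post or from APR: it models the second fix proposed above (store the exit status inside the thread struct) with a small POSIX-threads API shaped like apr_thread_create/apr_thread_exit/apr_thread_join. The names my_thread_t, my_status_t, my_thread_exit, my_thread_join and run_workers are stand-ins for the APR types and are assumptions. The status is copied by value into creator-owned memory, so the join never dereferences a pointer into a defunct thread's stack.

```c
#include <pthread.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not APR code: minimal thread API in the shape of
 * apr_thread_create/apr_thread_exit/apr_thread_join, with the exit status
 * kept inside the thread struct (the second fix proposed in the post). */

typedef int my_status_t;            /* stand-in for apr_status_t */
#define MY_SUCCESS 0

typedef struct my_thread my_thread_t;
typedef void *(*my_thread_start_t)(my_thread_t *, void *);

struct my_thread {
    pthread_t          tid;
    my_status_t        exit_status;  /* owned by the creator; outlives the worker's stack */
    my_thread_start_t  fn;
    void              *data;
};

/* Worker side: copy the status by value into the thread struct, then exit.
 * Nothing from the worker's stack escapes. */
static void my_thread_exit(my_thread_t *thd, my_status_t status)
{
    thd->exit_status = status;
    pthread_exit(NULL);
}

static void *trampoline(void *arg)
{
    my_thread_t *thd = arg;
    return thd->fn(thd, thd->data);
}

static int my_thread_create(my_thread_t *thd, my_thread_start_t fn, void *data)
{
    thd->fn = fn;
    thd->data = data;
    thd->exit_status = -1;           /* sentinel: status never reported */
    return pthread_create(&thd->tid, NULL, trampoline, thd);
}

/* Joiner side: read the status from the struct once the thread is gone. */
static int my_thread_join(my_status_t *retval, my_thread_t *thd)
{
    int rc = pthread_join(thd->tid, NULL);
    if (rc == 0)
        *retval = thd->exit_status;
    return rc;
}

/* Worker modelled on the post's worker_thread: rv is still a stack local,
 * but only its value is handed back, never its address. */
static void *worker_thread(my_thread_t *thd, void *dummy)
{
    int thread_slot = *(int *)dummy;
    my_status_t rv = (thread_slot >= 0) ? MY_SUCCESS : -1;
    my_thread_exit(thd, rv);
    return NULL;                     /* not reached */
}

/* Spawn n workers, join them, and return how many reported MY_SUCCESS. */
int run_workers(int n)
{
    my_thread_t *threads = calloc((size_t)n, sizeof *threads);
    int *slots = calloc((size_t)n, sizeof *slots);
    int ok = 0;
    if (!threads || !slots) { free(threads); free(slots); return -1; }

    for (int i = 0; i < n; i++) {
        slots[i] = i;
        if (my_thread_create(&threads[i], worker_thread, &slots[i]) != 0) {
            n = i;                   /* join only the threads that started */
            break;
        }
    }
    for (int i = 0; i < n; i++) {
        my_status_t st;
        if (my_thread_join(&st, &threads[i]) == 0 && st == MY_SUCCESS)
            ok++;
    }
    free(threads);
    free(slots);
    return ok;
}

int main(void)
{
    printf("%d workers exited with MY_SUCCESS\n", run_workers(4));
    return 0;
}
```

The first proposal (malloc a copy in apr_thread_exit, free it in apr_thread_join) would replace the exit_status field with a heap pointer owned by the thread struct; either way the invariant is the same: the memory that join reads is owned by something that outlives the worker's stack.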

