Polling wakeup: recover from possible faults or return error #29
Open: pereverzev-nxlog wants to merge 1 commit into apache:trunk from pereverzev-nxlog:trunk
296995966 pushed a commit to 296995966/apr that referenced this pull request Apr 27, 2023
apr_pools: lock parent pool in pool_destroy_debug().

By using apr_pool_clear_debug() instead of pool_clear_debug() in pool_destroy_debug() we gain the locking provided by the former and thus protection from concurrent access from apr_pool_walk_tree(), which is undefined behaviour.

While pool_destroy_debug()=>apr_pool_clear_debug()=>pool_clear_debug() calls pool_destroy_debug() for all the children pools, this does not cause a deadlock because apr_pool_clear_debug() locks the parent pool only (not the pool itself) and thus pool_destroy_debug(pool->child) locks the current pool with no issue.

This fixes use-after-free like the below in httpd (with -D APR_POOL_DEBUG):

=================================================================
==2026856==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600025acf0 at pc 0x7fe738f4c5be bp 0x7fe718598110 sp 0x7fe718598108
READ of size 8 at 0x60600025acf0 thread T51
    #0 0x7fe738f4c5bd in apr_thread_mutex_lock locks/unix/thread_mutex.c:124
    #1 0x7fe738f4e01c in apr_pool_walk_tree memory/unix/apr_pools.c:1505
    #2 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
    #3 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
    #4 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
    #5 0x7fe738f5027c in apr_pool_find memory/unix/apr_pools.c:2291
    #6 0x7fe738f14aba in apr_table_mergen tables/apr_tables.c:746
    #7 0x5578ad926a25 in ap_set_keepalive /home/ylavic/src/apache/httpd/trunk/modules/http/http_protocol.c:309
    #8 0x5578ad93933f in ap_http_header_filter /home/ylavic/src/apache/httpd/trunk/modules/http/http_filters.c:1376
    #9 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
    #10 0x5578ad9a67f3 in ap_content_length_filter /home/ylavic/src/apache/httpd/trunk/server/protocol.c:2046
    #11 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
    #12 0x5578ad9405ae in ap_byterange_filter /home/ylavic/src/apache/httpd/trunk/modules/http/byterange_filter.c:463
    #13 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
    #14 0x7fe7330e398b in ap_headers_output_filter /home/ylavic/src/apache/httpd/trunk/modules/metadata/mod_headers.c:891
    #15 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
    #16 0x7fe732e32dba in session_output_filter /home/ylavic/src/apache/httpd/trunk/modules/session/mod_session.c:501
    #17 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
    #18 0x5578ad9c8ee5 in default_handler /home/ylavic/src/apache/httpd/trunk/server/core.c:5188
    #19 0x5578ad9431bb in ap_run_handler /home/ylavic/src/apache/httpd/trunk/server/config.c:170
    #20 0x5578ad944941 in ap_invoke_handler /home/ylavic/src/apache/httpd/trunk/server/config.c:444
    #21 0x5578ad92cc23 in ap_process_async_request /home/ylavic/src/apache/httpd/trunk/modules/http/http_request.c:463
    #22 0x5578ad924d7c in ap_process_http_async_connection /home/ylavic/src/apache/httpd/trunk/modules/http/http_core.c:158
    #23 0x5578ad925410 in ap_process_http_connection /home/ylavic/src/apache/httpd/trunk/modules/http/http_core.c:252
    #24 0x5578ad97e04d in ap_run_process_connection /home/ylavic/src/apache/httpd/trunk/server/connection.c:42
    #25 0x7fe735c7ef79 in process_socket /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1097
    #26 0x7fe735c856a0 in worker_thread /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:2386
    #27 0x7fe738f7cef4 in dummy_worker threadproc/unix/thread.c:145
    #28 0x7fe738e3eea6 in start_thread nptl/pthread_create.c:477
    #29 0x7fe738d6ed4e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfdd4e)

0x60600025acf0 is located 48 bytes inside of 64-byte region [0x60600025acc0,0x60600025ad00)
freed by thread T63 here:
    #0 0x7fe7391ed277 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
    #1 0x7fe738f4e9e5 in pool_clear_debug memory/unix/apr_pools.c:1893
    #2 0x7fe738f4ecb2 in pool_destroy_debug memory/unix/apr_pools.c:1956
    #3 0x7fe738f4eeeb in apr_pool_destroy_debug memory/unix/apr_pools.c:2002
    #4 0x5578ada2534b in ap_queue_info_push_pool /home/ylavic/src/apache/httpd/trunk/server/mpm_fdqueue.c:230
    #5 0x7fe735c81412 in process_lingering_close /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1686
    #6 0x7fe735c7f9bc in process_socket /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1255
    #7 0x7fe735c856a0 in worker_thread /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:2386
    #8 0x7fe738f7cef4 in dummy_worker threadproc/unix/thread.c:145
    #9 0x7fe738e3eea6 in start_thread nptl/pthread_create.c:477

git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1883751 13f79535-47bb-0310-9956-ffa450edef68
Good time of day.
We've noticed that there is a bug when the wakeup pipe in polling becomes broken that leads to an instant taint of the polling process.
It is possible because in Windows the pipe is done via real network sockets that could be closed by a network change or in some other cases.
In general, no matter the OS, if the wakeup pipe gets broken, apr_poll_drain_wakeup_pipe's status is disregarded and no action is taken.
This PR is mirroring mailing list message
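
The failure mode in the description above, as an added C example that is not APR code and not the patch from this pull request: a drain routine that reports a status, and a caller that either rebuilds the pipe or returns the error. It assumes a POSIX pipe rather than the Windows socket pair, and `struct wakeup`, `wakeup_open`, `wakeup_drain` and `handle_wakeup` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

struct wakeup { int rd, wr; };              /* hypothetical, not an APR type */

static int wakeup_open(struct wakeup *w)
{
    int fds[2];
    if (pipe(fds) != 0) return errno;
    if (fcntl(fds[0], F_SETFL, O_NONBLOCK) != 0) {
        int e = errno; close(fds[0]); close(fds[1]); return e;
    }
    w->rd = fds[0]; w->wr = fds[1];
    return 0;
}

/* Drain pending wakeup bytes. Returns 0 if healthy, else an errno value. */
static int wakeup_drain(struct wakeup *w)
{
    char buf[64];
    for (;;) {
        ssize_t n = read(w->rd, buf, sizeof buf);
        if (n > 0 || (n < 0 && errno == EINTR)) continue;  /* keep draining */
        if (n == 0) return EPIPE;            /* write end closed: pipe broken */
        if (errno == EAGAIN || errno == EWOULDBLOCK) return 0;  /* now empty */
        return errno;                        /* e.g. EBADF: pipe broken */
    }
}

/* Act on the drain status: rebuild the pipe, or hand the error back. */
static int handle_wakeup(struct wakeup *w, int *rebuilt)
{
    *rebuilt = 0;
    if (wakeup_drain(w) == 0) return 0;      /* healthy, nothing to do */
    if (w->rd >= 0) close(w->rd);
    if (w->wr >= 0) close(w->wr);
    w->rd = w->wr = -1;
    int rv = wakeup_open(w);
    *rebuilt = (rv == 0);
    return rv;                               /* non-zero: caller must stop polling */
}

int main(void)
{
    struct wakeup w; int rebuilt;
    if (wakeup_open(&w) != 0) return 1;
    close(w.wr); w.wr = -1;                  /* constructed fault: lost write end */
    return handle_wakeup(&w, &rebuilt) != 0 || !rebuilt;
}
```

A loop that ignores the value returned by `wakeup_drain` here would see the read end readable on every poll once the write end is gone, which is why the status has to reach the caller.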