id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1263	Segmentation Fault when SSI is used in sub-request	peter.magdina.sk@…		"Hi,

nginx worker process crashes with segfault when SSI is used in a sub-request.

Config example:
{{{
    location /loc1.html {
        add_after_body /loc2.html;
    }

    location /loc2.html {
        ssi on;
    }
}}}

Seg fault happens only when I access /loc1.html location. When I access /loc2.html directly it works fine.

Error log:
{{{
==> ../log/error.log <==
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14566 exited on signal 11
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14573 exited on signal 11
}}}

Just FYI, content of loc1.html:
{{{
<p>Hi from location 1 !</p>
}}}

content of loc2.html:
{{{
<p>Hi from location 2 on <!--#echo var=""host"" --> !</p>
}}}

I tried to debug it and fix it, but due to the time I stopped here:
file ngx_http_ssi_filter_module.c:
{{{
static ngx_str_t *
ngx_http_ssi_get_variable(ngx_http_request_t *r, ngx_str_t *name,
    ngx_uint_t key)
{
    ngx_uint_t           i;
    ngx_list_part_t     *part;
    ngx_http_ssi_var_t  *var;
    ngx_http_ssi_ctx_t  *ctx;

    ctx = ngx_http_get_module_ctx(r->main, ngx_http_ssi_filter_module);

    ...
}}}
ctx is NULL. SSI context is missing when SSI is called in a subrequest.

And then the subsequent code will cause segfault, because ctx is NULL:
{{{
    if (ctx->variables == NULL) {
        return NULL;
    }
}}}

I added some additional debug logs to the code around the ctx = ngx_http_get_module_ctx(....) line. And this is the output:
{{{
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main: 00007FE3FC006E50
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main->ctx: 00007FE3FC007770, module.ctx_index: 46
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable ctx: 0000000000000000
}}}

Cheers
Peter Magdina
"	defect	closed	major		nginx-module	1.11.x	fixed			Darwin xxxxxx.local 16.5.0 Darwin Kernel Version 16.5.0: Fri Mar  3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64	"nginx version: nginx/1.12.0
built by clang 8.1.0 (clang-802.0.41)
built with OpenSSL 1.1.0e  16 Feb 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-O2 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=spnego-http-auth-nginx-module-master --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-http_v2_module --with-threads --with-http_slice_module --user=nginx --group=nginx --prefix=/opt/nginx --error-log-path=/opt/nginx/log/error.log --http-log-path=/opt/nginx/log/access.log --pid-path=/opt/nginx/run/nginx.pid --lock-path=/opt/nginx/run/nginx --http-client-body-temp-path=/opt/nginx/cache/client --http-proxy-temp-path=/opt/nginx/cache/proxy --http-fastcgi-temp-path=/opt/nginx/cache/fastcgi --http-uwsgi-temp-path=/opt/nginx/cache/uwsgi --http-scgi-temp-path=/opt/nginx/cache/scgi"