Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#284 closed defect (fixed)

segfault in DAV module during PUT processing after PUT and GET the same HTTP connection

Reported by: Hendy Irawan Owned by: vl
Priority: major Milestone:
Component: nginx-module Version: 1.1.x
Keywords: dav put pipeline Cc:
uname -a: Linux nitik1.bippo.co.id 3.5.2-linode45 #1 SMP Wed Aug 15 14:10:55 EDT 2012 i686 i686 i386 GNU/Linux
nginx -V: nginx version: nginx/1.1.19
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-dav-ext-module

Description

How to reproduce :

  1. Open connection
  2. PUT a file
  3. GET a file (pipelined)
  4. PUT a file (pipelined) <-- core dump here

I *think* this simplified scenario might also trigger the bug:

  1. Open connection
  2. GET a file
  3. PUT a file (pipelined) <-- probably will core dump here

The resulting behavior is similar to #238, but different trigger.

nginx log will say something like:

2013/01/18 03:17:03 [alert] 25253#0: worker process 25948 exited on signal 11 (core dumped)

nginx version: 1.1.19-1ubuntu0.1 on Ubuntu 12.04 32-bit

Change History (7)

comment:1 by maxim, 8 years ago

Owner: set to vl
Status: newassigned

comment:2 by Valentin V. Bartenev, 8 years ago

You are using an old unstable version of nginx. It is very likely that the issue is already fixed in r4919 (1.3.9+, 1.2.6+) or r4938 (1.3.9+).

In any case, I'd recommend to update your nginx version. You can use our official repository for Ubuntu: http://nginx.org/en/download.html (bottom of the page).

Last edited 8 years ago by Valentin V. Bartenev (previous) (diff)

comment:3 by vl, 8 years ago

The issue is beleived to be fixed in nginx r4919 (1.3.9+, 1.2.6+) or r4938 (1.3.9+),
as stated in the previous comment.
Please reopen the ticket if the issue is still present in newer versions of nginx.

comment:4 by vl, 8 years ago

Resolution: fixed
Status: assignedclosed

comment:5 by Adrianto Mahendra Wijaya, 8 years ago

Resolution: fixed
Status: closedreopened

Still happens on nginx 1.2.7.

org.soluvas.image.ImageException: Error processing image goodmood_dress_0201c
	org.soluvas.image.store.MongoImageRepository.doCreate(MongoImageRepository.java:464)
	org.soluvas.image.store.MongoImageRepository.create(MongoImageRepository.java:305)
	org.soluvas.image.store.MongoImageRepository.add(MongoImageRepository.java:314)
	id.co.bippo.product.shell.hand.ProductImportCommand$1.apply(ProductImportCommand.java:116)
	id.co.bippo.product.shell.hand.ProductImportCommand$1.apply(ProductImportCommand.java:1)
	com.google.common.collect.Iterators$9.transform(Iterators.java:893)
	com.google.common.collect.TransformedIterator.next(TransformedIterator.java:48)
	java.util.AbstractCollection.toArray(AbstractCollection.java:141)
	com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:314)
	com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:253)
	id.co.bippo.product.shell.hand.ProductImportCommand.doExecute(ProductImportCommand.java:109)
	org.apache.karaf.shell.console.OsgiCommandSupport.execute(OsgiCommandSupport.java:38)
	org.soluvas.commons.shell.TenantCommandSupport.execute(TenantCommandSupport.java:55)
	org.apache.felix.gogo.commands.basic.AbstractCommand.execute(AbstractCommand.java:35)
	org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)
	org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:474)
	org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:400)
	org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)
	org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)
	org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)
	org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
	org.apache.karaf.shell.console.jline.Console.run(Console.java:175)
	java.lang.Thread.run(Thread.java:722)
Caused by: org.soluvas.image.ImageException: Error uploading n goodmood_dress_0201c using org.soluvas.image.impl.DavConnectorImpl
	... 22 more
Caused by: org.soluvas.image.ImageException: Cannot upload to http://dav.berbatik5.adri.dev/product/n/goodmood_dress_0201c_n.jpg
	... 23 more
Caused by: org.apache.http.client.ClientProtocolException
	... 24 more
Caused by: org.apache.http.ProtocolException: The server failed to respond with a valid HTTP response
	... 26 more

nginx version:

$ nginx -V
nginx version: nginx/1.2.7
built by gcc 4.7.2 (Ubuntu/Linaro 4.7.2-2ubuntu1) 
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6

nginx log say this:

==> dav.berbatik5.adri.dev_access.log <==
127.0.0.1 - berbatik_dev [14/Feb/2013:18:07:42 +0700] "PUT /product/o/goodmood_dress_0201c_o.jpg HTTP/1.1" 204 0 "-" "Apache-HttpClient/4.2.2 (java 1.5)"
127.0.0.1 - berbatik_dev [14/Feb/2013:18:07:42 +0700] "GET /product/o/goodmood_dress_0201c_o.jpg HTTP/1.1" 200 518034 "-" "Apache-HttpClient/4.2.2 (java 1.5)"
127.0.0.1 - berbatik_dev [14/Feb/2013:18:07:43 +0700] "PUT /product/t/goodmood_dress_0201c_t.jpg HTTP/1.1" 204 0 "-" "Apache-HttpClient/4.2.2 (java 1.5)"
127.0.0.1 - berbatik_dev [14/Feb/2013:18:07:43 +0700] "PUT /product/l/goodmood_dress_0201c_l.jpg HTTP/1.1" 204 0 "-" "Apache-HttpClient/4.2.2 (java 1.5)"

==> access.log <==
127.0.0.1 - - [14/Feb/2013:18:07:43 +0700] "Q\xE7\xF1-\x1Fb\x09m\xDEf\x9Ci.\xE4<\x13\xB8\xBB\x99\xAF^\xF1\xD0\x05\x83)s\x0E\xAA8a\xF3,j\xF6\xE6\xFBK\xE6\xD2\xEE+]\xA1V.h\xAF\xB32\xBBZ;1\xC6\xEB\x03\xD3\xE4\xCA\xE0Y\x1B\xAF\x8B\x8A\xB6 \xF9.\xD2\xC9\xCE\x09\xAB\xEF\x1B\xB1\xE4\xD6\xB7\x93\xC4\xD8\xDA\x8B\x7F\xEA\xE5\x98\x8A\x9B>\xAC\xA5\xC2E\xEA\xBBN2\x0C\xC6\x04HA\x1D\xDB\xE6r\x95+" 400 166 "-" "-"

There should be another PUT after "PUT /product/l/goodmood_dress_0201c_l.jpg", but that PUT seems to be interpreted as a jumbled request.

So the revised reproduce steps is as follows:

How to reproduce :

  1. Open connection
  2. PUT a file
  3. GET a file (pipelined)
  4. PUT a file (pipelined) <-- success in 1.2.7, core dump in older version
  5. PUT a file (pipelined) <-- success in 1.2.7, core dump in older version
  6. PUT a file (pipelined) <-- jumbled request in 1.2.7

comment:6 by Maxim Dounin, 8 years ago

Resolution: fixed
Status: reopenedclosed

The problem with pipelined requests might still appear with DAV module in 1.2.x, but will no longer result in coredumps, see relevant commits pointed out by vl. The problem is completely resolved in 1.3.x.

comment:7 by Hendy Irawan, 8 years ago

Thank you Maxim and Valentin ! :)

Note: See TracTickets for help on using tickets.