Mailing Lists
|
| |
|
|
|
|
cURL  Mailing List Monthly Index Single Mail
curl-tracker mailing list Archives
[ curl-Bugs-2824938 ] SIGSEGV in Curl_pgrsTime
From: SourceForge.net <noreply_at_sourceforge.net>
Date: Tue, 21 Jul 2009 22:38:14 +0000
Bugs item #2824938, was opened at 2009-07-21 20:47
Please note that this message will contain a full copy of the comment thread,
Initial Comment:
> ::status
This is the stack from the only LWP running in the process:
> $C
> libcurl.so.3.0.0`Curl_pgrsTime+0xb3::dis
Disassembly shows that we're dying after a call to curlx_tvnow, a leaf function in Curl_pgrsTime, called like this:
Curl_tvdiff_secs(Curl_tvnow(), data->progress.t_startsingle);
> ::regs
%esi = 0x10
0x3fc + 0x10 is 0x40c which corresponds to our fault address. This is unmapped, obviously the cause of the segfault.
%ebp = 0x08045f24
> 0x08045f24+0x8/X
So far, this makes sense. We're moving timevalues from the arguments and return values of one function to another, as per this nested invocation.
If the Curl_pgrsTime call frame is to be believed, we were called with 0x10 as the address for the SessionHandle pointer. The second argument is 4. This corresponds to a timerid of TIMER_PRETRANSFER, which is verified by inspection of checkPendPipeline(). It only makes one call to Curl_pgrsTime and that's with TIMER_PRETRANSFER as an argument.
Working backwards a bit, it's possible to see that the second argument to multi_runsingle() is a pointer to struct Curl_one_easy. The stack says that our pointer to Curl_one_easy is 0x25a2cf00. multi_runsingle calls checkPendPipeline() with a pointer to connectdata at offset 0xc in the Curl_one_easy structure.
Just for the sake of sanity, it's possible to work backwards even further by looking at the Curl_multi that was supplied in curl_multi_perform. It contains a list of Curl_one_easy structs that are linked together and traversed like this:
easy=multi->easy.next;
result = multi_runsingle(multi, easy);
easy = easy->next; /* operate on next handle */
In both curl_multi_perform() and multi_runsingle() the first argument is a pointer to a Curl_multi struct. Walking that struct, it has the following Curl_one_easy structs:
The last points back to 0x256f3208, completing the loop. We seem to have gotten hung up processing 0x25a2cf00, at least according to the call stack of
Based upon this information 0x25a2cf00 + 0xc should be the connectdata:
> 0x25a2cf00 + 0xc/K
The connect data has a SessionHandle pointer as its first member:
> 25b384b0/K
So this should be the session handle where we ran into trouble.
The session handle keeps a magic number in its final member. This allows us to identify that it's actually a SessionHandle:
> ad0cc48+0x85ec/K
In this case the magic number is zero, which means that the handle has already been closed, or isn't a SessionHandle object. However, the
> ad0cc48+0x8/K
This points back to the correct multi handle, which means we should be looking at a SessionHandle object here.
Getting back to the task at hand, we need to fish out the easy_conn from our Curl_easy_one in order to double-check the sanity of our stack
checkPendPipeline() looks at the head of the pend_pipe list and moves each pending object to the send_pipe, after calling Curl_pgrsTime() to
Unfortunately for us, the connectdata's pipes appear to be NULL. Fromcode inspection, it's not clear how this might happen. However, the
0 1 2 3 \/ 5 6 7 8 9 a b c d e f
So, we can't figure it out by working backwards. We'll have to go fishing in the stack to see if we can find the object that caused all of
> 0x08045f24,64::dump -qe
Digging around in the stack turned out to be fruitful, as unlikely as that might be. At 0x08045f44 there's a pointer to 0x0853ac88, which when
pmap says the following about the heap:
08061000 512936K rwx-- [ heap ]
This means that every address from 0x08061000 to 0x2754b000 is within the heap. This means that 0x0853ac88 was allocated from the heap rather
There was some suggestion that this might be related to the Curl_getoff_all_pipelines() bug, if so, I could use some additional information in determining whether I've been affected by that issue. In this crash, it looks like the connectdata already had Curl_done() called on it and had the pipeline lists free'd. Since the code hits checkPendPipeline() before Curl_done() in the multi_runsingle CURLM_STATE_DONE case, it's not clear to me that this would help. Further information about how to diagnose the getoff_all_pipelines bug would be appreciated.
I'm having a difficult time coming up with a hypothesis for how the library ended up in the state that it did at the time of the crash. The bits in the connectdata show close and done as True, which means that Curl_done() had already been called on the handle, and it also needed to be closed. The reuse and retry bits were false. If there something else that I should check, please let me know.
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Message:
----------------------------------------------------------------------
You can respond by visiting:
These mail archives are generated by hypermail. |
Page updated November 12, 2010.
web site info