[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [Libevent-users] assert in http.c



On Wed, Jan 18, 2012 at 12:56 PM, Myk Taylor <myk002@xxxxxxxxx> wrote:
> Hi all,
>
> I've done a bit more debugging on this, and after reproducing a few
> segfaults (different from the original assert), it seems like the problem is
> related to the issues Zhuang Yuyao was having a year and a half ago:
>
> http://archives.seul.org/libevent/users/Jun-2010/msg00002.html
>
> It is the same situation for me: I am using openssl bufferevents and
> BEV_OPT_DEFER_CALLBACKS is set.  I am also beset with warnings like:
>
> Epoll MOD(4) on fd 471 failed.  Old events were 6; read change was 2 (del);
> write change was 0 (none): Bad file descriptor

This one usually means that it tried to event_del() an event for a fd
that had already closed.  Assuming that you're using the regular epoll
backend (and not the epoll_changelist one), that's probably a bug in
somewhere.

> However those warnings are not always coincidental with a segfault. Here is
> a representative backtrace:
>
> #0  0x0000000000000000 in ?? ()
> #1  0x00007ffff7ba1449 in evbuffer_free (buffer=0x7afee0) at buffer.c:568
> #2  0x00007ffff7ba5dc2 in _bufferevent_decref_and_unlock (bufev=0x7b38a0) at
> bufferevent.c:629
> #3  0x00007ffff7b9cb4b in event_process_deferred_callbacks
> (breakptr=0x71b530, queue=0x71b558) at event.c:1364
> #4  event_process_active (base=<optimized out>) at event.c:1403
> #5  event_base_loop (base=0x71b450, flags=<optimized out>) at event.c:1589
> #6  0x000000000040380e in main (argc=8, argv=0x7fffffffd6b8) at ...
>
> frame 0 is due to the lock callback being null in EVLOCK_LOCK.  I note that
> all the segfaults I have cores for involve
> event_process_deferred_callbacks().

 Is your code multithreaded?  I'm guessing so, from the EVBUFFER_LOCK
call.  It's very weird that the "lockvar" (evbuffer->lock) would be
set, but _evthread_mode_fns.lockfn would be NULL.   Have you tried
looking at the contents of *buffer in one of these cores? Does it look
like it's been trashed?

> Could it be that the openssl bufferevent isn't canceling pending callbacks
> when it is destroyed?  Alternately, are there assumptions about when a
> bufferevent can be destroyed that I am violating?

It's possible!  My first guess here would be some reference counting
mistake in the code someplace.

If this is not so hard to reproduce, a couple  of things to try:
  * Run it under valgrind.  If you're using valgrind and openssl at
the same time, you'll need to pass  --undef-value-errors=no to
valgrind, or rebuild openssl with -DPURIFY.
  * Add a memory poisoning step before freeing an evbuffer or
bufferevent.  (IOW, memset the thing to 0xb0 or something so that you
can more easily find any attempts to access a freed object)

hth,
-- 
Nick
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.