
Mailing List Archive: Apache: Bugs

[Bug 52779] mod_lua segfaults

 

 



bugzilla at apache

Jun 12, 2012, 1:13 PM

Post #1 of 5
[Bug 52779] mod_lua segfaults

https://issues.apache.org/bugzilla/show_bug.cgi?id=52779

--- Comment #1 from Dick Snippe <Dick.Snippe [at] tech> ---
I just replicated this bug.
The segfault is caused by cleanup_lua getting passed a NULL pointer;
this NULL pointer is passed to lua_close(NULL), which tries to dereference
it, which causes a segfault.

So how can cleanup_lua be passed a NULL pointer? Here is where it gets weird:
The NULL pointer stems from ap_lua_get_lua_state where apr_pool_userdata_set
is called with L==NULL.

Now the weird thing is that L appears to be filled in slightly later.
I added some debug code to print the value of L returned by vm_construct:

    if (L == NULL) {
        ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, lifecycle_pool,
                      APLOGNO(01483)
                      "creating lua_State with file %s", spec->file);
        /* not available, so create */

        if (vm_construct((void **)&L, spec, lifecycle_pool) == APR_SUCCESS) {
            /* debug: the same log call twice, printing L each time */
            ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, lifecycle_pool,
                          APLOGNO(01483)
                          "call apr_pool_userdata_set with %x", (unsigned int) L);
            ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, lifecycle_pool,
                          APLOGNO(01483)
                          "call apr_pool_userdata_set with %x", (unsigned int) L);

            apr_pool_userdata_set(L,
                                  spec->file,
                                  cleanup_lua,
                                  lifecycle_pool);
        }
    }

Note that both ap_log_perror calls are identical, however the output isn't
identical:

[Tue Jun 12 22:00:10.169038 2012] [lua:debug] [pid 25340:tid 1136863568]
lua_vmprep.c(415): AH01483: creating lua_State with file
/home/beheer/dick/apache/lua/luatest.lua
[Tue Jun 12 22:00:10.169696 2012] [lua:debug] [pid 25340:tid 1136863568]
lua_vmprep.c(365): AH01481: loading lua file
/home/beheer/dick/apache/lua/luatest.lua
[Tue Jun 12 22:00:10.169905 2012] [lua:debug] [pid 25340:tid 1136863568]
lua_vmprep.c(420): AH01483: call apr_pool_userdata_set with 0
[Tue Jun 12 22:00:10.169924 2012] [lua:debug] [pid 25340:tid 1136863568]
lua_vmprep.c(423): AH01483: call apr_pool_userdata_set with 2224bc0

I assume that without the debug code the first (NULL) value is passed
to apr_pool_userdata_set, causing havoc.

As to why L==NULL at the first reference but not on subsequent references I have
no idea. A bad compiler optimization perhaps?
That might explain why not everybody can replicate this bug.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd


bugzilla at apache

Jun 12, 2012, 2:54 PM

Post #2 of 5
[Bug 52779] mod_lua segfaults [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52779

--- Comment #2 from Dick Snippe <Dick.Snippe [at] tech> ---
Because
static apr_status_t vm_construct(void **vm, void *params, apr_pool_t
*lifecycle_pool)
does a *vm = L and thereby dereferences a void pointer. When I change it to
static apr_status_t vm_construct(lua_State **vm, void *params, apr_pool_t
*lifecycle_pool)
the function acts as expected and the problem appears to be solved.



bugzilla at apache

Jun 13, 2012, 5:43 AM

Post #3 of 5
[Bug 52779] mod_lua segfaults [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52779

Dick Snippe <Dick.Snippe [at] tech> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #28390|0 |1
is obsolete| |

--- Comment #3 from Dick Snippe <Dick.Snippe [at] tech> ---
Created attachment 28926
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28926&action=edit
change void** to lua_State ** to work around compiler(?) issue

This simple patch changes the type of the first argument in vm_construct from
void ** to lua_State **, this fixes our issue on 64bit linux, gcc 4.1.2.

The issue does not happen on 32bit linux.

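
The out-parameter pattern discussed in comments #1 to #3, as an added example (not code from mod_lua or from any poster): in C, `void *` and `lua_State *` are distinct types, so a store made through `(void **)&L` is an aliasing violation, and a compiler doing type-based alias analysis may read `L` before that store is visible. The example assumes that is what the thread is observing; `vm_t`, `construct_typed`, `construct_generic`, `get_state_via_temp` and `cleanup_vm` are hypothetical stand-ins for `lua_State`, `vm_construct` and `cleanup_lua`.

```c
#include <stdlib.h>

/* Hypothetical stand-in for lua_State; not the real Lua type. */
typedef struct vm { int open; } vm_t;

/* Typed out-parameter, the shape of the fix in comment #3: the store
 * through *out has the same type as the caller's variable. */
static int construct_typed(vm_t **out)
{
    vm_t *v = calloc(1, sizeof *v);
    if (v == NULL)
        return -1;
    v->open = 1;
    *out = v;
    return 0;
}

/* Generic signature: stores a void *, so pass a real void *, never (void **)&L. */
static int construct_generic(void **out)
{
    vm_t *v = NULL;
    int rc = construct_typed(&v);
    *out = v;
    return rc;
}

/* Cast-free call: result lands in a real void *, converted by assignment. */
static vm_t *get_state_via_temp(void)
{
    void *tmp = NULL;
    if (construct_generic(&tmp) != 0 || tmp == NULL)
        return NULL;            /* never hand a NULL state onward */
    return tmp;
}

/* Cleanup that tolerates NULL. Returns 1 if a state was released. */
static int cleanup_vm(vm_t *v)
{
    if (v == NULL)
        return 0;
    free(v);
    return 1;
}

int main(void)
{
    vm_t *L = get_state_via_temp();
    return cleanup_vm(L) == 1 ? 0 : 1;  /* exit 0: state created and released */
}
```

Building with `-O2 -Wstrict-aliasing` (GCC) is one way to surface casts of this kind in existing code.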


bugzilla at apache

Jun 16, 2012, 3:43 PM

Post #4 of 5
[Bug 52779] mod_lua segfaults [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52779

Stefan Fritsch <sf [at] sfritsch> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk

--- Comment #4 from Stefan Fritsch <sf [at] sfritsch> ---
committed to trunk as r1351012

Marco, can you verify if that fixes the problem for you, too?



bugzilla at apache

Jun 28, 2012, 2:26 PM

Post #5 of 5
[Bug 52779] mod_lua segfaults [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52779

--- Comment #5 from Marco van Tol <marco [at] tols> ---
Hm, I had replied a couple of days ago, but that somehow didn't make it into
this system. What I wrote was this, which is still valid:

-----
As far as I'm concerned Dick Snippe became authoritative for this bug.

Without going into much out-of-scope detail, he continued where I left off. :-)

Thank you,
-----

