segfault in node v0.6.6 #2438

Closed
ry opened this Issue · 4 comments

2 participants

@ry
ry commented

Experiencing crashes in what appears to be a bad ref in node_http_parser.cc during StringPtr::Update.

(gdb) bt
#0  0x00007f470e1fcd30 in memcpy () from /lib/libc.so.6
#1  0x000000000053e58b in node::StringPtr::Update (p_=<value optimized out>, 
    at=0x662efea "92395c572&now=1325093117.714518 HTTP/1.1\r\nHost: prod-nr263.vox^?\226?\217\027RIR\031J\026\222\231{94\\?\202??\235\a??.?K? \017\004\061a\n     9d8\nyR\026S]\234??S?c?@\034\030?9@??ſ?\217z\213\004\061f\n     9ec\nyj???\016??\212?ȿ\fs\225H\035?\210\205?a\f?GU?y/f\017\004\061b\n     a00\ny\212\217\035m޺?\226\204"..., 
    length=31) at /usr/include/bits/string3.h:52
#2  node::Parser::on_url_ (p_=<value optimized out>, 
    at=0x662efea "92395c572&now=1325093117.714518 HTTP/1.1\r\nHost: prod-nr263.vox^?\226?\217\027RIR\031J\026\222\231{94\\?\202??\235\a??.?K? \017\004\061a\n     9d8\nyR\026S]\234??S?c?@\034\030?9@??ſ?\217z\213\004\061f\n     9ec\nyj???\016??\212?ȿ\fs\225H\035?\210\205?a\f?GU?y/f\017\004\061b\n     a00\ny\212\217\035m޺?\226\204"..., 
    length=31) at ../src/node_http_parser.cc:250
#3  node::Parser::on_url (p_=<value optimized out>, 
    at=0x662efea "92395c572&now=1325093117.714518 HTTP/1.1\r\nHost: prod-nr263.vox^?\226?\217\027RIR\031J\026\222\231{94\\?\202??\235\a??.?K? \017\004\061a\n     9d8\nyR\026S]\234??S?c?@\034\030?9@??ſ?\217z\213\004\061f\n     9ec\nyj???\016??\212?ȿ\fs\225H\035?\210\205?a\f?GU?y/f\017\004\061b\n     a00\ny\212\217\035m޺?\226\204"..., 
    length=31) at ../src/node_http_parser.cc:248
#4  0x000000000057aa5b in http_parser_execute (parser=0x4bb72e8, settings=0xc3d000, data=<value optimized out>, 
    len=<value optimized out>) at ../deps/http_parser/http_parser.c:993
#5  0x000000000053e3b6 in node::Parser::Execute (args=<value optimized out>) at ../src/node_http_parser.cc:457
#6  0x00000000005a9d41 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) ()

Crashes are very rare. At first we thought this was a problem with missing HandleScope and made 73cf8e8 to fix it. It turns out that didn't stop the problems and was reverted in 448c5e0.

cc @mranney @bnoordhuis

@ry ry referenced this issue from a commit
@ry ry Add test for #2438
Unfortunately valgrind must be used to see the bad read. It would be nice if
we could improve this test to cause a segfault.
432a2e4
@mranney

Stacks from various cores run into trouble in a number of places, all after http_parser somewhere. Memory corruption is tricky.

@ry
ry commented

Potential fix didn't work. Resulted in new crashes: https://gist.github.com/53efa2e0f2b1efac75c8

@ry ry referenced this issue from a commit
@ry ry Potential fix for #2438
- Save StringPtr if the header hasn't been completely received yet after one
  packet.
- Add one to num_fields and num_values. They were actually one less than the
  number of fields and values.
- Remove always_inline; it makes debugging difficult and has negligible
  performance benefits.
f3da6c6
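The first bullet of that commit message is the heart of the bug the backtrace shows: StringPtr borrows a pointer (`at=`) into the buffer the current packet was read into, and when a URL or header is only partly received by the end of one Execute call, that pointer is kept across calls. The next packet arrives in different (or recycled) memory, and the memcpy in StringPtr::Update (frames #0 and #1) reads through the stale pointer. The C program below is an added illustration of that failure mode and of the fix, not node's code: the struct, the toy line-oriented parser, the single reused receive buffer and the constructed two-packet Host header are all assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a zero-copy field holder in the spirit of the
 * StringPtr in src/node_http_parser.cc. Not node's code: names, layout and
 * the toy parser below are assumptions for this example. The holder either
 * borrows a range of the receive buffer (on_heap == 0) or owns a heap copy
 * of the bytes seen so far (on_heap == 1). */
typedef struct {
    const char *str;
    size_t size;
    int on_heap;
} string_ptr;

static void sp_reset(string_ptr *sp) {
    if (sp->on_heap) free((char *)sp->str);
    sp->str = NULL;
    sp->size = 0;
    sp->on_heap = 0;
}

/* Accumulate one more fragment. An adjacent fragment extends the borrowed
 * range; anything else forces a heap copy. The memcpy from sp->str is the
 * read that goes bad when sp->str still points into a recycled packet buffer. */
static void sp_update(string_ptr *sp, const char *at, size_t len) {
    if (sp->str == NULL) {
        sp->str = at;
        sp->size = len;
        return;
    }
    if (!sp->on_heap && sp->str + sp->size == at) {
        sp->size += len;
        return;
    }
    char *buf = malloc(sp->size + len);
    memcpy(buf, sp->str, sp->size);       /* stale read if sp->str is borrowed */
    memcpy(buf + sp->size, at, len);
    if (sp->on_heap) free((char *)sp->str);
    sp->str = buf;
    sp->size += len;
    sp->on_heap = 1;
}

/* Force an owned copy. The first bullet of f3da6c6 amounts to doing this for
 * a field that is still incomplete once a packet has been fully consumed. */
static void sp_save(string_ptr *sp) {
    if (sp->on_heap || sp->str == NULL) return;
    char *buf = malloc(sp->size);
    memcpy(buf, sp->str, sp->size);
    sp->str = buf;
    sp->on_heap = 1;
}

/* Toy parser: a field is everything up to '\n'. Every packet is copied into
 * one reused receive buffer (assumed here to stand in for a recycled read
 * buffer), so a pointer borrowed from packet N sees packet N+1's bytes. */
#define RECV_SIZE 64
static char recv_buf[RECV_SIZE];

typedef struct {
    string_ptr field;              /* field currently being accumulated */
    char result[2 * RECV_SIZE];    /* last completed field, NUL-terminated */
} parser;

static void parser_execute(parser *p, const char *data, size_t len, int save_partial) {
    memcpy(recv_buf, data, len);
    size_t start = 0;
    for (size_t i = 0; i < len; i++) {
        if (recv_buf[i] != '\n') continue;
        sp_update(&p->field, recv_buf + start, i - start);
        memcpy(p->result, p->field.str, p->field.size);
        p->result[p->field.size] = '\0';
        sp_reset(&p->field);
        start = i + 1;
    }
    if (start < len)                   /* field continues in the next packet */
        sp_update(&p->field, recv_buf + start, len - start);
    if (save_partial)                  /* the fix: stop borrowing from recv_buf */
        sp_save(&p->field);
}

/* Deliver a Host header split across two packets (constructed input) and
 * return the field the parser ended up with. save_partial == 0 reproduces
 * the stale read; save_partial == 1 applies the fix. */
const char *split_header(int save_partial) {
    static parser p;
    memset(&p, 0, sizeof p);
    parser_execute(&p, "Host: prod-nr263", 16, save_partial);
    parser_execute(&p, ".vox\n", 5, save_partial);
    sp_reset(&p.field);
    return p.result;
}

int main(void) {
    printf("without save: \"%s\"\n", split_header(0));
    printf("with save:    \"%s\"\n", split_header(1));
    return 0;
}
```

Without the save step the parser hands back a field assembled from the second packet's bytes plus leftovers of the first, which is the silent form of the bug; when the old packet's memory has been freed rather than reused, the same memcpy is a use-after-free, which is why it only shows up as a bad read under valgrind (as the test commit above notes) and faults in memcpy in production. The fix is cheap because the copy is only taken for a field that is still open at the end of a packet, not for every field.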
@ry
ry commented

f3da6c6 was tested in production and does fix the bug.

@ry ry closed this
@isaacs isaacs referenced this issue from a commit in isaacs/node
@isaacs isaacs 2012.01.06, Version 0.6.7 (stable)
* Upgrade V8 to 3.6.6.15

* Upgrade npm to 1.1.0-beta-10 (isaacs)

* many doc updates (Ben Noordhuis, Jeremy Martin, koichik, Dave Irvine,
  Seong-Rak Choi, Shannen, Adam Malcontenti-Wilson, koichik)

* #2438 segfault in node v0.6.6

* dgram, timers: fix memory leaks (Ben Noordhuis, Yoshihiro Kukuchi)

* repl: fix repl.start not passing the `ignoreUndefined` arg (Damon Oehlman)

* #1980: Socket.pause null reference when called on a closed Stream (koichik)

* #2263: XMLHttpRequest piped in a writable file stream hang (koichik)

* #2069: http resource leak (koichik)

* buffer.readInt global pollution fix (Phil Sung)

* timers: fix performance regression (Ben Noordhuis)

* #2308, #2246: node swallows openssl error on request (koichik)

* #2114: timers: remove _idleTimeout from item in .unenroll() (James Hartig)

* #2379: debugger: Request backtrace w/o refs (Fedor Indutny)

* simple DTrace ustack helper (Dave Pacheco)

* crypto: rewrite HexDecode without snprintf (Roman Shtylman)

* crypto: add SecureContext.clearOptions() method (Ben Noordhuis)

* crypto: don't ignore DH init errors (Ben Noordhuis)
f15ef99