bugfix: semaphore: memory invalid reads might happen when using ngx.semaphore in init_by_lua*.

Author: agentzh

src/ngx_http_lua_directive.c

@@ -120,6 +120,7 @@ ngx_http_lua_shared_dict(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
     ctx->name = name;
     ctx->main_conf = lmcf;
     ctx->log = &cf->cycle->new_log;
+    ctx->cycle = cf->cycle;
 
     zone = ngx_shared_memory_add(cf, &name, (size_t) size,
                                  &ngx_http_lua_module);

src/ngx_http_lua_semaphore.c

@@ -293,10 +293,9 @@ ngx_http_lua_ffi_semaphore_new(ngx_http_lua_semaphore_t **psem,
 
     sem->resource_count = n;
     sem->wait_count = 0;
-    sem->log = ngx_cycle->log;
     *psem = sem;
 
-    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, sem->log, 0,
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
                    "http lua semaphore new: %p, resources: %d",
                    sem, sem->resource_count);
 
@@ -307,7 +306,7 @@ ngx_http_lua_ffi_semaphore_new(ngx_http_lua_semaphore_t **psem,
 int
 ngx_http_lua_ffi_semaphore_post(ngx_http_lua_semaphore_t *sem, int n)
 {
-    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, sem->log, 0,
+    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
                    "http lua semaphore post: %p, n: %d, resources: %d",
                    sem, n, sem->resource_count);
 
@@ -333,7 +332,7 @@ ngx_http_lua_ffi_semaphore_wait(ngx_http_request_t *r,
     ngx_http_lua_co_ctx_t        *wait_co_ctx;
     ngx_int_t                     rc;
 
-    ngx_log_debug4(NGX_LOG_DEBUG_HTTP, sem->log, 0,
+    ngx_log_debug4(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
                    "http lua semaphore wait: %p, timeout: %d, "
                    "resources: %d, event posted: %d",
                    sem, wait_ms, sem->resource_count,
@@ -391,7 +390,7 @@ ngx_http_lua_ffi_semaphore_wait(ngx_http_request_t *r,
     wait_co_ctx->data = sem;
     wait_co_ctx->cleanup = ngx_http_lua_semaphore_cleanup;
 
-    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, sem->log, 0,
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
                    "http lua semaphore wait yielding");
 
     return NGX_AGAIN;
@@ -414,7 +413,7 @@ ngx_http_lua_semaphore_cleanup(void *data)
 
     sem = coctx->data;
 
-    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, sem->log, 0,
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
                    "http lua semaphore cleanup");
 
     if (coctx->sleep.timer_set) {

src/ngx_http_lua_semaphore.h

@@ -35,7 +35,6 @@ typedef struct ngx_http_lua_semaphore_s {
     ngx_queue_t                          wait_queue;
     ngx_queue_t                          chain;
     ngx_event_t                          sem_event;
-    ngx_log_t                           *log;
     ngx_http_lua_semaphore_mm_block_t   *block;
     int                                  resource_count;
     unsigned                             wait_count;

src/ngx_http_lua_shdict.c

@@ -56,6 +56,8 @@ ngx_http_lua_shdict_init_zone(ngx_shm_zone_t *shm_zone, void *data)
     ngx_http_lua_shdict_ctx_t  *octx = data;
 
     size_t                      len;
+    ngx_int_t                   rc;
+    volatile ngx_cycle_t       *saved_cycle;
     ngx_http_lua_shdict_ctx_t  *ctx;
     ngx_http_lua_main_conf_t   *lmcf;
 
@@ -117,7 +119,14 @@ ngx_http_lua_shdict_init_zone(ngx_shm_zone_t *shm_zone, void *data)
     if (lmcf->shm_zones_inited == lmcf->shm_zones->nelts
         && lmcf->init_handler)
     {
-        if (lmcf->init_handler(ctx->log, lmcf, lmcf->lua) != NGX_OK) {
+        saved_cycle = ngx_cycle;
+        ngx_cycle = ctx->cycle;
+
+        rc = lmcf->init_handler(ctx->log, lmcf, lmcf->lua);
+
+        ngx_cycle = saved_cycle;
+
+        if (rc != NGX_OK) {
             /* an error happened */
             return NGX_ERROR;
         }

src/ngx_http_lua_shdict.h

@@ -37,6 +37,7 @@ typedef struct {
     ngx_str_t                     name;
     ngx_http_lua_main_conf_t     *main_conf;
     ngx_log_t                    *log;
+    ngx_cycle_t                  *cycle;
 } ngx_http_lua_shdict_ctx_t;