openresty 1.15.8.3 crashed randomly in arm64 with signal 11 #711

gentle-king opened this issue Mar 11, 2021 · 4 comments

@gentle-king

Hi members,

Our nginx worker crashed randomly, about once every several days. We tried our best to check the coredump file and logs, but it seems hard for us.
Kindly help to check.

Best regards!
king

Attached is the info collected:

./nginx -V
nginx version: openresty/1.15.8.3
built by gcc 7.3.0 (GCC)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/opt/gentle/openresty/nginx --with-cc-opt='-O2 -fstack-protector-all -fPIC -Wl,-z,relro,-z,now -z,noexecstack' --add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.7 --with-ld-opt=-Wl,-rpath,/opt/gentle/openresty/luajit/lib --http-client-body-temp-path=tmp/nginx_client_body --http-proxy-temp-path=tmp/nginx_proxy_temp --http-fastcgi-temp-path=tmp/nginx_fastcgi_temp --http-uwsgi-temp-path=tmp/uwsgi_temp --http-scgi-temp-path=tmp/scgi_temp --with-openssl=/base/openresty_ARM_compile/openresty_ARM/build/third-party/openssl-1.1.1g --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_flv_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-cpp_test_module --with-http_v2_module --with-http_auth_request_module --with-pcre=/base/openresty_ARM_compile/openresty_ARM/build/third-party/pcre-8.44 --with-pcre-opt=-fPIC --with-zlib=/base/openresty_ARM_compile/openresty_ARM/build/third-party/zlib-1.2.11 --with-zlib-opt=-fPIC --add-module=/base/openresty_ARM_compile/openresty_ARM/build/script/../../modules/king --with-stream --with-stream_ssl_module 
--with-stream_ssl_preread_module

uname -a
Linux host-10-32-8-162 4.19.36-vhulk1907.1.0.h748.eulerosv2r8.aarch64 #1 SMP Thu May 14 16:41:16 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux

error.log like
[alert] 18041#0: worker process 803 exited on signal 11 (core dumped)

(gdb) backtrace full
#0 0x0000ffffa4d9c6cc in ?? ()
No symbol table info available.
#1 0x0000ffffa5401000 in lj_ir_callinfo () from /opt/gentle/openresty/luajit/lib/libluajit-5.1.so.2
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) info reg
x0 0x4c81f0fd4b50 84120977623888
x1 0xfffbcc81f0d06f08 -1182516420514040
x2 0xfffffffffffffff5 -11
x3 0xfff9000000000000 -1970324836974592
x4 0xffffffffffffffff -1
x5 0xf9e6421d42053f00 -439591220192919808
x6 0x338 824
x7 0x13f40010 334757904
x8 0x1 1
x9 0xffffa54cdb30 281473455020848
x10 0xb6 182
x11 0x16 22
x12 0x0 0
x13 0x2 2
x14 0x4 4
x15 0x6a 106
x16 0x13fc6010 335306768
x17 0xffffa4feda40 281473449908800
x18 0x1 1
x19 0x40690000f0e18698 4641240895023318680
x20 0x4 4
x21 0x0 0
x22 0x4c81f0cca3e0 84120974435296
x23 0x4c81f0ce3590 84120974538128
x24 0x4c81f0d03fc8 84120974671816
x25 0x1000 4096
x26 0x20 32
x27 0x4c81f0fd4b70 84120977623920
x28 0x0 0
x29 0xffffd0e58270 281474186445424
x30 0xfffacc81f0fd4b70 -1463991394284688
sp 0xffffd0e57f70 0xffffd0e57f70
pc 0xffffa4d9c6cc 0xffffa4d9c6cc
cpsr 0x80000000 [ EL=0 N ]
fpsr 0x10 16
fpcr 0x0 0

(gdb) x/200ga 0xffffd0e57ee0
0xffffd0e57ee0: 0x4c81f0d4c8a8 0xffffa4ebd6a8
0xffffd0e57ef0: 0x4c81f0cca3e0 0xffffa54e1710 <__stack_chk_guard>
0xffffd0e57f00: 0x18 0x54dc88 <ngx_http_lua_ffi_var_get+120>
0xffffd0e57f10: 0xffffa53701d0 <lj_mem_newgco+64> 0xf9e6421d42053f00
0xffffd0e57f20: 0x4c81f0e18660 0xf9e6421d42053f00
0xffffd0e57f30: 0x40690000f0e18698 0x4
0xffffd0e57f40: 0x0 0x4c81f0cca3e0
0xffffd0e57f50: 0xffffa4d9c66c 0x1
0xffffd0e57f60: 0x4c81f0cf3cd8 0xf9e6421d42053f00
0xffffd0e57f70: 0x4c81f0d03fd8 0x4c81f0fd4b50
0xffffd0e57f80: 0x40690000f0e18698 0x4c81f0d03fd8
0xffffd0e57f90: 0x4c81f0ce35a0 0x4c81f0e18660
0xffffd0e57fa0: 0x4c81f0cda4b0 0x4c8100001000
0xffffd0e57fb0: 0x4c81f2ff82f8 0x4c81f0cdc4a0
0xffffd0e57fc0: 0x56ce78 <ngx_http_lua_ffi_shdict_incr> 0x4c81f0cdc528
0xffffd0e57fd0: 0x56c510 <ngx_http_lua_ffi_shdict_udata_to_zone> 0x4c81f14a46d0
0xffffd0e57fe0: 0x4c81f2ff8258 0x4c81f0d072a8
0xffffd0e57ff0: 0x4c81f0d08ab0 0xf9e6421d42053f00
0xffffd0e58000: 0x4c81f0e186c0 0x0
0xffffd0e58010: 0x4c81f0cca534 0x4c81f0cca3e0
0xffffd0e58020: 0x4c81f0cca378 0xfff9000000000000
0xffffd0e58030: 0xffffa536c748 <lj_BC_FUNCC+44> 0x8020080280200802
0xffffd0e58040: 0x0 0x4c81f16d75d8
0xffffd0e58050: 0x4c81f16d75de 0x4c81f0cca378
0xffffd0e58060: 0x0 0x4c81f16d75de
0xffffd0e58070: 0xffffffffffffffff 0xffffa53737d0 <lj_tab_resize+664>
0xffffd0e58080: 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272> 0xf9e6421d42053f00
0xffffd0e58090: 0xffffd0e58150 0xffffa4fe0c2c <__GI___libc_malloc+164>
0xffffd0e580a0: 0xffffa50e7a58 <main_arena> 0x2d8a
0xffffd0e580b0: 0xffffa54cdba0 0xffffa54cdb30
0xffffd0e580c0: 0x70 0x4c81f0d084b0
0xffffd0e580d0: 0x4c81f0d089b0 0x4c81f0ce35a0
0xffffd0e580e0: 0xffff4ecd1020 0x1870ed10
0xffffd0e580f0: 0xffff4ecd1000 0xffff4eccd018
0xffffd0e58100: 0x65248071 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e58110: 0x2000000 0x2
0xffffd0e58120: 0x0 0x7c00000070
0xffffd0e58130: 0x7100000077 0xffffa50e7a58 <main_arena>
0xffffd0e58140: 0x0 0x70000000e6
0xffffd0e58150: 0xffffd0e58190 0x56cd58 <ngx_http_lua_ffi_shdict_get+696>
0xffffd0e58160: 0xffffd0e58190 0x56ccac <ngx_http_lua_ffi_shdict_get+524>
0xffffd0e58170: 0x0 0x56ccac <ngx_http_lua_ffi_shdict_get+524>
0xffffd0e58180: 0x0 0xf9e6421d42053f00
0xffffd0e58190: 0xffffd0e58270 0xffffa4efdb38
0xffffd0e581a0: 0x4c81f0e18698 0x4c81f0d089b0
0xffffd0e581b0: 0x56caa0 <ngx_http_lua_ffi_shdict_get> 0x4c81f0cca3e0
0xffffd0e581c0: 0x4c81f0ce3590 0x4c81f0d03fc8
0xffffd0e581d0: 0x1000 0x20
0xffffd0e581e0: 0x4c81f0d08430 0x4c81f0d08410
0xffffd0e581f0: 0x20 0xffff4ecd1044
0xffffd0e58200: 0xffff4ecd1064 0x2d8a
0xffffd0e58210: 0x4c81f0d08430 0x4c81f0d08450
0xffffd0e58220: 0x4c81f0d08490 0x4c81f0d08410
0xffffd0e58230: 0xffff4ecd1020 0x10
0xffffd0e58240: 0x1870ecf0 0xf9e6421d42053f00
0xffffd0e58250: 0xffff00000000 0x4c81f0d08450
0xffffd0e58260: 0x4c81f0e18698 0x1870ed58
0xffffd0e58270: 0xffffd0e58370 0xffffa53818a8 <lua_pcall+176>
0xffffd0e58280: 0x0 0xffffa5401000 <lj_ir_callinfo+624>
0xffffd0e58290: 0x4c81f0cca3e0 0x1819c1f0
0xffffd0e582a0: 0x1819c1f0 0x1819a320
0xffffd0e582b0: 0x18701c00 0x8ff000
0xffffd0e582c0: 0x5 0x1
0xffffd0e582d0: 0x0 0x0
--Type <RET> for more, q to quit, c to continue without paging--c
0xffffd0e582e0: 0x0 0x0
0xffffd0e582f0: 0x0 0x0
0xffffd0e58300: 0x0 0x0
0xffffd0e58310: 0x0 0x4c81f0ce8fa8
0xffffd0e58320: 0x4c81f0cca378 0xfff9000000000000
0xffffd0e58330: 0x1000000010 0x2
0xffffd0e58340: 0x13f79430 0x0
0xffffd0e58350: 0x4c81f0cca378 0x57719c <ngx_http_lua_log_by_chunk+148>
0xffffd0e58360: 0x13f79430 0xf9e6421d42053f00
0xffffd0e58370: 0xffffd0e583c0 0x5775c0 <ngx_http_lua_log_handler_file+160>
0xffffd0e58380: 0x13f79430 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e58390: 0x4c81f0cca378 0x4e19d4 <ngx_http_copy_filter+84>
0xffffd0e583a0: 0x13f79430 0x4c81f0cca378
0xffffd0e583b0: 0x18708560 0xf9e6421d42053f00
0xffffd0e583c0: 0xffffd0e58410 0x5772f4 <ngx_http_lua_log_handler+140>
0xffffd0e583d0: 0x13f79430 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e583e0: 0x14001520 0x8ff000
0xffffd0e583f0: 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272> 0x1f
0xffffd0e58400: 0x1870f4f2 0xf9e6421d42053f00
0xffffd0e58410: 0xffffd0e58460 0x4af900 <ngx_http_log_request+88>
0xffffd0e58420: 0x1da2ee38 0x1da2ee40
0xffffd0e58430: 0x13f79430 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e58440: 0x0 0x13f79430
0xffffd0e58450: 0x1a498990 0xf9e6421d42053f00
0xffffd0e58460: 0xffffd0e584a0 0x4b14fc <ngx_http_free_request+164>
0xffffd0e58470: 0x0 0x13f79430
0xffffd0e58480: 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272> 0x18701b40
0xffffd0e58490: 0x13fdf020 0xf9e6421d42053f00
0xffffd0e584a0: 0xffffd0e584f0 0x4b23d0 <ngx_http_finalize_connection+1304>
0xffffd0e584b0: 0x1a498300 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e584c0: 0x18701ba0 0x13f79430
0xffffd0e584d0: 0x1873ee90 0xf9e6421d42053f00
0xffffd0e584e0: 0xffffd0e58550 0xf9e6421d42053f00
0xffffd0e584f0: 0xffffd0e58550 0x4c5f70 <ngx_http_upstream_process_request+432>
0xffffd0e58500: 0x13fdf020 0x8fe000 <PKCS12_SAFEBAG_adbtbl+272>
0xffffd0e58510: 0x13fdf520 0x13f79430

(gdb) backtrace full
#0 0x0000ffffa4d9c6cc in ?? ()
No symbol table info available.
#1 0x0000ffffa5401000 in lj_ir_callinfo () from /opt/gentle/openresty/luajit/lib/libluajit-5.1.so.2
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) ltracebymcode 0x0000ffffa4d9c6cc
(GCtrace*)0x4c81f0fc8ee8 (trace #712)
machine code start addr: 0xffffa4d9c628
machine code end addr: 0xffffa4d9c72c
@/opt/gentle/openresty/lualib/resty/core/shdict.lua:333
(GCtrace*)0x4c81f31179f8 (trace #713)
machine code start addr: 0xffffa4d9b060
machine code end addr: 0xffffa4d9c3d8
@/opt/gentle/openresty/nginx/conf/lua/reportTimer.lua:131
(GCtrace*)0x4c81f50806a8 (trace #719)
machine code start addr: 0xffffa4d98fec
machine code end addr: 0xffffa4d9a048
@/opt/gentle/openresty/lualib/resty/core/shdict.lua:328
(gdb) x/50ga 0xffffa4d9c628
0xffffa4d9c628: 0xf9417ff3aa1003fb 0xbd0013ffbd42f3ff
0xffffa4d9c638: 0xf940aec0b27d07e1 0x5280022194174ed4
0xffffa4d9c648: 0x790014015280015e 0xf90008133900241e
0xffffa4d9c658: 0xf90007e0f9400bf3 0xf940aec0b27d07e1
0xffffa4d9c668: 0x52800dc194174eca 0x790014015280015e
0xffffa4d9c678: 0xf900081b3900241e 0xd2947c00aa0003fb
0xffffa4d9c688: 0xf2c99020f2be1980 0xeb0103dfa942041e
0xffffa4d9c698: 0x321f03e154000089 0x350004a094174da8
0xffffa4d9c6a8: 0xd2ffff2392800004 0xd28de10192800142
0xffffa4d9c6b8: 0xf2d99021f2be1a01 0xf94007e0f2ffff61
0xffffa4d9c6c8: 0xa904fa648b02bf7e 0xf900227e8b3c407e
0xffffa4d9c6d8: 0xf9001e7e8b34407e 0xf9001a7e8b35407e
0xffffa4d9c6e8: 0xf900167e8b02befe 0xf900127e8b02bf1e
0xffffa4d9c6f8: 0xf9000e7e8b39407e 0xf9000a7e8b3a407e
0xffffa4d9c708: 0xf900027e8b02bc1e 0xf81f0261d2800000
0xffffa4d9c718: 0xf2be1a15d2954e15 0x910c03fff2c99035
0xffffa4d9c728: 0xf90003fe141746b3 0x5280590094174677
0xffffa4d9c738: 0x97fffffc97fffffd 0xfd4013ff97fffffb
0xffffa4d9c748: 0xf94073fcfd400ffe 0xb9404bfab940dbfb
0xffffa4d9c758: 0x6d00fffea943e7f8 0xb27d07e129043fee
0xffffa4d9c768: 0x94174e89f940aec0 0x5280015e52800221
0xffffa4d9c778: 0x3900241e79001401 0xf9000fe0f9000814
0xffffa4d9c788: 0xf2be1980d2947c00 0xa942041ef2c99020
0xffffa4d9c798: 0x54000089eb0103df 0x94174d67320003e1
0xffffa4d9c7a8: 0x29443fee35000660 0x92800143b27dfbe4

@agentzh
Member

agentzh commented Mar 11, 2021

@gentle-king There have been many bug fixes since 1.15.8.3 in both the nginx core, the ngx_lua module, the LuaJIT VM, among many other things. Please try the latest formal release 1.19.3.1.

@gentle-king
Author

@agentzh
Now we have implemented 1.19.3.1.
1.15.8.3 on x86 is always stable; only ARM crashes randomly.
If it works fine with 1.19.3.1, which of the ARM items in the release notes (all are from LuaJIT) helps to solve this issue? Or does some other item help to solve this issue?
Kindly advise.
BR.

Attached are the ARM changes I found in the release notes:
upgraded LuaJIT to 2.1-20201008.
imported Mike Pall's latest changes:
ARM: Ensure relative GG_State element alignment differently.
Android/ARM: Fix build with recent NDK.
OSX/iOS: Handle iOS simulator and ARM64 Macs.
ARM: Implement FLOAD from GG_State.
ARM64: Fix {AHUV}LOAD specialized to nil/false/true.
ARM, ARM64, PPC: Fix TSETR fallback.
FFI/ARM64: Fix pass-by-value struct calling conventions.

@gentle-king
Author

@agentzh

Adding more info from my check: the machine code disassembly.
Kindly help check whether there is any change item in 1.19.3.1 related to my case.
Thanks!

Attached is the machine code disassembled in frame 0:

(gdb) backtrace full
#0 0x0000ffffa4d9c6cc in ?? ()
No symbol table info available.
#1 0x0000ffffa5401000 in lj_ir_callinfo () from /opt/gentle/openresty/luajit/lib/libluajit-5.1.so.2
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) ltracebymcode 0x0000ffffa4d9c6cc
(GCtrace*)0x4c81f0fc8ee8 (trace #712)
machine code start addr: 0xffffa4d9c628
machine code end addr: 0xffffa4d9c72c
@/opt/gentle/openresty/lualib/resty/core/shdict.lua:333
(GCtrace*)0x4c81f31179f8 (trace #713)
machine code start addr: 0xffffa4d9b060
machine code end addr: 0xffffa4d9c3d8
@/opt/gentle/openresty/nginx/conf/lua/reportTimer.lua:131
(GCtrace*)0x4c81f50806a8 (trace #719)
machine code start addr: 0xffffa4d98fec
machine code end addr: 0xffffa4d9a048
@/opt/gentle/openresty/lualib/resty/core/shdict.lua:328
(gdb) disas 0xffffa4d9c628,0xffffa4d9c72c
Dump of assembler code from 0xffffa4d9c628 to 0xffffa4d9c72c:
0x0000ffffa4d9c628: mov x27, x16
0x0000ffffa4d9c62c: ldr x19, [sp, #760]
0x0000ffffa4d9c630: ldr s31, [sp, #752]
0x0000ffffa4d9c634: str s31, [sp, #16]
0x0000ffffa4d9c638: orr x1, xzr, #0x18
0x0000ffffa4d9c63c: ldr x0, [x22, #344]
0x0000ffffa4d9c640: bl 0xffffa5370190 <lj_mem_newgco>
0x0000ffffa4d9c644: mov w1, #0x11 // #17
0x0000ffffa4d9c648: mov w30, #0xa // #10
0x0000ffffa4d9c64c: strh w1, [x0, #10]
0x0000ffffa4d9c650: strb w30, [x0, #9]
0x0000ffffa4d9c654: str x19, [x0, #16]
0x0000ffffa4d9c658: ldr x19, [sp, #16]
0x0000ffffa4d9c65c: str x0, [sp, #8]
0x0000ffffa4d9c660: orr x1, xzr, #0x18
0x0000ffffa4d9c664: ldr x0, [x22, #344]
0x0000ffffa4d9c668: bl 0xffffa5370190 <lj_mem_newgco>
0x0000ffffa4d9c66c: mov w1, #0x6e // #110
0x0000ffffa4d9c670: mov w30, #0xa // #10
0x0000ffffa4d9c674: strh w1, [x0, #10]
0x0000ffffa4d9c678: strb w30, [x0, #9]
0x0000ffffa4d9c67c: str x27, [x0, #16]
0x0000ffffa4d9c680: mov x27, x0
0x0000ffffa4d9c684: mov x0, #0xa3e0 // #41952
0x0000ffffa4d9c688: movk x0, #0xf0cc, lsl #16
0x0000ffffa4d9c68c: movk x0, #0x4c81, lsl #32
0x0000ffffa4d9c690: ldp x30, x1, [x0, #32]
0x0000ffffa4d9c694: cmp x30, x1
0x0000ffffa4d9c698: b.ls 0xffffa4d9c6a8 // b.plast
0x0000ffffa4d9c69c: orr w1, wzr, #0x2
0x0000ffffa4d9c6a0: bl 0xffffa536fd40 <lj_gc_step_jit>
0x0000ffffa4d9c6a4: cbnz w0, 0xffffa4d9c738
0x0000ffffa4d9c6a8: mov x4, #0xffffffffffffffff // #-1
0x0000ffffa4d9c6ac: mov x3, #0xfff9000000000000 // #-1970324836974592
0x0000ffffa4d9c6b0: mov x2, #0xfffffffffffffff5 // #-11
0x0000ffffa4d9c6b4: mov x1, #0x6f08 // #28424
0x0000ffffa4d9c6b8: movk x1, #0xf0d0, lsl #16
0x0000ffffa4d9c6bc: movk x1, #0xcc81, lsl #32
0x0000ffffa4d9c6c0: movk x1, #0xfffb, lsl #48
0x0000ffffa4d9c6c4: ldr x0, [sp, #8]
0x0000ffffa4d9c6c8: add x30, x27, x2, lsl #47
=> 0x0000ffffa4d9c6cc: stp x4, x30, [x19, #72]
0x0000ffffa4d9c6d0: add x30, x3, w28, uxtw
0x0000ffffa4d9c6d4: str x30, [x19, #64]
0x0000ffffa4d9c6d8: add x30, x3, w20, uxtw
0x0000ffffa4d9c6dc: str x30, [x19, #56]
0x0000ffffa4d9c6e0: add x30, x3, w21, uxtw
0x0000ffffa4d9c6e4: str x30, [x19, #48]
0x0000ffffa4d9c6e8: add x30, x23, x2, lsl #47
0x0000ffffa4d9c6ec: str x30, [x19, #40]
0x0000ffffa4d9c6f0: add x30, x24, x2, lsl #47
0x0000ffffa4d9c6f4: str x30, [x19, #32]
0x0000ffffa4d9c6f8: add x30, x3, w25, uxtw
0x0000ffffa4d9c6fc: str x30, [x19, #24]
0x0000ffffa4d9c700: add x30, x3, w26, uxtw
0x0000ffffa4d9c704: str x30, [x19, #16]
0x0000ffffa4d9c708: add x30, x0, x2, lsl #47
0x0000ffffa4d9c70c: str x30, [x19]
0x0000ffffa4d9c710: mov x0, #0x0 // #0
0x0000ffffa4d9c714: stur x1, [x19, #-16]
0x0000ffffa4d9c718: mov x21, #0xaa70 // #43632
0x0000ffffa4d9c71c: movk x21, #0xf0d0, lsl #16
0x0000ffffa4d9c720: movk x21, #0x4c81, lsl #32
0x0000ffffa4d9c724: add sp, sp, #0x300
0x0000ffffa4d9c728: b 0xffffa536e1f4 <lj_vm_exit_interp>
End of assembler dump.

@gentle-king
Author

gentle-king commented Mar 18, 2021

@agentzh

I have found more info; it seems serious. Kindly pay attention to it.

**The machine code loaded by LuaJIT was executing, and it seems the wrong register was used (a 64-bit address put in a 32-bit register, something lost).**
So kindly help check whether there is some change related to register selection (ARM64) merged by OpenResty. Thanks!

It crashed at 0x0000ffffa4d9c6cc, and the x19 register has stored an invalid address; the low 32 bits in x19 are the same as global_State.jit_base.
It seems to come from sp+752 and is passed by s31, which is a 32-bit register.

I have found 2 kinds of core file. Both are related to tables:
a: local h = buf[i]
b: if str_value_buf[0] ~= buf then

global_State.jit_base = {ptr64 = 0x4c81f0e18698}; this seems correct, but x19 is wrong.
x19 0x40690000f0e18698
x19 0x40690000f0e18698

x27=GCState.root.gcptr= 0x4c81f0fd4b70
gc = {total = 0x8bbf31, threshold = 0xa7d410, currentwhite = 0x21, state = 0x0, nocdatafin = 0x1, unused2 = 0x0,
sweepstr = 0x4000, root = {gcptr64 = 0x4c81f0fd4b70}, sweep = {ptr64 = 0x4c81f0cd09a8}, gray = {gcptr64 = 0x0}, grayagain = {gcptr64 = 0x4c81f0ccc6a0}, weak = {gcptr64 = 0x4c81f0ccd3f8}, mmudata = {gcptr64 = 0x0}, debt = 0x0,
estimate = 0x53ea64, stepmul = 0xc8, pause = 0xc8}
(gdb) backtrace full
#0 0x0000ffffa4d9c6cc in ?? ()
No symbol table info available.
#1 0x0000ffffa5401000 in lj_ir_callinfo () from /opt/gentle/openresty/luajit/lib/libluajit-5.1.so.2
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) ltracebymcode 0x0000ffffa4d9c6cc
(GCtrace*)0x4c81f0fc8ee8 (trace #712)
machine code start addr: 0xffffa4d9c628
machine code end addr: 0xffffa4d9c72c
@/opt/gentle/openresty/lualib/resty/core/shdict.lua:333
(gdb) disas 0xffffa4d9c628,0xffffa4d9c72c
Dump of assembler code from 0xffffa4d9c628 to 0xffffa4d9c72c:
0x0000ffffa4d9c628: mov x27, x16
0x0000ffffa4d9c62c: ldr x19, [sp, #760]
** 0x0000ffffa4d9c630: ldr s31, [sp, #752]**
** 0x0000ffffa4d9c634: str s31, [sp, #16]**
0x0000ffffa4d9c638: orr x1, xzr, #0x18
0x0000ffffa4d9c63c: ldr x0, [x22, #344]
0x0000ffffa4d9c640: bl 0xffffa5370190 <lj_mem_newgco>
0x0000ffffa4d9c644: mov w1, #0x11 // #17
0x0000ffffa4d9c648: mov w30, #0xa // #10
0x0000ffffa4d9c64c: strh w1, [x0, #10]
0x0000ffffa4d9c650: strb w30, [x0, #9]
0x0000ffffa4d9c654: str x19, [x0, #16]
** 0x0000ffffa4d9c658: ldr x19, [sp, #16]**
0x0000ffffa4d9c65c: str x0, [sp, #8]
0x0000ffffa4d9c660: orr x1, xzr, #0x18
0x0000ffffa4d9c664: ldr x0, [x22, #344]
0x0000ffffa4d9c668: bl 0xffffa5370190 <lj_mem_newgco>
0x0000ffffa4d9c66c: mov w1, #0x6e // #110
0x0000ffffa4d9c670: mov w30, #0xa // #10
0x0000ffffa4d9c674: strh w1, [x0, #10]
0x0000ffffa4d9c678: strb w30, [x0, #9]
0x0000ffffa4d9c67c: str x27, [x0, #16]
0x0000ffffa4d9c680: mov x27, x0
0x0000ffffa4d9c684: mov x0, #0xa3e0 // #41952
0x0000ffffa4d9c688: movk x0, #0xf0cc, lsl #16
0x0000ffffa4d9c68c: movk x0, #0x4c81, lsl #32
0x0000ffffa4d9c690: ldp x30, x1, [x0, #32]
0x0000ffffa4d9c694: cmp x30, x1
0x0000ffffa4d9c698: b.ls 0xffffa4d9c6a8 // b.plast
0x0000ffffa4d9c69c: orr w1, wzr, #0x2
0x0000ffffa4d9c6a0: bl 0xffffa536fd40 <lj_gc_step_jit>
0x0000ffffa4d9c6a4: cbnz w0, 0xffffa4d9c738
0x0000ffffa4d9c6a8: mov x4, #0xffffffffffffffff // #-1
0x0000ffffa4d9c6ac: mov x3, #0xfff9000000000000 // #-1970324836974592
0x0000ffffa4d9c6b0: mov x2, #0xfffffffffffffff5 // #-11
0x0000ffffa4d9c6b4: mov x1, #0x6f08 // #28424
0x0000ffffa4d9c6b8: movk x1, #0xf0d0, lsl #16
0x0000ffffa4d9c6bc: movk x1, #0xcc81, lsl #32
0x0000ffffa4d9c6c0: movk x1, #0xfffb, lsl #48
0x0000ffffa4d9c6c4: ldr x0, [sp, #8]
** 0x0000ffffa4d9c6c8: add x30, x27, x2, lsl #47 **
** => 0x0000ffffa4d9c6cc: stp x4, x30, [x19, #72]** ////broken point x19 invalid
0x0000ffffa4d9c6d0: add x30, x3, w28, uxtw
0x0000ffffa4d9c6d4: str x30, [x19, #64]
0x0000ffffa4d9c6d8: add x30, x3, w20, uxtw

(gdb) info reg
x0 0x4c81f0fd4b50 84120977623888
x1 0xfffbcc81f0d06f08 -1182516420514040
x2 0xfffffffffffffff5 -11
x3 0xfff9000000000000 -1970324836974592
x4 0xffffffffffffffff -1
x5 0xf9e6421d42053f00 -439591220192919808
x6 0x338 824
x7 0x13f40010 334757904
x8 0x1 1
x9 0xffffa54cdb30 281473455020848
x10 0xb6 182
x11 0x16 22
x12 0x0 0
x13 0x2 2
x14 0x4 4
x15 0x6a 106
x16 0x13fc6010 335306768
x17 0xffffa4feda40 281473449908800
x18 0x1 1
x19 0x40690000f0e18698 4641240895023318680
x20 0x4 4
x21 0x0 0
x22 0x4c81f0cca3e0 84120974435296
x23 0x4c81f0ce3590 84120974538128
x24 0x4c81f0d03fc8 84120974671816
x25 0x1000 4096
x26 0x20 32
x27 0x4c81f0fd4b70 84120977623920
x28 0x0 0
x29 0xffffd0e58270 281474186445424
x30 0xfffacc81f0fd4b70 -1463991394284688
sp 0xffffd0e57f70 0xffffd0e57f70
pc 0xffffa4d9c6cc 0xffffa4d9c6cc
cpsr 0x80000000 [ EL=0 N ]
fpsr 0x10 16
fpcr 0x0 0
(gdb) x/20ga $sp+16
0xffffd0e57f80: 0x40690000f0e18698 0x4c81f0d03fd8
0xffffd0e57f90: 0x4c81f0ce35a0 0x4c81f0e18660
0xffffd0e57fa0: 0x4c81f0cda4b0 0x4c8100001000
0xffffd0e57fb0: 0x4c81f2ff82f8 0x4c81f0cdc4a0
0xffffd0e57fc0: 0x56ce78 <ngx_http_lua_ffi_shdict_incr> 0x4c81f0cdc528
0xffffd0e57fd0: 0x56c510 <ngx_http_lua_ffi_shdict_udata_to_zone> 0x4c81f14a46d0
0xffffd0e57fe0: 0x4c81f2ff8258 0x4c81f0d072a8
0xffffd0e57ff0: 0x4c81f0d08ab0 0xf9e6421d42053f00
0xffffd0e58000: 0x4c81f0e186c0 0x0
0xffffd0e58010: 0x4c81f0cca534 0x4c81f0cca3e0
(gdb) x/20ga $sp+752
0xffffd0e58260: 0x4c81f0e18698 0x1870ed58
0xffffd0e58270: 0xffffd0e58370 0xffffa53818a8 <lua_pcall+176>
0xffffd0e58280: 0x0 0xffffa5401000 <lj_ir_callinfo+624>
0xffffd0e58290: 0x4c81f0cca3e0 0x1819c1f0
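
The hypothesis in the comment above (a 64-bit pointer copied through the 32-bit `s31` register, then reloaded as `x19`) can be checked against the dumped values. This is an added example, not code from the thread or from OpenResty/LuaJIT; the stale contents of the destination slot (`STALE_SLOT`) are constructed, and a 48-bit user address space is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the comment above (taken from the core dump). */
#define JIT_BASE      0x00004c81f0e18698ULL /* global_State.jit_base, also at sp+752 */
#define X19_AT_FAULT  0x40690000f0e18698ULL /* x19 when the stp faulted */

/* Constructed: what sp+16 might have held before the copy. Only the upper
 * 32 bits matter; they are taken from the observed x19, the lower half is filler. */
#define STALE_SLOT    0x40690000deadbeefULL

/* Byte-wise little-endian accessors, so the result does not depend on the host. */
static void store_le(uint8_t *p, uint64_t v, int nbytes) {
    for (int i = 0; i < nbytes; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t load_le(const uint8_t *p, int nbytes) {
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Models the sequence in the trace:
 *   ldr <reg>, [src] ; str <reg>, [dst] ; ldr x19, [dst]
 * width = 4 for an s-register (32-bit) copy, 8 for a full 64-bit copy.
 * Returns the 64-bit value reloaded from the destination slot. */
uint64_t spill_copy(uint64_t src_value, uint64_t stale_dst, int width) {
    uint8_t src[8], dst[8];
    store_le(src, src_value, 8);
    store_le(dst, stale_dst, 8);               /* slot keeps its old bytes ... */
    store_le(dst, load_le(src, width), width); /* ... except the ones overwritten */
    return load_le(dst, 8);
}

/* Triage check: low 32 bits match the expected pointer, high 32 bits do not. */
int is_low32_truncation(uint64_t observed, uint64_t expected) {
    return (uint32_t)observed == (uint32_t)expected &&
           (observed >> 32) != (expected >> 32);
}

/* Assumption: 48-bit user virtual addresses, i.e. bits 63..48 must be zero. */
int user_va48_ok(uint64_t addr) { return (addr >> 48) == 0; }

int main(void) {
    uint64_t via32 = spill_copy(JIT_BASE, STALE_SLOT, 4);
    uint64_t via64 = spill_copy(JIT_BASE, STALE_SLOT, 8);
    printf("32-bit copy -> 0x%016llx (valid user VA: %d)\n",
           (unsigned long long)via32, user_va48_ok(via32));
    printf("64-bit copy -> 0x%016llx (valid user VA: %d)\n",
           (unsigned long long)via64, user_va48_ok(via64));
    printf("x19 matches low-32 truncation of jit_base: %d\n",
           is_low32_truncation(X19_AT_FAULT, JIT_BASE));
    return 0;
}
```

The same `is_low32_truncation` check can be applied to other core files from this crash by substituting the faulting register and the expected pointer.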

@gentle-king changed the title from "openresty 1.15.8.3 crashed randomly in arm with signal 11" to "openresty 1.15.8.3 crashed randomly in arm64 with signal 11" on Mar 18, 2021