
curl-library

Core dump in Curl_expire

From: Gautam Gopinadhan <gautamvsg_at_yahoo.com>
Date: Wed, 8 Sep 2010 14:27:51 -0700 (PDT)

Hello,

We are seeing the following core dump in the curl library.

Curl version: 7.19.7
OS: Linux Centos 5.4
Application: native application in C, linked statically with curl and cares
Usage: easy interface with HTTP over SSL.

Here is the backtrace:

#0 0x00000000004c8a84 in Curl_expire (data=0x1313131313131313, milli=0) at multi.c:2283
#1 0x00000000004e8aac in Curl_done (connp=0x40ad5ce8, status=CURLE_GOT_NOTHING, premature=false) at url.c:4849
#2 0x00000000004f8fa3 in Curl_perform (data=0x875be78) at transfer.c:2704
#3 0x00000000004c1fe5 in curl_easy_perform (curl=0x875be78) at easy.c:557
..
..
..

I did a review of the code and am wondering if the following is the cause of the bug.

(gdb) f 2
(gdb) p res
$11 = CURLE_GOT_NOTHING

CURLE_GOT_NOTHING only gets set from:
   3 1957 lib/http.c <<Curl_http_done>>
             return CURLE_GOT_NOTHING;

On the basis of this, the suspected code path resulting in the crash is as follows. The line numbers are based on the 7.19.7 sources.

transfer.c:2635 res = Curl_do(&conn, &do_done);

==> url.c:5031 result = Curl_reconnect_request(connp);

====> transfer.c:2521 result = Curl_done(&conn, result, FALSE); /* we are so done with this */

======> url.c:4883 result = conn->handler->done(conn, status, premature);

========> http.c:1957 return CURLE_GOT_NOTHING;

======> url.c:
                       I'm *guessing* that the connection object was closed using:
                       4918 CURLcode res2 = Curl_disconnect(conn); /* close the connection */

                       And then:
                       4936 *connp = NULL; /* to make the caller of this function better detect that
                       4937 this was either closed or handed over to the connection
                       4938 cache here, and therefore cannot be used from this point on
                       4939 */
                       4940
                       4941 return result;

====> transfer.c:
                   2521 result = Curl_done(&conn, result, FALSE); /* we are so done with this */

                   And the bug is that conn is a local variable, hence the *connp = NULL is not propagated up to the caller.

                   2505 CURLcode
                   2506 Curl_reconnect_request(struct connectdata **connp)
                   2507 {
                   2508 CURLcode result = CURLE_OK;
                   2509 struct connectdata *conn = *connp;

transfer.c:
       Line 2698 evaluates to true, resulting in the crash backtrace above:

2698 else if(conn)
2699 /* Curl_do() failed, clean up left-overs in the done-call, but note
2700 that at some cases the conn pointer is NULL when Curl_do() failed
2701 and the connection cache is very small so only call Curl_done() if
2702 conn is still "alive".
2703 */
2704 res2 = Curl_done(&conn, res, FALSE);

So would the fix be:

transfer.c:2521 result = Curl_done(connp, result, FALSE); /* we are so done with this */

Gautam

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-09-08
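The ownership mistake described in the message above, reduced to a stand-alone C program. This is an added example and not curl's code: conn_t, transfer_done(), reconnect_buggy(), reconnect_fixed() and perform() are hypothetical stand-ins for connectdata, Curl_done(), Curl_reconnect_request() and the cleanup branch in Curl_perform(). A tiny pool with a liveness flag replaces malloc/free so that touching a disconnected connection is a detectable return value instead of undefined behaviour. The general point it demonstrates: a callee that invalidates a caller's handle via an out-pointer must be handed the caller's pointer, not the address of a local copy, otherwise the caller keeps a dangling pointer and the "if(conn)" guard that is meant to protect it passes.

```c
/* Added example (not curl's code): passing the address of a LOCAL copy of an
 * out-pointer loses the callee's "*connp = NULL", so the caller's guard
 * "if(conn)" still sees a pointer to a torn-down object. All names are
 * hypothetical stand-ins for the curl functions in the report. */
#include <stdio.h>

enum { POOL_SIZE = 4 };

typedef struct conn {
    int live;   /* 1 while connected, 0 once "disconnected" */
    int id;
} conn_t;

/* Fixed pool instead of malloc/free: a disconnected object stays addressable,
 * so a use-after-disconnect can be reported deterministically rather than
 * being undefined behaviour. */
static conn_t pool[POOL_SIZE];

static conn_t *connect_new(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].id = i;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for Curl_done(): tear the connection down and clear the caller's
 * handle through the out-pointer. Returns 0 on success, -1 if it was handed
 * a connection that has already been torn down (the crash case). */
static int transfer_done(conn_t **connp) {
    conn_t *conn = *connp;
    if (!conn)
        return 0;
    if (!conn->live)
        return -1;          /* use after disconnect detected */
    conn->live = 0;         /* "Curl_disconnect" */
    *connp = NULL;          /* invalidate the caller's handle */
    return 0;
}

/* The pattern from the report: 'conn' is a local copy, so the NULL written by
 * transfer_done() lands in the local and *connp keeps its stale value. */
static int reconnect_buggy(conn_t **connp) {
    conn_t *conn = *connp;
    return transfer_done(&conn);   /* caller's pointer now dangles */
}

/* The suggested fix: pass the caller's own pointer straight through. */
static int reconnect_fixed(conn_t **connp) {
    return transfer_done(connp);
}

/* Stand-in for the cleanup branch in Curl_perform(): "if(conn) Curl_done()".
 * Returns 0 on a clean run, -1 if done() ran on a dead connection, -2 if the
 * pool is exhausted. */
static int perform(int (*reconnect)(conn_t **)) {
    conn_t *conn = connect_new();
    if (!conn)
        return -2;
    reconnect(&conn);
    if (conn)                        /* guard passes only if conn was NULLed */
        return transfer_done(&conn); /* the second Curl_done in the backtrace */
    return 0;
}

int main(void) {
    printf("buggy reconnect: %d\n", perform(reconnect_buggy)); /* -1 */
    printf("fixed reconnect: %d\n", perform(reconnect_fixed)); /* 0 */
    return 0;
}
```

Running it shows the two outcomes side by side: with reconnect_buggy() the guard in perform() still sees a non-NULL pointer and transfer_done() is invoked on an object that was already torn down, which is the state the backtrace (Curl_expire on a freed data pointer) corresponds to; with reconnect_fixed() the handle is NULL by the time the guard runs and the second done call never happens. The same discipline applies to any C API that signals "I consumed or freed this" by nulling an out-parameter: every intermediate frame must forward the original pointer, not a copy.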