Description: Experiencing a segmentation fault in the module mod_session_dbd, in the function dbd_remove. The segmentation fault is caused by an uninitialized function pointer session_dbd_acquire_fn. Some trial and error showed that the segmentation fault occurs when there is no entries present in the session_rec structure. No segmentation fault occurs when I add some entries. I bug seems to be related to these: * https://issues.apache.org/bugzilla/show_bug.cgi?id=53029 * https://issues.apache.org/bugzilla/show_bug.cgi?id=50012 Relevant configuration: LoadModule dbd_module modules/mod_dbd.so LoadModule session_module modules/mod_session.so LoadModule session_dbd_module modules/mod_session_dbd.so DBDriver sqlite3 DBDParams "/usr/local/apache2/db/webcontrollerproxy.db" DBDPrepareSQL "delete from session where key = %s" deletesession DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession GDB output: sudo gdb httpd GNU gdb (GDB) 7.2-ubuntu Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/local/apache2/bin/httpd...done. (gdb) run -X -d /usr/local/apache2 Starting program: /usr/local/apache2/bin/httpd -X -d /usr/local/apache2 [Thread debugging using libthread_db enabled] [New Thread 0x7ffff0c99700 (LWP 7768)] [New Thread 0x7ffff0498700 (LWP 7769)] [New Thread 0x7fffefc97700 (LWP 7770)] [New Thread 0x7fffef496700 (LWP 7771)] [New Thread 0x7fffeec95700 (LWP 7772)] [New Thread 0x7fffee494700 (LWP 7773)] [New Thread 0x7fffedc93700 (LWP 7774)] [New Thread 0x7fffed492700 (LWP 7775)] [New Thread 0x7fffecc91700 (LWP 7776)] [New Thread 0x7fffec490700 (LWP 7777)] [New Thread 0x7fffebc8f700 (LWP 7778)] [New Thread 0x7fffeb48e700 (LWP 7779)] [New Thread 0x7fffeac8d700 (LWP 7780)] [New Thread 0x7fffea48c700 (LWP 7781)] [New Thread 0x7fffe9c8b700 (LWP 7782)] [New Thread 0x7fffe948a700 (LWP 7783)] [New Thread 0x7fffe8c89700 (LWP 7784)] [New Thread 0x7fffe8488700 (LWP 7785)] [New Thread 0x7fffe7c87700 (LWP 7786)] [New Thread 0x7fffe7486700 (LWP 7787)] [New Thread 0x7fffe6c85700 (LWP 7788)] [New Thread 0x7fffe6484700 (LWP 7789)] [New Thread 0x7fffe5c83700 (LWP 7790)] [New Thread 0x7fffe5482700 (LWP 7791)] [New Thread 0x7fffe4c81700 (LWP 7792)] [New Thread 0x7fffe4480700 (LWP 7793)] [New Thread 0x7fffe3c7f700 (LWP 7794)] [Thread 0x7ffff0c99700 (LWP 7768) exited] /* Here I make a request to the custom module that uses mod_session(_dbd). * Note that the custom module handler returns successfully. */ Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffe6c85700 (LWP 7788)] 0x0000000000000000 in ?? () (gdb) bt #0 0x0000000000000000 in ?? () #1 0x00007ffff3972e60 in dbd_remove (r=0x859c20, key=0x85eae0 "1a2448b1-8f03-4fdd-8562-f9a5c4eee525") at mod_session_dbd.c:341 #2 0x00007ffff39731a7 in session_dbd_save (r=0x859c20, z=0x85e498) at mod_session_dbd.c:428 #3 0x00007ffff3d7a9fc in ap_run_session_save (r=0x859c20, z=0x85e498) at mod_session.c:37 #4 0x00007ffff3d7b5ba in ap_session_save (r=0x859c20, z=0x85e498) at mod_session.c:209 #5 0x00007ffff3d7bcb1 in session_output_filter (f=0x85e710, in=0x85ea80) at mod_session.c:455 #6 0x000000000043338e in ap_pass_brigade (next=0x85e710, bb=0x85ea80) at util_filter.c:533 #7 0x00000000004395c6 in ap_old_write_filter (f=0x85e788, bb=0x85ea80) at protocol.c:1483 #8 0x000000000043338e in ap_pass_brigade (next=0x85e788, bb=0x85ea80) at util_filter.c:533 #9 0x0000000000438abb in end_output_stream (r=0x859c20) at protocol.c:1210 #10 0x0000000000438b17 in ap_finalize_request_protocol (r=0x859c20) at protocol.c:1232 #11 0x000000000046ee4b in ap_process_async_request (r=0x859c20) at http_request.c:346 #12 0x000000000046b271 in ap_process_http_async_connection (c=0x855e80) at http_core.c:143 #13 0x000000000046b45d in ap_process_http_connection (c=0x855e80) at http_core.c:228 #14 0x000000000045fa96 in ap_run_process_connection (c=0x855e80) at connection.c:41 #15 0x00000000004797a6 in process_socket (thd=0x6d8308, p=0x855b88, sock=0x855c00, cs=0x855e08, my_child_num=0, my_thread_num=19) at event.c:917 #16 0x000000000047bc0c in worker_thread (thd=0x6d8308, dummy=0x851110) at event.c:1744 #17 0x00007ffff740d933 in ?? () from /usr/lib/libapr-1.so.0 #18 0x00007ffff71cc971 in start_thread () from /lib/libpthread.so.0 #19 0x00007ffff6f27f3d in clone () from /lib/libc.so.6 #20 0x0000000000000000 in ?? () (gdb) p session_dbd_acquire_fn $1 = (ap_dbd_t *(*)(request_rec *)) 0
Created attachment 29117 [details] Patch to fix segfault The remove method wasn't properly initializing the dbd methods. This fixes that issue by using the init method like the rest of the code.
*** Bug 53029 has been marked as a duplicate of this bug. ***
Thanks for the report. I will apply a slightly modified version of your patch to trunk and propose it for backport in 2.4.x branch next week or so. The applied patch includes an additional test against the return value from dbd_init. This avoids a potential NULL pointer deference if APR_EGENERAL was returned. In such a case, dbd remains unmodified. rv = apr_dbd_pvbquery(dbd->driver ^ |_____
*** Bug 50012 has been marked as a duplicate of this bug. ***
Trunk patch http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1408958
Will be part of 2.4.4 r1416583
fixed in 2.4.4