#0 ngx_http_lua_run_posted_threads (c=c@entry=0x10dc93c0, L=L@entry=0x4180d378, r=r@entry=0x137b0a10,
ctx=ctx@entry=0x136e0700) at addon/lua-nginx-module-ssl-cert-by-lua/src/ngx_http_lua_util.c:3051
#1 0x00000000004ff26f in ngx_http_lua_rewrite_by_chunk (L=L@entry=0x4180d378, r=r@entry=0x137b0a10)
at addon/lua-nginx-module-ssl-cert-by-lua/src/ngx_http_lua_rewriteby.c:321
#2 0x00000000004ff783 in ngx_http_lua_rewrite_handler_file (r=0x137b0a10)
at addon/lua-nginx-module-ssl-cert-by-lua/src/ngx_http_lua_rewriteby.c:226
#3 0x00000000004ff61c in ngx_http_lua_rewrite_handler (r=0x137b0a10)
at addon/lua-nginx-module-ssl-cert-by-lua/src/ngx_http_lua_rewriteby.c:162
#4 0x000000000047ec23 in ngx_http_core_rewrite_phase (r=0x137b0a10, ph=0x10ac1fa0) at src/http/ngx_http_core_module.c:940
#5 0x000000000047aa63 in ngx_http_core_run_phases (r=r@entry=0x137b0a10) at src/http/ngx_http_core_module.c:886
#6 0x000000000047ab7c in ngx_http_handler (r=r@entry=0x137b0a10) at src/http/ngx_http_core_module.c:869
#7 0x0000000000486290 in ngx_http_process_request (r=r@entry=0x137b0a10) at src/http/ngx_http_request.c:1921
#8 0x000000000048666b in ngx_http_process_request_headers (rev=rev@entry=0x1163cb90) at src/http/ngx_http_request.c:1352
#9 0x0000000000486994 in ngx_http_process_request_line (rev=rev@entry=0x1163cb90) at src/http/ngx_http_request.c:1032
#10 0x0000000000486dc6 in ngx_http_wait_request_handler (rev=0x1163cb90) at src/http/ngx_http_request.c:508
#11 0x0000000000470d5c in ngx_epoll_process_events (cycle=0x140a970, timer=<optimized out>, flags=<optimized out>)
at src/event/modules/ngx_epoll_module.c:822
#12 0x0000000000467bf0 in ngx_process_events_and_timers (cycle=cycle@entry=0x140a970) at src/event/ngx_event.c:248
#13 0x000000000046ed66 in ngx_worker_process_cycle (cycle=0x140a970, data="" out>)
at src/os/unix/ngx_process_cycle.c:769
#14 0x000000000046d39f in ngx_spawn_process (cycle=cycle@entry=0x140a970,
proc=proc@entry=0x46ec6b <ngx_worker_process_cycle>, data="" name=name@entry=0x71428e "worker process",
respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#15 0x000000000046df6e in ngx_start_worker_processes (cycle=cycle@entry=0x140a970, n=6, type=type@entry=-3)
at src/os/unix/ngx_process_cycle.c:358
#16 0x000000000046f6c7 in ngx_master_process_cycle (cycle=cycle@entry=0x140a970) at src/os/unix/ngx_process_cycle.c:130
#17 0x000000000044df46 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:419
场景:
lua代码中执行ngx.exec到named location,该named location中执行return 403,小概率引发coredump
分析:
在ngx_http_lua_rewrite_by_chunk函数执行lua代码ngx_http_lua_run_thread之后,
执行ngx_http_named_location,然后执行ngx_http_core_run_phases,然后执行ngx_http_finalize_request(r, 403)
最后执行ngx_http_close_request,发现r->main->count=2,此时--,并return
ngx_http_lua_run_thread在此次执行过程中返回NGX_DONE,然后执行ngx_http_lua_finalize_request(r, NGX_DONE)
有两种情况
1、Connection: close
再次执行ngx_http_close_request,此时r->main->count=1,释放r,并销毁连接c,ngx_http_lua_run_posted_threads函数中,判断c->destroyed,返回NGX_DONE,没有问题
2、Connection: keep-alive
执行ngx_http_set_keepalive,然后执行ngx_http_free_request,b->pos < b->last的情况下(客户端发送的数据还有未解析的),会创建新的request
此时释放之前的r,但不会销毁c,此时ngx_http_lua_run_posted_threads再次使用的ctx来自于r->pool,因为free不会把对应的内存置为0,当该内存再次被使用时,就会引发core
解决思路
1、ngx_http_lua_run_posted_threads之后执行ngx_http_lua_finalize_request(r, NGX_DONE),这个我没看出来有什么问题
2、lua ctx不在r->pool中申请,而是r->connection->pool中,不过此时r都释放了,感觉意义不大