Summary: | Deadlock in CRYPTO_add_lock with Apache 2.2.22 worker MPM on Solaris 9 64-bit | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Jeff <jmarcinko> |
Component: | Core | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED LATER | ||
Severity: | major | CC: | DRuggeri, micha |
Priority: | P2 | Keywords: | MassUpdate |
Version: | 2.2.22 | ||
Target Milestone: | --- | ||
Hardware: | Sun | ||
OS: | Solaris |
Description
Jeff
2012-09-13 14:19:38 UTC
This is a process trying to exit from e.g. MaxRequestsPerChild or MaxSpareThreads, but it still has threads wrapping up their work. But, these threads in SSL are blocked on a lock and not just waiting for some I/O to finish, which is why they don't wrap up without taking any action. In the meantime I'd suggest for relief maxRequestsPerChild = 0 and MaxSpareThreads=MaxClients do you don't end up with half-exited processes building up. As this is an issue encountered in load testing and presumably not a production environment, you might try to reproduce with the latest OpenSSL. BTW, what level of OpenSSL is this? (In reply to comment #2) > As this is an issue encountered in load testing and presumably not a > production environment, you might try to reproduce with the latest OpenSSL. > > BTW, what level of OpenSSL is this? I would be happy to replace OpenSSL if there is a newer version currently we are using: /usr/local/ssl/bin] ./openssl version OpenSSL 1.0.1b 26 Apr 2012 Here is the configure options for my last apache compile: CC="/opt/SUNWspro/bin/cc"; export CC CFLAGS="-xarch=generic64 -xO5"; export CFLAGS CPPFLAGS="-I/usr/local/ssl/includ/openssl"; export CPPFLAGS LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib"; export LDFLAGS "./configure" \ "--prefix=/app/asf/WS/2.2" \ "--with-included-apr" \ "--with-mpm=worker" \ "--with-ssl=/usr/local/ssl" \ "--enable-ssl=shared" \ "--disable-userdir" \ "--disable-asis" \ "--disable-autoindex" \ "--disable-mod_authn_file" \ "--disable-mod_authn_default" \ "--disable-mod_authz_host" \ "--disable-mod_authz_groupfile" \ "--disable-mod-authz_user" \ "--disable-mod-authz_default" \ "--disable-mod_auth_basic" \ "--enable-mods-shared=most" \ "CC=/opt/SUNWspro/bin/cc" \ "CFLAGS=-xarch=generic64 -xO5" \ "LDFLAGS=-L/usr/local/ssl/lib -R/usr/local/ssl/lib" \ "CPPFLAGS=-I/usr/local/ssl/includ/openssl" \ "$@" Thanks, Jeff Nothing between 1.0.1b and 1.0.1c looks interesting w.r.t. this issue. Could it be this one: http://rt.openssl.org/Ticket/Display.html?id=2813 Patch for OpenSSL 1.0.1 would be: http://cvs.openssl.org/chngview?cn=22570 Regards, Rainer (In reply to comment #5) > Could it be this one: > > http://rt.openssl.org/Ticket/Display.html?id=2813 > > Patch for OpenSSL 1.0.1 would be: > > http://cvs.openssl.org/chngview?cn=22570 > > Regards, > > Rainer Thank you for the recommendation. I will patch openssl and recompile apache and test again. -Jeff I just observed the same (or at least a very similar) behavior on a Linux installation. I tried to fix it by patching OpenSSL, but this didn't change anything. What should I check next? For those seeing the issue: Are you using an engine (SSLCryptoDevice)? I know some register their own callbacks for locks - not sure if that's coming into play. I see similar behavior as well on Solaris 10 w/ worker in openssl-0.9.8u, but far fewer zombie processes. This is on a particularly busy production install rather than under a load test scenario. Just like the original bug, I see a few threads interacting with a proxied resource with most threads sitting in CRYPTO_add_lock. There is at least one zombie thread in 5 of the 6 running child processes. The child process without any zombies are still sitting in CRYPTO_add_lock. I can attach pstack output as well, but the short version is: *Very few threads doing work *Many threads waiting in CRYPTO_add_lock *Did not seem to happen in 2.2.13 w/ openssl-0.9.8l with an otherwise identical config Happy to provide more info if needed Please ignore my comment 7, the mentioned OpenSSL patch seems to fix the issue, I just did not apply it correctly. So thanks for the hint. Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated. |