问题现象

大量僵尸进程



root     32278  0.0  0.0      0     0 ?        Z    05:39   0:00 [runuser] <defunct>

root     32280  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32304  0.0  0.0      0     0 ?        Z    Aug21   0:00 [runuser] <defunct>

root     32362  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32448  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32475  0.0  0.0      0     0 ?        Z    Aug20   0:00 [runuser] <defunct>

root     32498  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32509  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

root     32551  0.0  0.0      0     0 ?        Z    09:54   0:00 [runuser] <defunct>

root     32556  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

root     32557  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

root     32611  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32612  0.0  0.0      0     0 ?        Z    Aug22   0:00 [runuser] <defunct>

root     32647  0.0  0.0      0     0 ?        Z    Aug19   0:00 [runuser] <defunct>

root     32699  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

root     32700  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

root     32716  0.0  0.0      0     0 ?        Z    Aug19   0:00 [runuser] <defunct>

root     32753  0.0  0.0      0     0 ?        Z    Aug18   0:00 [runuser] <defunct>

systemd crash



#pstack 1

#0  0x00007fba436a4a2d in pause () from /lib64/libpthread.so.0

#1  0x00007fba44c66ecd in freeze ()

#2  0x00007fba44c14eef in crash.2986 ()

#3  <signal handler called>

#4  0x00007fba433095f7 in raise () from /lib64/libc.so.6

#5  0x00007fba4330ace8 in abort () from /lib64/libc.so.6

#6  0x00007fba44c85c72 in log_assert_failed ()

#7  0x00007fba44c4635d in unit_watch_pid ()

#8  0x00007fba44be3767 in service_spawn.9373 ()

#9  0x00007fba44c5ecab in service_start.9527 ()

#10 0x00007fba44bdc1ba in manager_dispatch_run_queue.3886 ()

#11 0x00007fba44c37db2 in source_dispatch.52334.3984 ()

#12 0x00007fba44c3adba in sd_event_dispatch ()

#13 0x00007fba44c0c9ef in manager_loop ()

#14 0x00007fba44bcb86c in main ()


(gdb)

(gdb) bt

#0  0x00007fba436a4a2d in pause () from /lib64/libpthread.so.0

#1  0x00007fba44c66ecd in freeze () at src/shared/util.c:3833

#2  0x00007fba44c14eef in crash.2986 (sig=<optimized out>) at src/core/main.c:223

#3  <signal handler called>

#4  0x00007fba433095f7 in raise () from /lib64/libc.so.6

#5  0x00007fba4330ace8 in abort () from /lib64/libc.so.6

#6  0x00007fba44c85c72 in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at src/shared/log.c:753

#7  0x00007fba44c4635d in unit_watch_pid (u=0x7fba44e44250, pid=0) at src/core/unit.c:2017

#8  0x00007fba44be3767 in service_spawn.9373 (s=0x7fba44e44250, c=0x7fba68f07ad0, timeout=90000000, pass_fds=<optimized out>, apply_permissions=<optimized out>, apply_chroot=<optimized out>,

    apply_tty_stdin=true, is_control=true, _pid=0x7fba44e4486c) at src/core/service.c:1170

#9  0x00007fba44c5ecab in service_enter_start_pre (s=0x7fba44e44250) at src/core/service.c:1596

#10 service_start.9527 (u=0x7fba44e44250) at src/core/service.c:1841

#11 0x00007fba44bdc1ba in manager_dispatch_run_queue.3886 (source=<optimized out>, userdata=0x7fba44d132e0) at src/core/unit.c:1481

#12 0x00007fba44c37db2 in source_dispatch (s=s@entry=0x7fba44d11ea0) at src/libsystemd/sd-event/sd-event.c:2155

#13 0x00007fba44c3adba in sd_event_dispatch (e=0x7fba44d11c30) at src/libsystemd/sd-event/sd-event.c:2472

#14 0x00007fba44c0c9ef in sd_event_run (timeout=18446744073709551615, e=0x7fba44d11c30) at src/libsystemd/sd-event/sd-event.c:2501

#15 manager_loop (m=0x7fba44d132e0) at src/core/manager.c:2070

#16 0x00007fba44bcb86c in main (argc=5, argv=0x7ffc45ee3a38) at src/core/main.c:1755

(gdb)

问题代码定位

(gdb) list unit_watch_pid

2008

2009	        unit_add_to_dbus_queue(u);

2010	        unit_add_to_gc_queue(u);

2011	}

2012

2013	int unit_watch_pid(Unit *u, pid_t pid) {

2014	        int q, r;

2015

2016	        assert(u);

2017	        assert(pid >= 1);   # 这里触发

(gdb)


(gdb) list src/core/service.c:1170

                return r;

static int service_load_pid_file(Service *s, bool may_warn) {

1165	                       s->exec_runtime,

1166	                       &pid);

1167	        if (r < 0)

1168	                goto fail;

1169

1170	        r = unit_watch_pid(UNIT(s), pid);  # 这里调用

1171	        if (r < 0)

1172	                /* FIXME: we need to do something here */

1173	                goto fail;

1174


(gdb) list src/core/service.c:1596

	static void service_enter_start_pre(Service *s) {

1591	                 * be left from previous runs. */

1592	                service_kill_control_processes(s);

1593

1594	                s->control_command_id = SERVICE_EXEC_START_PRE;

1595

1596	                r = service_spawn(s,

1597	                                  s->control_command,

1598	                                  s->timeout_start_usec,

1599	                                  false,

1600	                                  !s->permissions_start_only

复现方法

  1. 创建一个vm中测试
  2. 想办法耗尽内存
# mount -t tmpfs -o size=20G tmpfs /mnt

# dd if=/dev/zero of=/mnt/file bs=1M
  1. while :; do systemctl restart iptables.service; sleep 5; done

分析

问题发生在当系统内存耗尽,恰好在此时,有个systemd的service重启,此时,systemd需要分配一个pid,但是因为内存耗尽,无法分配pid。然后触发了systemd一个bug:

BUG存在于: 创建pid函数exec_spawn(), 当创建pid失败的时候,理应返回错误值,但是这里返回的是0。 这个0是r决定的。 这个r是r = exec_context_load_environment() 函数的返回值,然而这个函数永远都是返回成功,导致,pid < 0 pid创建失败后,依然返回0

创建pid函数exec_spawn():

int exec_spawn

        pid = fork();

        if (pid < 0)

                return log_unit_error_errno(params->unit_id, r, "Failed to fork: %m");

service重启,systemd会为service创建一个pid,在pid<0 的情况下,执行到unit_watch_pid() 函数,unit_watch_pid()函数判断assert(pid >= 1);

service_spawn()函数-> 调用exec_spawn()

重启service 会调用service_spawn()函数

static int service_spawn(...

        r = exec_spawn(c,

                       &s->exec_context,

                       &exec_params,

                       s->exec_runtime,

                       &pid);

        if (r < 0)

                goto fail;

        r = unit_watch_pid(UNIT(s), pid);

        if (r < 0)

                /* FIXME: we need to do something here */

                goto fail;

        *_pid = pid;


int unit_watch_pid(Unit *u, pid_t pid) {

        int q, r;

        assert(u);

        assert(pid >= 1);

REF

patch:

https://github.com/lnykryn/systemd-rhel/pull/119/commits/e18a5fa348aae0800807c3121a1ccf750eca206f

https://github.com/systemd/systemd/pull/5886

solution:

https://access.redhat.com/solutions/3096191

systemd bug: bz1437114 core:execute: fix fork() fail handling in exec_spawn()的更多相关文章

  1. electron-vue在npm run build时报错 ⨯ cannot execute cause=fork/exec C:\Users\801\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.5.0\rcedit-ia32.exe: Access is denied.

    问题描述 在electron-vue执行npm run build时报错,错误如下: ⨯ cannot execute cause=fork/exec C:\Users\801\AppData\Loc ...

  2. 缺陷的背后(四)---多进程之for循环下fork子进程引发bug

    导语 业务模块为实现高并发时的更快的处理速度,经常会采用多进程的方式去处理业务.多进程模式下常见的三种bug:for循环下fork子进程导致产生无数孙子进程,僵尸进程,接口窜包.本章主要介绍第一种常见 ...

  3. MyCat不支持毫秒 bug fix

    问题描述:mysql jdbc的驱动(mysql-connector-java-5.1.34.jar)设置的服务器的版本号最低是5.6.4才不会截取时间毫秒,但是现在取的是mycat 的版本号 5.5 ...

  4. Java Concurrency - Fork/Join Framework

    Normally, when you implement a simple, concurrent Java application, you implement some Runnable obje ...

  5. [原]CentOS7.2最小安装环境部署Asp.NET Core笔记

    转载请注明原作者(think8848)和出处(http://think8848.cnblogs.com) 写在前面的话 不知不觉在cnblogs上注册已经10多年了,看我的园龄就直接暴露了我实际年龄, ...

  6. atitit.java给属性赋值方法总结and BeanUtils 1.6.1 .copyProperty的bug

    atitit.java给属性赋值方法总结and BeanUtils 1.6.1 .copyProperty的bug 1. core.setProperty(o, "materialId&qu ...

  7. 给MySQL官方提交的bug report备忘

    1.  Bug #72215 When LOCK_plugin conflicts very much, one uninstall-audit-plugin operation crash  htt ...

  8. git Bug分支

    Bug分支 软件开发中,bug就像家常便饭一样.有了bug就需要修复,在Git中,由于分支是如此的强大,所以,每个bug都可以通过一个新的临时分支来修复,修复后,合并分支,然后将临时分支删除. 当你接 ...

  9. atitit.java方法属性赋值and BeanUtils 1.6.1 .copyProperty的bug

    atitit.java分配给属性值方法and BeanUtils 1.6.1 .copyProperty的bug 1. core.setProperty(o, "materialId&quo ...

随机推荐

  1. JavaScript进阶【二】JavaScript 严格模式(use strict)的使用

    /*** *使用严格模式的原因: * ①:消除Javascript语法的一些不合理.不严谨之处,减少一些怪异行为; ②:消除代码运行的一些不安全之处,保证代码运行的安全: ③:提高编译器效率,增加运行 ...

  2. css3实现滚动手表

    静态html: <!DOCTYPE html><html> <head> <meta charset="utf-8" /> < ...

  3. webpack学习笔记(2)--webpack.config.js

    3 模式 mode mode 参数设置为 development(开发模式), production(生产模式) 或 none(无),可以启用对应环境下 webpack 内置的优化.默认值为 prod ...

  4. 【LibreOJ 6277】数列分块入门 1 (分块)

    emmm-学下分块~ 区间:数列中连续一段的元素 区间操作:将某个区间[a,b]的所有元素进行某种改动的操作 块:我们将数列划分成若干个不相交的区间,每个区间称为一个块 整块:在一个区间操作时,完整包 ...

  5. Elasticsearch 入门 - 安装、启动和配置

    安装 请参阅elastic官网 :Installing Elasticsearch 启动 使用 ./bin/elasticsearch 命令即可启动 使用 ./bin/elasticsearch -d ...

  6. 【CodeForces 987C】Three displays

    [链接] 我是链接,点我呀:) [题意] [题解] 动态规划 设dp[i][j]表示前i个数字,选了j个的最小花费. dp[i][j] = min(dp[k][j-1]+b[i]);//其中a[i]& ...

  7. 【codeforces 807C】Success Rate

    [题目链接]:http://codeforces.com/contest/807/problem/C [题意] 给你4个数字 x y p q 要求让你求最小的非负整数b; 使得 (x+a)/(y+b) ...

  8. Elasticsearch 7.0 发布都有哪些新特性

    了解about云知识星球 .pcb{margin-right:0} 问题导读 1.Elasticsearch&Kibana 7.哪些需要修改? 2.Elasticsearch7 有哪些新特性? ...

  9. java中继承关系学习小结

    继承:把多个类中同样的内容提取出来.定义到一个类中,其它类仅仅须要继承该类.就能够使用该类公开的属性和公开的方法.   继承的优点:提高代码的复用性.提高代码的可维护性.让类与类之间产生关系,是多态存 ...

  10. jQuery Mobile页面跳转切换的几种方式

    jQuery Mobile在移动开发中越来越受到欢迎. 而他的各个版本号也在持续不断的更新中.相同的我也非常喜欢它,它加快了我们开发HTML5的速度. 同一时候又具备jQuery一样的操作方法. 学起 ...