A BUGNOTE has been added to this bug.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000220
======================================================================
Reported By:                mavetju
Assigned To:                
======================================================================
Project:                    DBMail
Bug ID:                     220
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             20-Jun-05 15:11 CEST
Last Modified:              27-Jun-05 12:35 CEST
======================================================================
Summary:                    dbmail-imap crashes in pq library on a double free()
Description: 
Jun 20 23:00:47 kermit kernel: pid 97577 (dbmail-imapd), uid 0: exited on signal 6 (core dumped)

It happens in the PQclear():
(gdb) where
#0  0x2811e1d7 in kill () from /lib/libc.so.5
#1  0x2811327e in raise () from /lib/libc.so.5
#2  0x28185627 in abort () from /lib/libc.so.5
#3  0x28129389 in ldexp () from /lib/libc.so.5
#4  0x281293cd in ldexp () from /lib/libc.so.5
#5  0x2812a2c1 in ldexp () from /lib/libc.so.5
#6  0x2812a513 in ldexp () from /lib/libc.so.5
#7  0x2812a644 in free () from /lib/libc.so.5
#8  0x280c1169 in PQclear () from /usr/local/lib/libpq.so.4
#9  0x280ae023 in db_free_result () at dbpgsql.c:136
#10 0x2809ad50 in db_get_msginfo_range (msg_idnr_low=6361653,
    msg_idnr_high=6410363, mailbox_idnr=1005, get_flags=1, get_internaldate=1,
    get_rfcsize=1, get_msg_idnr=1, result=0xbfbe4ba8, resultsetlen=0xbfbe4bac)
    at db.c:3837
#11 0x08053bed in _ic_fetch (tag=0xbfbe4dd0 "00000020", args=0x8064a40,
    ci=0x280acb00) at imapcommands.c:2547
#12 0x0804acca in IMAPClientHandler (ci=0x280acb00) at imap4.c:386
#13 0x2809ed28 in PerformChildTask (info=0x280acae0) at serverchild.c:377
#14 0x2809ee68 in CreateChild (info=0x280acae0) at serverchild.c:251
#15 0x2809fa8e in manage_start_children () at pool.c:357
#16 0x2809e30d in StartServer (conf=0xbfbfe344) at server.c:117
#17 0x080598f7 in main (argc=-1077944540, argv=0x1) at imapd.c:198

The variable res in db_free_result looks normal. I have checked and
checked and checked again but I can't find a reason why this goes wrong.
I'll build libpq.so tomorrow with debugging enabled so I can see more
hopefully. I have saved a copy of the email, maybe it will give hints
later on.

It only happens with one user, always on the same message, nobody and
nothing else. Very annoying.

======================================================================

----------------------------------------------------------------------
 mavetju - 27-Jun-05 12:35 CEST 
----------------------------------------------------------------------
I'm trying to run it under Electric Fence, but that just gives this and no
abort:
ElectricFence Aborting: free(28597e00): address not from malloc().

28597e00 is '(Y~\000', which doesn't look like a text string.

Bug History
Date Modified  Username       Field                    Change              
======================================================================
20-Jun-05 15:11 mavetju       New Bug                                      
27-Jun-05 12:35 mavetju       Bugnote Added: 0000757                       
======================================================================
