A BUGNOTE has been added to this bug. ====================================================================== http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000220 ====================================================================== Reported By: mavetju Assigned To: ====================================================================== Project: DBMail Bug ID: 220 Category: IMAP daemon Reproducibility: always Severity: crash Priority: normal Status: new ====================================================================== Date Submitted: 20-Jun-05 15:11 CEST Last Modified: 27-Jun-05 17:02 CEST ====================================================================== Summary: dbmail-imap crashes in pq library on a double free() Description: Jun 20 23:00:47 kermit kernel: pid 97577 (dbmail-imapd), uid 0: exited on signal 6 (core dumped)
It happens in the PQclear(): (gdb) where http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000000 0x2811e1d7 in kill () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000001 0x2811327e in raise () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000002 0x28185627 in abort () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000003 0x28129389 in ldexp () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000004 0x281293cd in ldexp () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000005 0x2812a2c1 in ldexp () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000006 0x2812a513 in ldexp () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000007 0x2812a644 in free () from /lib/libc.so.5 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000008 0x280c1169 in PQclear () from /usr/local/lib/libpq.so.4 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000009 0x280ae023 in db_free_result () at dbpgsql.c:136 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000010 0x2809ad50 in db_get_msginfo_range (msg_idnr_low=6361653, msg_idnr_high=6410363, mailbox_idnr=1005, get_flags=1, get_internaldate=1, get_rfcsize=1, get_msg_idnr=1, result=0xbfbe4ba8, resultsetlen=0xbfbe4bac) at db.c:3837 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000011 0x08053bed in _ic_fetch (tag=0xbfbe4dd0 "00000020", args=0x8064a40, ci=0x280acb00) at imapcommands.c:2547 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000012 0x0804acca in IMAPClientHandler (ci=0x280acb00) at imap4.c:386 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000013 0x2809ed28 in PerformChildTask (info=0x280acae0) at serverchild.c:377 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000014 0x2809ee68 in CreateChild (info=0x280acae0) at serverchild.c:251 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000015 0x2809fa8e in manage_start_children () at pool.c:357 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000016 0x2809e30d in StartServer (conf=0xbfbfe344) at server.c:117 http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000017 0x080598f7 in main (argc=-1077944540, argv=0x1) at imapd.c:198 The variable res in db_free_result looks normal. I have checked and checked and checked again but I can't find a reason why this goes wrong. I'll build libpq.so tomorrow with debugging enabled so I can see more hopefully. I have saved a copy of the email, maybe it will give hints later on. It only happens with one user, always on the same message, nobody and nothing else. Very annoying. ====================================================================== ---------------------------------------------------------------------- mavetju - 27-Jun-05 12:35 CEST ---------------------------------------------------------------------- I'm trying to run it under Electric Fence, but that just gives this and no abort: <tt>ElectricFence Aborting: free(28597e00): address not from malloc().</tt> 28597e00 is '(Y~\000', which doesn't look like a text string. ---------------------------------------------------------------------- aaron - 27-Jun-05 17:02 CEST ---------------------------------------------------------------------- Have you ruled out database problems? For completeness, I'd like to know what your PG version is, if it's hosted on the same FreeBSD machine, what the database charset is (the now-known unicode issue might be spilling over), and whatever other interesting tidbits you have. Also, have you run the various maintenance routines, such as vacuuming, analyzing, and checking for corruption? Bug History Date Modified Username Field Change ====================================================================== 20-Jun-05 15:11mavetju New Bug 27-Jun-05 12:35mavetju Bugnote Added: 0000757 27-Jun-05 17:02aaron Bugnote Added: 0000758 ======================================================================
