A BUGNOTE has been added to this bug.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000220
======================================================================
Reported By:                mavetju
Assigned To:                aaron
======================================================================
Project:                    DBMail
Bug ID:                     220
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     feedback
======================================================================
Date Submitted:             20-Jun-05 15:11 CEST
Last Modified:              10-Aug-05 03:00 CEST
======================================================================
Summary:                    dbmail-imap crashes in pq library on a double free()
Description: 
Jun 20 23:00:47 kermit kernel: pid 97577 (dbmail-imapd), uid 0: exited on signal 6 (core dumped)

It happens in the PQclear():
(gdb) where
#0  0x2811e1d7 in kill () from /lib/libc.so.5
#1  0x2811327e in raise () from /lib/libc.so.5
#2  0x28185627 in abort () from /lib/libc.so.5
#3  0x28129389 in ldexp () from /lib/libc.so.5
#4  0x281293cd in ldexp () from /lib/libc.so.5
#5  0x2812a2c1 in ldexp () from /lib/libc.so.5
#6  0x2812a513 in ldexp () from /lib/libc.so.5
#7  0x2812a644 in free () from /lib/libc.so.5
#8  0x280c1169 in PQclear () from /usr/local/lib/libpq.so.4
#9  0x280ae023 in db_free_result () at dbpgsql.c:136
#10 0x2809ad50 in db_get_msginfo_range (msg_idnr_low=6361653,
    msg_idnr_high=6410363, mailbox_idnr=1005, get_flags=1, get_internaldate=1,
    get_rfcsize=1, get_msg_idnr=1, result=0xbfbe4ba8, resultsetlen=0xbfbe4bac)
    at db.c:3837
#11 0x08053bed in _ic_fetch (tag=0xbfbe4dd0 "00000020", args=0x8064a40,
    ci=0x280acb00) at imapcommands.c:2547
#12 0x0804acca in IMAPClientHandler (ci=0x280acb00) at imap4.c:386
#13 0x2809ed28 in PerformChildTask (info=0x280acae0) at serverchild.c:377
#14 0x2809ee68 in CreateChild (info=0x280acae0) at serverchild.c:251
#15 0x2809fa8e in manage_start_children () at pool.c:357
#16 0x2809e30d in StartServer (conf=0xbfbfe344) at server.c:117
#17 0x080598f7 in main (argc=-1077944540, argv=0x1) at imapd.c:198

The variable res in db_free_result looks normal. I have checked and
checked and checked again but I can't find a reason why this goes wrong.
I'll build libpq.so tomorrow with debugging enabled so I can see more
hopefully. I have saved a copy of the email, maybe it will give hints
later on.

It only happens with one user, always on the same message, nobody and
nothing else. Very annoying.

======================================================================

----------------------------------------------------------------------
 mavetju - 27-Jun-05 12:35 CEST 
----------------------------------------------------------------------
I'm trying to run it under Electric Fence, but that just gives this and no
abort:
ElectricFence Aborting: free(28597e00): address not from malloc().

28597e00 is '(Y~\000', which doesn't look like a text string.
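The backtrace in the report (free() reached through PQclear() from db_free_result()) and the Electric Fence message above ("address not from malloc()") describe the two faces of one defect: a result handle released twice, the second time with a pointer that no longer belongs to the allocator. The program below is an added example, not DBMail's or libpq's code, and uses a stand-in result type (FakeResult, fake_query) rather than the real PGresult/PQclear. It shows the defensive shape a db_free_result()-style wrapper should have (take the caller's pointer by address and clear it, so a repeated release is a no-op) next to the fragile shape, and a small debug allocator in the spirit of Electric Fence's check that refuses to free an address it never handed out instead of aborting inside libc.

```c
/* Added example (not DBMail code): double-free defence for a result-release
 * wrapper, plus an Electric-Fence-style "address not from malloc()" check.
 * FakeResult, fake_query, dbg_malloc and dbg_free are stand-ins, not libpq. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* stand-in for libpq's PGresult; the real struct is opaque and different */
typedef struct {
    int  nrows;
    char tag[32];
} FakeResult;

static void *live[MAX_LIVE];   /* blocks handed out and not yet released */
static int   bad_frees;        /* invalid releases the checker caught    */

/* debug allocator: remember every block we hand out */
static void *dbg_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                   /* tracking table full: refuse rather than lose track */
    return NULL;
}

/* debug free: release only blocks we recorded. A pointer we did not hand
 * out (or already released) is exactly what Electric Fence reports; here it
 * is counted and refused instead of aborting the process. Returns 1 on a
 * valid release, 0 on a rejected one. */
static int dbg_free(void *p)
{
    if (!p)
        return 1;              /* free(NULL) is a legal no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    bad_frees++;
    fprintf(stderr, "dbg_free(%p): address not from malloc()\n", p);
    return 0;
}

/* constructed "query": produces a result with nrows rows */
FakeResult *fake_query(int nrows)
{
    FakeResult *r = dbg_malloc(sizeof *r);
    if (!r)
        return NULL;
    r->nrows = nrows;
    snprintf(r->tag, sizeof r->tag, "rows=%d", nrows);
    return r;
}

/* hardened release: takes the caller's pointer by address and clears it,
 * so a second call finds NULL and does nothing. Returns 1 if it freed. */
int free_result_safe(FakeResult **res)
{
    if (!res || !*res)
        return 0;
    dbg_free(*res);
    *res = NULL;
    return 1;
}

/* fragile release: frees, but cannot clear the caller's copy of the
 * pointer, so the caller can hand the same stale value in again */
void free_result_unsafe(FakeResult *res)
{
    if (!res)
        return;
    dbg_free(res);
}

int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) n++;
    return n;
}

int bad_free_count(void) { return bad_frees; }

int main(void)
{
    FakeResult *r = fake_query(3);
    free_result_safe(&r);
    free_result_safe(&r);          /* r is NULL now: harmless no-op */

    FakeResult *u = fake_query(3);
    free_result_unsafe(u);
    free_result_unsafe(u);         /* stale pointer: caught by dbg_free, not a crash */

    printf("live blocks: %d, invalid frees caught: %d\n",
           live_count(), bad_free_count());
    return 0;
}
```

The checker keys on the pointer value alone and never reads the released block, so the demonstration itself has no use-after-free; in a real daemon the equivalent fix is the wrapper signature change (pointer-to-pointer, cleared after release) rather than the tracking table, which is only the diagnostic.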

----------------------------------------------------------------------
 aaron - 27-Jun-05 17:02 CEST 
----------------------------------------------------------------------
Have you ruled out database problems?

For completeness, I'd like to know what your PG version is, if it's hosted
on the same FreeBSD machine, what the database charset is (the now-known
unicode issue might be spilling over), and whatever other interesting
tidbits you have.

Also, have you run the various maintenance routines, such as vacuuming,
analyzing, and checking for corruption?

----------------------------------------------------------------------
 aaron - 23-Jul-05 07:00 CEST 
----------------------------------------------------------------------
I'm taking this off the active bugs list.
Reopen if there's something more to report!

----------------------------------------------------------------------
 mavetju - 30-Jul-05 16:34 CEST 
----------------------------------------------------------------------
I have a simple dbmail database now, with one user and three messages in it
which causes the imapd to segfault. The database size is 700 Kb compressed.
I will anonymize[sp] the data and make it available tomorrow.

----------------------------------------------------------------------
 mavetju - 01-Aug-05 10:27 CEST 
----------------------------------------------------------------------
The file uploaded explodes into a file 1.2Mb big:

   $ bzcat imap-crash.dump.5.4.bz2 | wc
       1179    5000 1234377

To create the database from it, use: 
   $ psql -U pgsql mail < imap-crash.dump.5.4

To see the crash, use the attached script:
   $ nc localhost 8143 < imap-crash
   Aug  1 18:26:51 k7 kernel: pid 96559 (dbmail-imapd), uid 65534: exited on signal 6

If you need more information, please let me know.

----------------------------------------------------------------------
 mavetju - 10-Aug-05 03:00 CEST 
----------------------------------------------------------------------
Is more information required for this problem? If so please let me know.

Bug History
Date Modified    Username   Field                    Change
======================================================================
20-Jun-05 15:11  mavetju    New Bug
27-Jun-05 12:35  mavetju    Bugnote Added: 0000757
27-Jun-05 17:02  aaron      Bugnote Added: 0000758
23-Jul-05 07:00  aaron      Bugnote Added: 0000784
23-Jul-05 07:00  aaron      Assigned To              => aaron
23-Jul-05 07:00  aaron      Resolution               open => suspended
23-Jul-05 07:00  aaron      Status                   new => resolved
30-Jul-05 16:34  mavetju    Bugnote Added: 0000787
30-Jul-05 16:34  mavetju    Resolution               suspended => reopened
30-Jul-05 16:34  mavetju    Status                   resolved => feedback
01-Aug-05 10:24  mavetju    File Added: imap-crash.dump.5.4.bz2
01-Aug-05 10:27  mavetju    Bugnote Added: 0000789
01-Aug-05 10:27  mavetju    File Added: imap-crash
10-Aug-05 03:00  mavetju    Bugnote Added: 0000816
======================================================================