A NOTE has been added to this issue.
======================================================================
http://www.dbmail.org/mantis/view.php?id=220
======================================================================
Reported By:                mavetju
Assigned To:                aaron
======================================================================
Project:                    DBMail
Issue ID:                   220
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   crash
Priority:                   high
Status:                     acknowledged
======================================================================
Date Submitted:             20-Jun-05 15:11 CEST
Last Modified:              08-Feb-06 19:04 CET
======================================================================
Summary:                    dbmail-imap crashes in pq library on a double free()
Description:
Jun 20 23:00:47 kermit kernel: pid 97577 (dbmail-imapd), uid 0: exited on signal 6 (core dumped)

It happens in the PQclear():

(gdb) where
#0  0x2811e1d7 in kill () from /lib/libc.so.5
#1  0x2811327e in raise () from /lib/libc.so.5
#2  0x28185627 in abort () from /lib/libc.so.5
#3  0x28129389 in ldexp () from /lib/libc.so.5
#4  0x281293cd in ldexp () from /lib/libc.so.5
#5  0x2812a2c1 in ldexp () from /lib/libc.so.5
#6  0x2812a513 in ldexp () from /lib/libc.so.5
#7  0x2812a644 in free () from /lib/libc.so.5
#8  0x280c1169 in PQclear () from /usr/local/lib/libpq.so.4
#9  0x280ae023 in db_free_result () at dbpgsql.c:136
#10 0x2809ad50 in db_get_msginfo_range (msg_idnr_low=6361653,
    msg_idnr_high=6410363, mailbox_idnr=1005, get_flags=1,
    get_internaldate=1, get_rfcsize=1, get_msg_idnr=1, result=0xbfbe4ba8,
    resultsetlen=0xbfbe4bac) at db.c:3837
#11 0x08053bed in _ic_fetch (tag=0xbfbe4dd0 "00000020", args=0x8064a40,
    ci=0x280acb00) at imapcommands.c:2547
#12 0x0804acca in IMAPClientHandler (ci=0x280acb00) at imap4.c:386
#13 0x2809ed28 in PerformChildTask (info=0x280acae0) at serverchild.c:377
#14 0x2809ee68 in CreateChild (info=0x280acae0) at serverchild.c:251
#15 0x2809fa8e in manage_start_children () at pool.c:357
#16 0x2809e30d in StartServer (conf=0xbfbfe344) at server.c:117
#17 0x080598f7 in main (argc=-1077944540, argv=0x1) at imapd.c:198

The variable res in
db_free_result looks normal. I have checked and checked and checked
again but I can't find a reason why this goes wrong. I'll build
libpq.so tomorrow with debugging enabled so I can see more hopefully.

I have saved a copy of the email, maybe it will give hints later on.

It only happens with one user, always on the same message, nobody and
nothing else. Very annoying.
======================================================================

----------------------------------------------------------------------
mavetju - 27-Jun-05 12:35
----------------------------------------------------------------------
I'm trying to run it under Electric Fence, but that just gives this and
no abort:

ElectricFence Aborting: free(28597e00): address not from malloc().

28597e00 is '(Y~\000', which doesn't look like a text string.

----------------------------------------------------------------------
aaron - 27-Jun-05 17:02
----------------------------------------------------------------------
Have you ruled out database problems? For completeness, I'd like to know
what your PG version is, if it's hosted on the same FreeBSD machine,
what the database charset is (the now-known unicode issue might be
spilling over), and whatever other interesting tidbits you have. Also,
have you run the various maintenance routines, such as vacuuming,
analyzing, and checking for corruption?

----------------------------------------------------------------------
aaron - 23-Jul-05 07:00
----------------------------------------------------------------------
I'm taking this off the active bugs list. Reopen if there's something
more to report!

----------------------------------------------------------------------
mavetju - 30-Jul-05 16:34
----------------------------------------------------------------------
I have a simple dbmail database now, with one user and three messages in
it which causes the imapd to segfault. The database size is 700 Kb
compressed.
I will anonymize[sp] the data and make it available tomorrow.

----------------------------------------------------------------------
mavetju - 01-Aug-05 10:27
----------------------------------------------------------------------
The file uploaded explodes into a file 1.2Mb big:

$ bzcat imap-crash.dump.5.4.bz2 | wc
1179 5000 1234377

To create the database from it, use:

$ psql -U pgsql mail < imap-crash.dump.5.4

To see the crash, use the attached script:

$ nc localhost 8143 < imap-crash

Aug 1 18:26:51 k7 kernel: pid 96559 (dbmail-imapd), uid 65534: exited on signal 6

If you need more information, please let me know.

----------------------------------------------------------------------
mavetju - 10-Aug-05 03:00
----------------------------------------------------------------------
Is more information required for this problem? If so please let me know.

----------------------------------------------------------------------
mavetju - 20-Aug-05 01:47
----------------------------------------------------------------------
Is more information required for this problem? If so please let me know.

----------------------------------------------------------------------
aaron - 04-Jan-06 21:06
----------------------------------------------------------------------
Is this still broken in 2.0.7?

----------------------------------------------------------------------
mavetju - 05-Jan-06 06:40
----------------------------------------------------------------------
Still happening with 2.0.7. See the earlier submitted files which
contain the database dump and the IMAP commands.

----------------------------------------------------------------------
aaron - 08-Feb-06 19:04
----------------------------------------------------------------------
Finally found a moment to put together your database.
Here's my run:

localhost codingprojects # nc localhost 143 < imap-crash
* OK dbmail imap (protocol version 4r1) server 2.0.9 ready to run
* CAPABILITY IMAP4 IMAP4rev1 AUTH=LOGIN ACL NAMESPACE SORT CHILDREN QUOTA
00000000 OK CAPABILITY completed
+ dXNlcm5hbWUNCg==
+ cGFzc3dvcmQNCg==
00000001 OK AUTHENTICATE completed
* CAPABILITY IMAP4 IMAP4rev1 AUTH=LOGIN ACL NAMESPACE SORT CHILDREN QUOTA
00000002 OK CAPABILITY completed
* 3 EXISTS
* 3 RECENT
* FLAGS (\Seen \Answered \Deleted \Flagged \Draft \Recent)
* OK [PERMANENTFLAGS (\Seen \Answered \Deleted \Flagged \Draft \Recent)]
* OK [UIDNEXT 6401661] Predicted next UID
* OK [UIDVALIDITY 1005] UIDs valid
* OK [UNSEEN 2] first unseen message
00000003 OK [READ-WRITE] SELECT completed
00000004 BAD syntax error in sort keys
* SEARCH 6361653 6401660
00000007 OK SEARCH completed
* SEARCH 2 3
00000008 OK SEARCH completed
* 2 FETCH (UID 6361653 ENVELOPE ("Thu, 16 Jun 2005 15:40:39 +1000" {39} xxxxx and i'll send you the materials (("xxx" NIL "xxx" "xxxx.anu.edu.au")) (("xxx" NIL "xxx" "xxxx.anu.edu.au")) (("xxx" NIL "xxx" "xxxx.anu.edu.au")) ((NIL NIL "harriet.xxx" "xxxx.xxx.xx")) NIL NIL NIL "<[EMAIL PROTECTED]>") BODY[HEADER.FIELDS (Newsgroups Content-MD5 Content-Disposition Content-Language Content-Location Followup-To References)] {2} INTERNALDATE "Thu, 16 Jun 2005 16:41:20 -0700" RFC822.SIZE 1643 FLAGS (\Answered \Recent))
* 3 FETCH (UID 6401660 ENVELOPE ("Mon, 20 Jun 2005 10:48:36 +1000" "xxxxx" (("xxx" NIL "xxx" "xxxx.asn.au")) ((NIL NIL "private.barcouncil-xxx" "xxxx.nswbar.asn.au")) ((NIL NIL "xxx" "xxxx.asn.au")) (("Bar Council Private" NIL "private.xxx" "xxxx.nswbar.asn.au")) (("allmanagers DL" NIL "xxx" "xxxx.asn.au")("Kim Kemp" NIL "xxx" "xxxx.asn.au")) NIL NIL "<[EMAIL PROTECTED]>") BODY[HEADER.FIELDS (Newsgroups Content-MD5 Content-Disposition Content-Language Content-Location Followup-To References)] {2} INTERNALDATE "Mon, 20 Jun 2005 11:49:19 -0700" RFC822.SIZE 621739 FLAGS (\Recent))
00000009 OK FETCH completed
0000000a OK NOOP completed
* 3 EXISTS
* 3 RECENT
* FLAGS (\Seen \Answered \Deleted \Flagged \Draft \Recent )
* OK [PERMANENTFLAGS (\Seen \Answered \Deleted \Flagged \Draft \Recent )]
* OK [UIDVALIDITY 1005] UID value
0000000b OK [READ-ONLY] EXAMINE completed
* 1 FETCH (*** glibc detected *** double free or corruption (!prev): 0x08098490 *** ENVELOPE ("Thu, 16 Jun 2005 12:54:37 +1000" "xxxxx" (("xxx" NIL "xxx" "xxxx.asn.au")) ((NIL NIL "private.barcouncil-xxx" "xxxx.nswbar.asn.au")) ((NIL NIL "xxx" "xxxx.asn.au")) (("Bar Council Private" NIL "private.xxx" "xxxx.nswbar.asn.au")) NIL NIL NIL "<[EMAIL PROTECTED]>") BODY[HEADER.FIELDS (Newsgroups Content-MD5 Content-Disposition Content-Language Content-Location Followup-To References)] {2} INTERNALDATE "Thu, 16 Jun 2005 13:55:30 -0700" RFC822.SIZE 609791 FLAGS (\Seen \Recent))

Issue History
Date Modified   Username       Field                    Change
======================================================================
20-Jun-05 15:11 mavetju        New Issue
27-Jun-05 12:35 mavetju        Note Added: 0000757
27-Jun-05 17:02 aaron          Note Added: 0000758
23-Jul-05 07:00 aaron          Status                   new => resolved
23-Jul-05 07:00 aaron          Resolution               open => suspended
23-Jul-05 07:00 aaron          Assigned To              => aaron
23-Jul-05 07:00 aaron          Note Added: 0000784
30-Jul-05 16:34 mavetju        Status                   resolved => feedback
30-Jul-05 16:34 mavetju        Resolution               suspended => reopened
30-Jul-05 16:34 mavetju        Note Added: 0000787
01-Aug-05 10:24 mavetju        File Added: imap-crash.dump.5.4.bz2
01-Aug-05 10:27 mavetju        Note Added: 0000789
01-Aug-05 10:27 mavetju        File Added: imap-crash
10-Aug-05 03:00 mavetju        Note Added: 0000816
20-Aug-05 01:47 mavetju        Note Added: 0000847
01-Oct-05 11:20 paul           Priority                 normal => high
01-Oct-05 11:20 paul           Status                   feedback => acknowledged
04-Jan-06 21:06 aaron          Note Added: 0000970
05-Jan-06 06:40 mavetju        Note Added: 0000977
08-Feb-06 19:04 aaron          Note Added: 0000996
======================================================================