A NOTE has been added to this issue.
======================================================================
http://dbmail.org/mantis/view.php?id=789
======================================================================
Reported By:                jasb
Assigned To:                netvulture
======================================================================
Project:                    DBMail
Issue ID:                   789
Category:                   IMAP daemon
Reproducibility:            have not tried
Severity:                   crash
Priority:                   normal
Status:                     feedback
target:
======================================================================
Date Submitted:             21-Jul-09 23:51 CEST
Last Modified:              04-Aug-09 13:31 CEST
======================================================================
Summary:                    dbmail-imapd crash with invalid pointer reason
Description:
Hi,

After this commit on GIT HEAD:
http://git.dbmail.eu/cgit/cgit.cgi/paul/dbmail/commit/?id=02b0fe06c4947fb50bdcbe3ac39661006f78aa07

imapd crashes with invalid pointer on this.

Attached there's the GDB trace for this.
======================================================================

----------------------------------------------------------------------
(0002837) waza123 (reporter) - 22-Jul-09 14:02
http://dbmail.org/mantis/view.php?id=789#c2837
----------------------------------------------------------------------
I have many crashes in all sectors.

dbmail-imapd
dbmail-pop3d
dbmail-lmtpd

v2.3.6

----------------------------------------------------------------------
(0002838) pschmiel (reporter) - 23-Jul-09 12:55
http://dbmail.org/mantis/view.php?id=789#c2838
----------------------------------------------------------------------
I have the same problem with a crashing imapd. Backtrace is attached.

----------------------------------------------------------------------
(0002839) pschmiel (reporter) - 23-Jul-09 16:30
http://dbmail.org/mantis/view.php?id=789#c2839
----------------------------------------------------------------------
I think the following changes did the trick. No more crashes since this
modification:

if(D->data != NULL) g_free(D->data);
if(D != NULL) g_free(D);

----------------------------------------------------------------------
(0002840) waza123 (reporter) - 23-Jul-09 16:37
http://dbmail.org/mantis/view.php?id=789#c2840
----------------------------------------------------------------------
Yes, you have to check if it exists before freeing it.

----------------------------------------------------------------------
(0002841) pschmiel (reporter) - 23-Jul-09 18:02
http://dbmail.org/mantis/view.php?id=789#c2841
----------------------------------------------------------------------
Got another crash a few minutes ago. Looks like the pointer points to an
invalid address location, so it is not NULL but nevertheless it can't be
freed...

----------------------------------------------------------------------
(0002844) netvulture (developer) - 24-Jul-09 19:25
http://dbmail.org/mantis/view.php?id=789#c2844
----------------------------------------------------------------------
I think I might have triggered the crash on my system by using IDLE and then
reading messages fairly fast, switching from IDLE to OPERATION and BACK in
short order. Will try to reproduce this weekend under gdb operation.

----------------------------------------------------------------------
(0002863) jasb (reporter) - 28-Jul-09 22:30
http://dbmail.org/mantis/view.php?id=789#c2863
----------------------------------------------------------------------
Hi Jon,

Were you able to reproduce this and fix it?

----------------------------------------------------------------------
(0002869) netvulture (developer) - 29-Jul-09 06:09
http://dbmail.org/mantis/view.php?id=789#c2869
----------------------------------------------------------------------
Looking at the bt you attached, the session is null, thus it does make sense
that it should blow up if it tries to free a memory address that isn't even
defined in a null object. So it would appear that a job is pushed to the
thread pool with a bogus session pointer.

#6  0x08054090 in imap_idle_loop (self=0x0, timeout=30) at imapcommands.c:1088
1088            g_free(D->data);

There is a trace already in place in imap_idle_loop() that should tell you
what the session address is. Is it 0x0 when it blows up?

----------------------------------------------------------------------
(0002885) netvulture (developer) - 30-Jul-09 23:46
http://dbmail.org/mantis/view.php?id=789#c2885
----------------------------------------------------------------------
Please try my bug fix testing branch

git clone git://git.dbmail.eu/netvulture/dbmail nvc_bug_test

The (proposed) fix for bug http://dbmail.org/mantis/view.php?id=790 is in
there along with some other things that I've found that could be causing
crashes. Bug 790 might be the cause of this bug.

----------------------------------------------------------------------
(0002890) jasb (reporter) - 31-Jul-09 15:04
http://dbmail.org/mantis/view.php?id=789#c2890
----------------------------------------------------------------------
Still same problem.
Check attached file "invalid pointer.txt".

----------------------------------------------------------------------
(0002891) netvulture (developer) - 31-Jul-09 19:07
http://dbmail.org/mantis/view.php?id=789#c2891
----------------------------------------------------------------------
Well it was worth a shot. Did my testing branch help with anything else for
you?

----------------------------------------------------------------------
(0002892) jasb (reporter) - 31-Jul-09 23:23
http://dbmail.org/mantis/view.php?id=789#c2892
----------------------------------------------------------------------
For pop3d and lmtpd, haven't tested on a stress time of the server.
Starting next Monday I'll have the opportunity to test it and let you know.

----------------------------------------------------------------------
(0002895) netvulture (developer) - 03-Aug-09 03:02
http://dbmail.org/mantis/view.php?id=789#c2895
----------------------------------------------------------------------
Can you duplicate this by:

[r...@mail /var/log]# telnet mail.domain.com 143
Trying 1.2.3.4...
Connected to mail.domain.com.
Escape character is '^]'.
* OK imap 4r1 server (dbmail 2.3.6)
1 login userid password
1 OK LOGIN completed
2 select inbox
* 4 EXISTS
* 0 RECENT
* FLAGS (\Seen \Answered \Deleted \Flagged \Draft )
* OK [PERMANENTFLAGS (\Seen \Answered \Deleted \Flagged \Draft \*)]
* OK [UIDNEXT 820210] Predicted next UID
* OK [UIDVALIDITY 2998] UID value
* OK [UNSEEN 1] first unseen message
2 OK [READ-WRITE] SELECT completed
3 idle
+ idling
^]
telnet> close
Connection closed.

----------------------------------------------------------------------
(0002896) netvulture (developer) - 03-Aug-09 07:16
http://dbmail.org/mantis/view.php?id=789#c2896
----------------------------------------------------------------------
OK, I've narrowed the problem down to clients disconnecting while in IDLE. I
have figured out how to fix the g_free problem, but the session is still not
being handled properly for cleanup and delete. Still working on it, but should
have something by tomorrow.

----------------------------------------------------------------------
(0002897) jasb (reporter) - 03-Aug-09 10:32
http://dbmail.org/mantis/view.php?id=789#c2897
----------------------------------------------------------------------
Oki Jon, you're the boss :-)

Still want me to do that test or not needed anymore?

----------------------------------------------------------------------
(0002898) netvulture (developer) - 04-Aug-09 05:27
http://dbmail.org/mantis/view.php?id=789#c2898
----------------------------------------------------------------------
Ok - I've committed a patch to my git branch for this. Please update and run
both the above mentioned test and anything else you can to crash it when using
idle.

----------------------------------------------------------------------
(0002901) jasb (reporter) - 04-Aug-09 13:31
http://dbmail.org/mantis/view.php?id=789#c2901
----------------------------------------------------------------------
Hi Jon,

The invalid pointer seems to have disappeared, but now I have one other
problem that I don't know if it existed before or it's new.
Check the attached files named "imapd_SIGSEGV".

PS: For LMTPD & POP3D, no crashes for about 3 hours on stress.

Issue History
Date Modified    Username       Field                    Change
======================================================================
21-Jul-09 23:51  jasb           New Issue
21-Jul-09 23:51  jasb           File Added: imapd_invalid_pointer.txt
22-Jul-09 14:02  waza123        Note Added: 0002837
23-Jul-09 12:55  pschmiel       File Added: backtrace.txt
23-Jul-09 12:55  pschmiel       Note Added: 0002838
23-Jul-09 13:22  pschmiel       Issue Monitored: pschmiel
23-Jul-09 16:30  pschmiel       Note Added: 0002839
23-Jul-09 16:36  waza123        Note Added: 0002840
23-Jul-09 16:37  waza123        Note Edited: 0002840
23-Jul-09 18:02  pschmiel       Note Added: 0002841
24-Jul-09 19:23  netvulture     Status                   new => assigned
24-Jul-09 19:23  netvulture     Assigned To               => netvulture
24-Jul-09 19:25  netvulture     Note Added: 0002844
24-Jul-09 19:25  netvulture     Status                   assigned => acknowledged
28-Jul-09 22:30  jasb           Note Added: 0002863
29-Jul-09 06:09  netvulture     Note Added: 0002869
29-Jul-09 06:10  netvulture     Status                   acknowledged => feedback
30-Jul-09 23:46  netvulture     Note Added: 0002885
31-Jul-09 15:04  jasb           Note Added: 0002890
31-Jul-09 15:04  jasb           File Added: invalid pointer.txt
31-Jul-09 19:07  netvulture     Note Added: 0002891
31-Jul-09 23:23  jasb           Note Added: 0002892
03-Aug-09 03:02  netvulture     Note Added: 0002895
03-Aug-09 07:16  netvulture     Note Added: 0002896
03-Aug-09 10:32  jasb           Note Added: 0002897
04-Aug-09 05:27  netvulture     Note Added: 0002898
04-Aug-09 13:31  jasb           Note Added: 0002901
======================================================================
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
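
The failure mode discussed in this thread, as an added example that is neither DBMail code nor the patch from netvulture's branch: a NULL test cannot detect a pointer that has already been freed, so this sketch lets the queued job hold its own reference to the session and clears pointers once they are freed. All type and function names are hypothetical, and the model is single-threaded (a real thread pool would need atomic or locked reference counts).

```c
#include <stdlib.h>

/* Constructed model of the crash path; names are hypothetical, not DBMail's. */
typedef struct { char *data; } idle_buf;              /* plays the role of "D" */
typedef struct { idle_buf *buf; int refs; int closed; } session;

session *session_new(void) {
    session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->buf = calloc(1, sizeof *s->buf);
    if (!s->buf) { free(s); return NULL; }
    s->buf->data = calloc(1, 16);                     /* constructed payload */
    s->refs = 1;                                      /* held by the connection */
    return s;
}

session *session_ref(session *s) { if (s) s->refs++; return s; }

/* Drop one reference and clear the caller's copy; returns 1 if memory was released. */
int session_unref(session **sp) {
    session *s = sp ? *sp : NULL;
    if (!s) return 0;
    *sp = NULL;                      /* the caller can no longer hold a dangling copy */
    if (--s->refs > 0) return 0;
    if (s->buf) { free(s->buf->data); free(s->buf); }
    free(s);
    return 1;
}

/* Queued idle job: -1 = NULL session (the self=0x0 frame), 0 = client gone, 1 = ran. */
int idle_job(session *self) {
    if (!self) return -1;            /* check the owner before touching self->buf */
    if (self->closed || !self->buf) return 0;
    free(self->buf->data);           /* free(NULL) is a no-op, as is g_free(NULL) */
    self->buf->data = NULL;          /* a second pass cannot double free */
    return 1;
}

/* Client disconnects while a job is still queued; returns 1 if handled cleanly. */
int disconnect_while_idle(void) {
    session *conn = session_new();
    if (!conn) return 0;
    session *job = session_ref(conn);        /* the queue holds its own reference */
    conn->closed = 1;
    int early_free = session_unref(&conn);   /* 0: the job still holds the session */
    int ran = idle_job(job);                 /* 0: sees closed, touches nothing */
    int late_free = session_unref(&job);     /* 1: last reference releases it */
    return !early_free && ran == 0 && late_free && !conn && !job;
}
```

Because `g_free()` already ignores NULL, a guard such as `if (p != NULL) g_free(p)` adds nothing against a stale pointer; the protection here comes from ownership (the reference) and from clearing the pointer at the point of release.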