Hi all,
I'm getting core dumps from Dovecot when using Thunderbird as a client. Everything is fine when using the Apple Mail client. I've appended the debug dumps to this message so they are out of the way, but they should be read now.

I think the problem might be that io->prev and io->next aren't reliably initialised in ioloop.c:io_add. The value that io->prev has when the program crashes is just completely bogus. It isn't aligned correctly, and it doesn't point to anywhere inside the process's memory map. I don't know what *io->next is, but it sure doesn't look like a struct io_file. It doesn't even look like a struct io. Part of the garbage in *io->next is the char sequence "/vol/home/lloyd/Maildir/new" which is part of my mail box.

*io is not in the doubly linked list in current_ioloop->io_files. I'm guessing that this object has been unlinked already. Some further digging (not shown here) shows that io->callback is notify_callback. It is set to NULL by the time imap crashes.

Here are all the gory GDB details:

   Version: 1.1.beta3
   OS: NetBSD 4.0_RC3/sparc64 (a 64 bit big endian architecture)
   Client: Mozilla Thunderbird 2.0.0.6
   bt full:
#0  0x00000000001e846c in io_file_unlink (io=0x32e2c0) at ioloop.c:54
No locals.
#1  0x00000000001e8568 in io_remove (_io=0x3420a8) at ioloop.c:82
       io_file = (struct io_file *) 0x32e2c0
       io = (struct io *) 0x32e2c0
#2  0x000000000017a0a4 in index_mailbox_check_remove_all (ibox=0x331048)
   at index-mailbox-check.c:118
       file = (struct index_notify_file *) 0x0
       aio = (struct index_notify_io *) 0x3420a0
#3  0x0000000000139850 in maildir_notify_changes (box=0x331048)
   at maildir-storage.c:824
       mbox = (struct maildir_mailbox *) 0x331048
#4  0x00000000001c0724 in mailbox_notify_changes (box=0x331048,
   min_interval=0, callback=0, context=0x0) at mail-storage.c:544
No locals.
#5  0x00000000001c074c in mailbox_notify_changes_stop (box=0x331048)
   at mail-storage.c:550
No locals.
#6  0x00000000001167fc in idle_finish (ctx=0x3380b0, done_ok=true,
   free_cmd=true) at cmd-idle.c:48
       client = (struct client *) 0x334100
#7  0x0000000000116a04 in idle_client_input (ctx=0x3380b0) at cmd-idle.c:90
       client = (struct client *) 0x334100
       line = 0x33a075 "DONE"
#8  0x00000000001ea2ac in io_loop_handler_run (ioloop=0x320080)
   at ioloop-kqueue.c:149
       ctx = (struct ioloop_handler_context *) 0x32e080
       events = (struct kevent *) 0x332000
       event = (const struct kevent *) 0x332000
       tv = {tv_sec = 0, tv_usec = 999441}
       ts = {tv_sec = 0, tv_nsec = 999441000}
       io = (struct io_file *) 0x320a80
       events_count = 4
       t_id = 2
       msecs = 1000
       ret = 1
       i = 0
       __PRETTY_FUNCTION__ = "io_loop_handler_run"
#9  0x00000000001e8f28 in io_loop_run (ioloop=0x320080) at ioloop.c:303
No locals.
#10 0x000000000012d710 in main (argc=1, argv=0xffffffffffffc978,
   envp=0xffffffffffffc988) at main.c:293
No locals.

   More GDB Info:
(gdb) print *io
$2 = {io = {condition = 0, callback = 0, context = 0x331048},
 prev = 0x10000000d, next = 0x32e280, refcount = 0, fd = 0}
(gdb) print *io->next
$18 = {io = {condition = 0, callback = 0, context = 0x471a982100000000},
 prev = 0x0, next = 0x2f766f6c2f686f6d, refcount = 1697606764,
 fd = 1870226479}
(gdb) print *current_ioloop->io_files
$35 = {io = {condition = IO_READ, callback = 0x1e9284 <event_callback>,
   context = 0x342080}, prev = 0x0, next = 0x320140, refcount = 1, fd = 11}
(gdb) print *current_ioloop->io_files->next
$36 = {io = {condition = IO_ERROR, callback = 0x12ca70 <log_error_callback>,
   context = 0x0}, prev = 0x320a00, next = 0x3200c0, refcount = 1, fd = 2}
(gdb) print *current_ioloop->io_files->next->next
$37 = {io = {condition = IO_READ, callback = 0x1ea6f0 <signal_read>,
   context = 0x0}, prev = 0x320140, next = 0x0, refcount = 1, fd = 5}
(gdb) print io
$1 = (struct io_file *) 0x32e2c0
(gdb) print *current_ioloop
$2 = {prev = 0x0, io_files = 0x320a00, next_io_file = 0x0,
 timeouts = 0x320a40, handler_context = 0x32e080,
 notify_handler_context = 0x342080, running = 1}

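The report's hypothesis is that io_remove is being called on an io_file that has already been unlinked from the loop's io_files list, so io_file_unlink follows stale prev/next pointers. The following is an added, self-contained C example (not Dovecot's ioloop.c, and not the poster's code) that models only the list links of an io_file and shows how a second unlink through stale links silently corrupts a doubly linked list, next to a defensive unlink that poisons the links on removal and refuses a repeat. The struct layouts, the IO_UNLINKED poison value and the scenario (nodes a, b, c, d) are assumptions constructed for the example; the fd values 11, 2 and 5 are borrowed from the dump above but the nodes themselves are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-in for an io_file list node: only the doubly linked
 * list links and an fd are modelled. This is NOT Dovecot's struct io_file. */
struct io_file {
    struct io_file *prev;
    struct io_file *next;
    int fd;
};

/* Minimal loop: just the head pointer of the io_files list (assumed layout). */
struct ioloop {
    struct io_file *io_files;
};

/* Poison written into prev/next once a node leaves the list, so that a
 * second unlink is recognisable instead of following stale links. */
#define IO_UNLINKED ((struct io_file *)(uintptr_t)0x1)

/* Push a node at the head of the list. */
static void io_file_link(struct ioloop *loop, struct io_file *io)
{
    io->prev = NULL;
    io->next = loop->io_files;
    if (loop->io_files != NULL)
        loop->io_files->prev = io;
    loop->io_files = io;
}

/* Unchecked unlink: trusts io->prev/io->next unconditionally, so calling it
 * on a node that was already removed writes through whatever those stale
 * pointers now hold. */
static void io_file_unlink_naive(struct ioloop *loop, struct io_file *io)
{
    if (io->prev != NULL)
        io->prev->next = io->next;
    else
        loop->io_files = io->next;
    if (io->next != NULL)
        io->next->prev = io->prev;
}

/* Checked unlink: rejects a poisoned node, confirms the node is actually
 * reachable from the head, then unlinks and poisons it. Returns false and
 * leaves the list untouched when the removal is not legitimate. */
static bool io_file_unlink_checked(struct ioloop *loop, struct io_file *io)
{
    if (io->prev == IO_UNLINKED || io->next == IO_UNLINKED)
        return false;                       /* double remove */
    const struct io_file *p;
    for (p = loop->io_files; p != NULL && p != io; p = p->next)
        ;
    if (p == NULL)
        return false;                       /* not in this loop's list */
    io_file_unlink_naive(loop, io);         /* links are trustworthy here */
    io->prev = IO_UNLINKED;
    io->next = IO_UNLINKED;
    return true;
}

/* Number of nodes reachable from the head. */
static size_t io_list_length(const struct ioloop *loop)
{
    size_t n = 0;
    for (const struct io_file *p = loop->io_files; p != NULL; p = p->next)
        n++;
    return n;
}

/* Constructed scenario: build a, b, c; remove a; add d (list is now d, b, c);
 * then remove a again. Returns how many nodes remain reachable. With the
 * naive unlink the stale a->next still points at b, so the head is reset
 * to b and d silently drops out of the list (2 remain); the checked unlink
 * refuses the second call and all 3 remain. */
static size_t demo_double_unlink(bool checked)
{
    struct ioloop loop = { NULL };
    struct io_file a = { .fd = 11 }, b = { .fd = 2 }, c = { .fd = 5 }, d = { .fd = 7 };

    io_file_link(&loop, &c);
    io_file_link(&loop, &b);
    io_file_link(&loop, &a);                        /* a, b, c */

    if (checked) io_file_unlink_checked(&loop, &a);
    else         io_file_unlink_naive(&loop, &a);   /* legitimate removal */

    io_file_link(&loop, &d);                        /* d, b, c */

    if (checked) io_file_unlink_checked(&loop, &a); /* refused */
    else         io_file_unlink_naive(&loop, &a);   /* head = a->next = b */

    return io_list_length(&loop);
}

/* The checked unlink reports the second removal instead of performing it. */
static bool demo_checked_refuses_second_unlink(void)
{
    struct ioloop loop = { NULL };
    struct io_file a = { .fd = 11 }, b = { .fd = 2 };
    io_file_link(&loop, &b);
    io_file_link(&loop, &a);
    bool first = io_file_unlink_checked(&loop, &a);
    bool second = io_file_unlink_checked(&loop, &a);
    return first && !second;
}

int main(void)
{
    printf("naive:   %zu nodes left (d was lost)\n", demo_double_unlink(false));
    printf("checked: %zu nodes left\n", demo_double_unlink(true));
    printf("second unlink refused: %s\n",
           demo_checked_refuses_second_unlink() ? "yes" : "no");
    return 0;
}
```

In the real crash the stale links held garbage rather than a still-valid neighbour, which is why the dereference faulted instead of quietly dropping a node; the poison-and-check pattern turns either case into a detectable failed removal rather than a write through an arbitrary pointer.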