[Dovecot] A few rc17 imap crashes

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Jan 18 17:42:38 UTC 2007


Chris Wakelin wrote:
> 
> dovecot-20070117.tar.gz seems to have fixed the reproducible crash, but
> I did get a couple of extra compiler warnings (gcc 3.3.2):-
> 
> mail-index.c: In function `mail_index_parse_extensions':
> mail-index.c:342: warning: comparison between signed and unsigned
> mail-index.c: In function `mail_index_map_clone':
> mail-index.c:1242: warning: comparison between signed and unsigned
> 

Hi Timo,

I've got three reproducible rc17 crashes, all fixed in
dovecot-20070117.tar.gz, and I've managed to get the same crashes in
Solaris 10 on Sparc. However, Solaris 10 has walkcontext() so I've been
able to use versions with the memdebug-* patches. The
memdebug-delayed.diff version doesn't crash or log anything interesting,
but the memdebug-bof.diff version does:

> #0  0xff154dd8 in t_splay () from /lib/libc.so.1
> #1  0xff154c68 in t_delete () from /lib/libc.so.1
> #2  0xff15487c in realfree () from /lib/libc.so.1
> #3  0xff155104 in cleanfree () from /lib/libc.so.1
> #4  0xff15425c in _malloc_unlocked () from /lib/libc.so.1
> #5  0xff15414c in malloc () from /lib/libc.so.1
> #6  0xff140f10 in calloc () from /lib/libc.so.1
> #7  0x00080644 in pool_system_malloc (pool=0xacd8c, size=28) at mempool-system.c:67
> #8  0x0007dafc in timeout_add (msecs=1000, callback=0x5086c <index_removal_timeout>, context=0x0) at ioloop.c:146
> #9  0x00050924 in index_storage_unref (index=0xacc00) at index-storage.c:192
> #10 0x00050bb4 in index_storage_mailbox_free (box=0xbee08) at index-storage.c:395
> #11 0x000368f0 in mbox_storage_close (box=0xbee08) at mbox-storage.c:1086
> #12 0x0006a14c in mailbox_close (_box=0xb8e78) at mail-storage.c:373
> #13 0x00020760 in cmd_logout (cmd=0xb8ea4) at cmd-logout.c:18
> #14 0x000229d8 in client_handle_input (cmd=0xb8ea4) at client.c:331
> #15 0x00022950 in client_handle_input (cmd=0xb8ea4) at client.c:388
> #16 0x00022b30 in _client_input (context=0xb8e60) at client.c:428
> #17 0x0007e5d8 in io_loop_handler_run (ioloop=0xb5f38) at ioloop-poll.c:199
> #18 0x0007deb8 in io_loop_run (ioloop=0xb5f38) at ioloop.c:281
> #19 0x0002ae64 in main (argc=-4196408, argv=0xac000, envp=0xacc00) at main.c:280

for two of them and:

> #0  0xff154dd8 in t_splay () from /lib/libc.so.1
> #1  0xff154c68 in t_delete () from /lib/libc.so.1
> #2  0xff1548a8 in realfree () from /lib/libc.so.1
> #3  0xff155078 in _free_unlocked () from /lib/libc.so.1
> #4  0xff154fb4 in free () from /lib/libc.so.1
> #5  0x00077320 in _buffer_free (_buf=0xacfd0) at buffer.c:123
> #6  0x00069860 in mail_storage_deinit () at array.h:80
> #7  0x0002ae9c in main (argc=0, argv=0xac000, envp=0xacc00) at main.c:247

for the other.

Is this what you expected? Each case was LOGIN, SELECT, UID FETCH *
BODY[], LOGOUT.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

