Timo Sirainen writes:
Can you still reproduce this in any way?
Yes, I have 6 sets of user INBOX index caches that will crash dovecot-lda. The actual content of the INBOX is irrelevant (crash probably happens before INBOX is opened).
I found two bugs, would be nice to know if they solve it:
http://hg.dovecot.org/dovecot-2.1/rev/2f848393f78e http://hg.dovecot.org/dovecot-2.1/rev/bded819417d9
No, these patches don't help. It crashes in the same place with the same value of field_hdr. Here's the full backtrace:
#0 0xff2a0474 in mail_cache_header_fields_read (cache=0x5c250) at mail-cache-fields.c:325 field_hdr = (const struct mail_cache_header_fields *) 0x20 field = {name = 0x402 <Address 0x402 out of bounds>, idx = 4282351288, type = MAIL_CACHE_FIELD_VARIABLE_SIZE, field_size = 4282335628, decision = MAIL_CACHE_DECISION_TEMP, last_used = -14558816} last_used = (const uint32_t *) 0x64584 sizes = (const uint32_t *) 0xc types = (const uint8_t *) 0x64888 "" decisions = (const uint8_t *) 0x64900 "" p = 0x24a38 "�\035\212@����" names = 0x0 end = 0x64a50 "" orig_key = (void *) 0xffbfee38 orig_value = (void *) 0x64550 fidx = 411784 new_fields_count = 4280126016 dec = MAIL_CACHE_DECISION_NO max_drop_time = 376804 offset = 32 i = 4282348464 #1 0xff29e8cc in mail_cache_compress_locked (cache=0x5c250, trans=0x645e0, unlock=0xffbfeeef) at mail-cache-compress.c:361 dotlock = (struct dotlock *) 0x2ea00 st = {st_dev = 235718347, st_pad1 = {874, 0, 0}, st_ino = 0, st_mode = 0, st_nlink = 0, st_uid = 0, st_gid = 0, st_rdev = 3720, st_pad2 = {0, 0}, st_size = 3720, st_atim = { tv_sec = 410816, tv_nsec = -12631336}, st_mtim = {tv_sec = 514, tv_nsec = -12631336}, st_ctim = {tv_sec = 65536, tv_nsec = 0}, st_blksize = 0, st_blocks = 1621028016851520, st_fstype = "\000\000\000\004\000\000\000\003\212\000\000\000\000\005�P", st_pad4 = {-4198784, -14028952, 39394339, 377424, 0, 16777216, 3, 4}} old_mask = 4282348464 file_seq = 4 old_offset = 4290768372 ext_offsets = {arr = {buffer = 0xffbfee10, element_size = 4280930288}, v = 0xffbfee10, v_modifiable = 0xffbfee10} offsets = (const uint32_t *) 0x0 data = (const void *) 0xff3f4380 i = 0 count = 1 fd = 0 ret = 377424 #2 0xff29efe0 in mail_cache_compress (cache=0x5c250, trans=0x645e0) at mail-cache-compress.c:489 unlock = false ret = 411764 __FUNCTION__ = "mail_cache_compress" #3 0xff2a3e28 in mail_cache_transaction_compress (ctx=0x5e3b8) at mail-cache-transaction.c:180 cache = (struct mail_cache *) 0x5c250 view = (struct mail_index_view *) 0x644c0 
trans = (struct mail_index_transaction *) 0x645e0 ret = 2424 #4 0xff2a40b8 in mail_cache_transaction_open_if_needed (ctx=0x5e3b8) at mail-cache-transaction.c:241 cache = (struct mail_cache *) 0x5c250 ext = (const struct mail_index_ext *) 0x1e idx = 154968 i = 1 __FUNCTION__ = "mail_cache_transaction_open_if_needed" #5 0xff2a6e94 in mail_cache_field_want_add (ctx=0x5e3b8, seq=1, field_idx=12) at mail-cache-transaction.c:1048 decision = 153968 #6 0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5efa8) at index-mail-headers.c:175 _mail = (struct mail *) 0x5efa8 all_cache_fields = (const struct mail_cache_field *) 0x25970 i = 12 count = 26 #7 0xff27ec90 in index_mail_parse_header_init (mail=0x5efa8, headers=0x0) at index-mail-headers.c:230 _data_stack_cur_id = 2 data = (struct index_mail_data *) 0x5f058 match = (const uint8_t *) 0x641a0 "" i = 0 field_idx = 4290769328 match_count = 2155905152 __FUNCTION__ = "index_mail_parse_header_init" #8 0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5efa8, input=0x64058) at index-mail-headers.c:376 mail = (struct index_mail *) 0x5efa8 input2 = (struct istream *) 0x641a0 __FUNCTION__ = "index_mail_cache_parse_init" #9 0xff2299cc in mbox_save_get_input_stream (ctx=0x5e6e0, input=0x637c8) at mbox-save.c:411 filter = (struct istream *) 0x0 ret = (struct istream *) 0x5edd0 cache_input = (struct istream *) 0x25990 streams = {0x20202020, 0x2e938, 0xa202020} #10 0xff22a084 in mbox_save_begin (_ctx=0x5e6e0, input=0x637c8) at mbox-save.c:520 ctx = (struct mbox_save_context *) 0x5e6e0 t = (struct mbox_transaction_context *) 0x5de88 save_flags = MAIL_RECENT offset = 0 __FUNCTION__ = "mbox_save_begin" #11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x637c8) at mail-storage.c:1652 box = (struct mailbox *) 0x594e8 ret = 0 #12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68 ctx = (struct mail_save_context *) 0x5e6e0 pmail = (struct mail_private *) 0x54cd8 input = (struct 
istream *) 0x637c8 from_envelope = 0x13d90 "MAILER-DAEMON" guid = 0xff2f0ec0 "" received_date = -1 #13 0xff23f23c in mail_storage_copy (ctx=0x5e6e0, mail=0x54cd8) at mail-copy.c:93 No locals. #14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721 ctx = (struct mail_save_context *) 0x5e6e0 box = (struct mailbox *) 0x594e8 keywords = (struct mail_keywords *) 0x0 ret = 389032 #15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730 No locals. #16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0, keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317 open_ctx = {user = 0x3d3a8, lda_mailbox_autocreate = true, lda_mailbox_autosubscribe = false} box = (struct mailbox *) 0x594e8 trans_flags = MAILBOX_TRANSACTION_FLAG_EXTERNAL t = (struct mailbox_transaction_context *) 0x5de88 save_ctx = (struct mail_save_context *) 0x0 headers_ctx = (struct mailbox_header_lookup_ctx *) 0x0 kw = (struct mail_keywords *) 0x0 error = MAIL_ERROR_NONE mailbox_name = 0x13fe8 "INBOX" errstr = 0x0 guid = 0xff3f73b0 "" changes = {pool = 0x13e38, uid_validity = 0, saved_uids = {arr = {buffer = 0x13e28, element_size = 1}, v = 0x13e28, v_modifiable = 0x13e28}, ignored_modseq_changes = 4282350008, changed = false} range = (const struct seq_range *) 0xff1d3580 default_save = true ret = 0 __FUNCTION__ = "mail_deliver_save" #17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403 ret = -1 #18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434 set_roots = {0x24b48, 0x0} ctx = {pool = 0x2eaf0, set = 0x30440, session = 0x2eb00, dup_ctx = 0x0, session_id = 0x0, src_mail = 0x54cd8, src_envelope_sender = 0x0, dest_user = 0x3d3a8, dest_addr = 0x25828 "testuser@domain", final_dest_addr = 0x25828 "testuser@domain", dest_mailbox_name = 0x13fe8 "INBOX", dest_mail = 0x5efa8, var_expand_table = 0x0, tried_default_save = true, saved_mail = false, save_dest_mail = false, 
mailbox_full = false, dsn = false} service_flags = 1027 user = 0xffbffad0 "testuser" errstr = 0xff3f48e8 "" path = 0x0 storage_service = (struct mail_storage_service_ctx *) 0x2f650 service_user = (struct mail_storage_service_user *) 0x2fe88 service_input = {module = 0x13fd0 "lda", service = 0x13fd0 "lda", username = 0xffbffad0 "testuser", session_id = 0x0, local_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, remote_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, local_port = 0, remote_port = 0, userdb_fields = 0x0, flags_override_add = 0, flags_override_remove = 0, no_userdb_lookup = 0} storage = (struct mail_storage *) 0x39330 user_source = 0x13f30 "" destaddr_source = 0x13f30 "" process_euid = 0 stderr_rejection = false ret = 1 c = -1 error = MAIL_ERROR_NONE
Joseph Tam <tam@math.ubc.ca>