Hi all, I'm getting core dumps from Dovecot when using Thunderbird as a client. Everything is fine when using the Apple Mail client. I've appended the debug dumps to this message so they are out of the way, but they should be read now.

I think the problem might be that io->prev and io->next aren't reliably initialised in ioloop.c:io_add. The value that io->prev has when the program crashes is just completely bogus. It isn't aligned correctly, and it doesn't point to anywhere inside the process's memory map. I don't know what *io->next is, but it sure doesn't look like a struct io_file. It doesn't even look like a struct io. Part of the garbage in *io->next is the char sequence "/vol/home/lloyd/Maildir/new" which is part of my mail box.

*io is not in the doubly linked list in current_io_look->io_files. I'm guessing that this object has been unlinked already. Some further digging (not shown here) shows that io->callback is notify_callback. It is set to NULL by the time imap crashes.

Here are all the gory GDB details:

Version: 1.1.beta3
OS: NetBSD 4.0_RC3/sparc64 (a 64 bit big endian architecture)
Client: Mozilla Thunderbird 2.0.0.6
bt full:

#0 0x00000000001e846c in io_file_unlink (io=0x32e2c0) at ioloop.c:54 No locals. #1 0x00000000001e8568 in io_remove (_io=0x3420a8) at ioloop.c:82 io_file = (struct io_file *) 0x32e2c0 io = (struct io *) 0x32e2c0 #2 0x000000000017a0a4 in index_mailbox_check_remove_all (ibox=0x331048) at index-mailbox-check.c:118 file = (struct index_notify_file *) 0x0 aio = (struct index_notify_io *) 0x3420a0 #3 0x0000000000139850 in maildir_notify_changes (box=0x331048) at maildir-storage.c:824 mbox = (struct maildir_mailbox *) 0x331048 #4 0x00000000001c0724 in mailbox_notify_changes (box=0x331048, min_interval=0, callback=0, context=0x0) at mail-storage.c:544 No locals. #5 0x00000000001c074c in mailbox_notify_changes_stop (box=0x331048) at mail-storage.c:550 No locals. #6 0x00000000001167fc in idle_finish (ctx=0x3380b0, done_ok=true, free_cmd=true) at cmd-idle.c:48 client = (struct client *) 0x334100 #7 0x0000000000116a04 in idle_client_input (ctx=0x3380b0) at cmd-idle.c:90 client = (struct client *) 0x334100 line = 0x33a075 "DONE" #8 0x00000000001ea2ac in io_loop_handler_run (ioloop=0x320080) at ioloop-kqueue.c:149 ctx = (struct ioloop_handler_context *) 0x32e080 events = (struct kevent *) 0x332000 event = (const struct kevent *) 0x332000 tv = {tv_sec = 0, tv_usec = 999441} ts = {tv_sec = 0, tv_nsec = 999441000} io = (struct io_file *) 0x320a80 events_count = 4 t_id = 2 msecs = 1000 ret = 1 i = 0 __PRETTY_FUNCTION__ = "io_loop_handler_run" #9 0x00000000001e8f28 in io_loop_run (ioloop=0x320080) at ioloop.c:303 No locals. #10 0x000000000012d710 in main (argc=1, argv=0xffffffffffffc978, envp=0xffffffffffffc988) at main.c:293 No locals.

More GDB Info:

(gdb) print *io $2 = {io = {condition = 0, callback = 0, context = 0x331048}, prev = 0x10000000d, next = 0x32e280, refcount = 0, fd = 0} (gdb) print *io->next $18 = {io = {condition = 0, callback = 0, context = 0x471a982100000000}, prev = 0x0, next = 0x2f766f6c2f686f6d, refcount = 1697606764, fd = 1870226479} (gdb) print *current_ioloop->io_files $35 = {io = {condition = IO_READ, callback = 0x1e9284 , context = 0x342080}, prev = 0x0, next = 0x320140, refcount = 1, fd = 11} (gdb) print *current_ioloop->io_files->next $36 = {io = {condition = IO_ERROR, callback = 0x12ca70 , context = 0x0}, prev = 0x320a00, next = 0x3200c0, refcount = 1, fd = 2} (gdb) print *current_ioloop->io_files->next->next $37 = {io = {condition = IO_READ, callback = 0x1ea6f0 , context = 0x0}, prev = 0x320140, next = 0x0, refcount = 1, fd = 5} (gdb) print io $1 = (struct io_file *) 0x32e2c0 (gdb) print *current_ioloop $2 = {prev = 0x0, io_files = 0x320a00, next_io_file = 0x0, timeouts = 0x320a40, handler_context = 0x32e080, notify_handler_context = 0x342080, running = 1}