Re: [Dovecot] dovecot-lda (2.1.12) segfaults
Timo Sirainen writes:
Can you still reproduce this in any way?
Yes, I have 6 sets of user INBOX index caches that will crash dovecot-lda. The actual content of the INBOX is irrelevant (crash probably happens before INBOX is opened).
I found two bugs, would be nice to know if they solve it:
http://hg.dovecot.org/dovecot-2.1/rev/2f848393f78e http://hg.dovecot.org/dovecot-2.1/rev/bded819417d9
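No, these patches don't help. It crashes in the same place with the same value of field_hdr. (In frame #0 below, field_hdr is 0x20 and offset is 32, so the pointer looks like the header offset applied to a NULL cache mapping rather than to valid cache file data.) Here's the full backtrace: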
#0 0xff2a0474 in mail_cache_header_fields_read (cache=0x5c250) at mail-cache-fields.c:325
        field_hdr = (const struct mail_cache_header_fields *) 0x20
        field = {name = 0x402 <Address 0x402 out of bounds>, idx = 4282351288, type = MAIL_CACHE_FIELD_VARIABLE_SIZE, field_size = 4282335628, decision = MAIL_CACHE_DECISION_TEMP, last_used = -14558816}
        last_used = (const uint32_t *) 0x64584
        sizes = (const uint32_t *) 0xc
        types = (const uint8_t *) 0x64888 ""
        decisions = (const uint8_t *) 0x64900 ""
        p = 0x24a38 "�\035\212@����"
        names = 0x0
        end = 0x64a50 ""
        orig_key = (void *) 0xffbfee38
        orig_value = (void *) 0x64550
        fidx = 411784
        new_fields_count = 4280126016
        dec = MAIL_CACHE_DECISION_NO
        max_drop_time = 376804
        offset = 32
        i = 4282348464
#1 0xff29e8cc in mail_cache_compress_locked (cache=0x5c250, trans=0x645e0, unlock=0xffbfeeef) at mail-cache-compress.c:361
        dotlock = (struct dotlock *) 0x2ea00
        st = {st_dev = 235718347, st_pad1 = {874, 0, 0}, st_ino = 0, st_mode = 0, st_nlink = 0, st_uid = 0, st_gid = 0, st_rdev = 3720, st_pad2 = {0, 0}, st_size = 3720, st_atim = { tv_sec = 410816, tv_nsec = -12631336}, st_mtim = {tv_sec = 514, tv_nsec = -12631336}, st_ctim = {tv_sec = 65536, tv_nsec = 0}, st_blksize = 0, st_blocks = 1621028016851520, st_fstype = "\000\000\000\004\000\000\000\003\212\000\000\000\000\005�P", st_pad4 = {-4198784, -14028952, 39394339, 377424, 0, 16777216, 3, 4}}
        old_mask = 4282348464
        file_seq = 4
        old_offset = 4290768372
        ext_offsets = {arr = {buffer = 0xffbfee10, element_size = 4280930288}, v = 0xffbfee10, v_modifiable = 0xffbfee10}
        offsets = (const uint32_t *) 0x0
        data = (const void *) 0xff3f4380
        i = 0
        count = 1
        fd = 0
        ret = 377424
#2 0xff29efe0 in mail_cache_compress (cache=0x5c250, trans=0x645e0) at mail-cache-compress.c:489
        unlock = false
        ret = 411764
        __FUNCTION__ = "mail_cache_compress"
#3 0xff2a3e28 in mail_cache_transaction_compress (ctx=0x5e3b8) at mail-cache-transaction.c:180
        cache = (struct mail_cache *) 0x5c250
        view = (struct mail_index_view *) 0x644c0
        trans = (struct mail_index_transaction *) 0x645e0
        ret = 2424
#4 0xff2a40b8 in mail_cache_transaction_open_if_needed (ctx=0x5e3b8) at mail-cache-transaction.c:241
        cache = (struct mail_cache *) 0x5c250
        ext = (const struct mail_index_ext *) 0x1e
        idx = 154968
        i = 1
        __FUNCTION__ = "mail_cache_transaction_open_if_needed"
#5 0xff2a6e94 in mail_cache_field_want_add (ctx=0x5e3b8, seq=1, field_idx=12) at mail-cache-transaction.c:1048
        decision = 153968
#6 0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5efa8) at index-mail-headers.c:175
        _mail = (struct mail *) 0x5efa8
        all_cache_fields = (const struct mail_cache_field *) 0x25970
        i = 12
        count = 26
#7 0xff27ec90 in index_mail_parse_header_init (mail=0x5efa8, headers=0x0) at index-mail-headers.c:230
        _data_stack_cur_id = 2
        data = (struct index_mail_data *) 0x5f058
        match = (const uint8_t *) 0x641a0 ""
        i = 0
        field_idx = 4290769328
        match_count = 2155905152
        __FUNCTION__ = "index_mail_parse_header_init"
#8 0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5efa8, input=0x64058) at index-mail-headers.c:376
        mail = (struct index_mail *) 0x5efa8
        input2 = (struct istream *) 0x641a0
        __FUNCTION__ = "index_mail_cache_parse_init"
#9 0xff2299cc in mbox_save_get_input_stream (ctx=0x5e6e0, input=0x637c8) at mbox-save.c:411
        filter = (struct istream *) 0x0
        ret = (struct istream *) 0x5edd0
        cache_input = (struct istream *) 0x25990
        streams = {0x20202020, 0x2e938, 0xa202020}
#10 0xff22a084 in mbox_save_begin (_ctx=0x5e6e0, input=0x637c8) at mbox-save.c:520
        ctx = (struct mbox_save_context *) 0x5e6e0
        t = (struct mbox_transaction_context *) 0x5de88
        save_flags = MAIL_RECENT
        offset = 0
        __FUNCTION__ = "mbox_save_begin"
#11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x637c8) at mail-storage.c:1652
        box = (struct mailbox *) 0x594e8
        ret = 0
#12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68
        ctx = (struct mail_save_context *) 0x5e6e0
        pmail = (struct mail_private *) 0x54cd8
        input = (struct istream *) 0x637c8
        from_envelope = 0x13d90 "MAILER-DAEMON"
        guid = 0xff2f0ec0 ""
        received_date = -1
#13 0xff23f23c in mail_storage_copy (ctx=0x5e6e0, mail=0x54cd8) at mail-copy.c:93
        No locals.
#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
        ctx = (struct mail_save_context *) 0x5e6e0
        box = (struct mailbox *) 0x594e8
        keywords = (struct mail_keywords *) 0x0
        ret = 389032
#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
        No locals.
#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0, keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
        open_ctx = {user = 0x3d3a8, lda_mailbox_autocreate = true, lda_mailbox_autosubscribe = false}
        box = (struct mailbox *) 0x594e8
        trans_flags = MAILBOX_TRANSACTION_FLAG_EXTERNAL
        t = (struct mailbox_transaction_context *) 0x5de88
        save_ctx = (struct mail_save_context *) 0x0
        headers_ctx = (struct mailbox_header_lookup_ctx *) 0x0
        kw = (struct mail_keywords *) 0x0
        error = MAIL_ERROR_NONE
        mailbox_name = 0x13fe8 "INBOX"
        errstr = 0x0
        guid = 0xff3f73b0 ""
        changes = {pool = 0x13e38, uid_validity = 0, saved_uids = {arr = {buffer = 0x13e28, element_size = 1}, v = 0x13e28, v_modifiable = 0x13e28}, ignored_modseq_changes = 4282350008, changed = false}
        range = (const struct seq_range *) 0xff1d3580
        default_save = true
        ret = 0
        __FUNCTION__ = "mail_deliver_save"
#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
        ret = -1
#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434
        set_roots = {0x24b48, 0x0}
        ctx = {pool = 0x2eaf0, set = 0x30440, session = 0x2eb00, dup_ctx = 0x0, session_id = 0x0, src_mail = 0x54cd8, src_envelope_sender = 0x0, dest_user = 0x3d3a8, dest_addr = 0x25828 "testuser@domain", final_dest_addr = 0x25828 "testuser@domain", dest_mailbox_name = 0x13fe8 "INBOX", dest_mail = 0x5efa8, var_expand_table = 0x0, tried_default_save = true, saved_mail = false, save_dest_mail = false, mailbox_full = false, dsn = false}
        service_flags = 1027
        user = 0xffbffad0 "testuser"
        errstr = 0xff3f48e8 ""
        path = 0x0
        storage_service = (struct mail_storage_service_ctx *) 0x2f650
        service_user = (struct mail_storage_service_user *) 0x2fe88
        service_input = {module = 0x13fd0 "lda", service = 0x13fd0 "lda", username = 0xffbffad0 "testuser", session_id = 0x0, local_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, remote_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, local_port = 0, remote_port = 0, userdb_fields = 0x0, flags_override_add = 0, flags_override_remove = 0, no_userdb_lookup = 0}
        storage = (struct mail_storage *) 0x39330
        user_source = 0x13f30 ""
        destaddr_source = 0x13f30 ""
        process_euid = 0
        stderr_rejection = false
        ret = 1
        c = -1
        error = MAIL_ERROR_NONE
Joseph Tam <tam@math.ubc.ca>
On 19.12.2012, at 12.47, Joseph Tam <jtam.home@gmail.com> wrote:
Can you still reproduce this in any way?
Yes, I have 6 sets of user INBOX index caches that will crash dovecot-lda. The actual content of the INBOX is irrelevant (crash probably happens before INBOX is opened).
Could you send me those files? Would be the easiest and quickest way to get it fixed :)
On 19.12.2012, at 12.59, Timo Sirainen <tss@iki.fi> wrote:
On 19.12.2012, at 12.47, Joseph Tam <jtam.home@gmail.com> wrote:
Can you still reproduce this in any way?
Yes, I have 6 sets of user INBOX index caches that will crash dovecot-lda. The actual content of the INBOX is irrelevant (crash probably happens before INBOX is opened).
Could you send me those files? Would be the easiest and quickest way to get it fixed :)
Okay, fixed: http://hg.dovecot.org/dovecot-2.1/rev/32ce915e046a