[Dovecot] Segfault in deliver server

Sascha Wilde wilde at intevation.de
Tue Feb 3 13:04:17 EET 2009 

Hi Timo,
Hi list,

I finally got along to test the current dovecot 1.2 with our Kolab
Server.  And I'm very excited to see all the cool ACL and shared
name spaces stuff upstream, thanks a lot Timo!

Anyway I just stumbled across a new bug using our metadata-plugin (which
in turn uses the dict back end):

Making a few annotations requests after another it stops working.

dovecot.log sais something like:

Feb 03 11:58:21 burlywood3 <info> dovecot[10486]: IMAP(4 at burlywood3.rgb): metadata_get_metadata_entry: dict key=shared//kolab/var/dovecot/spool/4 at burlywood3.
rgb/home/maildir/.Calendar//vendor/kolab/folder-type
Feb 03 11:58:21 burlywood3 <error> dovecot[10486]: child 10503 (dict) killed with signal 11
Feb 03 11:58:21 burlywood3 <error> dovecot[10486]: IMAP(4 at burlywood3.rgb): read(/kolab/var/dovecot/run/dict-server) failed: Connection reset by peer
Feb 03 11:58:21 burlywood3 <critical> dovecot[10520]: Fatal: dup2(3) failed: Bad file descriptor
Feb 03 11:58:21 burlywood3 <error> dovecot[10486]: child 10520 (dict) returned error 89 (Fatal failure)
Feb 03 11:58:21 burlywood3 <critical> dovecot[10486]: Panic: file ioloop.c: line 38 (io_add): assertion failed: (fd >= 0)
(END) 

I attached gdb to dict and got this:

Program received signal SIGSEGV, Segmentation fault.
array_idx_modifiable_i (array=0x38, idx=0) at array.c:10
10              pos = idx * array->element_size;
(gdb) bt
#0  array_idx_modifiable_i (array=0x38, idx=0) at array.c:10
#1  0x0805e9a2 in sql_pool_unlink (ctx=0x80fb670) at sql-pool.c:64
#2  0x0805ea24 in sql_pool_new (pool=0x80f9470, db_driver=0x80dd498 "sqlite", connect_string=0x810ad78 "/kolab/var/dovecot/lib/metadata-dict.sqlite")
    at sql-pool.c:97
#3  0x0805bb3c in sql_dict_init (driver=0x80f9ae0, uri=0xbfce9f76 "/kolab/etc/dovecot/metadata-dict.conf", value_type=DICT_DATA_TYPE_STRING, 
    username=0x80fb910 "4 at burlywood3.rgb") at dict-sql.c:86
#4  0x0805c9ca in dict_init (uri=0xbfce9f6f "sqlite:/kolab/etc/dovecot/metadata-dict.conf", value_type=DICT_DATA_TYPE_STRING, 
    username=0x80fb910 "4 at burlywood3.rgb") at dict.c:87
#5  0x0805a1b1 in dict_client_connection_input (conn=0x80fb8d0) at dict-server.c:407
#6  0x0806637c in io_loop_handler_run (ioloop=0x80f8a80) at ioloop-epoll.c:202
#7  0x080652fd in io_loop_run (ioloop=0x80f8a80) at ioloop.c:338
#8  0x0805a42d in main () at main.c:122
(gdb) li
5       
6       void *array_idx_modifiable_i(struct array *array, unsigned int idx)
7       {
8               size_t pos;
9       
10              pos = idx * array->element_size;
11              if (pos >= array->buffer->used) {
12                      /* index doesn't exist yet, initialize with zero */
13                      buffer_append_zero(array->buffer, pos + array->element_size -
14                                         array->buffer->used);
(gdb) p array
$1 = (struct array *) 0x38
(gdb) p *array
Cannot access memory at address 0x38
(gdb) up
#1  0x0805e9a2 in sql_pool_unlink (ctx=0x80fb670) at sql-pool.c:64
64                      next_ctx = SQL_POOL_CONTEXT(ctx->prev);
(gdb) p *ctx
$2 = {module_ctx = {reg = 0x0}, prev = 0x0, next = 0x810d2b0, pool = 0x80f9470, refcount = 0, 
  key = 0x80fb638 "sqlite\t/kolab/var/dovecot/lib/metadata-dict.sqlite", orig_deinit = 0x805f229 <driver_sqlite_deinit_v>}
(gdb) li
59                      prev_ctx->next = ctx->next;
60              }
61              if (ctx->next == NULL)
62                      ctx->pool->unused_head = ctx->prev;
63              else {
64                      next_ctx = SQL_POOL_CONTEXT(ctx->prev);
65                      next_ctx->prev = ctx->prev;
66              }
67              ctx->pool->unused_count--;
68      }
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists

It's quite possible, that we got any details in the usage of the dict
back end wrong, but I guess that in any case the dict server shouldn't
segfault...

cheers
sascha
-- 
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090203/d63e400d/attachment.bin

More information about the dovecot mailing list