indexer crash

Onno Molenkamp onno at flox.org
Sun Aug 29 00:42:01 EEST 2021


Hi,

Because I was getting segfaults in libc in calloc calls by the indexer 
process of Dovecot 2.3.16, I ran indexer with valgrind to look for 
possible memory corruption. It did indeed find that indexer was 
accessing memory that had already been freed; I've attached the log file.

I've then tried running Dovecot with the fix in commit 
97367ef61784a364ccf615cb816be6492329050d, but that didn't make any 
difference. Reverting (just the code in src/indexer) to the last 
revision before the recent rewrite to use connection.c 
(d76761698a06bab60a741c6794252fddec4292ef) did: valgrind doesn't log any 
errors anymore, and indexer has stopped crashing.

Onno
-------------- next part --------------
==15425== Memcheck, a memory error detector
==15425== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15425== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==15425== Command: /usr/lib/dovecot/indexer.orig
==15425== Parent PID: 15410
==15425== 
==15425== Invalid write of size 8
==15425==    at 0x405D27: worker_connection_call_callback (worker-connection.c:44)
==15425==    by 0x405D27: worker_connection_input_args (worker-connection.c:109)
==15425==    by 0xFFFCE8756: connection_input_default (connection.c:95)
==15425==    by 0xFFFD0FB83: io_loop_call_io (ioloop.c:727)
==15425==    by 0xFFFD11DF2: io_loop_handler_run_internal (ioloop-poll.c:213)
==15425==    by 0xFFFD0FC22: io_loop_handler_run (ioloop.c:779)
==15425==    by 0xFFFD0FDF7: io_loop_run (ioloop.c:752)
==15425==    by 0xFFFC67F0A: master_service_run (master-service.c:865)
==15425==    by 0x4049F4: main (indexer.c:145)
==15425==  Address 0xfff6bf0e0 is 368 bytes inside a block of size 384 free'd
==15425==    at 0xFFFF65981: free (vg_replace_malloc.c:766)
==15425==    by 0x406494: worker_pool_release_connection (worker-pool.c:105)
==15425==    by 0x4046C1: worker_status_callback (indexer.c:112)
==15425==    by 0x405D1B: worker_connection_call_callback (worker-connection.c:42)
==15425==    by 0x405D1B: worker_connection_input_args (worker-connection.c:109)
==15425==    by 0xFFFCE8756: connection_input_default (connection.c:95)
==15425==    by 0xFFFD0FB83: io_loop_call_io (ioloop.c:727)
==15425==    by 0xFFFD11DF2: io_loop_handler_run_internal (ioloop-poll.c:213)
==15425==    by 0xFFFD0FC22: io_loop_handler_run (ioloop.c:779)
==15425==    by 0xFFFD0FDF7: io_loop_run (ioloop.c:752)
==15425==    by 0xFFFC67F0A: master_service_run (master-service.c:865)
==15425==    by 0x4049F4: main (indexer.c:145)
==15425==  Block was alloc'd at
==15425==    at 0xFFFF66B88: calloc (vg_replace_malloc.c:1128)
==15425==    by 0xFFFD1C329: pool_system_malloc (mempool-system.c:105)
==15425==    by 0x406128: p_malloc (mempool.h:107)
==15425==    by 0x406128: worker_connection_create (worker-connection.c:222)
==15425==    by 0x40642A: worker_pool_add_connection (worker-pool.c:60)
==15425==    by 0x40642A: worker_pool_get_connection (worker-pool.c:96)
==15425==    by 0x40486E: queue_try_send_more (indexer.c:85)
==15425==    by 0x4052B6: indexer_queue_append_finish (indexer-queue.c:129)
==15425==    by 0x4052B6: indexer_queue_append (indexer-queue.c:144)
==15425==    by 0x404B01: indexer_client_request_queue (indexer-client.c:68)
==15425==    by 0x404D53: indexer_client_request (indexer-client.c:112)
==15425==    by 0x404D53: indexer_client_input_args (indexer-client.c:130)
==15425==    by 0xFFFCE8756: connection_input_default (connection.c:95)
==15425==    by 0xFFFD0FB83: io_loop_call_io (ioloop.c:727)
==15425==    by 0xFFFD11DF2: io_loop_handler_run_internal (ioloop-poll.c:213)
==15425==    by 0xFFFD0FC22: io_loop_handler_run (ioloop.c:779)
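
Added example, not part of the original post and not Dovecot's code: in the trace above, the callback invoked at worker-connection.c:42 reaches worker_pool_release_connection, which frees the connection, and worker-connection.c:44 then writes into that same block. The C code below shows that ordering hazard next to a callback-last ordering that avoids it; struct conn, status_cb and all function names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical names throughout; this is not Dovecot's worker-connection.c. */
struct conn;
typedef void status_cb(int percentage, struct conn *conn);
struct conn {
    status_cb *callback;
    void *request;          /* per-request state, cleared on completion */
};
static int live_conns;      /* allocations not yet released */

/* Owner's callback: gives the connection back (frees it) when work is done. */
static void release_when_done(int percentage, struct conn *conn)
{
    if (percentage >= 100) {
        live_conns--;
        free(conn);
    }
}

/* Ordering the trace points at: a store after a callback that may free conn. */
void finish_unsafe(struct conn *conn, int percentage)
{
    conn->callback(percentage, conn);
    conn->request = NULL;   /* invalid write if the callback freed conn */
}

/* Hardened ordering: finish every access to conn first and call the
   callback last, so nothing touches conn after it returns. */
void finish_safe(struct conn *conn, int percentage)
{
    status_cb *cb = conn->callback;
    conn->request = NULL;
    cb(percentage, conn);   /* conn may be gone after this line */
}

/* One completion through finish_safe; returns 1 if the callback freed conn. */
int demo_finish_safe(int percentage)
{
    struct conn *conn = calloc(1, sizeof(*conn));
    if (conn == NULL) abort();
    live_conns = 1;
    conn->callback = release_when_done;
    conn->request = conn;   /* constructed non-NULL placeholder */
    finish_safe(conn, percentage);
    int freed = (live_conns == 0);
    if (!freed)
        free(conn);         /* still ours: the callback did not release it */
    return freed;
}
```

Building this with -fsanitize=address or running it under valgrind reports nothing for finish_safe; swapping in finish_unsafe with a completing callback gives the same "Invalid write ... inside a block ... free'd" shape as the log.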


