Hi all, I've seen a few segfaults in RC15. It's hard for me to reproduce
but I was able to get a core when it happened with one of our customers.
RC15
FreeBSD 4.10
X86
NFS/NetApp
It's squirrelmail/webmail client.
Can't reproduce it, can't turn on dovecot.rawlog because I don't know in
advance which customer will hit this. See it about 5 times per hour,
with thousands of logins per hour.
Here's the backtrace..
Cor
------
Core was generated by `imap'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/local/lib/dovecot/imap/lib01_quota_plugin.so...done.
Reading symbols from /usr/lib/librpcsvc.so.2...done.
Reading symbols from
/usr/local/lib/dovecot/imap/lib02_imap_quota_plugin.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 maildir_save_file_get_path (_t=0x80d72c0, seq=37) at maildir-save.c:242
242 i_assert(seq >= ctx->first_seq);
(gdb) bt full
#0 maildir_save_file_get_path (_t=0x80d72c0, seq=37) at maildir-save.c:242
_t = (struct mailbox_transaction_context *) 0x80d72c0
seq = 37
ctx = (struct maildir_save_context *) 0x0
mf = (struct maildir_filename *) 0x80d72c0
#1 0x80682ca in maildir_mail_get_virtual_size (_mail=0x80e9440) at
maildir-mail.c:145
mail = (struct index_mail *) 0x80e9440
mbox = (struct maildir_mailbox *) 0x80d8c40
data = (struct index_mail_data *) 0x80e94a4
path = 0x80e94a4 ""
fname = 0x80d72c0 "@\214\r\b??\f\b\004"
virtual_size = 580366801855675066
flags = 19
#2 0x8097b22 in mail_get_virtual_size (mail=0x80e9440) at mail.c:68
mail = (struct mail *) 0x80d72c0
#3 0x805cf4d in fetch_rfc822_size (ctx=0x80de088, mail=0x80e9440, context=0x0)
at imap-fetch-body.c:839
ctx = (struct imap_fetch_context *) 0x80d72c0
size = 135099072
#4 0x805b395 in imap_fetch (ctx=0x80de088) at imap-fetch.c:265
ctx = (struct imap_fetch_context *) 0x80de088
handlers = (struct imap_fetch_context_handler *) 0x80de1a8
ret = 1
#5 0x8056e0b in cmd_fetch (cmd=0x80db044) at cmd-fetch.c:171
cmd = (struct client_command_context *) 0x80db044
client = (struct client *) 0x80db000
ctx = (struct imap_fetch_context *) 0x80de088
args = (struct imap_arg *) 0x80dc048
search_arg = (struct mail_search_arg *) 0x80de050
messageset = 0x25 <Address 0x25 out of bounds>
ret = 135099072
#6 0x805955a in cmd_uid (cmd=0x80db044) at cmd-uid.c:19
cmd = (struct client_command_context *) 0x80db044
cmd_name = 0x80dc0f8 "FETCH"
#7 0x8059f45 in client_handle_input (cmd=0x80db044) at client.c:382
cmd = (struct client_command_context *) 0x80db044
client = (struct client *) 0x80db000
#8 0x805a01e in _client_input (context=0x80db000) at client.c:433
client = (struct client *) 0x80db000
cmd = (struct client_command_context *) 0x80db044
ret = 2
#9 0x80a9608 in io_loop_handler_run (ioloop=0x80d7000) at ioloop-poll.c:199
ctx = (struct ioloop_handler_context *) 0x80cb0a0
pollfd = (struct pollfd *) 0x2
tv = {tv_sec = 0, tv_usec = 888475}
io = (struct io *) 0x80cb4a0
t_id = 2
msecs = 135099072
ret = 0
call = 135099072
#10 0x80a901d in io_loop_run (ioloop=0x80d7000) at ioloop.c:281
ioloop = (struct ioloop *) 0x80d7000
#11 0x8060f1d in main (argc=1, argv=0xbfbff624, envp=0xbfbff62c) at main.c:280
No locals.
Ok, the other segfaults are the same problem.. here's another one:
It looks like the filename gets corrupted or something..
Cor
Core was generated by `imap'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/local/lib/dovecot/imap/lib01_quota_plugin.so...done.
Reading symbols from /usr/lib/librpcsvc.so.2...done.
Reading symbols from
/usr/local/lib/dovecot/imap/lib02_imap_quota_plugin.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 maildir_save_file_get_path (_t=0x80d7300, seq=55) at maildir-save.c:242
242 i_assert(seq >= ctx->first_seq);
(gdb) bt full
#0 maildir_save_file_get_path (_t=0x80d7300, seq=55) at maildir-save.c:242
_t = (struct mailbox_transaction_context *) 0x80d7300
seq = 55
ctx = (struct maildir_save_context *) 0x0
mf = (struct maildir_filename *) 0x80d7300
#1 0x80682ca in maildir_mail_get_virtual_size (_mail=0x80e9840) at
maildir-mail.c:145
mail = (struct index_mail *) 0x80e9840
mbox = (struct maildir_mailbox *) 0x80d8c40
data = (struct index_mail_data *) 0x80e98a4
path = 0x80e98a4 ""
fname = 0x80d7300 "@\214\r\b??\f\b\004"
virtual_size = 580366801855675066
flags = 19
#2 0x8097b22 in mail_get_virtual_size (mail=0x80e9840) at mail.c:68
mail = (struct mail *) 0x80d7300
#3 0x805cf4d in fetch_rfc822_size (ctx=0x80de088, mail=0x80e9840, context=0x0)
at imap-fetch-body.c:839
ctx = (struct imap_fetch_context *) 0x80d7300
size = 135099136
#4 0x805b395 in imap_fetch (ctx=0x80de088) at imap-fetch.c:265
ctx = (struct imap_fetch_context *) 0x80de088
handlers = (struct imap_fetch_context_handler *) 0x80de1a8
ret = 1
#5 0x8056e0b in cmd_fetch (cmd=0x80db044) at cmd-fetch.c:171
cmd = (struct client_command_context *) 0x80db044
client = (struct client *) 0x80db000
ctx = (struct imap_fetch_context *) 0x80de088
args = (struct imap_arg *) 0x80dc048
search_arg = (struct mail_search_arg *) 0x80de050
messageset = 0x37 <Address 0x37 out of bounds>
ret = 135099136
#6 0x805955a in cmd_uid (cmd=0x80db044) at cmd-uid.c:19
cmd = (struct client_command_context *) 0x80db044
cmd_name = 0x80dc0f8 "FETCH"
#7 0x8059f45 in client_handle_input (cmd=0x80db044) at client.c:382
cmd = (struct client_command_context *) 0x80db044
client = (struct client *) 0x80db000
#8 0x805a01e in _client_input (context=0x80db000) at client.c:433
client = (struct client *) 0x80db000
cmd = (struct client_command_context *) 0x80db044
ret = 2
#9 0x80a9608 in io_loop_handler_run (ioloop=0x80d7000) at ioloop-poll.c:199
ctx = (struct ioloop_handler_context *) 0x80cb0a0
pollfd = (struct pollfd *) 0x2
tv = {tv_sec = 0, tv_usec = 926624}
io = (struct io *) 0x80cb4a0
t_id = 2
msecs = 135099136
ret = 0
call = 135099136
#10 0x80a901d in io_loop_run (ioloop=0x80d7000) at ioloop.c:281
ioloop = (struct ioloop *) 0x80d7000
#11 0x8060f1d in main (argc=1, argv=0xbfbff5f0, envp=0xbfbff5f8) at main.c:280
On Sun, 2006-12-10 at 15:07 +0100, Cor Bosman wrote:
> Hi all, I've seen a few segfaults in RC15. It's hard for me to reproduce
> but I was able to get a core when it happened with one of our customers.
>
> RC15
> FreeBSD 4.10
> X86
> NFS/NetApp

Are the index files in NFS also? See if this patch makes it give
corrupted index file errors instead:
http://dovecot.org/list/dovecot-cvs/2006-December/007059.html