dovecot - May 2008 - Segfault in imap_bodystructure_write when searching

Whenever I try to search on my dovecot test install, dovecot dies. It 
immediately spawns a new process, which the client tries to connect to, and 
send search commands to, causing that to die, and so forth. This loop means I 
have to kill either the server or the client.

Running Dovecot 1.0.13 from/on Debian testing, rebuilt with vpopmail support 
and no other source changes. Vpopmail version is 5.4.25, latest stable.
Client is Mulberry 4.0.8, and the crash seems to occur whenever any type of 
search is performed, be it subject, sender, body etc. Otherwise the server 
behaves fine.

dovecot -n output:

# 1.0.13: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
listen: *:9000
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
login_greeting_capability: yes
login_max_processes_count: 256
first_valid_uid: 89
mail_location: maildir:~/Maildir
mail_debug: yes
dotlock_use_excl: yes
maildir_copy_with_hardlinks: yes
maildir_copy_preserve_filename: yes
mail_drop_priv_before_exec: yes
mail_plugins: quota imap_quota
imap_client_workarounds: outlook-idle delay-newmail
auth default:
  user: vpopmail
  verbose: yes
  passdb:
    driver: vpopmail
  userdb:
    driver: vpopmail
plugin:
  quota: maildir


Anonymized log excerpt:

May 31 21:01:24 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:24 betty dovecot: child 21748 (imap) killed with signal 11
May 31 21:01:24 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:24 betty dovecot: child 21752 (imap) killed with signal 11
May 31 21:01:24 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:25 betty dovecot: child 21753 (imap) killed with signal 11
May 31 21:01:25 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:25 betty dovecot: child 21759 (imap) killed with signal 11
May 31 21:01:25 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:25 betty dovecot: child 21774 (imap) killed with signal 11
May 31 21:01:25 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:25 betty dovecot: child 21775 (imap) killed with signal 11
May 31 21:01:25 betty dovecot: imap-login: Login: user=<foo at bar.com>, 
method=PLAIN, rip=1.2.3.4, lip=4.3.2.1
May 31 21:01:25 betty dovecot: child 21776 (imap) killed with signal 11
...


Backtrace:

betty - ~vpopmail/domains/bar.com/foo # gdb /usr/lib/dovecot/imap core
GNU gdb 6.7.1-debian
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/i686/cmov/libdl.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib/i686/cmov/libdl.so.2
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols 
found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from 
/usr/lib/dovecot/modules/imap/lib10_quota_plugin.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Reading symbols from 
/usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Reading symbols from /usr/lib/gconv/ISO8859-1.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/gconv/ISO8859-1.so
(no debugging symbols found)
Core was generated by `imap'.
Program terminated with signal 11, Segmentation fault.
#0  0x080a539d in imap_bodystructure_write ()
(gdb) bt full
#0  0x080a539d in imap_bodystructure_write ()
No symbol table info available.
#1  0x08083b5c in ?? ()
No symbol table info available.
#2  0x080fa698 in ?? ()
No symbol table info available.
#3  0x080fae60 in ?? ()
No symbol table info available.
#4  0x00000001 in ?? ()
No symbol table info available.
#5  0x080fa660 in ?? ()
No symbol table info available.
#6  0x080fae40 in ?? ()
No symbol table info available.
#7  0x080fae40 in ?? ()
No symbol table info available.
#8  0xbfc90328 in ?? ()
No symbol table info available.
#9  0x080b0520 in _buffer_free ()
No symbol table info available.
#10 0x08083f64 in index_mail_get_special ()
No symbol table info available.
#11 0x080703f4 in ?? ()
No symbol table info available.
#12 0x080f8c08 in ?? ()
No symbol table info available.
#13 0x00002000 in ?? ()
No symbol table info available.
#14 0x00000001 in ?? ()
No symbol table info available.
#15 0x080bc105 in o_stream_send_str ()
No symbol table info available.
#16 0x0805f26e in ?? ()
No symbol table info available.
#17 0x080f8c08 in ?? ()
No symbol table info available.
#18 0x00002000 in ?? ()
No symbol table info available.
#19 0x00000001 in ?? ()
No symbol table info available.
#20 0x00000000 in ?? ()


Any help would be greatly appreciated.

-- 
  -==-                  -=-                  -==-
   Christer Mjellem Strand               yitzhaq
   System administrator             ICQ: 9557698
   GSM +47 922 000 12     JID: yitzhaq at jabber.no
  -==-                  -=-                  -==-

On Sat, 2008-05-31 at 21:36 +0200, Christer Mjellem Strand
wrote:
> Whenever I try to search on my dovecot test install, dovecot dies. It 
> immediately spawns a new process, which the client tries to connect to, and
> send search commands to, causing that to die, and so forth. This loop means
I
> have to kill either the server or the client.
Your dovecot.index.cache file is probably broken somehow. Try moving
dovecot.index* files elsewhere and see if it works then? If it does and
dovecot.index.cache doesn't contain anything too sensitive
(subjects/from/to addresses), could you send me the dovecot.index*
files?

If it crashes even without dovecot.index* files then the mails
themselves contain a broken message. It would help if I could get that
message.
> betty - ~vpopmail/domains/bar.com/foo # gdb /usr/lib/dovecot/imap core
..
> (no debugging symbols found)
> Core was generated by `imap'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x080a539d in imap_bodystructure_write ()
> (gdb) bt full
> #0  0x080a539d in imap_bodystructure_write ()
> No symbol table info available.
> #1  0x08083b5c in ?? ()
Unfortunately this backtrace is almost completely broken and it doesn't
really help.. You also could try compiling Dovecot itself with debug
symbols and getting backtrace from it. That'd probably work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20080601/bf8efee1/attachment-0002.bin>

>> Whenever I try to search on my dovecot test install, dovecot dies. It
>> immediately spawns a new process, which the client tries to connect to,
>> and send search commands to, causing that to die, and so forth. This
loop
>> means I have to kill either the server or the client.
>
> Your dovecot.index.cache file is probably broken somehow. Try moving
> dovecot.index* files elsewhere and see if it works then? If it does and
> dovecot.index.cache doesn't contain anything too sensitive
> (subjects/from/to addresses), could you send me the dovecot.index*
> files?
>
> If it crashes even without dovecot.index* files then the mails
> themselves contain a broken message. It would help if I could get that
> message.
Bullseye. Why did I fail to mention that I was trying to use uiddb from 
Courier? :P
Using your conversion script fixed it, but simply copying the Courier file 
crashed Dovecot. According to http://wiki.dovecot.org/Migration/Courier this 
is supposed to work though, so either that page is wrong, or Dovecot has a 
bug.
>> betty - ~vpopmail/domains/bar.com/foo # gdb /usr/lib/dovecot/imap core
> ..
>> (no debugging symbols found)
>> Core was generated by `imap'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x080a539d in imap_bodystructure_write ()
>> (gdb) bt full
>> #0  0x080a539d in imap_bodystructure_write ()
>> No symbol table info available.
>> #1  0x08083b5c in ?? ()
>
> Unfortunately this backtrace is almost completely broken and it doesn't
> really help.. You also could try compiling Dovecot itself with debug
> symbols and getting backtrace from it. That'd probably work.
I tried reproducing now, but it seems it's started working even when moving 
all dovecot files and copying courierimapuiddb to dovecot-uidlist. If I see 
it again I'll send you a copy of the file offlist.

Thanks.

-- 
  -==-                  -=-                  -==-
   Christer Mjellem Strand               yitzhaq
   System administrator             ICQ: 9557698
   GSM +47 922 000 12     JID: yitzhaq at jabber.no
  -==-                  -=-                  -==-