dovecot - Oct 2009 - Dovecot 1.2.6 segfault in imap_fetch_begin

We recently upgraded from Dovecot 1.2.4 to 1.2.6 (with the sieve patches
of course). Everything has been running quite well since the upgrade.
The occasional issue with assert-crashing when expunging has gone away.

However, one of our users seems to have triggered a new issue. She's
been the only one to see it, but whenever she logs in, her imap process
segfaults immediately. It appears that the crash is a null pointer deref
in the array library, but I'm not sure what code is at fault for calling
in without checking array validity... or even if I'm on the right track.

Backtraces and some further information are available here. Cores
available on request.
http://uoregon.edu/~brandond/dovecot-1.2.6/bt.txt

Thanks,

-Brad

On Wed, 2009-10-14 at 17:14 -0700, Brandon Davidson
wrote:
> Backtraces and some further information are available here. Cores
> available on request.
> http://uoregon.edu/~brandond/dovecot-1.2.6/bt.txt
-O2 compiling has dropped one stage from the backtrace, but I think this
will fix the crash:

http://hg.dovecot.org/dovecot-1.2/rev/352eab3d6ade

There are also a few other bugs in QRESYNC handling that get fixed by
these:

http://hg.dovecot.org/dovecot-1.2/rev/f7f0bff8438a
http://hg.dovecot.org/dovecot-1.2/rev/51329696ecf5
http://hg.dovecot.org/dovecot-1.2/rev/73c4a7d325fe

I guess it would be time for 1.2.7 somewhat soon..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20091014/efce3ed6/attachment-0002.bin>

Timo,
> -----Original Message-----
> -O2 compiling has dropped one stage from the backtrace, but I think
this
> will fix the crash:
> <snip>
> I guess it would be time for 1.2.7 somewhat soon..
Thanks! As always, you're one step ahead of us with the bug fixes! I've
got one more for you that just popped up. I'm guessing that it's also
due to expunging causing sequence numbers to mixed up, and one of the
existing patches will fix it?

The error from the logs is:
Panic: file mail-transaction-log-view.c: line 108
(mail_transaction_log_view_set): assertion failed: (min_file_seq
<max_file_seq)
Raw backtrace: imap [0x49e4a0] -> imap [0x49e503] -> imap [0x49db66] ->
imap(mail_transaction_log_view_set+0x4ac) [0x48651c] ->
imap(mail_index_view_sync_begin+0xe5) [0x480055] ->
imap(index_mailbox_sync_init+0x7f) [0x45e84f] ->
imap(maildir_storage_sync_init+0x100) [0x43cd30] ->
imap(imap_sync_init+0x67) [0x428257] -> imap(cmd_sync_delayed+0x174)
[0x4284a4] -> imap(client_handle_input+0x19e) [0x420aee] ->
imap(client_input+0x5f) [0x4214df] -> imap(io_loop_handler_run+0xf8)
[0x4a61f8] -> imap(io_loop_run+0x1d) [0x4a530d] -> imap(main+0x620)
[0x428da0] -> /lib64/libc.so.6(__libc_start_main+0xf4) [0x31d5a1d994] ->
imap [0x419a89] 
dovecot: child 11758 (imap) killed with signal 6 (core dumped)

Backtrace and such here:
http://uoregon.edu/~brandond/dovecot-1.2.6/bt2.txt

Thanks again,

-Brad