Dear Maintainer, I tried to get some more information out of the kernel segfault line until a backtrace or core dump gets delivered...
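For the lines with "ip .............90e" I guess it could be related to these functions: array_append_array_i, mailbox_uidset_change, mail_search_arg_init. It might be that we hit the following line with dest_array or src_array containing a null pointer: array.h:193 i_assert(dest_array->element_size == src_array->element_size); Then we would get such a segfault instead of the assert message, because element_size sits at offset 8 in struct array, so reading it through a null struct pointer faults at address 8. Note that the disassembly below shows %r12 being tested for zero just before the load at mail_search_arg_init+302, so this candidate stays a guess until a backtrace confirms it. But sure, the underlying problem needs more context. Kind regards, Bernhard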
# Stretch amd64 qemu VM 2019-03-29
apt update
apt dist-upgrade
apt install devscripts dpkg-dev mc systemd-coredump dovecot-imapd=1:2.3.4.1-1~bpo9+1 gdb
wget https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot-imapd-dbgsym_2.3.4.1-1%7Ebpo9%2B1_amd64.deb
wget https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot-core-dbgsym_2.3.4.1-1%7Ebpo9%2B1_amd64.deb
dpkg -i dovecot-imapd-dbgsym_2.3.4.1-1~bpo9+1_amd64.deb dovecot-core-dbgsym_2.3.4.1-1~bpo9+1_amd64.deb
mkdir /home/benutzer/source/dovecot/orig -p
cd /home/benutzer/source/dovecot/orig
dget https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot_2.3.4.1-1%7Ebpo9%2B1.dsc
cd
############
From submitter:
kernel: [1691560.449117] imap[8380]: segfault at 8 ip 00007fea0c1c890e sp 00007ffdc7607150 error 4 in libdovecot-storage.so.0.0.0[7fea0c10d000+12c000]
https://www.enodev.fr/posts/decode-segfault-errors-in-dmesg.html
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/mm/fault.c?h=linux-4.9.y#n31
/*
 * Page fault error code bits:
 *
 *   bit 0 ==    0: no page found       1: protection fault
 *   bit 1 ==    0: read access         1: write access
 *   bit 2 ==    0: kernel-mode access  1: user-mode access
 *   bit 3 ==                           1: use of reserved bit detected
 *   bit 4 ==                           1: fault was an instruction fetch
 *   bit 5 ==                           1: protection keys block access
 */
enum x86_pf_error_code {
        PF_PROT         =               1 << 0,
        PF_WRITE        =               1 << 1,
        PF_USER         =               1 << 2,
        PF_RSVD         =               1 << 3,
        PF_INSTR        =               1 << 4,
        PF_PK           =               1 << 5,
};
"error 4" == 0b100
  bit 0 ==    0: no page found
  bit 1 ==    0: read access
  bit 2 ==    1: user-mode access
#############
script -c "gdb -q -ex 'set
width 0' -ex 'set pagination off' -ex 'b main' -ex 'run' --args /usr/lib/dovecot/imap" -a gdb_$(date +%Y-%m-%d_%H-%M-%S).log info share disassemble 0x00007ffff7ac15c0,0x00007ffff7b8599e kill q root@debian:~# grep "90e " gdb_2019-03-29_23-29-10.log | grep "0x8(" 0x00007ffff7ac690e <mail_search_arg_init+302>: mov 0x8(%r12),%rax 0x00007ffff7ae390e <shared_list_iter_init+30>: mov %rsi,0x8(%rsp) 0x00007ffff7b6890e <mail_index_strmap_view_sync_commit+1022>: mov %esi,0x8(%rdi) --> Could be the first line - as the second and third are writes ############# gdb -q --args /usr/lib/dovecot/imap set width 0 set pagination off b main directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib run root@debian:~# gdb -q --args /usr/lib/dovecot/imap Reading symbols from /usr/lib/dovecot/imap...Reading symbols from /usr/lib/debug/.build-id/18/305c1d9a040a3941346dc9a9a34a0839fc3bf0.debug...done. done. (gdb) set width 0 (gdb) set pagination off (gdb) b main Breakpoint 1 at 0xd510: file main.c, line 416. 
(gdb) directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap Source directories searched: /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd (gdb) directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage Source directories searched: /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd (gdb) directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib Source directories searched: /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd (gdb) run Starting program: /usr/lib/dovecot/imap Breakpoint 1, main (argc=1, argv=0x7fffffffed18) at main.c:416 416 { (gdb) print mail_search_arg_init $1 = {void (struct mail_search_args *, struct mail_search_arg *, bool, const union array__seq_range *)} 0x7ffff7ac67e0 <mail_search_arg_init> (gdb) b *$1+302 Breakpoint 2 at 0x7ffff7ac690e: file ../../src/lib/array.h, line 193. 
(gdb) info b Num Type Disp Enb Address What 1 breakpoint keep y 0x0000555555561510 in main at main.c:416 breakpoint already hit 1 time 2 breakpoint keep y 0x00007ffff7ac690e in mail_search_arg_init at ../../src/lib/array.h:193 (gdb) disassemble 0x00007ffff7ac690e-0x30,0x00007ffff7ac690e+0x30 Dump of assembler code from 0x7ffff7ac68de to 0x7ffff7ac693e: 0x00007ffff7ac68de <mail_search_arg_init+254>: (bad) 0x00007ffff7ac68df <mail_search_arg_init+255>: add %eax,(%rax) 0x00007ffff7ac68e1 <mail_search_arg_init+257>: add %al,-0x7af0dbc8(%rax) 0x00007ffff7ac68e7 <mail_search_arg_init+263>: std 0x00007ffff7ac68e8 <mail_search_arg_init+264>: add %al,(%rax) 0x00007ffff7ac68ea <mail_search_arg_init+266>: add %al,0xf000178(%rax) 0x00007ffff7ac68f0 <mail_search_arg_init+272>: test %esi,%ebx 0x00007ffff7ac68f2 <mail_search_arg_init+274>: add %al,(%rax) 0x00007ffff7ac68f4 <mail_search_arg_init+276>: add %cl,-0x75(%rcx) 0x00007ffff7ac68f7 <mail_search_arg_init+279>: jg 0x7ffff7ac6911 <mail_search_arg_init+305> 0x00007ffff7ac68f9 <mail_search_arg_init+281>: xor %esi,%esi 0x00007ffff7ac68fb <mail_search_arg_init+283>: callq 0x7ffff7abed08 0x00007ffff7ac6900 <mail_search_arg_init+288>: test %r12,%r12 0x00007ffff7ac6903 <mail_search_arg_init+291>: je 0x7ffff7ac6930 <mail_search_arg_init+336> 0x00007ffff7ac6905 <mail_search_arg_init+293>: mov (%r12),%rsi 0x00007ffff7ac6909 <mail_search_arg_init+297>: test %rsi,%rsi 0x00007ffff7ac690c <mail_search_arg_init+300>: je 0x7ffff7ac6930 <mail_search_arg_init+336> 0x00007ffff7ac690e <mail_search_arg_init+302>: mov 0x8(%r12),%rax <<<<<<<<<<<<<< 0x00007ffff7ac6913 <mail_search_arg_init+307>: cmp %rax,0x20(%r15) 0x00007ffff7ac6917 <mail_search_arg_init+311>: jne 0x7ffff7ac6bdb <mail_search_arg_init+1019> 0x00007ffff7ac691d <mail_search_arg_init+317>: mov 0x18(%r15),%rdi 0x00007ffff7ac6921 <mail_search_arg_init+321>: mov $0xffffffffffffffff,%rcx 0x00007ffff7ac6928 <mail_search_arg_init+328>: xor %edx,%edx 0x00007ffff7ac692a 
<mail_search_arg_init+330>: callq 0x7ffff7ac0e60 0x00007ffff7ac692f <mail_search_arg_init+335>: nop 0x00007ffff7ac6930 <mail_search_arg_init+336>: mov 0x8(%rsp),%rdi 0x00007ffff7ac6935 <mail_search_arg_init+341>: callq 0x7ffff7abdde8 0x00007ffff7ac693a <mail_search_arg_init+346>: test %al,%al 0x00007ffff7ac693c <mail_search_arg_init+348>: jne 0x7ffff7ac6890 <mail_search_arg_init+176> End of assembler dump. (gdb) disassemble /m 0x00007ffff7ac690e-0x10,0x00007ffff7ac690e+0x10 Dump of assembler code from 0x7ffff7ac68fe to 0x7ffff7ac691e: 193 i_assert(dest_array->element_size == src_array->element_size); 0x00007ffff7ac690e <mail_search_arg_init+302>: mov 0x8(%r12),%rax 0x00007ffff7ac6913 <mail_search_arg_init+307>: cmp %rax,0x20(%r15) 0x00007ffff7ac6917 <mail_search_arg_init+311>: jne 0x7ffff7ac6bdb <mail_search_arg_init+1019> 194 buffer_append_buf(dest_array->buffer, src_array->buffer, 0, (size_t)-1); 0x00007ffff7ac691d <mail_search_arg_init+317>: mov 0x18(%r15),%rdi 0x00007ffff7ac6921 <mail_search_arg_init+321>: mov $0xffffffffffffffff,%rcx 0x00007ffff7ac6928 <mail_search_arg_init+328>: xor %edx,%edx 0x00007ffff7ac692a <mail_search_arg_init+330>: callq 0x7ffff7ac0e60 0x00007ffff7ac692f <mail_search_arg_init+335>: nop End of assembler dump. 
$ cat -n src/lib/array.h | grep "193" -C6 187 array_append_i(&(array)->arr + ARRAY_TYPE_CHECK(array, data), \ 188 data, count) 189 190 static inline void 191 array_append_array_i(struct array *dest_array, const struct array *src_array) 192 { 193 i_assert(dest_array->element_size == src_array->element_size); 194 buffer_append_buf(dest_array->buffer, src_array->buffer, 0, (size_t)-1); 195 } 196 #define array_append_array(dest_array, src_array) \ 197 array_append_array_i(&(dest_array)->arr + ARRAY_TYPES_CHECK(dest_array, src_array), \ 198 &(src_array)->arr) 199 (gdb) disassemble /m mail_search_arg_init Dump of assembler code for function mail_search_arg_init: 21 if (arg->value.str != NULL && strcmp(arg->value.str, "$") == 0) { 0x00007ffff7ac68d5 <+245>: mov 0x28(%r15),%rax 0x00007ffff7ac68d9 <+249>: test %rax,%rax 0x00007ffff7ac68dc <+252>: je 0x7ffff7ac69e8 <mail_search_arg_init+520> 0x00007ffff7ac68e2 <+258>: cmpb $0x24,(%rax) 0x00007ffff7ac68e5 <+261>: jne 0x7ffff7ac69e8 <mail_search_arg_init+520> 0x00007ffff7ac68eb <+267>: cmpb $0x0,0x1(%rax) 0x00007ffff7ac68ef <+271>: jne 0x7ffff7ac69e8 <mail_search_arg_init+520> 22 /* SEARCHRES: Replace with saved uidset */ 23 array_clear(&arg->value.seqset); 24 if (search_saved_uidset == NULL || 0x00007ffff7ac6900 <+288>: test %r12,%r12 0x00007ffff7ac6903 <+291>: je 0x7ffff7ac6930 <mail_search_arg_init+336> 0x00007ffff7ac6905 <+293>: mov (%r12),%rsi 0x00007ffff7ac6909 <+297>: test %rsi,%rsi 0x00007ffff7ac690c <+300>: je 0x7ffff7ac6930 <mail_search_arg_init+336> 25 !array_is_created(search_saved_uidset)) 26 return; 27 28 array_append_array(&arg->value.seqset, search_saved_uidset); 29 return; 30 } 31 32 arg->type = SEARCH_SEQSET; 0x00007ffff7ac69ee <+526>: movl $0x3,0x8(%r15) 33 ... $ grep "array_append_array(&arg->value.seqset, search_saved_uidset);" . 
-Rn -C15 ./src/lib-storage/mail-search.c-13-static void ./src/lib-storage/mail-search.c-14-mailbox_uidset_change(struct mail_search_arg *arg, struct mailbox *box, ./src/lib-storage/mail-search.c-15- const ARRAY_TYPE(seq_range) *search_saved_uidset) ./src/lib-storage/mail-search.c-16-{ ./src/lib-storage/mail-search.c-17- struct seq_range *uids; ./src/lib-storage/mail-search.c-18- unsigned int i, count; ./src/lib-storage/mail-search.c-19- uint32_t seq1, seq2; ./src/lib-storage/mail-search.c-20- ./src/lib-storage/mail-search.c-21- if (arg->value.str != NULL && strcmp(arg->value.str, "$") == 0) { ./src/lib-storage/mail-search.c-22- /* SEARCHRES: Replace with saved uidset */ ./src/lib-storage/mail-search.c-23- array_clear(&arg->value.seqset); ./src/lib-storage/mail-search.c-24- if (search_saved_uidset == NULL || ./src/lib-storage/mail-search.c-25- !array_is_created(search_saved_uidset)) ./src/lib-storage/mail-search.c-26- return; ./src/lib-storage/mail-search.c-27- ./src/lib-storage/mail-search.c:28: array_append_array(&arg->value.seqset, search_saved_uidset); ./src/lib-storage/mail-search.c-29- return; ./src/lib-storage/mail-search.c-30- } ./src/lib-storage/mail-search.c-31- ./src/lib-storage/mail-search.c-32- arg->type = SEARCH_SEQSET; ./src/lib-storage/mail-search.c-33- ./src/lib-storage/mail-search.c-34- /* make a copy of the UIDs */ ./src/lib-storage/mail-search.c-35- count = array_count(&arg->value.seqset); ./src/lib-storage/mail-search.c-36- if (count == 0) { ./src/lib-storage/mail-search.c-37- /* empty set, keep it */ ./src/lib-storage/mail-search.c-38- return; ./src/lib-storage/mail-search.c-39- } ./src/lib-storage/mail-search.c-40- uids = t_new(struct seq_range, count); ./src/lib-storage/mail-search.c-41- memcpy(uids, array_idx(&arg->value.seqset, 0), sizeof(*uids) * count); ./src/lib-storage/mail-search.c-42- ./src/lib-storage/mail-search.c-43- /* put them back to the range as sequences */ $ grep "struct array {" . 
-Rn -A4 ./src/lib/array-decl.h:12:struct array { ./src/lib/array-decl.h-13- buffer_t *buffer; ./src/lib/array-decl.h-14- size_t element_size; ./src/lib/array-decl.h-15-}; ./src/lib/array-decl.h-16- ########### From submitter: kernel: [118616.482998] imap[31111]: segfault at 8 ip 00007efbff924cbb sp 00007fff0b333890 error 4 in libdovecot-storage.so.0.0.0[7efbff858000+145000] root@debian:~# grep "cbb " gdb_2019-03-29_23-29-10.log | grep "0x8(" 0x00007ffff7af5cbb <dbox_save_write_metadata+395>: mov 0x8(%rbp),%rdx 0x00007ffff7af8cbb <maildir_mail_get_special+635>: mov 0x8(%rdi),%rdi 0x00007ffff7affcbb <maildir_sync_context+699>: mov 0x8(%rdi),%rdx 0x00007ffff7b54cbb <index_sync_search_results_uidify+91>: mov 0x8(%rax),%rax -> 4 matching candidates ...