Core dump from cyrusdb_skiplist.c

[DEMBKOWSKI, Henryk (Henryk)]

Hi,  


We are using cyrus-imapd-2.3.7 to store our messages.
And we got core from imap - file cyrusdb_skiplist.c


#0  myforeach (db=0x814b618, prefix=0xbfffb8c0 "user.6165602930", prefixlen=16, goodp=0x8087dc0 <find_p>,
    cb=0x80871d0 <find_cb>, rock=0xbfffb8b0, tid=0xbfffc91c) at cyrusdb_skiplist.c:1019
1019                    ptr = db->map_base + FORWARD(ptr, 0);
(gdb) t 1
[Switching to thread 1 (process 14237)]#0  myforeach (db=0x814b618, prefix=0xbfffb8c0 "user.6165602930", prefixlen=16,
    goodp=0x8087dc0 <find_p>, cb=0x80871d0 <find_cb>, rock=0xbfffb8b0, tid=0xbfffc91c) at cyrusdb_skiplist.c:1019
1019                    ptr = db->map_base + FORWARD(ptr, 0);
(gdb) where
#0  myforeach (db=0x814b618, prefix=0xbfffb8c0 "user.6165602930", prefixlen=16, goodp=0x8087dc0 <find_p>,
    cb=0x80871d0 <find_cb>, rock=0xbfffb8b0, tid=0xbfffc91c) at cyrusdb_skiplist.c:1019
#1  0x08087ecf in annotatemore_findall (mailbox=0x814b618 "@ş\024\b\a", entry=0x80b4834 "*", proc=0x4effb8, rock=0x4effb8,
    tid=0xbfffc91c) at annotate.c:391
#2  0x0808801b in annotatemore_rename (oldmboxname=0xbfffd730 "user.6165602930",
    newmboxname=0x4effb8 <Address 0x4effb8 out of bounds>, olduserid=0x4effb8 <Address 0x4effb8 out of bounds>,
    newuserid=0x4effb8 <Address 0x4effb8 out of bounds>) at annotate.c:2093
#3  0x08055e39 in cmd_rename (tag=0x8151a28 "1", oldname=0x8151b08 "user.6165602930", newname=0x81c6010 "user.6163078011",
    partition=0x0) at imapd.c:5408
#4  0x0805e3ac in cmdloop () at imapd.c:1532
#5  0x08060a57 in service_main (argc=1, argv=0x8149008, envp=0xbffffd64) at imapd.c:789
#6  0x0804c3a8 in main (argc=3, argv=0xbffffd54, envp=0xbffffd64) at service.c:532


It refers to function myforeach() and code


    980             /* save KEY, KEYLEN */
    981             if (KEYLEN(ptr) > savebuflen) {
    982                 savebuflen = KEYLEN(ptr) + 1024;
    983                 savebuf = xrealloc(savebuf, savebuflen);
    984             }
    985             memcpy(savebuf, KEY(ptr), KEYLEN(ptr));
    986             savebufsize = KEYLEN(ptr);
    987
    988             /* make callback */
    989             cb_r = cb(rock, KEY(ptr), KEYLEN(ptr), DATA(ptr), DATALEN(ptr));
    990             if (cb_r) break;
    991
    992             if (!tid) {
    993                 /* grab a r lock */
    994                 if ((r = read_lock(db)) < 0) {
    995                     return r;
    996                 }
    997             } else {
    998                 /* make sure we're up to date */
    999                 update_lock(db, tp);
   1000             }
   1001
   1002             /* reposition */
   1003             if (!(ino == db->map_ino && sz == db->map_size)) {
   1004                 /* something changed in the file; reseek */
   1005                 ptr = find_node(db, savebuf, savebufsize, 0);
   1006
   1007                 /* 'ptr' might not equal 'savebuf'.  if it's different,
   1008                    we want to stay where we are.  if it's the same, we
   1009                    should move on to the next one */
   1010                 if (savebufsize == KEYLEN(ptr) &&
   1011                     !memcmp(savebuf, KEY(ptr), savebufsize)) {
   1012                     ptr = db->map_base + FORWARD(ptr, 0);
   1013                 } else {
   1014                     /* 'savebuf' got deleted, so we're now pointing at the
   1015                        right thing */
   1016                 }
   1017             } else {
   1018                 /* move to the next one */
   1019                 ptr = db->map_base + FORWARD(ptr, 0);
   1020             }
   1021         } else {
   1022             /* we didn't make the callback; keep going */
   1023             ptr = db->map_base + FORWARD(ptr, 0);
   1024         }
   1025     }



Do you know something about it?



Kind Regards,
Henryk