After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 331099 - Implement CamelArgV and CamelArgGetV using flexible arrays
Implement CamelArgV and CamelArgGetV using flexible arrays
Status: RESOLVED OBSOLETE
Product: evolution-data-server
Classification: Platform
Component: Mailer
1.4.x (obsolete)
Other All
: High critical
: ---
Assigned To: Veerapuram Varadhan
Evolution QA team
: 331208 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2006-02-14 08:21 UTC by Eric Anholt
Modified: 2013-09-10 13:42 UTC
See Also:
GNOME target: ---
GNOME version: 2.11/2.12

Attachments
Fix the allocation by being slightly liberal. (379 bytes, patch)
2006-02-14 08:23 UTC, Eric Anholt 		rejected Details | Review
Updated fix. (706 bytes, patch)
2006-08-28 11:35 UTC, Veerapuram Varadhan 		committed Details | Review
Local FreeBSD patch to fix allocation problems (929 bytes, patch)
2007-01-21 20:58 UTC, Joe Marcus Clarke 		none Details | Review
patch (1.14 KB, patch)
2007-01-26 09:58 UTC, Kjartan Maraas 		none Details | Review
Interim patch (1.19 KB, patch)
2007-05-11 13:29 UTC, Matthew Barnes 		committed Details | Review

Description Eric Anholt 2006-02-14 08:21:38 UTC 
Steps to reproduce:
1. Install evolution-data-server-1.4.2.1_1 and evolution-2.4.2.1 on FreeBSD/amd64.
2. Start evolution
3. Watch your disk thrash until you've filled your 2GB of swap and the OOM
killer finally kicks in

Stack trace:

+ Trace 66156

  • #0 memset
    from /lib/libc.so.6
  • #1 reallocf
    from /lib/libc.so.6
  • #2 malloc
    from /lib/libc.so.6
  • #3 cobject_state_read
    from /usr/X11R6/lib/libcamel-1.2.so.0
  • #4 camel_object_state_read
    from /usr/X11R6/lib/libcamel-1.2.so.0
  • #5 camel_local_folder_construct
    from /usr/X11R6/lib/evolution-data-server-1.2/camel-providers/libcamellocal.so
  • #6 get_folder
    from /usr/X11R6/lib/evolution-data-server-1.2/camel-providers/libcamellocal.so
  • #7 camel_store_get_folder
    from /usr/X11R6/lib/libcamel-provider-1.2.so.6
  • #8 mc_setup_local_store
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #9 mail_component_get_folder
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #10 setup_send_data
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #11 mail_receive_uri
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #12 auto_timeout
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #13 auto_online
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #14 camel_object_trigger_event
    from /usr/X11R6/lib/libcamel-1.2.so.0
  • #15 impl_setLineStatus
    from /usr/X11R6/lib/evolution/2.4/components/libevolution-mail.so
  • #16 ORBit_c_stub_invoke
    from /usr/local/lib/libORBit-2.so.0
  • #17 GNOME_Evolution_Component_setLineStatus
    from /usr/X11R6/lib/evolution/2.4/libeshell.so.0
  • #18 e_shell_attempt_upgrade
  • #19 e_shell_construct
  • #20 e_shell_new
  • #21 es_menu_hook_get_type
  • #22 g_main_context_dispatch
    from /usr/local/lib/libglib-2.0.so.0
  • #23 g_main_context_acquire
    from /usr/local/lib/libglib-2.0.so.0
  • #24 g_main_loop_run
    from /usr/local/lib/libglib-2.0.so.0
  • #25 bonobo_main
    from /usr/local/lib/libbonobo-2.so.0
  • #26 main 


Other information:
Frame #3 is at line 457 of camel-object.c, and "count" is 1.  Workaround patch
to follow.
Comment 1 Eric Anholt 2006-02-14 08:23:44 UTC 
Created attachment 59310 [details] [review]
Fix the allocation by being slightly liberal.

Attached patch fixes the problem for me.  I suspect some issue with type promotion causing a negative (i.e. huge) size to be allocated, but I don't know the rules enough to say for sure.
Comment 2 Joe Marcus Clarke 2006-02-17 06:40:31 UTC 
I verified that on all 64-bit FreeBSD platforms (amd64, sparc64, and ia64), the following code results in sz being 68719476768:

sz = (sizeof (*argv) + (count - CAMEL_ARGV_MAX) * sizeof(argv->argv[0]));

If count == 1.

The same happens on 64-bit Solaris, but instead of malloc'ing the memory, Solaris returns EAGAIN.

On i386, sz is 20 in this example.  Another thought I had about fixing this is explicitly casting the argument to g_try_malloc() to be a guint32.  So:

argv = g_try_malloc ((guint32) (sizeof (*argv) + (count - CAMEL_ARGV_MAX) * sizeof(argv->argv[0])));

By doing this, sz in the above example would be 20 on i386, and 48 on 64-bit FreeBSD architectures.
Comment 3 Joe Marcus Clarke 2006-02-20 00:07:10 UTC 
*** Bug 331208 has been marked as a duplicate of this bug. ***
Comment 4 Harish Krishnaswamy 2006-06-07 08:55:25 UTC 
bumping priority and targeting this to the next release. Assigning it to camel hackers for patch review.
Comment 5 Veerapuram Varadhan 2006-08-28 11:30:09 UTC 
I would rather put it like...

argv = g_try_malloc ((gulong) (sizeof (*argv) + (count - CAMEL_ARGV_MAX) *
sizeof(argv->argv[0])));

as per the glib documentations.
Comment 6 Veerapuram Varadhan 2006-08-28 11:35:25 UTC 
Created attachment 71764 [details] [review]
Updated fix.

Cast the output of the calculation to gulong, as per the glib documentation.
Comment 7 Kjartan Maraas 2006-09-21 08:52:52 UTC 
Did anyone have a chance to test this patch?
Comment 8 Eric Anholt 2006-09-27 07:01:47 UTC 
I won't be able to as in the 9 months since I filed this bug, I've stopped using that machine.
Comment 9 Jeffrey Stedfast 2007-01-21 20:34:45 UTC 
based on Joe's comments/patch, looks like Varadhan's patch should work fine, right? if so, I'd suggest committing.
Comment 10 Joe Marcus Clarke 2007-01-21 20:57:24 UTC 
Yes, this works, but there is another place in the same camel-object.c that needs attention.  Attached is the local patch we are currently using.
Comment 11 Joe Marcus Clarke 2007-01-21 20:58:03 UTC 
Created attachment 80830 [details] [review]
Local FreeBSD patch to fix allocation problems
Comment 12 Kjartan Maraas 2007-01-25 13:54:14 UTC 
But this last patch also changes the previous patch from gulong to guint32? Can we agree on one fix? :-)
Comment 13 Joe Marcus Clarke 2007-01-25 16:52:51 UTC 
Sorry I wasn't clear.  The gulong cast works, but I just submitted my patch to show you the other place where the cast is needed.
Comment 14 Kjartan Maraas 2007-01-26 09:58:58 UTC 
Created attachment 81259 [details] [review]
patch
Comment 15 Kjartan Maraas 2007-01-26 09:59:46 UTC 
Attached a new patch using gulong in those two cases too then. The updated patch has been commited so I marked it as such.
Comment 16 Matthew Barnes 2007-04-03 12:04:52 UTC 
Any chance we could redefine CamelArgv to use a flexible array?  Then we could do away with CAMEL_ARGV_MAX altogether and the allocation would simply be:

   g_try_malloc (sizeof(CamelArgV) + count * sizeof(CamelArg))
Comment 17 Srinivasa Ragavan 2007-05-11 11:30:47 UTC 
Matthew/Varadhan/Sankar: Guys any stand on the comment #14 and comment $16 ? Can we get one of this in for 2.11.2?
Comment 18 Veerapuram Varadhan 2007-05-11 13:14:46 UTC 
(In reply to comment #16)
> Any chance we could redefine CamelArgv to use a flexible array?  Then we could
> do away with CAMEL_ARGV_MAX altogether and the allocation would simply be:
> 
>    g_try_malloc (sizeof(CamelArgV) + count * sizeof(CamelArg))
> 
That would be just great, but, it would result in ABI break.  Neverthless, I think its a good idea to make it a flexible array.

Matthew: got anything in mind?
Comment 19 Matthew Barnes 2007-05-11 13:29:47 UTC 
Created attachment 88009 [details] [review]
Interim patch

I started on a patch for that late last year.  I'll try to finish it.

This is the patch we wound up using in RHEL 5.  It keeps the intermediate values in the expression from going negative.  There's two places where this happens.
Comment 20 Veerapuram Varadhan 2007-05-11 14:00:39 UTC 
(In reply to comment #19)
> Created an attachment (id=88009) [edit]
> Interim patch
> 
> I started on a patch for that late last year.  I'll try to finish it.
> 
> This is the patch we wound up using in RHEL 5.  It keeps the intermediate
> values in the expression from going negative.  There's two places where this
> happens.
> 
patch re-phrases the calculation in a better way - however, just thinking of why can't we make CamelArg a flexible array, as in both the cases we know the count of CamelArgs that we need.
Comment 21 Matthew Barnes 2007-05-11 17:32:09 UTC 
Sure.  I was offering the patch as a temporary fix for 1.10.2 until I or someone else can write the flexible array patch.  Sorry if I wasn't clear on that.
Comment 22 Srinivasa Ragavan 2007-06-10 18:44:26 UTC 
Guys, lets commit the interim patch for stable and head and rephrase the bug then.

Lets get this in before it becomes too late. This is an important bug IMHO.
Comment 23 Matthew Barnes 2007-06-11 01:54:10 UTC 
Interim patch committed to trunk (revision 7813) and stable (revision 7814).

The bug is now about making CamelArgV and CamelArgGetV use flexible arrays and doing away with the hard limit CAMEL_ARGV_MAX.  Changing summary appropriately.
Comment 24 Kandepu Prasad 2008-08-07 08:39:48 UTC 
Any further progress in this? What is the call?
Comment 25 Matthew Barnes 2008-08-07 14:37:21 UTC 
My plan for Camel is to convert CamelObject to a GObject subclass, deprecate most of the CamelObject API, and kill CamelArgV and CamelArgGetV entirely in favor of GObject properties.  Probably won't happen until after 2.24, though.

Once done, and if no one objects to my plan, I'll close this bug as OBSOLETE.
Comment 26 Kjartan Maraas 2010-12-16 17:49:29 UTC 
Closing now that this has been done.