GNOME Bugzilla – Bug 332717
Copy-Paste signature cause Evolution to crash
Last modified: 2006-04-05 10:49:50 UTC
Steps to reproduce:
1) Launch Evolution -> on the top menu Goto "Edit"
2) Choose "Preferences" -> On "Mail Accounts" Choose your current account.
3) Click "Edit" -> On "Identity" tab choose "Signature" to "Autogenerated" -> Ok.
4) Send a new email -> Copy and paste the signature by "Ctrl+C"
5) Then paste it by using "Ctrl+V" press it continuously.

Stack trace:
cfba93d5 waitid (0, 6c71, 8046730, 3)
cfb9ccab waitpid (6c71, 8046844, 0) + 70
d1a513da libgnomeui_segv_handle (b) + aa
08075cc7 segv_redirect (b, 0, 8046904) + 27
cfba7a8f __sighndlr (b, 0, 8046904, 8075ca0) + f
cfb9d814 call_user_handler (b, 0, 8046904) + 247
cfb9d99c sigacthandler (b, 0, 8046904) + bc
--- called from signal handler with signal 11 (SIGSEGV) ---
d0cbe4d5 g_slice_alloc (c) + 105
d0cbe52a g_slice_alloc0 (c) + 1e
d0ca6bba g_list_alloc (8115038, 2, d0d945e8, 14, 8115038, 8115038) + 1a
d0d5c690 g_object_init (8e2f4b0, 81150d0) + 58
d0d74580 g_type_create_instance (8115038) + 2e4
d0d5e3a7 g_object_constructor (8115038, 0, 0) + 23
d0d5d93b g_object_newv (8115038, 0, 0) + 357
d0d5e346 g_object_new_valist (8115038, 0, 8046e84) + 392
d0d5d506 g_object_new (8115038, 0) + 62
d0f972de gdk_pixmap_new (883b278, 241, 31, ffffffff) + 156
d1c20a21 begin (83abcc8, a, 3a, 24a, 6a) + 111
d1c34bf2 html_painter_begin (83abcc8, a, 3a, 24a, 6a) + 102
d1c17f4c html_engine_draw_real (83a8258, a, 3a, 240, 30, 1) + 3bc
d1c180db html_engine_expose (83a8258, 80474bc) + 8b
d1bc8528 expose (9320800, 80474bc, 810cb30) + 48
d1323f51 _gtk_marshal_BOOLEAN__BOXED (81e2848, 80470d0, 2, 804718c, 80470ec, d1bc84e0) + 71
d0d5aba1 g_type_class_meta_marshal (81e2848, 80470d0, 2, 804718c, 80470ec, c8) + 4d
d0d5a8a6 g_closure_invoke (81e2848, 80470d0, 2, 804718c, 80470ec) + 112
d0d6fd21 signal_emit_unlocked_R (81e2060, 0, 9320800, 804730c, 804718c) + 995
d0d6eb7b g_signal_emit_valist (9320800, 57, 0, 8047400) + 663
d0d6ef81 g_signal_emit (9320800, 57, 0, 80474bc, 8047424) + 29
d1405aaa gtk_widget_event_internal (9320800, 80474bc) + 212
d14057f6 gtk_widget_send_expose (9320800, 80474bc) + 82
d1321b94 gtk_main_do_event (80474bc, 0) + 40c
d0f7e7e7 gdk_window_process_updates_internal (883b278) + 15b
d0f7e882 gdk_window_process_all_updates (d0d13fa8, 8047560, d0cac6ab, 0, d0d13fa8, 80475e8) + 66
d0f7e626 gdk_window_update_idle (0) + 26
d0cac6ab g_idle_dispatch (8a42e70, d0f7e600, 0) + 1f
d0ca9664 g_main_dispatch (80b43a8) + 1c8
d0caa74d g_main_context_dispatch (80b43a8) + 85
d0caab6d g_main_context_iterate (80b43a8, 1, 1, 809a448) + 3d1
d0cab172 g_main_loop_run (81ad948) + 1ba
d178f40e bonobo_main (80478a8, 80477d0, d27fb840, 8047720, 8047790, 8162670) + 5e
080762fd main (1, 8047814, 804781c) + 47d
0806256a _start (1, 8047910, 0, 8047920, 80479a0, 80479a4) + 7a

It seems that the stack traces are not the same every time. This is another one:
d0cbe4d5 g_slice_alloc (c, 88410e0, 10, cc701a34, 82da068, 8046df4) + 105
d14daba4 pango_ot_buffer_new (88410e0) + 1c
cc6f158a basic_engine_shape (8381300, 88410e0, 8ccb3da, 10, 8ce3f24, 8dde500) + 8a
d0e13f15 _pango_engine_shape_shape (8381300, 88410e0, 8ccb3da, 10, 8ce3f24, 8dde500) + 41
d0e23422 pango_shape (8ccb3da, 10, 8ce3f24, 8dde500) + f2
d1c513a4 html_text_get_pango_info (8dd6180, 83ab1d8) + 3e4
d1c4fe0f html_text_calc_part_width (8dd6180, 83ab1d8, 8ccb3d0, 0, 1b, 8dd619c) + 1cf
d1c500c8 calc_preferred_width (8dd6180, 83ab1d8) + 58
d1c2f898 html_object_calc_preferred_width (8dd6180, 83ab1d8) + 48
d1be1a7e calc_preferred_width (8dd8d00, 83ab1d8) + 5e
d1c2f898 html_object_calc_preferred_width (8dd8d00, 83ab1d8) + 48
d1bdc94c calc_preferred_width (8de2080, 83ab1d8) + 4c
d1be968d calc_preferred_width (8de2080, 83ab1d8) + 3d
d1c4c61e calc_preferred_width (8de2080, 83ab1d8) + ae
d1c2f898 html_object_calc_preferred_width (8de2080, 83ab1d8) + 48
d1c45dcd calc_column_width_step (80a2d00, 83ab1d8, 8c6d950, 8dd7e70, d1c2f850, 1) + 14d
d1c463f3 calc_column_width_template (80a2d00, 83ab1d8, 8c6d950, d1c2f850, 8c6d950) + 123
d1c47cd5 calc_min_width (80a2d00, 83ab1d8) + 55
d1c2f808 html_object_calc_min_width (80a2d00, 83ab1d8) + 48
d1c49b9d html_table_set_max_width (80a2d00, 83ab1d8, 240) + 6d
d1c2f59e html_object_set_max_width (80a2d00, 83ab1d8, 240) + 3e
d1be05ab set_max_width (8dd2600, 83ab1d8, 240) + 6b
d1c2f59e html_object_set_max_width (8dd2600, 83ab1d8, 240) + 3e
d1be9760 set_max_width (8bd9ed8, 83ab1d8, 240) + 80
d1c2f59e html_object_set_max_width (8bd9ed8, 83ab1d8, 240) + 3e
d1c188de html_engine_calc_size (83a8618, 8047464) + 11e
d1c1a523 thaw_idle (83a8618) + c3
d0cac6ab g_idle_dispatch (8675e30, d1c1a460, 83a8618) + 1f
d0ca9664 g_main_dispatch (80b4448) + 1c8
d0caa74d g_main_context_dispatch (80b4448) + 85
d0caab6d g_main_context_iterate (80b4448, 1, 1, 80995a8) + 3d1
d0cab172 g_main_loop_run (81ad9f8) + 1ba
d178f40e bonobo_main (80477cc, 80476f0, d27fb840, 8047640, 80476b0, 8162770) + 5e
080762fd main (1, 8047734, 804773c) + 47d
0806256a _start (1, 8047834, 0, 8047867, 80478a5, 80478ec) + 7a

Other information:
I find the real cause!
In function htmlengine-edit-cut-and-paste.c:insert_object_do

894 remove_empty_and_merge (e, TRUE, last, right, orig);
895 remove_empty_and_merge (e, TRUE, left, first, orig);
896
897 g_list_free (first);
898 g_list_free (last);
899 g_list_free (left);
900 g_list_free (right);

the glist may be freed twice because in function remove_empty_and_merge, the list will be freed in some cases.

In function remove_empty_and_merge

245 while (left && left->data && right && right->data) {
246
247     lo = HTML_OBJECT (left->data);
248     ro = HTML_OBJECT (right->data);
249
250     left = left->next;
251     right = right->next;
252
:
:
312     if (merge && lo && ro) {
313         if (!html_object_merge (lo, ro, e, &left, &right, c))
314             break;
315         if (ro == e->cursor->object) {
316             e->cursor->object = lo;
317             e->cursor->offset += html_object_get_length (lo);;
318         }
319     }

while doing table merge, two glists of left and right will be freed first. But at this time, left and right are not headers of the list.
It is not so easy to reproduce this bug in Linux, but if you paste many times, it will happen. You can test it with an example program of GTKHtml, test_editor. If you can't reproduce it when you paste, you can close the application. Perhaps it will crash.
This is a gtkhtml bug. Please change the Product.
Created attachment 60302
Clone glist object to prevent it from being freed twice

Hi, the patch focuses on two points:
1. A glist should not be freed twice.
2. A glist should be freed from the header while not from some elements amid it.
So I add some temporary variables and glist objects to ensure this.
(In reply to comment #1)
> I find the real cause!
> In function htmlengine-edit-cut-and-paste.c:insert_object_do
>
> 894 remove_empty_and_merge (e, TRUE, last, right, orig);
> 895 remove_empty_and_merge (e, TRUE, left, first, orig);
> 896
> 897 g_list_free (first);
> 898 g_list_free (last);
> 899 g_list_free (left);
> 900 g_list_free (right);
>
> the glist may be freed twice because in function remove_empty_and_merge, the
> list will be freed in some cases.
>
> In function
> remove_empty_and_merge
>
> 245 while (left && left->data && right && right->data) {
> 246
> 247     lo = HTML_OBJECT (left->data);
> 248     ro = HTML_OBJECT (right->data);
> 249
> 250     left = left->next;
> 251     right = right->next;
> 252
> :
> :
> 312     if (merge && lo && ro) {
> 313         if (!html_object_merge (lo, ro, e, &left,
> &right, c))
> 314             break;
> 315         if (ro == e->cursor->object) {
> 316             e->cursor->object = lo;
> 317             e->cursor->offset +=
> html_object_get_length (lo);;
> 318         }
> 319     }
>
>
> while doing table merge, two glists of left and right will be freed first. But
> at this time, left and right are not headers of the list.
>

In htmltable.c::merge

631 if (!could_merge (t1, t2))
632     return FALSE;
633
634 g_list_free (*left);
635 *left = NULL;
636 g_list_free (*right);
637 *right = NULL;

left and right glists are freed
On Linux, you can reproduce this bug by:
1. Select all text in a table cell
2. press Ctrl+C
3. press Ctrl+V many times.
Patch works fine. Crash doesn't occur anymore
Committed the patch to HEAD and gnome-2-14 branch.
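
The ownership problem discussed in this report (a callee that advances its list pointer and then frees from there, while the caller frees the same list again from its head) can be modelled without GLib. The C program below is an added example, not code from gtkhtml or from the attached patch; Node, the static pool and the merge_* and run_* functions are hypothetical, and nodes are only marked as freed so that a repeated free is counted rather than executed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for GList: nodes come from a static pool and are only
   marked as freed, so a repeated free is counted, not executed. */
typedef struct Node { struct Node *next; int freed; } Node;
static Node pool[16];
static int used, double_frees;

static void reset(void) { memset(pool, 0, sizeof pool); used = double_frees = 0; }
static Node *new_list(int n) {            /* chain the next n pool nodes */
    Node *head = &pool[used];
    for (int i = 0; i < n; i++, used++)
        pool[used].next = (i + 1 < n) ? &pool[used + 1] : NULL;
    return head;
}
/* Like g_list_free(): releases the given node and everything after it. */
static void list_free(Node *l) {
    for (; l; l = l->next) { if (l->freed) double_frees++; l->freed = 1; }
}
/* Number of nodes handed out but never freed. */
static int leaks(void) { int n = 0; for (int i = 0; i < used; i++) n += !pool[i].freed; return n; }

/* Pattern from the thread: the callee advances its pointer, then frees from
   there; the caller still holds the head and frees the list again. */
static void merge_buggy(Node *cur) { cur = cur->next; list_free(cur); }
int run_buggy(void) {                     /* nodes 2..4 are released twice */
    reset(); Node *left = new_list(4);
    merge_buggy(left); list_free(left);
    return double_frees;
}
/* If the caller skips its own free instead, the head node is never released. */
int run_mid_only(void) { reset(); merge_buggy(new_list(4)); return leaks(); }

/* One fix (hypothetical): the callee gets its own copy, keeps the head in a
   temporary and frees from it; the caller frees only its own list. */
static void merge_fixed(Node *own) {
    Node *head = own;
    while (own->next) own = own->next;    /* pointer moves, head is kept */
    list_free(head);
}
int run_fixed(void) {                     /* 0 = no double free, no leak */
    reset(); Node *left = new_list(4);
    merge_fixed(new_list(4));             /* stands in for g_list_copy(left) */
    list_free(left);
    return double_frees * 100 + leaks();
}
int main(void) { printf("%d %d %d\n", run_buggy(), run_mid_only(), run_fixed()); return 0; }
```

With real allocations, the repeated frees counted by run_buggy corrupt the allocator's free lists, which fits crashes that surface later inside g_slice_alloc on unrelated call paths, as in the two stack traces above.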