Bug 358162 – Crash in gal_a11y_e_cell_popup_new()

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 358162 - Crash in gal_a11y_e_cell_popup_new()


Summary:	Crash in gal_a11y_e_cell_popup_new()


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	general
Version:	3.10.x (obsolete)
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Evolution Shell Maintainers Team
QA Contact:	Evolution QA team

URL:
Whiteboard:	evolution[etable]

Duplicates:	360407 399788 (view as bug list)
Depends on:
Blocks:

Reported:	2006-09-28 17:45 UTC by T_pugliese
Modified:	2015-08-14 12:25 UTC

See Also:
GNOME target:	---
GNOME version:	2.23/2.24

Attachments
stacktrace (149.23 KB, text/plain) 2006-09-28 21:23 UTC, T_pugliese	Details

Description T_pugliese 2006-09-28 17:45:12 UTC

What were you doing when the application crashed?



Distribution: Ubuntu 6.10 (edgy)
Gnome Release: 2.16.0 2006-09-04 (Ubuntu)
BugBuddy Version: 2.16.0

Memory status: size: 108953600 vsize: 0 resident: 108953600 share: 0 rss: 27447296 rss_rlim: 0
CPU usage: start_time: 1159465234 rtime: 0 utime: 321 stime: 0 cutime:296 cstime: 0 timeout: 25 it_real_value: 0 frequency: 0

Backtrace was generated from '/usr/bin/evolution-2.8'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1208908112 (LWP 5849)]
[New Thread -1251165280 (LWP 5859)]
[New Thread -1227482208 (LWP 5853)]
0xffffe410 in __kernel_vsyscall ()

+ Trace 73489

Comment 1 Karsten Bräckelmann 2006-09-28 18:17:14 UTC

Thanks for taking the time to report this bug.

This bug report isn't very useful because it doesn't describe the bug well. If you have time and can still reproduce the bug, please read http://bugzilla.gnome.org/bug-HOWTO.html and add a description of how to reproduce this bug.

Also, unfortunately, that stack trace is not very useful in determining the cause of the crash. Can you get us one with debugging symbols? Please see http://live.gnome.org/GettingTraces for more information on how to do so.

Can you reproduce the issue?

Comment 2 T_pugliese 2006-09-28 18:26:02 UTC

I've seen this happen a few times and it always happens the same way.  I have evolution open using the calendar view.  I click on the task pane to add a task.  It crashes after entering the task description before it switches to the field to populate the date.  When I've noticed it, it seems to always occur when I am adding multiple tasks.  The first one works but the second one causes a crash.

Comment 3 Karsten Bräckelmann 2006-09-28 20:56:21 UTC

Thanks for the detailed description. :)

However, we still need a better stacktrace (see comment 1). NEEDINFO. Please install the relevant debugging packages, reproduce the crash, and add the resulting stacktrace to this bug report. Thanks.

(The link mentioned in comment 1 has distro specific instructions how to do so.)

Comment 4 T_pugliese 2006-09-28 21:23:12 UTC

Created attachment 73597 [details]
stacktrace

Comment 5 Karsten Bräckelmann 2006-09-28 21:53:00 UTC

Thanks for that good stacktrace. :)

Seems to be unique so far, REOPENing. Moving over to GAL. Pasting the relevant part of the top-most crashing thread here for searching pleasure.

+ Trace 73510

#4 <signal handler called>
#5 gal_a11y_e_cell_popup_new
at gal-a11y-e-cell-popup.c line 103
#6 gal_a11y_e_cell_registry_get_object
at gal-a11y-e-cell-registry.c line 117
#7 eti_ref_at
at gal-a11y-e-table-item.c line 345
#8 eti_a11y_reset_focus_object
at gal-a11y-e-table-item.c line 171

Comment 6 André Klapper 2006-09-29 14:01:40 UTC

confirming as we have a nice stacktrace with symbols and line numbers.

Comment 7 T_pugliese 2006-10-07 15:25:30 UTC

*** Bug 360407 has been marked as a duplicate of this bug. ***

Comment 8 Kjartan Maraas 2007-01-23 14:07:37 UTC

*** Bug 399788 has been marked as a duplicate of this bug. ***

Comment 9 Kjartan Maraas 2007-01-23 14:09:18 UTC

Bug 399788 has a quite good backtrace etc too. I got that when I tried to open a task that I had added.

Comment 10 Shahar Or 2009-03-19 17:22:34 UTC

I think this happens to me, also but I can't reproduce it.

Comment 11 Shahar Or 2009-03-21 00:20:23 UTC

It happened again. Can I help with anything, being not a developer?

Comment 12 Shahar Or 2009-04-08 15:22:08 UTC

I've added another backtrace downstream in Ubuntu. This is https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/332055 .

See attachments in it's duplicates.

Comment 13 Shahar Or 2009-06-08 15:53:52 UTC

Dear friends,

This keeps happening to me.

Is there a place to place bounties?

Many blessings.

Comment 14 André Klapper 2013-08-03 09:48:13 UTC

Shahar / T_pugliese: Does this still happen to hyou in 3.8 or 3.6?

Comment 15 T_pugliese 2013-08-06 16:38:03 UTC

I haven't used this program in a long time so I can't say if the bug still exists.

Comment 16 Milan Crha 2014-04-11 05:23:20 UTC

Similar downstream bug report from 3.10.4:
https://bugzilla.redhat.com/show_bug.cgi?id=1086467

Description of problem:
adding a new task to caldav task list

Version-Release number of selected component:
evolution-3.10.4-2.fc20

Additional info:
reporter:       libreport-2.2.1
backtrace_rating: 4
cmdline:        evolution
crash_function: gal_a11y_e_cell_popup_new
executable:     /usr/bin/evolution
kernel:         3.13.9-200.fc20.x86_64

Maybe recent changes around bug #722938 finally fixed the issue.

Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.

+ Trace 233458

Thread 1 (Thread 0x7f8c3ceeda40 (LWP 14639))

#0 gal_a11y_e_cell_popup_new
at gal-a11y-e-cell-popup.c line 102
#1 eti_ref_at
at gal-a11y-e-table-item.c line 404
#2 eti_a11y_reset_focus_object
at gal-a11y-e-table-item.c line 218
#3 g_closure_invoke
at gclosure.c line 777
#4 signal_emit_unlocked_R
at gsignal.c line 3586
#5 g_signal_emit_valist
at gsignal.c line 3330
#6 g_signal_emit
at gsignal.c line 3386
#7 e_selection_model_maybe_do_something
at e-selection-model.c line 557
#8 eti_event
at e-table-item.c line 2470
#9 ffi_call_unix64
at ../src/x86/unix64.S line 76
#10 ffi_call
at ../src/x86/ffi64.c line 522
#11 g_cclosure_marshal_generic
at gclosure.c line 1454
#12 g_closure_invoke
at gclosure.c line 777
#13 signal_emit_unlocked_R
at gsignal.c line 3624
#14 g_signal_emit_valist
at gsignal.c line 3340
#15 g_signal_emit_by_name
at gsignal.c line 3426
#16 canvas_emit_event
at e-canvas.c line 151
#17 _gtk_marshal_BOOLEAN__BOXEDv
at gtkmarshalers.c line 130
#18 _g_closure_invoke_va
at gclosure.c line 840
#19 g_signal_emit_valist
at gsignal.c line 3238
#20 g_signal_emit
at gsignal.c line 3386
#21 gtk_widget_event_internal
at gtkwidget.c line 7168
#22 gtk_widget_event
at gtkwidget.c line 6830
#23 propagate_event_up
at gtkmain.c line 2391
#24 propagate_event
at gtkmain.c line 2499
#25 gtk_main_do_event
at gtkmain.c line 1714
#26 gdk_event_source_dispatch
at gdkeventsource.c line 364
#27 g_main_dispatch
at gmain.c line 3066
#28 g_main_context_dispatch
at gmain.c line 3642
#29 g_main_context_iterate
at gmain.c line 3713
#30 g_main_loop_run
at gmain.c line 3907
#31 gtk_main
at gtkmain.c line 1158
#32 main
at main.c line 683

Comment 17 Milan Crha 2015-08-14 11:56:08 UTC

Downstream bug report from 3.16.4:
https://bugzilla.redhat.com/show_bug.cgi?id=1253348

Still there, also in git master (to be 3.17.90), reproducible with the steps from comment #2.

Comment 18 Milan Crha 2015-08-14 12:25:58 UTC

Use-after-free, accessing structure which was already freed.

Created commit aa1c1ae in evo master (3.17.90+)