Bug 694112 – [abrt] Crash under e_book_backend_ldap_stop_book_view()

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 694112 - [abrt] Crash under e_book_backend_ldap_stop_book_view()


Summary:	[abrt] Crash under e_book_backend_ldap_stop_book_view()


Status:	RESOLVED FIXED

Product:	evolution-data-server
Classification:	Platform
Component:	Contacts
Version:	3.8.x (obsolete)
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	evolution-addressbook-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:

Depends on:
Blocks:	699448

Reported:	2013-02-18 18:00 UTC by Milan Crha
Modified:	2014-08-28 17:02 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Milan Crha 2013-02-18 18:00:00 UTC

Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=912332

Version-Release number of selected component:
evolution-data-server-3.6.3-1.fc18

Additional info:
backtrace_rating: 3
cmdline:        /usr/libexec/evolution-addressbook-factory
executable:     /usr/libexec/evolution-addressbook-factory
kernel:         3.7.8

Core was generated by `/usr/libexec/evolution-addressbook-factory'.
Program terminated with signal 11, Segmentation fault.

+ Trace 231531

Thread 1 (Thread 0x7f4f84ca7800 (LWP 2117))

#0 ??
#1 ldap_op_finished
at e-book-backend-ldap.c line 1185
#2 e_book_backend_ldap_stop_book_view
at e-book-backend-ldap.c line 5060
#3 impl_DataBookView_dispose
at e-data-book-view.c line 725
#4 e_gdbus_marshallers_BOOLEAN__OBJECT
at e-gdbus-marshallers.c line 124
#5 g_closure_invoke
at gclosure.c line 777
#6 signal_emit_unlocked_R
at gsignal.c line 3551
#7 g_signal_emit_valist
at gsignal.c line 3310
#8 g_signal_emit
at gsignal.c line 3356
#9 e_gdbus_stub_handle_method_call
at e-gdbus-templates.c line 679
#10 call_in_idle_cb
at gdbusconnection.c line 4737
#11 g_main_dispatch
at gmain.c line 2715
#12 g_main_context_dispatch
at gmain.c line 3219
#13 g_main_context_iterate
at gmain.c line 3290
#14 g_main_loop_run
at gmain.c line 3484
#15 dbus_server_run_server
at e-dbus-server.c line 222
#16 ffi_call_unix64
at ../src/x86/unix64.S line 75
#17 ffi_call
at ../src/x86/ffi64.c line 486
#18 g_cclosure_marshal_generic_va
at gclosure.c line 1550
#19 _g_closure_invoke_va
at gclosure.c line 840
#20 g_signal_emit_valist
at gsignal.c line 3211
#21 g_signal_emit
at gsignal.c line 3356
#22 e_dbus_server_run
at e-dbus-server.c line 396
#23 main
at evolution-addressbook-factory.c line 129

Comment 1 Milan Crha 2013-03-04 17:24:45 UTC

Similar another downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=917173

It seems it's not related to LDAP only:

+ Trace 231588

Thread 1 (Thread 0x7f8709ecd800 (LWP 1918))

#0 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 63
#1 __GI_abort
at abort.c line 90
#2 __libc_message
at ../sysdeps/unix/sysv/linux/libc_fatal.c line 197
#3 malloc_printerr
#4 _int_free
at malloc.c line 3826
#5 g_free
at gmem.c line 252
#6 impl_DataBookView_dispose
at e-data-book-view.c line 725
#7 e_gdbus_marshallers_BOOLEAN__OBJECT
at e-gdbus-marshallers.c line 124
#8 g_closure_invoke
at gclosure.c line 777
#9 signal_emit_unlocked_R
at gsignal.c line 3551
#10 g_signal_emit_valist
at gsignal.c line 3310
#11 g_signal_emit
at gsignal.c line 3356
#12 e_gdbus_stub_handle_method_call
at e-gdbus-templates.c line 679
#13 call_in_idle_cb
at gdbusconnection.c line 4737
#14 g_main_dispatch
at gmain.c line 2715
#15 g_main_context_dispatch
at gmain.c line 3219
#16 g_main_context_iterate
at gmain.c line 3290
#17 g_main_loop_run
at gmain.c line 3484
#18 dbus_server_run_server
at e-dbus-server.c line 222
#19 ffi_call_unix64
at ../src/x86/unix64.S line 75
#20 ffi_call
at ../src/x86/ffi64.c line 486
#21 g_cclosure_marshal_generic_va
at gclosure.c line 1550
#22 _g_closure_invoke_va
at gclosure.c line 840
#23 g_signal_emit_valist
at gsignal.c line 3211
#24 g_signal_emit
at gsignal.c line 3356
#25 e_dbus_server_run
at e-dbus-server.c line 396
#26 main
at evolution-addressbook-factory.c line 129

Comment 2 Milan Crha 2013-07-17 07:36:31 UTC

Another upstream bug report from 3.8.3:
https://bugzilla.redhat.com/show_bug.cgi?id=984888

The reporter also mentions LDAP.

Core was generated by `/usr/libexec/evolution-addressbook-factory'.
Program terminated with signal 6, Aborted.

+ Trace 232254

Thread 1 (Thread 0x7f732e1ac840 (LWP 2172))

#0 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
#1 __GI_abort
at abort.c line 90
#2 __libc_message
at ../sysdeps/unix/sysv/linux/libc_fatal.c line 196
#3 malloc_printerr
#4 _int_free
at malloc.c line 3768
#5 g_free
at gmem.c line 252
#6 impl_DataBookView_dispose
at e-data-book-view.c line 311
#7 e_gdbus_marshallers_BOOLEAN__OBJECT
at e-gdbus-marshallers.c line 124
#8 g_closure_invoke
at gclosure.c line 777
#9 signal_emit_unlocked_R
at gsignal.c line 3584
#10 g_signal_emit_valist
at gsignal.c line 3338
#11 g_signal_emit
at gsignal.c line 3384
#12 e_gdbus_stub_handle_method_call
at e-gdbus-templates.c line 679
#13 call_in_idle_cb
at gdbusconnection.c line 4737
#14 g_main_dispatch
at gmain.c line 3054
#15 g_main_context_dispatch
at gmain.c line 3630
#16 g_main_context_iterate
at gmain.c line 3701
#17 g_main_loop_run
at gmain.c line 3895
#18 dbus_server_run_server
at e-dbus-server.c line 222
#19 ffi_call_unix64
at ../src/x86/unix64.S line 76
#20 ffi_call
at ../src/x86/ffi64.c line 522
#21 g_cclosure_marshal_generic_va
at gclosure.c line 1550
#22 _g_closure_invoke_va
at gclosure.c line 840
#23 g_signal_emit_valist
at gsignal.c line 3234
#24 g_signal_emit
at gsignal.c line 3384
#25 e_dbus_server_run
at e-dbus-server.c line 414
#26 main
at evolution-addressbook-factory.c line 132

Comment 3 Milan Crha 2014-08-28 17:02:15 UTC

I finally managed to reproduce this. The problem was that the evolution code tried to be nice to the backend, which means that it initiated a search, but then, when the new search criteria was changed by the user (typing more letters in the To/Ccc/Bcc fields) evolution stopped the search and freed the associated object. The evolution-data-server side run a dedicated thread for the stop operation, while the free operation was done in another thread. The free operation also runs a stop for the associated search, just in case. It could happen, with a good timing, that the stop was called twice on one object's data (internal to LDAP backend), causing access of an already freed memory. Making sure that multiple threads cannot access LDAP's private data of the search fixes the thread interleaving problem here.

I believe this is LDAP specific, the comment #1 says something else, but I believe this is due to accessing already freed memory and overwriting data in a random place, causing crash slightly later.

Created commit f49de9c in eds master (3.13.6+) [1]
Created commit a167bc7 in eds evolution-data-server-3-12 (3.12.6+)

[1] https://git.gnome.org/browse/evolution-data-server/commit/?id=f49de9c