Thanks for a bug report. I was investigating this recently, but I wasn't able to reproduce it  myself. As your log shows bbdb plugin, and it was a clue in the other bug which I cannot find right now, I would try to disable it and see whether it'll help. You can find it at Edit->Preferences->Contacts->Automatic Contacts tab (bbdb is an internal name for Automatic Contacts).

It would be helpful, in case you can still reproduce this, to run evolution under valgrind and test whether it'll catch anything useful. The valgrind command may look like this:
   $ G_SLICE=always-malloc valgrind --num-callers=20 evolution &>log.txt
only make sure you'll have installed debuginfo packages for evolution-data-server and evolution itself of the same versions as the binary packages, thus the valgrind log will be usable.

Hi,

Thanks for looking into this.
I can still reproduce, although I upgraded to 3.12.7 (from 3.12.2), up-to-date Jessie system
I have now turned of the automatic contacts, and was not able to reproduce since.

I'll attach the valgrind output shortly, it was taken with the automatic contacts still enabled, but the process didn't crash. Valgrind certainly seems to catch something accourding to the output, but I'm not familiar enough with it to make any conclusions.

I'll try to reproduce the segfault itself with valgrind and attach that one as well.

Regards,
Steven

Created attachment 291756 [details]
valgrind output (no segfault occured)

Thanks a lot for the update. Even there are missing debuginfo packages for evolution (no line numbers shown), then there are couple clues what could break. As you mentioned, the valgrind did catch the crash and logged about it ( those "invalid free/delete/..." traces).

I finally found the incorrect place, but it was a challenge, because the valgrind log shows an issue inside todo_queue_process_thread(), which also prints a GError, but it's all clean there. That's why debuginfo packages matter.

The valgrind log also shows another issue, there was a problem with the evolution-addressbook-factory, it probably crashed or something. It would be good to investigate what happened there and fixed that as well. The log shows that the bbdb plugin was trying to open a Contacts address book. Is it an evolution-ews or evolution-mapi address book? In other words, what address book type it is, please? It's probably causing the crash of the address book factory. Maybe if you can open a new bug report and paste there a result of the following:
a) close evolution
b) run the evolution-addressbook-factory in a terminal under gdb:
   $ gdb --batch /usr/libexec/evolution-addressbook-factory --ex "r -w" \
     --ex "t a a bt" --ex q &>bt.txt
   Please check the bt.txt for any private information, like passwords, email
   address, server addresses,... I usually search for "pass" at least (quotes
   for clarity only).
c) run evolution and reproduce the issue there
d) see whether the addressbook factory process stopped on its own; if not,
   press Ctrl+C
e) check the bt.txt and paste it into a new bug report (and give a reference
   to it here)
Thanks in advance.

For the use-after-free bug:

Created commit 4fe0f52 in evo master (3.13.9+) [1]
Created commit 997d967 in evo evolution-3-12 (3.12.9+)

[1] https://git.gnome.org/browse/evolution/commit/?id=4fe0f52

Hi Milan,

Many thanks for looking into this, I'll add a comment to the Debian bug report about this.

I opened a new bug as you requested:
https://bugzilla.gnome.org/show_bug.cgi?id=741002

Also, as far as debug packages are concerned, I have evolution-dbg and evolution-data-server-dbg installed. There are no other evolution related debug packages on first sight.

Regards,
Steven

*** Bug 742524 has been marked as a duplicate of this bug. ***

*** Bug 756928 has been marked as a duplicate of this bug. ***