GNOME Bugzilla – Bug 578685
evolution crashed with SIGSEGV in IA__g_ascii_strcasecmp()
Last modified: 2009-04-15 14:38:13 UTC
The bug has been opened on https://bugs.launchpad.net/bugs/358104 "evolution been crashing quite a bit in jaunty as of april 8, 2009"
Trace 214373
the crash is new since jaunty updated e-d-s and evo from 2.26.0 to current svn to give it some testing before 2.26.1
https://bugs.edge.launchpad.net/bugs/358223 could be the same issue and is getting a lot of duplicates:

==17206== Invalid read of size 1
==17206==    at 0x4A0A034: strlen (mc_replace_strmem.c:242)
==17206==    by 0x3A19C4975D: vfprintf (in /lib/libc-2.9.so)
==17206==    by 0x3A19CFED7F: __vasprintf_chk (in /lib/libc-2.9.so)
==17206==    by 0x3A1B86F34A: g_vasprintf (in /usr/lib/libglib-2.0.so.0.2000.0)
==17206==    by 0x3A1B85CB6D: g_string_append_vprintf (in /usr/lib/libglib-2.0.so.0.2000.0)
==17206==    by 0x3A1B85CC87: g_string_append_printf (in /usr/lib/libglib-2.0.so.0.2000.0)
==17206==    by 0x913977C: em_format_describe_part (em-format.c:1167)
==17206==    by 0x91335A4: efhd_format_attachment (em-format-html-display.c:2502)
==17206==    by 0x913A8ED: em_format_part_as (em-format.c:634)
==17206==    by 0x913AA61: em_format_part (em-format.c:653)
==17206==    by 0x913B38B: emf_multipart_mixed (em-format.c:1259)
==17206==    by 0x913A98F: em_format_part_as (em-format.c:626)
==17206==    by 0x913AA61: em_format_part (em-format.c:653)
==17206==    by 0x9136EEB: efh_format_message (em-format-html.c:2088)
==17206==    by 0x9135C4F: efh_format_exec (em-format-html.c:1274)
==17206==    by 0x915BA39: mail_msg_proxy (mail-mt.c:520)
==17206==    by 0x3A1B864EB6: (within /usr/lib/libglib-2.0.so.0.2000.0)
==17206==    by 0x3A1B863953: (within /usr/lib/libglib-2.0.so.0.2000.0)
==17206==    by 0x3A1A8073B9: start_thread (in /lib/libpthread-2.9.so)
==17206==    by 0x3A19CE5FCC: clone (in /lib/libc-2.9.so)
==17206==  Address 0x8aae999 is not stack'd, malloc'd or (recently) free'd
random crashers since the upgrade:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358223
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358425
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358460
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358522
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358529
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358593
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358615
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358677
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358697
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358756
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358852
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/359333
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/359423
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/359515
do you want bugs for each crasher? they could be a similar corruption issue
other valgrind log on https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/358615:

==20832== Invalid read of size 1
==20832==    at 0x4027A0F: strcmp (mc_replace_strmem.c:337)
==20832==    by 0x6D43435: em_format_describe_part (em-format.c:1166)
==20832==    by 0x6D3C527: efhd_format_attachment (em-format-html-display.c:2502)
==20832==    by 0x6D4460C: em_format_part_as (em-format.c:634)
==20832==    by 0x6D44754: em_format_part (em-format.c:653)
==20832==    by 0x6D450DA: emf_multipart_mixed (em-format.c:1259)
==20832==    by 0x6D4467A: em_format_part_as (em-format.c:626)
==20832==    by 0x6D44754: em_format_part (em-format.c:653)
==20832==    by 0x6D4072B: efh_format_message (em-format-html.c:2088)
==20832==    by 0x6D3F0CD: efh_format_exec (em-format-html.c:1274)
==20832==    by 0x6D6B1F8: mail_msg_proxy (mail-mt.c:520)
==20832==    by 0x557FCD5: g_thread_pool_thread_proxy (gthreadpool.c:265)
==20832==    by 0x557E66E: g_thread_create_proxy (gthread.c:635)
==20832==    by 0x479C4FE: start_thread (pthread_create.c:297)
==20832==    by 0x56B549D: clone (clone.S:130)
==20832==  Address 0xb807dc1 is 1 bytes inside a block of size 64 free'd
==20832==    at 0x4025DFA: free (vg_replace_malloc.c:323)
==20832==    by 0x555BFF5: g_free (gmem.c:190)
==20832==    by 0x4062D8D: update (e-attachment-bar.c:460)
==20832==    by 0x6D38B72: efhd_update_bar (em-format-html-display.c:2359)
==20832==    by 0x6D3E138: efh_object_requested (em-format-html.c:638)
==20832==    by 0x4956FA5: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:83)
==20832==    by 0x54E6C7A: g_closure_invoke (gclosure.c:767)
==20832==    by 0x54FCE0E: signal_emit_unlocked_R (gsignal.c:3244)
==20832==    by 0x54FE31E: g_signal_emit_valist (gsignal.c:2987)
==20832==    by 0x54FE905: g_signal_emit (gsignal.c:3034)
==20832==    by 0x490E86B: html_engine_object_requested_cb (gtkhtml.c:538)
==20832==    by 0x4956FA5: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:83)
==20832==    by 0x54E6C7A: g_closure_invoke (gclosure.c:767)
==20832==    by 0x54FCE0E: signal_emit_unlocked_R (gsignal.c:3244)
==20832==    by 0x54FE31E: g_signal_emit_valist (gsignal.c:2987)
==20832==    by 0x54FE905: g_signal_emit (gsignal.c:3034)
==20832==    by 0x4948933: element_parse_object (htmlengine.c:1635)
==20832==    by 0x493FA4C: parse_one_token (htmlengine.c:3984)
==20832==    by 0x494D910: html_engine_timer_event (htmlengine.c:1439)
==20832==    by 0x494DA47: html_engine_flush (htmlengine.c:6909)
==20832==    by 0x490A56F: gtk_html_flush (gtkhtml.c:6288)
==20832==    by 0x6D4650B: emhs_sync_flush (em-html-stream.c:130)
==20832==    by 0x6D59B8F: emss_process_message (em-sync-stream.c:83)
==20832==    by 0x5551B50: g_idle_dispatch (gmain.c:3922)
==20832==    by 0x5553A57: g_main_context_dispatch (gmain.c:1814)
==20832==    by 0x5556FBA: g_main_context_iterate (gmain.c:2448)
==20832==    by 0x5557489: g_main_loop_run (gmain.c:2656)
==20832==    by 0x4B91CC2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==20832==    by 0x805D562: main (main.c:704)
The issue is due to http://svn.gnome.org/viewvc/evolution?view=revision&revision=37497
the _get_description line should probably be strdup-ed too
Created attachment 132513: suggested change to fix the issue
Created attachment 132514: suggested change to fix the issue
Right idea, though I think I'd put strdup() here:

    if (!desc || *desc == '\0') {
        ...
    } else
        desc = g_strdup (desc);

Avoids a tiny memory leak if *desc == '\0'. Marking this 2.26.1 BLOCKER so we don't miss it.
You're right. I didn't notice the condition of if (desc), sorry. Please integrate the strdup fix. Thanks.
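The ownership problem behind both valgrind logs (a description pointer borrowed from the part, then freed by the attachment bar's update() while the formatter still holds it), together with the placement of the copy discussed in the two comments above, as an added example. This is not Evolution's code: it uses a minimal stand-in struct instead of CamelMimePart, libc strdup()/free() in place of g_strdup()/g_free(), and a hypothetical "attachment (type)" fallback text for the branch the page elides.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the object that owns a Content-Description string
 * (assumption: not Camel's CamelMimePart, just enough to show ownership). */
typedef struct {
    char *description;   /* heap string owned by the part, or NULL */
} MimePart;

/* Owner-side setter: frees the old string and installs a copy of the new one.
 * Any pointer previously handed out by part_get_description() now dangles;
 * this is the role update() in e-attachment-bar.c plays in the second log. */
void part_set_description(MimePart *part, const char *desc)
{
    free(part->description);
    part->description = desc ? strdup(desc) : NULL;
}

/* Borrowed accessor: valid only until the part is modified or destroyed. */
const char *part_get_description(const MimePart *part)
{
    return part->description;
}

/* Hypothetical fallback text for a part that carries no description. */
static char *format_fallback(const char *mime_type)
{
    size_t n = strlen("attachment (") + strlen(mime_type) + 2;  /* ')' and NUL */
    char *s = malloc(n);
    if (s)
        snprintf(s, n, "attachment (%s)", mime_type);
    return s;
}

/* Buggy pattern: the result aliases memory owned by the part.  If the owner
 * frees or replaces the description before this string is consumed (another
 * thread, a signal handler, a later update), the consumer reads freed memory,
 * which is the invalid read valgrind reported inside strcmp()/vfprintf(). */
const char *describe_part_borrowed(const MimePart *part)
{
    return part_get_description(part);   /* caller cannot tell this can go stale */
}

/* Fixed pattern with the copy where the reviewer put it: the fallback branch
 * already yields an owned string, so only the else branch duplicates.  Copying
 * before the check would leak the duplicate when *desc == '\0'.  Every return
 * value is owned by the caller and released with free(), whichever branch ran. */
char *describe_part_copied(const MimePart *part, const char *mime_type)
{
    const char *desc = part_get_description(part);

    if (!desc || *desc == '\0')
        return format_fallback(mime_type);
    return strdup(desc);
}

/* Replays the race from the logs in a deterministic order: describe the part,
 * let the owner replace the description (freeing the old block), then use the
 * result.  Returns 1 when the copied description still reads correctly after
 * the free; the borrowed pointer provably aliased the freed block. */
int copied_description_survives_update(void)
{
    MimePart part = { NULL };
    part_set_description(&part, "quarterly report.pdf");

    const char *borrowed = describe_part_borrowed(&part);
    char *copied = describe_part_copied(&part, "application/pdf");
    int aliased = (borrowed == part.description);   /* borrowed points into the part */

    /* The owner updates: the block 'borrowed' points to is freed here.
     * Dereferencing 'borrowed' after this line is a use-after-free. */
    part_set_description(&part, "renamed.pdf");

    int ok = aliased && copied && strcmp(copied, "quarterly report.pdf") == 0;
    free(copied);
    part_set_description(&part, NULL);
    return ok;
}

/* Both "" and NULL take the fallback branch, and the caller frees uniformly. */
int fallback_used_for_empty_and_null(void)
{
    MimePart part = { NULL };
    const char *cases[2] = { "", NULL };
    int ok = 1;

    for (int i = 0; i < 2; i++) {
        part_set_description(&part, cases[i]);
        char *d = describe_part_copied(&part, "image/png");
        ok = ok && d && strcmp(d, "attachment (image/png)") == 0;
        free(d);
    }
    part_set_description(&part, NULL);
    return ok;
}

int main(void)
{
    printf("copied description survives update: %s\n",
           copied_description_survives_update() ? "yes" : "no");
    printf("fallback used for empty/NULL: %s\n",
           fallback_used_for_empty_and_null() ? "yes" : "no");
    return 0;
}
```

Building with -fsanitize=address and adding a read of the borrowed pointer after the second part_set_description() call reproduces the heap-use-after-free report without needing the GTK signal chain from the logs.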
As the fix above has been committed in this [1] revision, closing as fixed.
[1] http://svn.gnome.org/viewvc/evolution?view=revision&revision=37520
eh, we have new warnings because of this :(

e-attachment-bar.c: In function ‘update’:
e-attachment-bar.c:444: warning: assignment discards qualifiers from pointer target type
e-attachment-bar.c:450: warning: assignment discards qualifiers from pointer target type

Just for the record, this patch didn't get into the 2.26.1 tarball.
I think Jony goofed up the commit part. He has in his local git, but not on the tarball. This, as well as the unmatched vfolder missed like this. Jony, we must do a 2.26.1.1. Up for that? /me has 1200 mails to act on after a 10 day vacation.
(In reply to comment #13)
> Jony, we must do a 2.26.1.1. Up for that? /me has 1200 mails to act on after a
> 10 day vacation.

Pushed 2.26.1.1 with this patch. Apologies for the trouble.