Bug 759101 - Unset old cursor after clean up of the message list
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 3.18.x (obsolete)
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
URL: https://bugs.debian.org/cgi-bin/bugre...
Depends on:
Blocks:
 
 
Reported: 2015-12-06 20:41 UTC by Joerg C. Frings-Fuerst
Modified: 2016-02-17 18:16 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Joerg C. Frings-Fuerst 2015-12-06 20:41:41 UTC
Hi,

Evolution reproducibly crashes with a "Segmentation fault" when deleting IMAP folders.

The traceback is:

[New Thread 0x7fff4ffff700 (LWP 15356)]
[New Thread 0x7fff43df4700 (LWP 15357)]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  ??
#1  is_node_selectable at message-list.c line 3912
#2  find_next_selectable at message-list.c line 3960
#3  message_list_regen_done_cb at message-list.c line 5825
#4  g_simple_async_result_complete from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  ?? from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  g_main_context_dispatch from /lib/x86_64-linux-
#7  ?? from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8  g_main_loop_run from /lib/x86_64-linux-
#9  gtk_main from /usr/lib/x86_64-linux-
#10 main at main.c line 654





-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages evolution depends on:
ii  dbus                   1.10.4-1
ii  debconf [debconf-2.0]  1.5.58
ii  evolution-common       3.18.2-1
ii  evolution-data-server  3.18.2-1
ii  libc6                  2.19-22
ii  libcamel-1.2-54        3.18.2-1
ii  libclutter-gtk-1.0-0   1.6.6-1
ii  libecal-1.2-19         3.18.2-1
ii  libedataserver-1.2-21  3.18.2-1
ii  libevolution           3.18.2-1
ii  libglib2.0-0           2.46.2-1
ii  libgtk-3-0             3.18.5-1
ii  libical1a              1.0.1-0.1
ii  libnotify4             0.7.6-2
ii  libsoup2.4-1           2.52.1-1
ii  libwebkitgtk-3.0-0     2.4.9-2+b1
ii  libxml2                2.9.2+zdfsg1-4
ii  psmisc                 22.21-2.1+b1

Versions of packages evolution recommends:
ii  bogofilter         1.2.4+dfsg1-3
ii  evolution-plugins  3.18.2-1
ii  yelp               3.16.1-1

Versions of packages evolution suggests:
pn  evolution-ews                   <none>
pn  evolution-plugins-experimental  <none>
ii  gnupg                           1.4.19-6
ii  network-manager                 1.0.8-1

-- debconf information:
  evolution/kill_processes:
  evolution/needs_shutdown:
Comment 1 Milan Crha 2016-01-19 18:47:53 UTC
Thanks for taking the time to report this.
This particular bug has already been reported into our bug tracking system, but we are happy to tell you that the problem has already been fixed in the code repository.

*** This bug has been marked as a duplicate of bug 757789 ***
Comment 2 Milan Crha 2016-02-17 16:46:03 UTC
I'm reopening this. I found different circumstances, which could cause the crash even with changes from bug #757789.
Comment 3 Milan Crha 2016-02-17 18:16:05 UTC
The other instance was related to message delete. It could happen that the message list had been regenerated from scratch, but the stored cursor node had been left there, already deleted. That was a use-after-free, which resulted in an odd pointer dereference in the is_node_selectable() function. I made the cursor reset in the code, to avoid this.

Created commit 647275a in evo master (3.19.91+)
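
The pattern described in Comment 3, as an added example that is not Evolution's code and not part of the original report: a list is regenerated from scratch while a stored cursor still holds the address of a freed node, next to the cleanup that unsets the cursor together with the nodes. The types and functions (List, Node, list_push, list_clear, next_selectable_id) are hypothetical and simplified.

```c
#include <stdlib.h>

/* Simplified, hypothetical model of a list with a stored cursor.
   All names are illustrative; this is not Evolution's message-list.c. */
typedef struct Node { struct Node *next; int selectable; int id; } Node;
typedef struct { Node *head; Node *cursor; } List;

/* Prepend a node; returns it so the caller can store it as the cursor. */
static Node *list_push(List *l, int id, int selectable) {
    Node *n = malloc(sizeof *n);
    if (!n) abort();
    n->id = id; n->selectable = selectable; n->next = l->head;
    l->head = n;
    return n;
}

/* Free every node, as a regeneration from scratch does.
   reset_cursor = 0 models the crash: the cursor keeps a freed node's address.
   reset_cursor = 1 models the fix: the cursor is unset with the nodes.
   Returns 1 when the list is left holding a dangling cursor. */
static int list_clear(List *l, int reset_cursor) {
    int had_cursor = (l->cursor != NULL);
    for (Node *n = l->head, *next; n; n = next) { next = n->next; free(n); }
    l->head = NULL;
    if (reset_cursor) { l->cursor = NULL; return 0; }
    return had_cursor;
}

/* Pick the next selectable node, starting after the cursor when one is set.
   With a dangling cursor, l->cursor->next would read freed memory. */
static int next_selectable_id(const List *l) {
    const Node *n = l->cursor ? l->cursor->next : l->head;
    while (n && !n->selectable) n = n->next;
    return n ? n->id : -1;
}

int main(void) {
    List l = { NULL, NULL };
    list_push(&l, 3, 1); l.cursor = list_push(&l, 2, 0); list_push(&l, 1, 1);
    list_clear(&l, 1);                      /* cleanup with the cursor reset */
    list_push(&l, 11, 1); list_push(&l, 10, 0);   /* regenerated list */
    return next_selectable_id(&l) == 11 ? 0 : 1;
}
```

Building the unfixed path with AddressSanitizer (-fsanitize=address) and calling next_selectable_id() after list_clear(&l, 0) reports the read as a heap-use-after-free instead of crashing at an arbitrary address.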