Bug 606811 - evolution crashed in match_content_type at camel-folder-summary.c:5066
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 2.30.x (obsolete)
OS: Other Linux
Importance: Urgent critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Duplicates: 607282 607646 608278
Depends on:
Blocks:
Reported: 2010-01-13 05:14 UTC by Akhil Laddha
Modified: 2013-09-13 01:04 UTC
See Also:
GNOME target: ---
GNOME version: 2.27/2.28


Attachments
EDS patch (490 bytes, patch), 2010-02-01 05:12 UTC, Bharath Acharya, status: committed
sample message (2.88 KB, text/plain), 2010-02-09 14:05 UTC, Milan Crha

Description Akhil Laddha 2010-01-13 05:14:32 UTC
Evolution 2.29.5 

I searched for particular mails. After getting the search results, I selected all the mails (which fulfilled the search criteria) with the mouse, but somehow all mails were opened in separate windows. Now, without closing those windows, I just deleted all the mails. Later I saw a message window was open; I clicked on it and evolution crashed.


Program received signal SIGSEGV, Segmentation fault.
0xb7c1cc4d in match_content_type (info_ctype=0x0, ctype=0x8f4f120)
    at camel-folder-summary.c:5066
5066		if (!compare_strings (info_ctype->type, ctype->type))
(gdb) t a a bt

Thread 1 (Thread 0xb6333760 (LWP 2766))

  • #0 match_content_type
    at camel-folder-summary.c line 5066
  • #1 camel_folder_summary_guess_content_info
    at camel-folder-summary.c line 5088
  • #2 efhd_attachment_button
    at em-format-html-display.c line 813
  • #3 efh_object_requested
    at em-format-html.c line 1519
  • #4 html_g_cclosure_marshal_BOOLEAN__OBJECT
    at htmlmarshal.c line 81
  • #5 g_closure_invoke
    from /usr/lib/libgobject-2.0.so.0
  • #6 signal_emit_unlocked_R
    from /usr/lib/libgobject-2.0.so.0
  • #7 g_signal_emit_valist
    from /usr/lib/libgobject-2.0.so.0
  • #8 g_signal_emit
    from /usr/lib/libgobject-2.0.so.0
  • #9 html_engine_object_requested_cb
    at gtkhtml.c line 549
  • #10 html_g_cclosure_marshal_BOOLEAN__OBJECT
    at htmlmarshal.c line 81
  • #11 g_closure_invoke
    from /usr/lib/libgobject-2.0.so.0
  • #12 signal_emit_unlocked_R
    from /usr/lib/libgobject-2.0.so.0
  • #13 g_signal_emit_valist
    from /usr/lib/libgobject-2.0.so.0
  • #14 g_signal_emit
    from /usr/lib/libgobject-2.0.so.0
  • #15 element_parse_object
    at htmlengine.c line 1624
  • #16 parse_one_token
    at htmlengine.c line 3975
  • #17 new_parse_body
    at htmlengine.c line 1429
  • #18 html_engine_timer_event
    at htmlengine.c line 4928
  • #19 html_engine_flush
    at htmlengine.c line 6907
  • #20 gtk_html_flush
    at gtkhtml.c line 6317
  • #21 emhs_sync_flush
    at em-html-stream.c line 86
  • #22 emss_process_message
    at em-sync-stream.c line 83
  • #23 g_idle_dispatch
    from /usr/lib/libglib-2.0.so.0
  • #24 g_main_context_dispatch
    from /usr/lib/libglib-2.0.so.0
  • #25 g_main_context_iterate
    from /usr/lib/libglib-2.0.so.0
  • #26 g_main_loop_run
    from /usr/lib/libglib-2.0.so.0
  • #27 gtk_main
    from /usr/lib/libgtk-x11-2.0.so.0
  • #28 main
    at main.c line 609

Comment 1 Akhil Laddha 2010-01-18 10:20:43 UTC
*** Bug 607282 has been marked as a duplicate of this bug. ***
Comment 2 Akhil Laddha 2010-01-21 10:56:28 UTC
*** Bug 607646 has been marked as a duplicate of this bug. ***
Comment 3 Akhil Laddha 2010-01-27 05:03:48 UTC
I am getting this crash often. Today I searched for a string, deleted mails from the search results, and evolution crashes as soon as I try to clear the search.

==2009== Conditional jump or move depends on uninitialised value(s)
==2009==    at 0x592CB20: re_compile_fastmap_iter (regcomp.c:326)
==2009==    by 0x592D18D: re_compile_fastmap (regcomp.c:276)
==2009==    by 0x592D9CA: regcomp (regcomp.c:512)
==2009==    by 0x48C0CD1: mailing_list_init (camel-mime-utils.c:4516)
==2009==    by 0x4DB00AF: pthread_once (pthread_once.S:122)
==2009==    by 0x7C45968: imap_get_message (camel-imap-folder.c:3050)
==2009==    by 0x43DA0B4: camel_folder_get_message (camel-folder.c:1107)
==2009==    by 0x65DB122: get_message_exec (mail-ops.c:1858)
==2009==    by 0x65D6A7E: mail_msg_proxy (mail-mt.c:459)
==2009==    by 0x5817716: g_thread_pool_thread_proxy (gthreadpool.c:265)
==2009==    by 0x5816093: g_thread_create_proxy (gthread.c:635)
==2009==    by 0x4DAA6E4: start_thread (pthread_create.c:297)
==2009== 
==2009== Thread 1:
==2009== Invalid read of size 4
==2009==    at 0x43D6FFD: match_content_type (camel-folder-summary.c:5066)
==2009==    by 0x43D70D5: camel_folder_summary_guess_content_info (camel-folder-summary.c:5088)
==2009==    by 0x65C53CE: efhd_attachment_button (em-format-html-display.c:813)
==2009==    by 0x65C0996: efh_object_requested (em-format-html.c:1518)
==2009==    by 0x45E4A0D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==2009==    by 0x57721A1: g_closure_invoke (gclosure.c:767)
==2009==    by 0x5787C65: signal_emit_unlocked_R (gsignal.c:3247)
==2009==    by 0x5788EDF: g_signal_emit_valist (gsignal.c:2990)
==2009==    by 0x1: ???
Comment 4 Fabio Durán Verdugo 2010-01-27 18:48:55 UTC
*** Bug 608278 has been marked as a duplicate of this bug. ***
Comment 5 Paul Bolle 2010-01-30 12:32:51 UTC
0) Similar crash with evolution-2.29.6-1.fc13.i686 and evolution-data-server-2.29.6-1.fc13.i686 (current Fedora rawhide). Triggered by nothing in particular (i.e., hopping around between messages).

1) backtrace (truncated):
 bt 6
  • #0 match_content_type
    at camel-folder-summary.c line 5066
  • #1 camel_folder_summary_guess_content_info
    at camel-folder-summary.c line 5088
  • #2 efhd_attachment_button
    at em-format-html-display.c line 813
  • #3 efh_object_requested
    at em-format-html.c line 1518
  • #4 html_g_cclosure_marshal_BOOLEAN__OBJECT
    from /usr/lib/libgtkhtml-3.14.so.19
  • #5 g_closure_invoke
    from /lib/libgobject-2.0.so.0
  • #0 match_content_type
    at camel-folder-summary.c line 5066
  • #1 camel_folder_summary_guess_content_info
    at camel-folder-summary.c line 5088
child = 0xb072f580
ci = <value optimized out>
(gdb) print child->type
$9 = (CamelContentType *) 0x0
(gdb) print ctype

3) This particular crash, at this particular location, could probably simply be avoided with some "([...] != NULL)" test, but since I'm not familiar at all with the context of match_content_type() I won't even bother.

(Does it actually make sense for a (CamelContentType *) info_ctype->type to be NULL or is there some race condition or whatever?)
Comment 6 Paul Bolle 2010-01-30 13:21:59 UTC
(In reply to comment #5)
> 0) [...] Triggered by
> nothing in particular (ie, hopping around between messages).

0) It feels like hopping between two messages each with an attachment triggers this. Can someone confirm?
Comment 7 Paul Bolle 2010-01-30 13:37:29 UTC
(In reply to comment #6)
> 0) It feels like hopping between two messages each with an attachment triggers
> this. Can someone confirm?

0) More specifically, it seems triggered by just trying to render messages with a header like:
    Content-Disposition: inline; filename=foo

but without headers like
    MIME-Version: [...]
or
    Content-Type: [...]

Does that make sense?
Comment 8 Akhil Laddha 2010-02-01 04:34:52 UTC
I get this crash every day two times at least :-(
Comment 9 Bharath Acharya 2010-02-01 05:12:08 UTC
Created attachment 152705 [details] [review]
EDS patch

Avoids the crash. But let chen decide on the issue. It is a regression because of this. http://git.gnome.org/browse/evolution/commit/?id=6a72dacb7db51cd0f6b84e9aefd248677c0ff4e0
Comment 10 Chenthill P 2010-02-01 11:31:53 UTC
Bharath, can you please check if it's valid for ctype to be NULL there.
And if it's valid, please add the null check inside match_content_type.

You could use the case which Paul has mentioned at comment #7.
Comment 11 Milan Crha 2010-02-09 14:03:56 UTC
OK, so the patch in bug #606316 isn't complete.

I can reproduce this with a message received through IMAP, which has this structure:

> Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-
>    signature"; boundary="=-yqg7yh4yZiX3N+24Xr/J"
> X-Mailer: Evolution 2.29.5
> 
> --=-yqg7yh4yZiX3N+24Xr/J
> Content-Type: multipart/mixed; boundary="=-ta7ez+tFRV4KmE08invO"
> 
>
> --=-ta7ez+tFRV4KmE08invO
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
>...

when I export it and import it to a local store it has the second child->type properly set to multipart/mixed, but with the initial email with IMAP it has it set to NULL. It even doesn't seem to have the full message structure there, as with a local one.

Thus two things, I would add a check for NULL as Bharath did, and have a look into the IMAP code.
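The two failure modes discussed in this thread (a part with no Content-Type header, as in comment 7, and a child whose type was never filled in, as in comment 11) both end up handing a NULL content type to a comparison that dereferences it. The following is an added, self-contained C illustration of that pattern and of the NULL-tolerant version; it is not Evolution or Camel code and not the EDS patch in attachment 152705. The struct, the header parser and every function name here are hypothetical stand-ins, and the header blocks are constructed sample input.

```c
/* Added example (hypothetical, not Camel code): why an unchecked
 * match_content_type()-style comparison crashes on a part that has no
 * Content-Type, and how the NULL-tolerant version behaves instead. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed content type: just type/subtype. */
typedef struct {
    char type[32];
    char subtype[32];
} content_type_t;

/* Case-insensitive string equality; NULL never equals anything. */
static bool strs_equal_ci(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return false;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive "does s start with prefix". */
static bool prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Parse "type/subtype" out of a raw header block. Returns NULL when there is
 * no Content-Type header at all, which is exactly the situation the thread
 * describes (child->type == NULL). Caller frees the result. */
static content_type_t *content_type_from_headers(const char *headers)
{
    static const char key[] = "Content-Type:";
    const char *line = headers;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        if (prefix_ci(line, key)) {
            const char *v = line + sizeof key - 1;
            while (*v == ' ' || *v == '\t')
                v++;
            content_type_t *ct = calloc(1, sizeof *ct);
            if (ct == NULL)
                return NULL;
            size_t i = 0;
            while (*v && *v != '/' && *v != ';' && !isspace((unsigned char)*v) && i < sizeof ct->type - 1)
                ct->type[i++] = *v++;
            if (*v == '/') {
                v++;
                i = 0;
                while (*v && *v != ';' && !isspace((unsigned char)*v) && i < sizeof ct->subtype - 1)
                    ct->subtype[i++] = *v++;
            }
            return ct;
        }
        line = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* The unchecked shape from the backtrace (camel-folder-summary.c:5066 in the
 * report): info_ctype is dereferenced without a test, so a NULL content type
 * is a NULL-pointer read. Kept only to document the bug; never called here. */
bool match_content_type_unchecked(const content_type_t *info_ctype, const content_type_t *ctype)
{
    return strs_equal_ci(info_ctype->type, ctype->type) &&
           strs_equal_ci(info_ctype->subtype, ctype->subtype);
}

/* NULL-tolerant version: a part without a content type simply does not match. */
bool match_content_type(const content_type_t *info_ctype, const content_type_t *ctype)
{
    if (info_ctype == NULL || ctype == NULL)
        return false;
    return strs_equal_ci(info_ctype->type, ctype->type) &&
           strs_equal_ci(info_ctype->subtype, ctype->subtype);
}

/* Does a header block describe a multipart/mixed part? 1 = yes, 0 = no or no
 * Content-Type header at all. */
int headers_are_multipart_mixed(const char *headers)
{
    content_type_t wanted = { "multipart", "mixed" };
    content_type_t *ct = content_type_from_headers(headers);
    int r = match_content_type(ct, &wanted) ? 1 : 0;
    free(ct);
    return r;
}

int main(void)
{
    /* Constructed samples: the comment 7 shape (Content-Disposition only) and
     * the comment 11 inner part (multipart/mixed). */
    const char *no_ctype = "Content-Disposition: inline; filename=foo\n";
    const char *mixed = "Content-Type: multipart/mixed; boundary=\"=-ta7ez+tFRV4KmE08invO\"\n";
    printf("no Content-Type -> %d\n", headers_are_multipart_mixed(no_ctype));
    printf("multipart/mixed -> %d\n", headers_are_multipart_mixed(mixed));
    return 0;
}
```

The point of the safe variant is that a missing content type is a legitimate input for a summary built from partial IMAP data, so the comparison must treat NULL as "no match" rather than assume the parser always succeeded.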
Comment 12 Milan Crha 2010-02-09 14:05:14 UTC
Created attachment 153329 [details]
sample message

Import this to an IMAP folder in offline, then go online, let it re-fetch the message, and try to view it. It crashes for me this way.
Comment 13 Chenthill P 2010-02-09 15:34:47 UTC
Bharath, do you want to complete the patch or shall I take it over ?
Comment 14 Adam Williamson 2010-02-10 20:08:57 UTC
Just to confirm there's still at least one message giving me this crash in 2.29.90 as well.
Comment 15 Bharath Acharya 2010-02-11 10:36:21 UTC
Comment on attachment 152705 [details] [review]
EDS patch

Committed the patch to avoid the crash. Will look into the second portion
Comment 16 Milan Crha 2010-02-16 18:44:01 UTC
OK, I looked around and it turned out that the mbox is not providing any content info, whereas IMAP is trying to provide at least something. The place the NULL is created is here for me (see it didn't get any headers):

> #0  content_info_new_from_header (s=0x10eaab0, h=0x0) at camel-folder-
> summary.c:3551
> #1  0x00007ffff6573286 in content_info_new_from_message (s=0x10eaab0,
> mp=0xa6cd20) at camel-folder-summary.c:2996
> #2  0x00007ffff6576221 in summary_build_content_info_message (s=0x10eaab0,
> msginfo=0x7fffbc03cc30, object=0xa6cd20) at camel-folder-summary.c:3961
> #3  0x00007ffff657652b in summary_build_content_info_message (s=0x10eaab0,
> msginfo=0x7fffbc03cc30, object=0x7fffc8010000) at camel-folder-summary.c:4011
> #4  0x00007ffff6571836 in camel_folder_summary_info_new_from_message
> (s=0x10eaab0, msg=0x7fffc8010000, 
>    bodystructure=0x7fffa8073e80 "(((\"TEXT\" \"PLAIN\" NIL NIL NIL \"QUOTED-
>PRINTABLE\" 16 1 NIL NIL NIL NIL)(\"TEXT\" \"X-PATCH\" (\"NAME\" \"evo.patch\"
> \"CHARSET\" \"UTF-8\") NIL NIL \"BASE64\" 1904 26 NIL (\"attachment\"
> (\"FILENAME\" \"evo.patch\")) NIL "...) at camel-folder-summary.c:2203
> #5  0x00007fffe94b789c in add_message_from_data (folder=0x13dd990,
> messages=0x7fffa8083a40, first=54, data=0x7fffa8083b60) at camel-
> imap-folder.c:3269

To be honest, I do not care as that much, thus I'm closing this for Bharath as fixed. Enjoy.
Comment 17 Adam Williamson 2010-02-23 18:03:52 UTC
When is there going to be a new release? Using 2.29.90 resembles a game of Minesweeper - you never know which unread email is going to make Evolution explode...
Comment 18 Milan Crha 2010-02-23 19:00:02 UTC
It (2.29.91) was released yesterday. Built for F13 this morning. I'm not planning to update for Rawhide until 2.31, somehow.
Comment 19 Adam Williamson 2010-02-23 19:04:39 UTC
Ah, thanks. I'll grab the F13 build out of koji, just for my personal sanity...