GNOME Bugzilla – Bug 468427
crash in start_calendar_server (source=0x0) at itip-formatter.c:314
Last modified: 2008-04-24 15:00:59 UTC
Version: 2.10
What were you doing when the application crashed?
moving an appointment from local to MS Exchange calendar
Distribution: Fedora release 7 (Moonshine)
Gnome Release: 2.18.3 2007-07-02 (Red Hat, Inc)
BugBuddy Version: 2.18.0
System: Linux 2.6.22.1-33.fc7 #1 SMP Mon Jul 23 16:59:15 EDT 2007 x86_64
X Vendor: The X.Org Foundation
X Vendor Release: 10300000
Selinux: Enforcing
Accessibility: Disabled
GTK+ Theme: Clearlooks
Icon Theme: Fedora
Memory status: size: 685424640 vsize: 685424640 resident: 62013440 share: 44568576 rss: 62013440 rss_rlim: 18446744073709551615
CPU usage: start_time: 1187597176 rtime: 175 utime: 149 stime: 26 cutime:1 cstime: 14 timeout: 0 it_real_value: 0 frequency: 100
Backtrace was generated from '/usr/bin/evolution'
Using host libthread_db library "/lib64/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 46912496488592 (LWP 4188)]
[New Thread 1136945488 (LWP 4287)]
[New Thread 1136679248 (LWP 4228)]
[New Thread 1094719824 (LWP 4224)]
0x0000003a0e00d97f in waitpid () from /lib64/libpthread.so.0
Trace 156516
Thread 1 (Thread 46912496488592 (LWP 4188))
----------- .xsession-errors (8 sec old) ---------------------
(evolution:4188): libecal-WARNING **: e-cal.c:317: Unexpected response
(evolution:4188): e-data-server-DEBUG: Loading categories from "/home/torbjorn/.evolution/categories.xml"
(evolution:4188): e-data-server-DEBUG: Loaded 29 categories
(evolution:4188): libecal-WARNING **: e-cal.c:317: Unexpected response
(evolution:4188): libecal-WARNING **: e-cal.c:317: Unexpected response
calendar-gui-Message: Check if default client matches (1144237822.2427.9@torbjorn.diagenic.intern 1144237822.2427.9@torbjorn.diagenic.intern)
(evolution:4188): libecal-WARNING **: e-cal.c:317: Unexpected response
(evolution:4188): libecal-WARNING **: e-cal.c:317: Unexpected response
(evolution:4188): e-data-server-CRITICAL **: e_source_peek_uid: assertion `E_IS_SOURCE (source)' failed
--------------------------------------------------
Created attachment 103485: Itip-bits-rewrite
See the ChangeLog for the reason it was crashing all the time. This fix isn't for this, but for quite a lot/all of the itip-formatter crashes I saw in the stacktrace bug. The data/carrier the callbacks carried was freed, and it always pointed to some dangling pointer. Andre, if you come across itip-formatter issues, please CC me or close it as a dupe of this. I'm so sure of this. Chen: For a detailed review :)
srini: querying for "itip-formatter.c" brings up bug 510340, bug 501298, bug 493736, bug 490137, bug 457645, bug 447938, bug 355418, bug 355416.
==30075== Invalid read of size 4
==30075==    at 0x61DA73D: idle_open_cb (itip-formatter.c:1596)
==30075==    by 0x5731C20: g_idle_dispatch (gmain.c:4142)
==30075==    by 0x57337D5: g_main_context_dispatch (gmain.c:2064)
==30075==    by 0x5736BC1: g_main_context_iterate (gmain.c:2697)
==30075==    by 0x5736FA6: g_main_loop_run (gmain.c:2905)
==30075==    by 0x4B97EA2: bonobo_main (bonobo-main.c:311)
==30075==    by 0x805E35A: main (main.c:719)
==30075==  Address 0x6DEBB00 is 96 bytes inside a block of size 160 free'd
==30075==    at 0x402243F: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30075==    by 0x573B6A0: g_free (gmem.c:187)
==30075==    by 0x609C6B0: em_format_html_remove_pobject (em-format-html.c:408)
==30075==    by 0x609C6EE: em_format_html_clear_pobject (em-format-html.c:416)
==30075==    by 0x609DE4B: efh_format_timeout (em-format-html.c:1371)
==30075==    by 0x60957E1: efhd_format_clone (em-format-html-display.c:1388)
==30075==    by 0x60A208C: em_format_set_inline (em-format.c:1029)
==30075==    by 0x6099113: efhd_attachment_show (em-format-html-display.c:1483)
==30075==    by 0x6099140: efhd_attachment_button_show (em-format-html-display.c:1489)
==30075==    by 0x56D424E: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==30075==    by 0x56C69B1: g_closure_invoke (gclosure.c:490)
==30075==    by 0x56DBB7C: signal_emit_unlocked_R (gsignal.c:2440)
==30075==
==30075== Invalid read of size 4
==30075==    at 0x61D9D7D: view_response_cb (itip-formatter.c:1629)
==30075==    by 0x56D4EB4: g_cclosure_marshal_VOID(i_xx_t) (gmarshal.c:216)
==30075==    by 0x56C69B1: g_closure_invoke (gclosure.c:490)
==30075==    by 0x56DBB7C: signal_emit_unlocked_R (gsignal.c:2440)
==30075==    by 0x56DD717: g_signal_emit_valist (gsignal.c:2199)
==30075==    by 0x56DDB64: g_signal_emit (gsignal.c:2243)
==30075==    by 0x61DC183: button_clicked_cb (itip-view.c:779)
==30075==    by 0x56D424E: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==30075==    by 0x56C69B1: g_closure_invoke (gclosure.c:490)
==30075==    by 0x56DBB7C: signal_emit_unlocked_R (gsignal.c:2440)
==30075==    by 0x56DD717: g_signal_emit_valist (gsignal.c:2199)
==30075==    by 0x56DDB64: g_signal_emit (gsignal.c:2243)
==30075==  Address 0x6DEBABC is 28 bytes inside a block of size 160 free'd
==30075==    at 0x402243F: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30075==    by 0x573B6A0: g_free (gmem.c:187)
==30075==    by 0x609C6B0: em_format_html_remove_pobject (em-format-html.c:408)
==30075==    by 0x609C6EE: em_format_html_clear_pobject (em-format-html.c:416)
==30075==    by 0x609DE4B: efh_format_timeout (em-format-html.c:1371)
==30075==    by 0x60957E1: efhd_format_clone (em-format-html-display.c:1388)
==30075==    by 0x60A208C: em_format_set_inline (em-format.c:1029)
==30075==    by 0x6099113: efhd_attachment_show (em-format-html-display.c:1483)
==30075==    by 0x6099140: efhd_attachment_button_show (em-format-html-display.c:1489)
==30075==    by 0x56D424E: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==30075==    by 0x56C69B1: g_closure_invoke (gclosure.c:490)
==30075==    by 0x56DBB7C: signal_emit_unlocked_R (gsignal.c:2440)
Some of the issues that will be fixed with my patch, but not just limited to this :)
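The failure mode the valgrind output shows is an idle callback (idle_open_cb) running after the carrier it was given had already been freed by em_format_html_remove_pobject. The following is an added illustration of the defensive pattern for that class of use-after-free, not the committed Evolution patch: the owner keeps the source id of anything it scheduled and cancels it before freeing. It is plain C with a small stand-in for GLib's idle queue so it runs without GLib; carrier_t, idle_add and the other names are assumptions.

```c
#include <stdlib.h>

/* Stand-in for GLib's idle queue (g_idle_add / g_source_remove), so this runs
 * without GLib; entries are one-shot, like an idle handler returning FALSE. */
typedef void (*idle_fn)(void *data);
typedef struct { idle_fn fn; void *data; int active; } pending_t;
static pending_t queue[8];

static unsigned idle_add(idle_fn fn, void *data) {
    for (unsigned i = 0; i < 8; i++)
        if (!queue[i].active) { queue[i] = (pending_t){ fn, data, 1 }; return i + 1; }
    return 0;                                  /* source id; 0 means no free slot */
}
static void idle_remove(unsigned id) { if (id) queue[id - 1].active = 0; }
static int idle_dispatch(void) {               /* run and retire every pending entry */
    int ran = 0;
    for (unsigned i = 0; i < 8; i++)
        if (queue[i].active) { queue[i].active = 0; queue[i].fn(queue[i].data); ran++; }
    return ran;
}

/* Constructed carrier standing in for the pobject the formatter's callbacks got:
 * the bug was freeing it while idle_open_cb was still queued. */
typedef struct { unsigned idle_id; int opened; } carrier_t;

static void idle_open_cb(void *data) {
    carrier_t *c = data;                       /* dangles if c was already freed */
    c->idle_id = 0;                            /* one-shot: the source is gone now */
    c->opened = 1;
}
static carrier_t *carrier_new(void) {
    carrier_t *c = calloc(1, sizeof *c);
    c->idle_id = idle_add(idle_open_cb, c);    /* remember the id this owner holds */
    return c;
}
/* The fix: cancel what was scheduled before the memory goes away. A bare
 * free(c) here is the shape that produced the valgrind "Invalid read" above. */
static void carrier_free(carrier_t *c) { idle_remove(c->idle_id); free(c); }

/* Freed before the main loop ran: the callback must never fire (returns 0). */
static int demo_freed_before_dispatch(void) {
    carrier_free(carrier_new());
    return idle_dispatch();
}
/* Still alive when the loop runs: fires exactly once, then frees cleanly. */
static int demo_dispatched_then_freed(void) {
    carrier_t *c = carrier_new();
    int ok = idle_dispatch() == 1 && c->opened && c->idle_id == 0;
    carrier_free(c);                           /* idle_id is 0, nothing to cancel */
    return ok;
}
```

With GLib the same discipline applies to g_timeout_add and signal handlers: the owner of the data stores the returned id and removes it in its dispose/free path.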
The fix looks good to commit and should solve a lot of crashers around this area.
Patch committed to SVN trunk as r34960 (http://svn.gnome.org/viewvc/evolution?view=revision&revision=34960)
*** Bug 510340 has been marked as a duplicate of this bug. ***
*** Bug 490137 has been marked as a duplicate of this bug. ***
*** Bug 493736 has been marked as a duplicate of this bug. ***