Bug 500591 - Crash when viewing a large message
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 2.30.x (obsolete)
Hardware/OS: Other / All
Importance: High critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Duplicates: 622357 623044 624163 624819
Depends on:
Blocks:
 
 
Reported: 2007-11-30 04:36 UTC by nanu.kachari
Modified: 2010-10-05 12:52 UTC
See Also:
GNOME target: ---
GNOME version: 2.29/2.30


Attachments: evo patch (597 bytes, patch), 2010-10-05 12:47 UTC, Milan Crha, committed

Description nanu.kachari 2007-11-30 04:36:08 UTC
Version: 2.12

What were you doing when the application crashed?



Distribution: Fedora release 8 (Werewolf)
Gnome Release: 2.20.1 2007-10-15 (Red Hat, Inc)
BugBuddy Version: 2.20.1

System: Linux 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
X Vendor: The X.Org Foundation
X Vendor Release: 10300000
Selinux: Enforcing
Accessibility: Disabled
GTK+ Theme: Nodoka
Icon Theme: Fedora

Memory status: size: 169959424 vsize: 169959424 resident: 65409024 share: 18862080 rss: 65409024 rss_rlim: 4294967295
CPU usage: start_time: 1196397246 rtime: 231 utime: 200 stime: 31 cutime:0 cstime: 0 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/local/bin/evolution'

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1208850144 (LWP 7795)]
[New Thread -1298846832 (LWP 7814)]
[New Thread -1275880560 (LWP 7813)]
[New Thread -1265390704 (LWP 7811)]
[New Thread -1254900848 (LWP 7808)]
[New Thread -1242891376 (LWP 7806)]
[New Thread -1232397424 (LWP 7804)]
[New Thread -1221907568 (LWP 7801)]
0x00110402 in __kernel_vsyscall ()

Thread 1 (Thread -1208850144 (LWP 7795))

  • #0 __kernel_vsyscall
  • #1 waitpid
    from /lib/libpthread.so.0
  • #2 g_spawn_sync
    from /lib/libglib-2.0.so.0
  • #3 g_spawn_command_line_sync
    from /lib/libglib-2.0.so.0
  • #4 ??
    from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
  • #5 ??
    from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
  • #6 google_breakpad::ExceptionHandler::InternalWriteMinidump
    from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
  • #7 google_breakpad::ExceptionHandler::HandleException
    from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
  • #8 <signal handler called>
  • #9 efhd_attachment_optional
    at em-format-html-display.c line 2533
  • #10 efh_object_requested
    at em-format-html.c line 618
  • #11 html_g_cclosure_marshal_BOOLEAN__OBJECT
    from /usr/lib/libgtkhtml-3.14.so.19
  • #12 g_closure_invoke
    from /lib/libgobject-2.0.so.0
  • #13 ??
    from /lib/libgobject-2.0.so.0
  • #14 g_signal_emit_valist
    from /lib/libgobject-2.0.so.0
  • #15 g_signal_emit
    from /lib/libgobject-2.0.so.0
  • #16 ??
    from /usr/lib/libgtkhtml-3.14.so.19
  • #17 html_g_cclosure_marshal_BOOLEAN__OBJECT
    from /usr/lib/libgtkhtml-3.14.so.19
  • #18 g_closure_invoke
    from /lib/libgobject-2.0.so.0
  • #19 ??
    from /lib/libgobject-2.0.so.0
  • #20 g_signal_emit_valist
    from /lib/libgobject-2.0.so.0
  • #21 g_signal_emit
    from /lib/libgobject-2.0.so.0
  • #22 ??
    from /usr/lib/libgtkhtml-3.14.so.19
  • #23 ??
    from /usr/lib/libgtkhtml-3.14.so.19
  • #24 ??
    from /usr/lib/libgtkhtml-3.14.so.19
  • #25 html_engine_flush
    from /usr/lib/libgtkhtml-3.14.so.19
  • #26 gtk_html_flush
    from /usr/lib/libgtkhtml-3.14.so.19
  • #27 emhs_sync_flush
    at em-html-stream.c line 127
  • #28 emcs_gui_received
    at em-sync-stream.c line 161
  • #29 ??
    from /lib/libglib-2.0.so.0
  • #30 g_main_context_dispatch
    from /lib/libglib-2.0.so.0
  • #31 ??
    from /lib/libglib-2.0.so.0
  • #32 g_main_loop_run
    from /lib/libglib-2.0.so.0
  • #33 bonobo_main
    from /usr/lib/libbonobo-2.so.0
  • #34 main
    at main.c line 602
  • #0 __kernel_vsyscall


----------- .xsession-errors ---------------------
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/c6/5e4def59c02d60b8e87d8632c4ca648881fd91.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/f2/c9583eac8c6389b1e7625d267cc23cd3ecaf8b.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/4b/2c911bc74df1b7083252e89a2b472f675953f6.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/91/c3577f45017cd96aefb973ac580e45f33e5770.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/c1/7f632e82a01851150787c999fadea9d27655de.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/48/514761f84bb2fba2a3edbaea2ae9b61977cf51.debug
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/13/43098bfb6c33ba11392b8cc202272de5e7e7cb.debug
Cannot access memory at address 0x0
Cannot access memory at address 0x0
--------------------------------------------------
Comment 1 Akhil Laddha 2007-12-04 04:13:55 UTC
Good trace

  • #9 efhd_attachment_optional
    at em-format-html-display.c line 2533
  • #10 efh_object_requested
    at em-format-html.c line 618

Comment 2 Milan Crha 2008-09-10 15:54:43 UTC
It depends what you did. Did you "quickly" move from one message to another?
Comment 3 Tobias Mueller 2009-04-02 08:47:17 UTC
Hey folks,

I don't think the reporter could remember what she did as it crashed 2.5 yrs ago. Sadly, I'm closing this bug, although it has a good trace. Please reopen if this bug is of any importance.
Comment 4 Akhil Laddha 2010-06-28 15:35:26 UTC
*** Bug 623044 has been marked as a duplicate of this bug. ***
Comment 5 Akhil Laddha 2010-06-28 15:36:41 UTC
last dupe against 2.30.x
Comment 6 Akhil Laddha 2010-07-12 15:35:25 UTC
*** Bug 622357 has been marked as a duplicate of this bug. ***
Comment 7 Akhil Laddha 2010-07-12 15:35:33 UTC
*** Bug 624163 has been marked as a duplicate of this bug. ***
Comment 8 Akhil Laddha 2010-07-12 15:36:11 UTC
really good traces in bug 622357 against 2.30.x
Comment 9 Milan Crha 2010-07-13 12:57:18 UTC
Should be related to large file support and bug #612082, thus I'm marking this as a duplicate of it, because it contains a fix for it. Meanwhile probably easiest to disable large file support on evolution-data-server.

*** This bug has been marked as a duplicate of bug 612082 ***
Comment 10 Akhil Laddha 2010-07-21 03:43:23 UTC
*** Bug 624819 has been marked as a duplicate of this bug. ***
Comment 11 Milan Crha 2010-10-05 12:28:00 UTC
OK, I was wrong (comment #9), I can reproduce the crash on evolution's git master (2.91.0), simply by setting
   /apps/evolution/mail/display/message_text_part_limit
to 4 (4KB) and selecting some message which has more than 4KB of text in it.

Top of the backtrace is:

  • #0 g_type_check_instance_is_a
    at gtype.c line 3941
  • #1 camel_stream_mem_get_byte_array
    at camel-stream-mem.c line 320
  • #2 efhd_attachment_optional
    at em-format-html-display.c line 1067
  • #3 efh_object_requested
    at em-format-html.c line 1587
  • #4 html_g_cclosure_marshal_BOOLEAN__OBJECT
    at htmlmarshal.c line 81
  • #5 g_closure_invoke
    at gclosure.c line 766
  • #6 signal_emit_unlocked_R
    at gsignal.c line 3252
  • #7 g_signal_emit_valist
    at gsignal.c line 2993
  • #8 g_signal_emit
    at gsignal.c line 3040
  • #9 html_engine_object_requested_cb
    at gtkhtml.c line 552


and valgrind says:
==8616== Invalid read of size 4
==8616==    at 0x45AAA7D: camel_stream_mem_get_byte_array (camel-stream-mem.c:320)
==8616==    by 0x51B08DF: efhd_attachment_optional (em-format-html-display.c:1067)
==8616==    by 0x51AAE5F: efh_object_requested (em-format-html.c:1587)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
==8616==    by 0x47F8DF7: g_signal_emit (gsignal.c:3040)
==8616==    by 0x4442DD7: html_engine_object_requested_cb (gtkhtml.c:552)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==  Address 0x573f5f8 is 0 bytes inside a block of size 64 free'd
==8616==    at 0x40057F6: free (vg_replace_malloc.c:325)
==8616==    by 0x4F19FEE: g_free (gmem.c:263)
==8616==    by 0x4F32239: g_slice_free1 (gslice.c:907)
==8616==    by 0x47FF536: g_type_free_instance (gtype.c:1932)
==8616==    by 0x47E973E: g_object_unref (gobject.c:2708)
==8616==    by 0x520302F: em_format_format_text (em-format.c:1428)
==8616==    by 0x51AB4FD: efh_text_plain (em-format-html.c:1804)
==8616==    by 0x52016F0: em_format_part_as (em-format.c:842)
==8616==    by 0x52017CE: em_format_part (em-format.c:876)
==8616==    by 0x51ADF99: efh_format_message (em-format-html.c:2945)
==8616==    by 0x51A792D: efh_format_exec (em-format-html.c:216)
==8616==    by 0x51C3725: mail_msg_proxy (mail-mt.c:473)
==8616== 
==8616== Invalid read of size 4
==8616==    at 0x4802E31: g_type_check_instance_is_a (gtype.c:3936)
==8616==    by 0x45AAAA9: camel_stream_mem_get_byte_array (camel-stream-mem.c:320)
==8616==    by 0x51B08DF: efhd_attachment_optional (em-format-html-display.c:1067)
==8616==    by 0x51AAE5F: efh_object_requested (em-format-html.c:1587)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
==8616==    by 0x47F8DF7: g_signal_emit (gsignal.c:3040)
==8616==    by 0x4442DD7: html_engine_object_requested_cb (gtkhtml.c:552)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==  Address 0x573f5f8 is 0 bytes inside a block of size 64 free'd
==8616==    at 0x40057F6: free (vg_replace_malloc.c:325)
==8616==    by 0x4F19FEE: g_free (gmem.c:263)
==8616==    by 0x4F32239: g_slice_free1 (gslice.c:907)
==8616==    by 0x47FF536: g_type_free_instance (gtype.c:1932)
==8616==    by 0x47E973E: g_object_unref (gobject.c:2708)
==8616==    by 0x520302F: em_format_format_text (em-format.c:1428)
==8616==    by 0x51AB4FD: efh_text_plain (em-format-html.c:1804)
==8616==    by 0x52016F0: em_format_part_as (em-format.c:842)
==8616==    by 0x52017CE: em_format_part (em-format.c:876)
==8616==    by 0x51ADF99: efh_format_message (em-format-html.c:2945)
==8616==    by 0x51A792D: efh_format_exec (em-format-html.c:216)
==8616==    by 0x51C3725: mail_msg_proxy (mail-mt.c:473)
==8616== 

(evolution:8616): camel-CRITICAL **: camel_stream_mem_get_byte_array: assertion `CAMEL_IS_STREAM_MEM (mem)' failed
==8616== Invalid read of size 4
==8616==    at 0x51B08E6: efhd_attachment_optional (em-format-html-display.c:1069)
==8616==    by 0x51AAE5F: efh_object_requested (em-format-html.c:1587)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
==8616==    by 0x47F8DF7: g_signal_emit (gsignal.c:3040)
==8616==    by 0x4442DD7: html_engine_object_requested_cb (gtkhtml.c:552)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
==8616==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==8616== 
==8616== 
==8616== Process terminating with default action of signal 11 (SIGSEGV)
==8616==  Access not within mapped region at address 0x4
==8616==    at 0x51B08E6: efhd_attachment_optional (em-format-html-display.c:1069)
==8616==    by 0x51AAE5F: efh_object_requested (em-format-html.c:1587)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
==8616==    by 0x47F8DF7: g_signal_emit (gsignal.c:3040)
==8616==    by 0x4442DD7: html_engine_object_requested_cb (gtkhtml.c:552)
==8616==    by 0x449C89D: html_g_cclosure_marshal_BOOLEAN__OBJECT (htmlmarshal.c:81)
==8616==    by 0x47E2888: g_closure_invoke (gclosure.c:766)
==8616==    by 0x47F9739: signal_emit_unlocked_R (gsignal.c:3252)
==8616==    by 0x47F8B97: g_signal_emit_valist (gsignal.c:2993)
Comment 12 Milan Crha 2010-10-05 12:47:38 UTC
Created attachment 171759
evo patch

for evolution;

Finally a one-liner. The valgrind log above explains it all: the mem stream was gone before it was done with it, and it was only a matter of luck whether the GSlice memory part for it was overwritten or not.
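The ownership mistake the valgrind log describes (a deferred consumer keeps a borrowed pointer to a refcounted stream that the producer has already unreffed) and the shape of the one-line fix (the consumer takes its own reference) can be modelled in a few dozen lines. The following is an added example, not Evolution or Camel code; the type and function names are hypothetical stand-ins for CamelStreamMem and the "object requested" signal, and a small liveness table plays the role valgrind played above, so the buggy path is reported instead of dereferencing freed memory.

```c
/* Added example, not Evolution code: a minimal refcounted "memory stream"
 * mimicking the bug in this report (a consumer keeps a borrowed pointer to an
 * object the producer has already unreffed) and the fix (the consumer holds
 * its own reference). A liveness table stands in for valgrind, so the buggy
 * path is detected instead of reading freed memory. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int refcount;
    char *bytes;
    size_t len;
} MemStream;

/* Liveness table: every allocated stream is recorded here and removed when
 * freed, so a consumer can ask "is this pointer still backed by memory?" */
#define MAX_LIVE 16
static MemStream *live[MAX_LIVE];

static void track(MemStream *s) {
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = s; return; }
}
static void untrack(MemStream *s) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == s) live[i] = NULL;
}
static int is_live(const MemStream *s) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == s) return 1;
    return 0;
}

static MemStream *mem_stream_new(const char *text) {
    MemStream *s = calloc(1, sizeof *s);
    s->refcount = 1;
    s->len = strlen(text);
    s->bytes = malloc(s->len);
    memcpy(s->bytes, text, s->len);
    track(s);
    return s;
}
static MemStream *mem_stream_ref(MemStream *s) { s->refcount++; return s; }
static void mem_stream_unref(MemStream *s) {
    if (--s->refcount > 0) return;
    untrack(s);
    free(s->bytes);
    free(s);
}

/* A deferred request, like the "object requested" signal the HTML widget
 * emits later when it renders the placeholder for the truncated text part. */
typedef struct { MemStream *stream; int owns_ref; } PendingRequest;

/* Consumer side: runs after the producer has finished. Returns the number of
 * bytes it could read, or -1 if the stream had already been freed. */
static long handle_request(PendingRequest *req) {
    if (!is_live(req->stream))
        return -1;                      /* would have been a use-after-free */
    long n = (long) req->stream->len;
    if (req->owns_ref)
        mem_stream_unref(req->stream);  /* drop the reference we took */
    return n;
}

/* Producer side. take_ref == 0 reproduces the bug: the request only borrows
 * the stream, and the producer's unref frees it before the request runs.
 * take_ref == 1 is the fix: the request holds its own reference. */
static long format_text_part(const char *text, int take_ref) {
    MemStream *stream = mem_stream_new(text);
    PendingRequest req = { .stream = take_ref ? mem_stream_ref(stream) : stream,
                           .owns_ref = take_ref };
    mem_stream_unref(stream);           /* producer is done with the stream */
    return handle_request(&req);        /* deferred consumer runs afterwards */
}

int main(void) {
    const char *body = "constructed sample message text"; /* constructed input */
    printf("borrowed pointer: %ld\n", format_text_part(body, 0)); /* -1 */
    printf("own reference:    %ld\n", format_text_part(body, 1)); /* 31 */
    return 0;
}
```

The point of the model is the ownership rule, not the table: whoever outlives the producer must hold its own reference, and the last unref, wherever it happens, is the only place the memory may go away. In the real code the same borrowed pointer only crashed when GSlice happened to reuse the block, which is why the reports were intermittent and why valgrind, rather than the backtrace alone, located the free.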
Comment 13 Milan Crha 2010-10-05 12:52:32 UTC
Created commit 5268a86 in evo master (2.91.1+)
Created commit e831407 in evo gnome-2-32 (2.32.1+)