Bug 544049 – Evolution crashs when fetching/refreshing mails in an imap account

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 544049 - Evolution crashs when fetching/refreshing mails in an imap account


Summary:	Evolution crashs when fetching/refreshing mails in an imap account


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Mailer
Version:	2.24.x (obsolete)
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	evolution-mail-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:	evolution[disk-summary]

Duplicates:	544494 544666 544948 (view as bug list)
Depends on:
Blocks:	543389

Reported:	2008-07-21 19:29 UTC by MatzeB
Modified:	2013-09-13 00:57 UTC

See Also:
GNOME target:	---
GNOME version:	2.19/2.20

Attachments
proposed eds patch (2.88 KB, patch) 2008-07-25 17:49 UTC, Milan Crha	committed	Details \| Review

Description MatzeB 2008-07-21 19:29:18 UTC

Steps to reproduce:
1. I simply start evolution and after fetching summaries for some folders in my imap account it crashs.


Stack trace:
[matze@taylor] ~ > gdb --args evolution 
GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /usr/local/bin/evolution 
[Thread debugging using libthread_db enabled]
[New Thread 0xb64c36c0 (LWP 9093)]
CalDAV Eplugin starting up ...
** (evolution:9093): DEBUG: mailto URL command: evolution %s
** (evolution:9093): DEBUG: mailto URL program: evolution
[New Thread 0xb4ffeb90 (LWP 9099)]
[Thread 0xb4ffeb90 (LWP 9099) exited]
[New Thread 0xb47fdb90 (LWP 9105)]
[Thread 0xb47fdb90 (LWP 9105) exited]
store_db_path /home/matze/.evolution/mail/local/folders.db
folders table succesfully created 
[New Thread 0xb47fdb90 (LWP 9106)]
[New Thread 0xb4ffeb90 (LWP 9107)]
store_db_path /home/matze/.evolution/mail/imap/matze@kreacher.is-a-geek.net/folders.db
folders table succesfully created 
[New Thread 0xb3fd6b90 (LWP 9108)]
[New Thread 0xb37d5b90 (LWP 9109)]

** (evolution:9093): WARNING **: Couldn't open dav://matze@kreacher.is-a-geek.net/webdav/matze.ics: Vorgang nicht unterstützt
[Thread 0xb4ffeb90 (LWP 9107) exited]
[New Thread 0xb2f74b90 (LWP 9110)]
[Thread 0xb47fdb90 (LWP 9106) exited]
[Thread 0xb3fd6b90 (LWP 9108) exited]
[New Thread 0xb3fd6b90 (LWP 9117)]
[New Thread 0xb47fdb90 (LWP 9118)]
[New Thread 0xb4ffeb90 (LWP 9119)]
[Thread 0xb2f74b90 (LWP 9110) exited]
[Thread 0xb3fd6b90 (LWP 9117) exited]
[Thread 0xb4ffeb90 (LWP 9119) exited]
[Thread 0xb37d5b90 (LWP 9109) exited]

Program received signal SIGSEGV, Segmentation fault.

+ Trace 203433

Thread 3028278160 (LWP 9118)

#0 ??
#1 camel_object_init
at camel-object.c line 824
#2 camel_object_init
at camel-object.c line 821
#3 camel_object_init
at camel-object.c line 821
#4 camel_object_init
at camel-object.c line 821
#5 camel_object_init
at camel-object.c line 821
#6 camel_object_init
at camel-object.c line 821
#7 camel_object_new
at camel-object.c line 852
#8 camel_imap_folder_new
at camel-imap-folder.c line 254
#9 get_folder_offline
at camel-imap-store.c line 2105
#10 get_folder_online
#11 disco_get_folder
at camel-disco-store.c line 235
#12 camel_store_get_folder
at camel-store.c line 296
#13 mail_tool_uri_to_folder
at mail-tools.c line 331
#14 refresh_folders_exec
at mail-send-recv.c line 819
#15 mail_msg_proxy
at mail-mt.c line 523
#16 ??
from /usr/lib/libglib-2.0.so.0
#17 ??
#18 ??
#1 camel_object_init
at camel-object.c line 824

$1 = (CamelObject *) 0x84a55f8
(gdb) print type
$2 = (CamelType) 0x8bd0058
(gdb) print type->init
$3 = (void (*)(struct _CamelObject *, struct _CamelObjectClass *)) 0x20
(gdb) q
The program is running.  Exit anyway? (y or n) y


Other information:

Comment 1 Srinivasa Ragavan 2008-07-21 19:48:43 UTC

iirc jony and mcrha too faced similar issues.

Comment 2 MatzeB 2008-07-21 20:37:51 UTC

maybe it's related to INBOX/lists not being a real e-mail folder but just containing other (real) folders.

Comment 3 Milan Crha 2008-07-22 10:48:12 UTC

Yes, I saw this, but after an update to latest svn revisions it gone.
eds: 9165
evo: 35818

Comment 4 Milan Crha 2008-07-22 15:43:17 UTC

OK, it's back. This time not in the camel_..._folder_new, but really when trying to download a message from the server. Thus not fixed. I think I didn't see that before because I downloaded offending message with older version of Evolution.
I was able to download messages for a while, but it's back suddenly.
No idea what to do with it, unfortunately.

0x00000039a8c0e86f in __libc_waitpid (pid=<value optimized out>, stat_loc=<value optimized out>, options=<value optimized out>)
    at ../sysdeps/unix/sysv/linux/waitpid.c:41
41	  int result = INLINE_SYSCALL (wait4, 4, pid, stat_loc, options, NULL);

+ Trace 203505

Thread 3 (Thread 0x42672950 (LWP 29066))

#0 __lll_lock_wait
from /lib64/libpthread.so.0
#1 _L_lock_100
from /lib64/libpthread.so.0
#2 __pthread_mutex_lock
at pthread_mutex_lock.c line 86
#3 segv_redirect
at main.c line 517
#4 <signal handler called>
#5 ??
#6 camel_type_class_init
at camel-object.c line 699
#7 camel_type_class_init
at camel-object.c line 696
#8 camel_type_class_init
at camel-object.c line 696
#9 camel_type_class_init
at camel-object.c line 696
#10 co_type_register
at camel-object.c line 779
#11 camel_type_register
at camel-object.c line 800
#12 camel_seekable_stream_get_type
at camel-seekable-stream.c line 73
#13 camel_stream_mem_get_type
at camel-stream-mem.c line 100
#14 camel_stream_mem_new_with_byte_array
at camel-stream-mem.c line 168
#15 camel_stream_mem_new_with_buffer
at camel-stream-mem.c line 148
#16 parse_fetch_response
#17 imap_update_summary
at camel-imap-folder.c line 2952
#18 camel_imap_folder_changed
at camel-imap-folder.c line 3244
#19 imap_rescan
at camel-imap-folder.c line 1000
#20 camel_imap_folder_selected
at camel-imap-folder.c line 421
#21 imap_refresh_info
at camel-imap-folder.c line 669
#22 disco_refresh_info
at camel-disco-folder.c line 269
#23 camel_folder_refresh_info
at camel-folder.c line 339
#24 refresh_folders_exec
at mail-send-recv.c line 823
#25 mail_msg_proxy
at mail-mt.c line 523
#26 g_thread_pool_thread_proxy
at gthreadpool.c line 265
#27 g_thread_create_proxy
at gthread.c line 635
#28 start_thread
at pthread_create.c line 297

Comment 5 Johnny Jacob 2008-07-22 20:26:44 UTC

Yep.  Got the above trace too ..

+ Trace 203527

Thread 29 (Thread 0xb3362b90 (LWP 14397))

#0 ??
#1 camel_object_init
at camel-object.c line 821
#2 camel_object_init
at camel-object.c line 821
#3 camel_object_init
at camel-object.c line 821
#4 camel_object_init
at camel-object.c line 821
#5 camel_object_new
at camel-object.c line 852
#6 camel_stream_mem_new_with_byte_array
at camel-stream-mem.c line 168
#7 camel_stream_mem_new_with_buffer
at camel-stream-mem.c line 148
#8 parse_fetch_response
#9 imap_update_summary
at camel-imap-folder.c line 2952
#10 camel_imap_folder_changed
at camel-imap-folder.c line 3244
#11 imap_rescan
at camel-imap-folder.c line 1000
#12 camel_imap_folder_selected
at camel-imap-folder.c line 421
#13 imap_command_start
#14 camel_imap_command
at camel-imap-command.c line 111
#15 imap_sync_online
at camel-imap-folder.c line 1244
#16 disco_sync
at camel-disco-folder.c line 300
#17 camel_folder_sync
at camel-folder.c line 309
#18 store_sync
at camel-store.c line 679
#19 camel_store_sync
at camel-store.c line 701
#20 sync_store_exec
at mail-ops.c line 1573
#21 mail_msg_proxy
at mail-mt.c line 523
#22 g_thread_pool_thread_proxy
at gthreadpool.c line 265
#23 g_thread_create_proxy
at gthread.c line 635
#24 start_thread
from /lib/libpthread.so.0
#25 clone
from /lib/libc.so.6

Comment 6 Srinivasa Ragavan 2008-07-23 04:13:00 UTC

Really wondering why it crashes at ... camel_object_init

Not sure, if this has to do with disk summary :( But it crashes after the merge... Milan/Johnny any valgrinding to see if any memcorruption ?

Comment 7 Johnny Jacob 2008-07-23 07:09:29 UTC

Looks like. Valgrind traces :

sexp is : [(match-all (and (not (system-flag "deleted")) (not (system-flag "junk"))))]
Something is returned in the top-level caller : [SELECT uid FROM 'Calendar' WHERE (deleted = 0 AND junk = 0)]
==7731== 
==7731== Thread 5:
==7731== Invalid read of size 4
==7731==    at 0x6F22529: (within /usr/lib/libfreebl3.so)
==7731==    by 0x4E1763D: (within /usr/lib/libsoftokn3.so)
==7731==    by 0x4DFB82C: (within /usr/lib/libsoftokn3.so)
==7731==    by 0x4CF9F17: PK11_CipherOp (in /usr/lib/libnss3.so)
==7731==    by 0x4C7AAEB: (within /usr/lib/libssl3.so)
==7731==    by 0x4C7D2C7: (within /usr/lib/libssl3.so)
==7731==    by 0x4C8F059: (within /usr/lib/libssl3.so)
==7731==    by 0x4C8F1D2: (within /usr/lib/libssl3.so)
==7731==    by 0x4C934D5: (within /usr/lib/libssl3.so)
==7731==    by 0x4F9534E: PR_Write (in /usr/lib/libnspr4.so)
==7731==    by 0x4A6EEB1: stream_write (camel-tcp-stream-ssl.c:487)
==7731==    by 0x4B624AF: camel_stream_write (camel-stream.c:119)
==7731==  Address 0xdb73dfc is 268 bytes inside a block of size 271 alloc'd
==7731==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==7731==    by 0x5E1AD4A: vasprintf (in /lib/libc-2.8.so)
==7731==    by 0x48B0277: g_vasprintf (gprintf.c:313)
==7731==    by 0x489598B: g_strdup_vprintf (gstrfuncs.c:218)
==7731==    by 0x4B627CA: camel_stream_printf (camel-stream.c:230)
==7731==    by 0x7FFA049: imap_command_start (camel-imap-command.c:218)
==7731==    by 0x7FF9DD4: camel_imap_command_start (camel-imap-command.c:168)
==7731==    by 0x800277A: imap_update_summary (camel-imap-folder.c:2934)
==7731==    by 0x8003317: camel_imap_folder_changed (camel-imap-folder.c:3244)
==7731==    by 0x7FFD8D8: imap_rescan (camel-imap-folder.c:1000)
==7731==    by 0x7FFC33A: camel_imap_folder_selected (camel-imap-folder.c:421)
==7731==    by 0x7FFCC45: imap_refresh_info (camel-imap-folder.c:669)
==7731== 
==7731== Thread 6:
==7731== Invalid read of size 4
==7731==    at 0x4B57E4C: camel_object_init (camel-object.c:823)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57F49: camel_object_new (camel-object.c:852)
==7731==    by 0x4B60E7C: camel_stream_mem_new_with_byte_array (camel-stream-mem.c:168)
==7731==    by 0x4B60E4F: camel_stream_mem_new_with_buffer (camel-stream-mem.c:148)
==7731==    by 0x8003F3C: parse_fetch_response (camel-imap-folder.c:3489)
==7731==    by 0x8002801: imap_update_summary (camel-imap-folder.c:2952)
==7731==    by 0x8003317: camel_imap_folder_changed (camel-imap-folder.c:3244)
==7731==    by 0x7FFD8D8: imap_rescan (camel-imap-folder.c:1000)
==7731==  Address 0xf11a3f8 is not stack'd, malloc'd or (recently) free'd
==7731== 
==7731== Invalid read of size 4
==7731==    at 0x4B57E56: camel_object_init (camel-object.c:824)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57F49: camel_object_new (camel-object.c:852)
==7731==    by 0x4B60E7C: camel_stream_mem_new_with_byte_array (camel-stream-mem.c:168)
==7731==    by 0x4B60E4F: camel_stream_mem_new_with_buffer (camel-stream-mem.c:148)
==7731==    by 0x8003F3C: parse_fetch_response (camel-imap-folder.c:3489)
==7731==    by 0x8002801: imap_update_summary (camel-imap-folder.c:2952)
==7731==    by 0x8003317: camel_imap_folder_changed (camel-imap-folder.c:3244)
==7731==    by 0x7FFD8D8: imap_rescan (camel-imap-folder.c:1000)
==7731==  Address 0xf11a3f8 is not stack'd, malloc'd or (recently) free'd
==7731== 
==7731== Jump to the invalid address stated on the next line
==7731==    at 0x38: ???
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57F49: camel_object_new (camel-object.c:852)
==7731==    by 0x4B60E7C: camel_stream_mem_new_with_byte_array (camel-stream-mem.c:168)
==7731==    by 0x4B60E4F: camel_stream_mem_new_with_buffer (camel-stream-mem.c:148)
==7731==    by 0x8003F3C: parse_fetch_response (camel-imap-folder.c:3489)
==7731==    by 0x8002801: imap_update_summary (camel-imap-folder.c:2952)
==7731==    by 0x8003317: camel_imap_folder_changed (camel-imap-folder.c:3244)
==7731==    by 0x7FFD8D8: imap_rescan (camel-imap-folder.c:1000)
==7731==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
==7731== 
==7731== Process terminating with default action of signal 11 (SIGSEGV)
==7731==  Bad permissions for mapped region at address 0x38
==7731==    at 0x38: ???
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57E48: camel_object_init (camel-object.c:821)
==7731==    by 0x4B57F49: camel_object_new (camel-object.c:852)
==7731==    by 0x4B60E7C: camel_stream_mem_new_with_byte_array (camel-stream-mem.c:168)
==7731==    by 0x4B60E4F: camel_stream_mem_new_with_buffer (camel-stream-mem.c:148)
==7731==    by 0x8003F3C: parse_fetch_response (camel-imap-folder.c:3489)
==7731==    by 0x8002801: imap_update_summary (camel-imap-folder.c:2952)
==7731==    by 0x8003317: camel_imap_folder_changed (camel-imap-folder.c:3244)
==7731==    by 0x7FFD8D8: imap_rescan (camel-imap-folder.c:1000)

Comment 8 Akhil Laddha 2008-07-24 08:02:19 UTC

*** Bug 544494 has been marked as a duplicate of this bug. ***

Comment 9 Akhil Laddha 2008-07-24 08:04:28 UTC

Valgrind traces of crash at my end


==20136== 
==20136== Thread 4:
==20136== Invalid read of size 4
==20136==    at 0x4386B55: camel_object_init (camel-object.c:823)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386F78: camel_object_new (camel-object.c:852)
==20136==    by 0xBD5BA10: camel_imap_summary_new (camel-imap-summary.c:154)
==20136==    by 0xBD4D531: camel_imap_folder_new (camel-imap-folder.c:263)
==20136==    by 0xBD56C43: get_folder_offline (camel-imap-store.c:2105)
==20136==    by 0xBD570B3: get_folder_online (camel-imap-store.c:1878)
==20136==    by 0x428089E: disco_get_folder (camel-disco-store.c:235)
==20136==    by 0x42AC3E2: camel_store_get_folder (camel-store.c:297)
==20136==    by 0xBD59BDD: imap_can_refresh_folder (camel-imap-store.c:3129)
==20136==  Address 0x5fbae48 is not stack'd, malloc'd or (recently) free'd
==20136== 
==20136== Jump to the invalid address stated on the next line
==20136==    at 0x80: ???
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386F78: camel_object_new (camel-object.c:852)
==20136==    by 0xBD5BA10: camel_imap_summary_new (camel-imap-summary.c:154)
==20136==    by 0xBD4D531: camel_imap_folder_new (camel-imap-folder.c:263)
==20136==    by 0xBD56C43: get_folder_offline (camel-imap-store.c:2105)
==20136==    by 0xBD570B3: get_folder_online (camel-imap-store.c:1878)
==20136==    by 0x428089E: disco_get_folder (camel-disco-store.c:235)
==20136==    by 0x42AC3E2: camel_store_get_folder (camel-store.c:297)
==20136==    by 0xBD59BDD: imap_can_refresh_folder (camel-imap-store.c:3129)
==20136==  Address 0x80 is not stack'd, malloc'd or (recently) free'd
==20136== 
==20136== Process terminating with default action of signal 11 (SIGSEGV)
==20136==  Bad permissions for mapped region at address 0x80
==20136==    at 0x80: ???
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386B54: camel_object_init (camel-object.c:821)
==20136==    by 0x4386F78: camel_object_new (camel-object.c:852)
==20136==    by 0xBD5BA10: camel_imap_summary_new (camel-imap-summary.c:154)
==20136==    by 0xBD4D531: camel_imap_folder_new (camel-imap-folder.c:263)
==20136==    by 0xBD56C43: get_folder_offline (camel-imap-store.c:2105)
==20136==    by 0xBD570B3: get_folder_online (camel-imap-store.c:1878)
==20136==    by 0x428089E: disco_get_folder (camel-disco-store.c:235)
==20136==    by 0x42AC3E2: camel_store_get_folder (camel-store.c:297)
==20136==    by 0xBD59BDD: imap_can_refresh_folder (camel-imap-store.c:3129)

Comment 10 Milan Crha 2008-07-25 17:18:14 UTC

I checked with my account and it's not so much related of them, I removed all except of the imap and it's there. After some investigation I found the place when camel_object_type->parent has been changed from NULL to some "logic" value:

Old value = (struct _CamelObjectClass *) 0x0
New value = (struct _CamelObjectClass *) 0x7f12f4053c90
camel_flag_set (list=0x7f12f40748c0, name=0x7f12f40d3d50 "$Labelwork", value=1) at camel-folder-summary.c:3631
3631		return value;
(gdb) t a a bt

+ Trace 203783

Thread 4 (Thread 0x419ee950 (LWP 5400))

#0 camel_flag_set
at camel-folder-summary.c line 3631
#1 merge_custom_flags
at camel-imap-folder.c line 795
#2 imap_rescan
at camel-imap-folder.c line 962
#3 camel_imap_folder_selected
at camel-imap-folder.c line 421
#4 imap_refresh_info
at camel-imap-folder.c line 669
#5 disco_refresh_info
at camel-disco-folder.c line 269
#6 camel_folder_refresh_info
at camel-folder.c line 339
#7 refresh_folders_exec
at mail-send-recv.c line 823
#8 mail_msg_proxy
at mail-mt.c line 523
#9 g_thread_pool_thread_proxy
at gthreadpool.c line 265
#10 g_thread_create_proxy
at gthread.c line 635
#11 start_thread
at pthread_create.c line 297
#12 clone
from /lib64/libc.so.6

Comment 11 Milan Crha 2008-07-25 17:49:57 UTC

Created attachment 115263 [details] [review]
proposed eds patch

for evolution-data-server;

Comment 12 Srinivasa Ragavan 2008-07-25 17:57:00 UTC

Commit it Milan.

Comment 13 Milan Crha 2008-07-25 18:00:55 UTC

Committed to trunk. Committed revision 9193.

Comment 14 Srinivasa Ragavan 2008-07-26 12:27:30 UTC

*** Bug 544666 has been marked as a duplicate of this bug. ***

Comment 15 Bharath Acharya 2008-07-28 03:07:49 UTC

*** Bug 544948 has been marked as a duplicate of this bug. ***