Bug 605811 - Evolution hangs trying to create a new calendar entry
Status: RESOLVED NOTGNOME
Product: evolution
Classification: Applications
Component: Calendar
Version: 2.30.x (obsolete)
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: evolution-calendar-maintainers
QA Contact: Evolution QA team
Duplicates: 609705
Depends on:
Blocks:
 
 
Reported: 2009-12-31 16:08 UTC by David Ronis
Modified: 2013-09-13 01:07 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Valgrind output (22.95 KB, text/plain)
2010-01-06 18:12 UTC, David Ronis

Description David Ronis 2009-12-31 16:08:21 UTC
I'm running yesterday's git/master of evo and friends.  I just tried creating a new calendar entry by clicking on New.   Evo hangs.  Here's the backtrace:


Thread 3 (Thread 0xb020fb90 (LWP 11206))

  • #0 __lll_lock_wait_private
    from //lib/libc.so.6
  • #1 _L_lock_15450
    from //lib/libc.so.6
  • #2 free
    from //lib/libc.so.6
  • #3 IA__g_free
    at gmem.c line 190
  • #4 __nptl_deallocate_tsd
    from //lib/libpthread.so.0
  • #5 start_thread
    from //lib/libpthread.so.0
  • #6 clone
    from //lib/libc.so.6

Thread 2 (Thread 0xb1c2ab90 (LWP 11243))

  • #0 __lll_lock_wait_private
    from //lib/libc.so.6
  • #1 _L_lock_15450
    from //lib/libc.so.6
  • #2 free
    from //lib/libc.so.6
  • #3 IA__g_free
    at gmem.c line 190
  • #4 IA__g_hash_table_unref
    at ghash.c line 737
  • #5 camel_folder_change_info_free
    at camel-folder.c line 2580
  • #6 vee_rebuild_folder
    at camel-vee-folder.c line 1325
  • #7 vee_add_folder
    at camel-vee-folder.c line 1952
  • #8 camel_vee_folder_add_folder
    at camel-vee-folder.c line 222
  • #9 vfolder_adduri_exec
    at mail-vfolder.c line 273
  • #10 mail_msg_proxy
    at mail-mt.c line 459
  • #11 g_thread_pool_thread_proxy
    at gthreadpool.c line 265
  • #12 g_thread_create_proxy
    at gthread.c line 635
  • #13 start_thread
    from //lib/libpthread.so.0
  • #14 clone
    from //lib/libc.so.6

Thread 1 (Thread 0xb56bb700 (LWP 11046))

  • #0 __lll_lock_wait_private
    from //lib/libc.so.6
  • #1 _L_lock_15450
    from //lib/libc.so.6
  • #2 free
    from //lib/libc.so.6
  • #3 process_responses
    from /usr/lib/libX11.so.6
  • #4 ??
  • #5 ??
  • #0 __lll_lock_wait_private
    from //lib/libc.so.6

Comment 1 David Ronis 2010-01-05 18:43:35 UTC
Following Milan's suggestion, I disabled vfolders in gconf (/apps/evolution/mail/display/enable_vfolders), reran under a debugger and triggered the crash.   Here's the backtrace:

Thread 1 (Thread 0xb57b6710 (LWP 25831))

  • #0 mempcpy
    from /lib/libc.so.6
  • #1 _IO_default_xsputn_internal
    from /lib/libc.so.6
  • #2 vfprintf
    from /lib/libc.so.6
  • #3 vsprintf
    from /lib/libc.so.6
  • #4 vsnprintf
    at vsnprintf.c line 135
  • #5 _dbus_printf_string_upper_bound
    at dbus-sysdeps-unix.c line 3228
  • #6 _dbus_string_append_printf_valist
    at dbus-string.c line 1255
  • #7 dbus_set_error
    at dbus-errors.c line 384
  • #8 dbus_set_error_from_message
    at dbus-message.c line 3616
  • #9 dbus_g_proxy_end_call_internal
    at dbus-gproxy.c line 2351
  • #10 dbus_g_proxy_call
    at dbus-gproxy.c line 2593
  • #11 e_cal_get_objects_for_uid
    at e-data-cal-bindings.h line 482
  • #12 sensitize_buttons
    at recurrence-page.c line 615
  • #13 recurrence_page_fill_widgets
    at recurrence-page.c line 1609
  • #14 comp_editor_page_fill_widgets
    at comp-editor-page.c line 326
  • #15 real_edit_comp
    at comp-editor.c line 2547
  • #16 event_editor_edit_comp
    at event-editor.c line 559
  • #17 comp_editor_edit_comp
    at comp-editor.c line 2756
  • #18 e_calendar_view_open_event_with_flags
    at e-calendar-view.c line 1474
  • #19 e_calendar_view_new_appointment_for
    at e-calendar-view.c line 1364
  • #20 e_calendar_view_new_appointment_full
    at e-calendar-view.c line 1435
  • #21 action_event_new_cb
    at e-cal-shell-backend.c line 353
  • #22 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #23 IA__g_closure_invoke
    at gclosure.c line 767
  • #24 signal_emit_unlocked_R
    at gsignal.c line 3247
  • #25 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #26 IA__g_signal_emit
    at gsignal.c line 3037
  • #27 _gtk_action_emit_activate
    at gtkaction.c line 755
  • #28 IA__gtk_action_activate
    at gtkaction.c line 785
  • #29 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #30 g_type_class_meta_marshal
    at gclosure.c line 878
  • #31 IA__g_closure_invoke
    at gclosure.c line 767
  • #32 signal_emit_unlocked_R
    at gsignal.c line 3177
  • #33 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #34 IA__g_signal_emit
    at gsignal.c line 3037
  • #35 IA__gtk_menu_item_activate
    at gtkmenuitem.c line 879
  • #36 menu_tool_button_clicked
    at e-menu-tool-button.c line 126
  • #37 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #38 g_type_class_meta_marshal
    at gclosure.c line 878
  • #39 IA__g_closure_invoke
    at gclosure.c line 767
  • #40 signal_emit_unlocked_R
    at gsignal.c line 3177
  • #41 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #42 IA__g_signal_emit_by_name
    at gsignal.c line 3074
  • #43 button_clicked
    at gtktoolbutton.c line 764
  • #44 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #45 IA__g_closure_invoke
    at gclosure.c line 767
  • #46 signal_emit_unlocked_R
    at gsignal.c line 3247
  • #47 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #48 IA__g_signal_emit
    at gsignal.c line 3037
  • #49 IA__gtk_button_clicked
    at gtkbutton.c line 1127
  • #50 gtk_real_button_released
    at gtkbutton.c line 1723
  • #51 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #52 g_type_class_meta_marshal
    at gclosure.c line 878
  • #53 IA__g_closure_invoke
    at gclosure.c line 767
  • #54 signal_emit_unlocked_R
    at gsignal.c line 3177
  • #55 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #56 IA__g_signal_emit
    at gsignal.c line 3037
  • #57 gtk_button_released
    at gtkbutton.c line 1119
  • #58 gtk_button_button_release
    at gtkbutton.c line 1615
  • #59 _gtk_marshal_BOOLEAN__BOXED
    at gtkmarshalers.c line 84
  • #60 g_type_class_meta_marshal
    at gclosure.c line 878
  • #61 IA__g_closure_invoke
    at gclosure.c line 767
  • #62 signal_emit_unlocked_R
    at gsignal.c line 3285
  • #63 IA__g_signal_emit_valist
    at gsignal.c line 2990
  • #64 IA__g_signal_emit
    at gsignal.c line 3037
  • #65 gtk_widget_event_internal
    at gtkwidget.c line 4938
  • #66 IA__gtk_propagate_event
    at gtkmain.c line 2442
  • #67 IA__gtk_main_do_event
    at gtkmain.c line 1647
  • #68 gdk_event_dispatch
    at gdkevents-x11.c line 2372
  • #69 IA__g_main_context_dispatch
    at gmain.c line 1960
  • #70 g_main_context_iterate
    at gmain.c line 2591
  • #71 IA__g_main_loop_run
    at gmain.c line 2799
  • #72 IA__gtk_main
    at gtkmain.c line 1219
  • #73 main
    at main.c line 593

Comment 2 Milan Crha 2010-01-06 13:28:49 UTC
Hrm, I do not understand the second crash. When I try to reproduce it, and it's enough to create a new appointment there, then it is working fine for me. Also the code walk-through, with the dbus code as well, doesn't show any issue. Could your build be somehow corrupted? Because otherwise more people would see this, I would guess.

Pretty much the same applies to the first trace, which is independent of this one, as far as I can tell.
Comment 3 Milan Crha 2010-01-06 13:29:33 UTC
Maybe try to run this under valgrind, whether it'll show any invalid reads/writes or similar.
Comment 4 David Ronis 2010-01-06 18:11:52 UTC
I ran under valgrind (which I managed to crash).  I've attached the log.
Comment 5 David Ronis 2010-01-06 18:12:22 UTC
Created attachment 150914
Valgrind output
Comment 6 Milan Crha 2010-01-06 18:58:17 UTC
Let's start with basic things. I just noticed in your valgrind output these things:
(evolution:22683): evolution-plugin-lib-WARNING **: can't load plugin '/opt/garnome-svn-2.29.4/lib/evolution/2.30/plugins/liborg-gnome-exchange-mapi.so': libmapi.so.0: cannot open shared object file: No such file or directory

(evolution:22683): evolution-plugin-lib-WARNING **: can't load plugin '/opt/garnome-svn-2.29.4/lib/evolution/2.30/plugins/liborg-gnome-exchange-mapi.so': libmapi.so.0: cannot open shared object file: No such file or directory

(evolution:22683): evolution-plugin-lib-WARNING **: can't load plugin '/opt/garnome-svn-2.29.4/lib/evolution/2.30/plugins/liborg-gnome-exchange-mapi.so': libmapi.so.0: cannot open shared object file: No such file or directory

(evolution:22683): e-utils-CRITICAL **: Plugin "Exchange MAPI" is missing a function named e_plugin_ui_init()

Try to get rid of them, probably by recompiling exchange-mapi, and then we'll see. Am I right that you are trying to create an event in a MAPI calendar?
Comment 7 David Ronis 2010-01-06 19:00:41 UTC
I've got my mapi account disabled, although I currently don't have evo-mapi built (I'm having issues with building openchange).

The calendar in question is a local one.
Comment 8 David Ronis 2010-01-06 21:09:59 UTC
I also removed all the exchange plugins from evo's plugin dir.
Comment 9 Milan Crha 2010-01-08 15:25:13 UTC
Just for the record, as you told me on IRC, you switched to 2.28 and it doesn't exhibit this, but evo family on master and rest (most) gnome on 2.29.4 does exhibit this. You were also talking about issues with gnome panel and other system components on 2.29.4.
Comment 10 David Ronis 2010-01-08 18:46:40 UTC
More or less correct.   The 2.29.4 tree is based on the current releases of gnome and other applications and a completely fresh build.  After this I rebuild and reinstall evo and friends.   What I called 2.28.0 started out as a fresh build when 2.28.0 was released, but has been incrementally upgraded in the meantime.   The evolution on the 2.28.0 tree is the git master of Dec 16.

To be sure, there are other 2.29.4 apps that aren't behaving correctly (e.g., gnome-panel, seahorse, gnome-keyring), which strongly suggests that something low level is responsible for much of this.   Since there is no ABI/API freeze yet, perhaps this is the root cause?
Comment 11 David Ronis 2010-02-09 23:06:45 UTC
I just upgraded gnome to 2.29.90 and rebuilt/installed evolution & friends (git/master).  I'm still seeing a hang when I try to create a new calendar entry.  I got the following bt running in GDB from the console:


Thread 1 (Thread 0xb5782710 (LWP 5061))

  • #0 mempcpy
    from /lib/libc.so.6
  • #1 _IO_default_xsputn_internal
    from /lib/libc.so.6
  • #2 vfprintf
    from /lib/libc.so.6
  • #3 vsprintf
    from /lib/libc.so.6
  • #4 vsnprintf
    at vsnprintf.c line 135
  • #5 _dbus_printf_string_upper_bound
    at dbus-sysdeps-unix.c line 3228
  • #6 _dbus_string_append_printf_valist
    at dbus-string.c line 1255
  • #7 dbus_set_error
    at dbus-errors.c line 384
  • #8 dbus_set_error_from_message
    at dbus-message.c line 3616
  • #9 dbus_g_proxy_end_call_internal
    at dbus-gproxy.c line 2359
  • #10 dbus_g_proxy_call
    at dbus-gproxy.c line 2601
  • #11 e_cal_get_objects_for_uid
  • #12 sensitize_buttons
    at recurrence-page.c line 615
  • #13 recurrence_page_fill_widgets
    at recurrence-page.c line 1609
  • #14 comp_editor_page_fill_widgets
    at comp-editor-page.c line 326
  • #15 real_edit_comp
    at comp-editor.c line 2541
  • #16 event_editor_edit_comp
    at event-editor.c line 559
  • #17 comp_editor_edit_comp
    at comp-editor.c line 2750
  • #18 e_calendar_view_open_event_with_flags
    at e-calendar-view.c line 1523
  • #19 e_calendar_view_new_appointment_for
    at e-calendar-view.c line 1413
  • #20 e_calendar_view_new_appointment_full
    at e-calendar-view.c line 1484
  • #21 action_event_new_cb
    at e-cal-shell-backend.c line 375
  • #22 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #23 IA__g_closure_invoke
    at gclosure.c line 767
  • #24 signal_emit_unlocked_R
  • #25 IA__g_signal_emit_valist
    at gsignal.c line 2976
  • #26 IA__g_signal_emit
    at gsignal.c line 3033
  • #27 _gtk_action_emit_activate
    at gtkaction.c line 755
  • #28 IA__gtk_action_activate
    at gtkaction.c line 785
  • #29 IA__g_cclosure_marshal_VOID__VOID
    at gmarshal.c line 77
  • #30 g_type_class_meta_marshal
    at gclosure.c line 878
  • #31 IA__g_closure_invoke
  • #32 signal_emit_unlocked_R
    at gsignal.c line 3173
  • #33 IA__g_signal_emit_valist
    at gsignal.c line 2976
  • #34 IA__g_signal_emit
    at gsignal.c line 3033
  • #35 IA__gtk_widget_activate
    at gtkwidget.c line 4972
  • #36 IA__gtk_menu_shell_activate_item
    at gtkmenushell.c line 1223
  • #37 gtk_menu_shell_button_release
    at gtkmenushell.c line 679
  • #38 gtk_menu_button_release
    at gtkmenu.c line 3005
  • #39 _gtk_marshal_BOOLEAN__BOXED
    at gtkmarshalers.c line 84
  • #40 g_type_class_meta_marshal
    at gclosure.c line 878
  • #41 IA__g_closure_invoke
    at gclosure.c line 767
  • #42 signal_emit_unlocked_R
    at gsignal.c line 3281
  • #43 IA__g_signal_emit_valist
    at gsignal.c line 2986
  • #44 IA__g_signal_emit
    at gsignal.c line 3033
  • #45 gtk_widget_event_internal
    at gtkwidget.c line 4941
  • #46 IA__gtk_propagate_event
    at gtkmain.c line 2442
  • #47 IA__gtk_main_do_event
    at gtkmain.c line 1647
  • #48 gdk_event_dispatch
  • #49 IA__g_main_context_dispatch
    at gmain.c line 1960
  • #50 g_main_context_iterate
    at gmain.c line 2591
  • #51 IA__g_main_loop_run
    at gmain.c line 2799
  • #52 IA__gtk_main
    at gtkmain.c line 1219
  • #53 main
    at main.c line 611

Comment 12 David Ronis 2010-02-10 02:37:26 UTC
I ran evolution under valgrind (boy is it slow.........).  Here's what I get:

==1699== Memcheck, a memory error detector.
==1699== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==1699== Using LibVEX rev 1884, a library for dynamic binary translation.
==1699== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==1699== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==1699== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==1699== For more details, rerun with: -v
==1699== 
==1699== Syscall param writev(vector[...]) points to uninitialised byte(s)
==1699==    at 0x60513B3: writev (in /lib/libc-2.7.so)
==1699==    by 0x5169D76: write_data_T (linc-connection.c:1048)
==1699==    by 0x516A180: link_connection_writev (linc-connection.c:1244)
==1699==    by 0x513FB4E: giop_send_buffer_write (giop-send-buffer.c:464)
==1699==    by 0x514686F: orbit_small_marshal (orbit-small.c:368)
==1699==    by 0x514744B: ORBit_small_invoke_stub (orbit-small.c:648)
==1699==    by 0x51471A6: ORBit_small_invoke_stub_n (orbit-small.c:577)
==1699==    by 0x5160D5E: ORBit_c_stub_invoke (poa.c:2649)
==1699==    by 0x51124ED: ConfigServer_ping (GConfX-stubs.c:279)
==1699==    by 0x50F724E: gconf_activate_server (gconf-internals.c:2859)
==1699==    by 0x510566B: gconf_get_config_server (gconf.c:2241)
==1699==    by 0x510638A: gconf_engine_connect (gconf.c:359)
==1699==  Address 0x62ddf82 is 10 bytes inside a block of size 2,048 alloc'd
==1699==    at 0x4024CFE: malloc (vg_replace_malloc.c:207)
==1699==    by 0x5E0D293: g_malloc (gmem.c:131)
==1699==    by 0x513F7F6: get_next_indirect (giop-send-buffer.c:312)
==1699==    by 0x513F8B2: giop_send_buffer_append_copy (giop-send-buffer.c:334)
==1699==    by 0x513F937: giop_send_buffer_append (giop-send-buffer.c:351)
==1699==    by 0x513F0D4: giop_send_buffer_use_request (giop-send-buffer.c:108)
==1699==    by 0x514668A: orbit_small_marshal (orbit-small.c:326)
==1699==    by 0x514744B: ORBit_small_invoke_stub (orbit-small.c:648)
==1699==    by 0x51471A6: ORBit_small_invoke_stub_n (orbit-small.c:577)
==1699==    by 0x5160D5E: ORBit_c_stub_invoke (poa.c:2649)
==1699==    by 0x51124ED: ConfigServer_ping (GConfX-stubs.c:279)
==1699==    by 0x50F724E: gconf_activate_server (gconf-internals.c:2859)
(evolution:1699): e-data-server-DEBUG: Loading categories from "/home/ronis/.evolution/categories.xml"
(evolution:1699): e-data-server-DEBUG: Loaded 36 categories
evolution-shell-Message: Preparing for online mode...
evolution-shell-Message: Online preparations complete.
==1699== 
==1699== Syscall param writev(vector[...]) points to uninitialised byte(s)
==1699==    at 0x6051414: writev (in /lib/libc-2.7.so)
==1699==    by 0x5169D76: write_data_T (linc-connection.c:1048)
==1699==    by 0x516A180: link_connection_writev (linc-connection.c:1244)
==1699==    by 0x513FB4E: giop_send_buffer_write (giop-send-buffer.c:464)
==1699==    by 0x514686F: orbit_small_marshal (orbit-small.c:368)
==1699==    by 0x514744B: ORBit_small_invoke_stub (orbit-small.c:648)
==1699==    by 0x51471A6: ORBit_small_invoke_stub_n (orbit-small.c:577)
==1699==    by 0x5160D5E: ORBit_c_stub_invoke (poa.c:2649)
==1699==    by 0x51127FE: ConfigDatabase3_add_listener_with_properties (GConfX-stubs.c:234)
==1699==    by 0x5109E19: gconf_engine_notify_add (gconf.c:837)
==1699==    by 0x510DA38: gconf_client_add_dir (gconf-client.c:569)
==1699==    by 0x4D94D33: e_account_list_construct (e-account-list.c:248)
==1699==  Address 0x62ddf82 is 10 bytes inside a block of size 2,048 alloc'd
==1699==    at 0x4024CFE: malloc (vg_replace_malloc.c:207)
==1699==    by 0x5E0D293: g_malloc (gmem.c:131)
==1699==    by 0x513F7F6: get_next_indirect (giop-send-buffer.c:312)
==1699==    by 0x513F8B2: giop_send_buffer_append_copy (giop-send-buffer.c:334)
==1699==    by 0x513F937: giop_send_buffer_append (giop-send-buffer.c:351)
==1699==    by 0x513F0D4: giop_send_buffer_use_request (giop-send-buffer.c:108)
==1699==    by 0x514668A: orbit_small_marshal (orbit-small.c:326)
==1699==    by 0x514744B: ORBit_small_invoke_stub (orbit-small.c:648)
==1699==    by 0x51471A6: ORBit_small_invoke_stub_n (orbit-small.c:577)
==1699==    by 0x5160D5E: ORBit_c_stub_invoke (poa.c:2649)
==1699==    by 0x51124ED: ConfigServer_ping (GConfX-stubs.c:279)
==1699==    by 0x50F724E: gconf_activate_server (gconf-internals.c:2859)

** (evolution:1699): WARNING **: Failed to send buffer

** (evolution:1699): WARNING **: Failed to send buffer
** (evolution:1699): DEBUG: Loading Exchange MAPI Plugin 

This is where the main EVO UI maps: <=================================

** (evolution:1699): DEBUG: MAPI listener is constructed with 1 listed MAPI accounts 
==1699== 
==1699== Syscall param writev(vector[...]) points to uninitialised byte(s)
==1699==    at 0x6051414: writev (in /lib/libc-2.7.so)
==1699==    by 0x5BF733A: _xcb_conn_wait (in /usr/lib/libxcb.so.1.1.0)
==1699==  Address 0x61431f3 is 571 bytes inside a block of size 16,384 alloc'd
==1699==    at 0x4022DB2: calloc (vg_replace_malloc.c:397)
==1699==    by 0x5AC3084: XOpenDisplay (in /usr/lib/libX11.so.6.3.0)

Here's where I tried to create a new appointment.

(evolution:1699): calendar-gui-WARNING **: Couldn't find event window


(evolution:1699): calendar-gui-WARNING **: Couldn't find event window


(evolution:1699): calendar-gui-WARNING **: Couldn't find event window


(evolution:1699): calendar-gui-WARNING **: Couldn't find event window


(evolution:1699): calendar-gui-WARNING **: Couldn't find event window

I actually get a blank appointment window around here.  <=======================

==1699== 
==1699== Invalid write of size 1
==1699==    at 0x402652C: mempcpy (mc_replace_strmem.c:677)
==1699==    by 0x5FEBB0D: _IO_default_xsputn (in /lib/libc-2.7.so)
==1699==    by 0x5FC56FA: vfprintf (in /lib/libc-2.7.so)
==1699==    by 0x5FE0A6B: vsprintf (in /lib/libc-2.7.so)
==1699==    by 0x52366A1: _dbus_string_append_printf_valist (dbus-string.c:1264)
==1699==    by 0x52144BB: dbus_set_error (dbus-errors.c:384)
==1699==    by 0x521FE07: dbus_set_error_from_message (dbus-message.c:3616)
==1699==    by 0x51E4BC9: dbus_g_proxy_end_call_internal (dbus-gproxy.c:2359)
==1699==    by 0x51E55A1: dbus_g_proxy_call (dbus-gproxy.c:2601)
==1699==    by 0x49A6761: e_cal_get_objects_for_uid (e-data-cal-bindings.h:482)
==1699==    by 0x7FEE3DC: sensitize_buttons (recurrence-page.c:615)
==1699==    by 0x7FEF454: recurrence_page_fill_widgets (recurrence-page.c:1609)
==1699==  Address 0xa9e8908 is 0 bytes after a block of size 16 alloc'd
==1699==    at 0x4024E1C: realloc (vg_replace_malloc.c:429)
==1699==    by 0x52343DB: dbus_realloc (dbus-memory.c:601)
==1699==    by 0x52358AA: set_length (dbus-string.c:364)
==1699==    by 0x523667C: _dbus_string_append_printf_valist (dbus-string.c:1257)
==1699==    by 0x52144BB: dbus_set_error (dbus-errors.c:384)
==1699==    by 0x521FE07: dbus_set_error_from_message (dbus-message.c:3616)
==1699==    by 0x51E4BC9: dbus_g_proxy_end_call_internal (dbus-gproxy.c:2359)
==1699==    by 0x51E55A1: dbus_g_proxy_call (dbus-gproxy.c:2601)
==1699==    by 0x49A6761: e_cal_get_objects_for_uid (e-data-cal-bindings.h:482)
==1699==    by 0x7FEE3DC: sensitize_buttons (recurrence-page.c:615)
==1699==    by 0x7FEF454: recurrence_page_fill_widgets (recurrence-page.c:1609)
==1699==    by 0x7FDB1F8: comp_editor_page_fill_widgets (comp-editor-page.c:326)
==1699== 
==1699== Invalid write of size 1
==1699==    at 0x5FE0A7C: vsprintf (in /lib/libc-2.7.so)
==1699==    by 0x52366A1: _dbus_string_append_printf_valist (dbus-string.c:1264)
==1699==    by 0x52144BB: dbus_set_error (dbus-errors.c:384)
==1699==    by 0x521FE07: dbus_set_error_from_message (dbus-message.c:3616)
==1699==    by 0x51E4BC9: dbus_g_proxy_end_call_internal (dbus-gproxy.c:2359)
==1699==    by 0x51E55A1: dbus_g_proxy_call (dbus-gproxy.c:2601)
==1699==    by 0x49A6761: e_cal_get_objects_for_uid (e-data-cal-bindings.h:482)
==1699==    by 0x7FEE3DC: sensitize_buttons (recurrence-page.c:615)
==1699==    by 0x7FEF454: recurrence_page_fill_widgets (recurrence-page.c:1609)
==1699==    by 0x7FDB1F8: comp_editor_page_fill_widgets (comp-editor-page.c:326)
==1699==    by 0x7FD8C40: real_edit_comp (comp-editor.c:2541)
==1699==    by 0x7FDF311: event_editor_edit_comp (event-editor.c:559)
==1699==  Address 0xa9e891c is not stack'd, malloc'd or (recently) free'd

valgrind: m_mallocfree.c:243 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 64, hi = 0.
Probably caused by overrunning/underrunning a heap block's bounds.

==1699==    at 0x3802714D: report_and_quit (m_libcassert.c:140)
==1699==    by 0x3802744E: vgPlain_assert_fail (m_libcassert.c:205)
==1699==    by 0x38033822: vgPlain_arena_free (m_mallocfree.c:240)
==1699==    by 0x3804CA88: vgPlain_cli_free (replacemalloc_core.c:110)
==1699==    by 0x38001D8D: die_and_free_mem (mc_malloc_wrappers.c:123)
==1699==    by 0x38002A77: vgMemCheck_realloc (mc_malloc_wrappers.c:467)
==1699==    by 0x3804F295: vgPlain_scheduler (scheduler.c:1311)
==1699==    by 0x380642D8: run_a_thread_NORETURN (syswrap-linux.c:89)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==1699==    at 0x4024E1C: realloc (vg_replace_malloc.c:429)
==1699==    by 0x597A0AE: _add_edge (cairo-polygon.c:116)
==1699==    by 0x597A4FC: _add_clipped_edge (cairo-polygon.c:339)
==1699==    by 0x597A781: _cairo_polygon_add_edge (cairo-polygon.c:370)
==1699==    by 0x597A9A9: _cairo_polygon_add_external_edge (cairo-polygon.c:380)
==1699==    by 0x59725F3: _tessellate_fan (cairo-path-stroke.c:391)
==1699==    by 0x5972DE6: _cairo_stroker_join (cairo-path-stroke.c:451)
==1699==    by 0x5973FE7: _cairo_stroker_line_to (cairo-path-stroke.c:1002)
==1699==    by 0x5981A7F: _cairo_spline_decompose_into (cairo-spline.c:85)
==1699==    by 0x5981B8E: _cairo_spline_decompose_into (cairo-spline.c:197)
==1699==    by 0x5981BA6: _cairo_spline_decompose_into (cairo-spline.c:201)
==1699==    by 0x5981BA6: _cairo_spline_decompose_into (cairo-spline.c:201)
==1699==    by 0x5981C57: _cairo_spline_decompose (cairo-spline.c:212)
==1699==    by 0x5974358: _cairo_stroker_curve_to (cairo-path-stroke.c:1226)
==1699==    by 0x596FB68: _cairo_path_fixed_interpret (cairo-path-fixed.c:776)
==1699==    by 0x5973218: _cairo_path_fixed_stroke_to_polygon (cairo-path-stroke.c:1362)
==1699==    by 0x59889C3: _cairo_surface_fallback_stroke (cairo-surface-fallback.c:1254)
==1699==    by 0x5984FEE: _cairo_surface_stroke (cairo-surface.c:2098)
==1699==    by 0x59627C3: _cairo_gstate_stroke (cairo-gstate.c:1053)
==1699==    by 0x5959135: cairo_stroke_preserve (cairo.c:2229)
==1699==    by 0x5959161: cairo_stroke (cairo.c:2202)
==1699==    by 0x657DABC: clearlooks_gummy_draw_button (clearlooks_draw_gummy.c:174)
==1699==    by 0x6561F45: clearlooks_style_draw_box (clearlooks_style.c:610)
==1699==    by 0x542FDED: gtk_paint_box (gtkstyle.c:6194)
==1699==    by 0x52CAB52: _gtk_button_paint (gtkbutton.c:1522)
==1699==    by 0x52CBBE8: gtk_button_expose (gtkbutton.c:1575)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x52FF4A5: gtk_container_expose_child (gtkcontainer.c:2623)
==1699==    by 0x52C289F: gtk_box_forall (gtkbox.c:1249)
==1699==    by 0x52FDF93: gtk_container_forall (gtkcontainer.c:1499)
==1699==    by 0x52FF44B: gtk_container_expose (gtkcontainer.c:2646)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x52FF4A5: gtk_container_expose_child (gtkcontainer.c:2623)
==1699==    by 0x52C289F: gtk_box_forall (gtkbox.c:1249)
==1699==    by 0x52FDF93: gtk_container_forall (gtkcontainer.c:1499)
==1699==    by 0x52FF44B: gtk_container_expose (gtkcontainer.c:2646)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x52FF4A5: gtk_container_expose_child (gtkcontainer.c:2623)
==1699==    by 0x543D3FA: gtk_table_forall (gtktable.c:907)
==1699==    by 0x52FDF93: gtk_container_forall (gtkcontainer.c:1499)
==1699==    by 0x52FF44B: gtk_container_expose (gtkcontainer.c:2646)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x52FF4A5: gtk_container_expose_child (gtkcontainer.c:2623)
==1699==    by 0x52C289F: gtk_box_forall (gtkbox.c:1249)
==1699==    by 0x52FDF93: gtk_container_forall (gtkcontainer.c:1499)
==1699==    by 0x52FF44B: gtk_container_expose (gtkcontainer.c:2646)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x52FF4A5: gtk_container_expose_child (gtkcontainer.c:2623)
==1699==    by 0x52C289F: gtk_box_forall (gtkbox.c:1249)
==1699==    by 0x52FDF93: gtk_container_forall (gtkcontainer.c:1499)
==1699==    by 0x52FF44B: gtk_container_expose (gtkcontainer.c:2646)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)
==1699==    by 0x5D857A5: g_signal_emit (gsignal.c:3033)
==1699==    by 0x54E1F9D: gtk_widget_event_internal (gtkwidget.c:4941)
==1699==    by 0x52FD2D2: gtk_container_propagate_expose (gtkcontainer.c:2735)
==1699==    by 0x53C6FCE: gtk_notebook_expose (gtknotebook.c:2338)
==1699==    by 0x539EFF7: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==1699==    by 0x5D6D138: g_type_class_meta_marshal (gclosure.c:878)
==1699==    by 0x5D6E9D7: g_closure_invoke (gclosure.c:767)
==1699==    by 0x5D83B8F: signal_emit_unlocked_R (gsignal.c:3281)
==1699==    by 0x5D84F6E: g_signal_emit_valist (gsignal.c:2986)

Thread 2: status = VgTs_WaitSys
==1699==    at 0x5DB76F0: pthread_cond_wait@@GLIBC_2.3.2 (in /lib/libpthread-2.7.so)
==1699==    by 0x5DDFD95: g_async_queue_pop (gasyncqueue.c:398)
==1699==    by 0x4B8048C: sync_request_thread_cb (camel-db.c:78)
==1699==    by 0x5E2F17E: g_thread_create_proxy (gthread.c:1893)
==1699==    by 0x5DB3368: start_thread (in /lib/libpthread-2.7.so)
==1699==    by 0x6058CFD: clone (in /lib/libc-2.7.so)

Thread 3: status = VgTs_WaitSys
==1699==    at 0x5DB76F0: pthread_cond_wait@@GLIBC_2.3.2 (in /lib/libpthread-2.7.so)
==1699==    by 0x5DDFD95: g_async_queue_pop (gasyncqueue.c:398)
==1699==    by 0x4B8048C: sync_request_thread_cb (camel-db.c:78)
==1699==    by 0x5E2F17E: g_thread_create_proxy (gthread.c:1893)
==1699==    by 0x5DB3368: start_thread (in /lib/libpthread-2.7.so)
==1699==    by 0x6058CFD: clone (in /lib/libc-2.7.so)
Comment 13 Milan Crha 2010-02-12 12:35:10 UTC
*** Bug 609705 has been marked as a duplicate of this bug. ***
Comment 14 Milan Crha 2010-02-12 12:37:01 UTC
Isn't it possible your locally built dbus is somehow fighting with a system one? Or some configuration, anything, because the above duplicate is from gio/gvfs library, even called g_file_get_path in Evolution.
Comment 15 David Ronis 2010-02-12 16:31:34 UTC
I don't think so:
 
ps auxww | grep  dbus
ronis    21367  0.0  0.0   3768   876 tty1     S    11:21   0:00 /opt/gnome/bin/dbus-launch --exit-with-session /opt/gnome/bin/gnome-session
ronis    21368  0.0  0.0   3892  1612 ?        Ss   11:21   0:00 /opt/garnome-svn-2.29.5/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
81       25235  0.0  0.0   2740  1268 ?        Ss   Feb10   0:02 /opt/gnome/bin/dbus-daemon --system

Also remember: I'm running garnome--moving a single link takes me back to 2.28.x for ALL of gnome and friends; this includes dbus.   If I do, (and restart dbus) the problems go away.  I don't see how that could be a system conflict.   My bet is that one of the lower-level libs in 2.29.x has a problem.
Comment 16 David Ronis 2010-02-14 00:35:18 UTC
OK, I've just spent some time in the debugger.  The crash is triggered by a SIGSEGV in dbus-sysdeps-unix.c:3230:

/**
 * Measure the length of the given format string and arguments,
 * not including the terminating nul.
 *
 * @param format a printf-style format string
 * @param args arguments for the format string
 * @returns length of the given format string and args
 */

int
_dbus_printf_string_upper_bound (const char *format,
                                 va_list     args)
{
  char c;
  return vsnprintf (&c, 1, format, args);
}

Format is %s, which means that there is no place to put anything in c, but that should simply get vsnprintf to return the space needed by the arguments.  Here's the appropriate section of the man page:

    The functions snprintf() and vsnprintf() do not write more than size
    bytes (including the trailing `\0'). If the output was truncated due
    to this limit then the return value is the number of characters (not
    including the trailing `\0') which would have been written to the final
    string if enough space had been available. Thus, a return value of
    size or more means that the output was truncated. (See also below
    under NOTES.)

I'm concerned by the note in one of the calling frames at dbus-string.c:1256 which says that the string it's passing is not null terminated.
Comment 17 Milan Crha 2010-02-15 11:53:39 UTC
Do you think something is wrong/changed with vsnprintf? Which glibc version are you using with 2.29 and 2.28? Maybe try downgrading that one. Also, do you download it from the git repositories shown in [1] or from elsewhere?

[1] http://sources.redhat.com/glibc/
Comment 18 Milan Crha 2010-02-15 12:36:15 UTC
Maybe a typo in this commit? (I think I see there one, but I do not know glibc internals at all.)

http://sourceware.org/git/?p=glibc.git;a=commit;h=f521be31b96b5ca8b6d24c388d644f5dfcafac7d
Comment 19 David Ronis 2010-02-15 18:03:04 UTC
I'm using libc-2.7 for both 2.28 and 2.29 (I'm crazy about being on the bleeding edge, but not THAT crazy).   That's what comes with slackware 12.   I have a slackware 13.0 box at home and I believe that it's got libc-2.9 installed.  I'll see if that has the same issue.

What bothers me about all this is that the problem only manifests itself in the 2.29 tree; the core platform is the same, especially glibc!
Comment 20 David Ronis 2010-02-16 02:54:01 UTC
OK, I just reproduced the crash on another box.  This one runs slackware-13.0 and has glibc-2.9 installed.   The gnome tree is garnome 2.28.x, with the exception of evolution and friends that are using a 2.29.x era git master.
Comment 21 Milan Crha 2010-02-16 10:50:31 UTC
The difference between evo 2.28 and 2.29 is with bonobo (2.28) and dbus (2.29). Not seeing the crash in 2.28 makes sense, as it's using dbus minimally (I guess only new mail notification plugin, and that only if configured to do so), and the crash comes from dbus itself.
Comment 22 David Ronis 2010-02-16 17:02:03 UTC
After spending a morning with Milan on IRC and in gdb, we figured it out.  Turns out libical contains its own copy of vsnprintf (libical/src/vsnprintf.c) that should be used on Windows boxes but not on Unix.   The logic was broken after revision 985 and the protection stopped working.   Fixing it up eliminates this problem.

Milan will contact the libical folks.
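
The failure mode worked out in comments 16 to 22, as an added example that is not part of the original thread and is not dbus or libical code: a start-up probe that checks whichever vsnprintf the process resolved against the size-1 measuring call quoted in comment 16, and a measure-then-allocate formatter that refuses to run when the probe fails. The two stand-in replacements, all identifiers and the sample strings are constructed for illustration; the stand-ins only ever write inside the probe's oversized, canary-filled arena.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signature shared by libc's vsnprintf and any replacement under test. */
typedef int (*vsnprintf_fn)(char *buf, size_t size, const char *fmt, va_list ap);

enum { VSN_OK = 0, VSN_BAD_RETURN = 1, VSN_WROTE_PAST_SIZE = 2, VSN_BAD_TERMINATOR = 4 };

#define ARENA_SIZE 256 /* far larger than the probe string, so stray writes stay inside */
#define CANARY 0x5A

/* The C library's implementation, wrapped so it can be passed as a pointer. */
static int libc_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    return vsnprintf(buf, size, fmt, ap);
}

/* Constructed stand-in: ignores `size` and forwards to vsprintf. */
static int unbounded_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    (void)size;
    return vsprintf(buf, fmt, ap);
}

/* Constructed stand-in: honours `size` but returns bytes stored, not bytes needed. */
static int short_count_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, size, fmt, ap);
    return (n >= 0 && (size_t)n >= size) ? (int)size - 1 : n;
}

/* Turn "..." into a va_list for the function under test. */
static int call_fn(vsnprintf_fn fn, char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = fn(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Probe fn with size == 1, the same call the measuring helper makes. */
int check_vsnprintf(vsnprintf_fn fn)
{
    static const char arg[] = "org.example.Error: constructed message";
    char arena[ARENA_SIZE];
    int flags = VSN_OK;
    size_t i;
    int n;

    memset(arena, CANARY, sizeof arena);
    n = call_fn(fn, arena, 1, "%s", arg);

    if (n != (int)strlen(arg))      /* must report the length that is needed */
        flags |= VSN_BAD_RETURN;
    if (arena[0] != '\0')           /* with size 1 only the terminator fits */
        flags |= VSN_BAD_TERMINATOR;
    for (i = 1; i < sizeof arena; i++) {
        if ((unsigned char)arena[i] != CANARY) {
            flags |= VSN_WROTE_PAST_SIZE;
            break;
        }
    }
    return flags;
}

/* Measure-then-allocate formatting; returns NULL unless fn passes the probe. */
char *format_dup(vsnprintf_fn fn, const char *fmt, ...)
{
    va_list ap, ap2;
    char probe;
    char *out = NULL;
    int need;

    if (check_vsnprintf(fn) != VSN_OK)
        return NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);               /* the measuring pass consumes ap */
    need = fn(&probe, 1, fmt, ap);
    va_end(ap);
    if (need >= 0 && (out = malloc((size_t)need + 1)) != NULL &&
        fn(out, (size_t)need + 1, fmt, ap2) != need) {
        free(out);                  /* second pass disagreed with the measurement */
        out = NULL;
    }
    va_end(ap2);
    return out;
}

int main(void)
{
    char *s = format_dup(libc_vsnprintf, "%s: %d", "constructed", 42);
    printf("libc=%d unbounded=%d short_count=%d\n", check_vsnprintf(libc_vsnprintf),
           check_vsnprintf(unbounded_vsnprintf), check_vsnprintf(short_count_vsnprintf));
    printf("%s\n", s ? s : "(refused)");
    free(s);
    return 0;
}
```

A probe like this reports which contract violation the resolved symbol has; finding which shared object supplied the symbol is a separate step done in the debugger or with the dynamic linker's tooling.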