GNOME Bugzilla – Bug 632532
Double free in imapx_job_done, imapx_command_step_fetch_done
Last modified: 2013-09-14 16:53:52 UTC
evolution 2.91.1

Started evolution after 10 days, hundreds of mails were fetched. I clicked on a message, and before it was fetched completely and shown in the message preview, I clicked on 'x' to quit evolution and evolution crashed.

gdb traces of evolution:

*** glibc detected *** /home/lakhil/opt/gnome3/bin/evolution: double free or corruption (fasttop): 0xa6a4cc88 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6dffb)[0xb64e8ffb]
/lib/libc.so.6(+0x6ed7b)[0xb64e9d7b]
/lib/libc.so.6(cfree+0x6d)[0xb64edadd]
/home/lakhil/opt/gnome3/lib/libglib-2.0.so.0(g_free+0x35)[0xb6634c87]
/home/lakhil/opt/gnome3/lib/libglib-2.0.so.0(g_error_free+0x4a)[0xb6618679]
/home/lakhil/opt/gnome3/lib/libglib-2.0.so.0(g_clear_error+0x2e)[0xb661890d]
/home/lakhil/opt/gnome3/lib/evolution-data-server-1.2/camel-providers/libcamelimapx.so(+0x1b1e9)[0xac9001e9]
/home/lakhil/opt/gnome3/lib/evolution-data-server-1.2/camel-providers/libcamelimapx.so(+0x1f047)[0xac904047]
/home/lakhil/opt/gnome3/lib/evolution-data-server-1.2/camel-providers/libcamelimapx.so(+0x1c1c3)[0xac9011c3]
/home/lakhil/opt/gnome3/lib/evolution-data-server-1.2/camel-providers/libcamelimapx.so(+0x2198f)[0xac90698f]
/home/lakhil/opt/gnome3/lib/evolution-data-server-1.2/camel-providers/libcamelimapx.so(+0x21de7)[0xac906de7]
/home/lakhil/opt/gnome3/lib/libglib-2.0.so.0(+0x740a9)[0xb665a0a9]
/lib/libpthread.so.0(+0x5b25)[0xb66f9b25]
/lib/libc.so.6(clone+0x5e)[0xb654e46e]
======= Memory map: ========
[New Thread 0xac0e3b70 (LWP 7273)]

Program received signal SIGABRT, Aborted.
Trace 224220
Thread 2825898864 (LWP 3198)
Created attachment 173772
eds patch

for evolution-data-server;

I think this was because imapx_command_step_fetch_done reuses the CamelIMAPXCommand, and when there is an error it is propagated to the 'job', but ic::error is not set to NULL, and thus can be used as freed memory.

Because I do not think you'll be able to reproduce this easily, I'm committing to master, but feel free to reopen if you face it again, so more investigation can be done.
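The ownership mistake described in the comment above, as an added example that is not the evolution-data-server code or the attached patch. It assumes the propagation moves ownership the way `g_propagate_error()` does; `Err`, `Command`, `Job` and every function name are hypothetical, and errors come from a static pool so the second free is counted instead of aborting.

```c
#include <stddef.h>

/* Constructed model of GError ownership. Err, Command and Job are hypothetical
 * stand-ins, not the Camel IMAPX structures. Errors live in a static pool so
 * a second free is counted instead of corrupting the heap. */
typedef struct { int live; const char *msg; } Err;
typedef struct { Err *error; } Command;   /* plays the role of 'ic'  */
typedef struct { Err *error; } Job;       /* plays the role of 'job' */
static Err pool[4];
static int double_frees;

Err *err_new(const char *msg) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].msg = msg; return &pool[i]; }
    return NULL;
}
void err_free(Err *e) {
    if (e && !e->live) double_frees++;      /* glibc would abort here */
    else if (e) e->live = 0;
}
/* Same contract as g_clear_error(): free, then reset the caller's pointer. */
void err_clear(Err **e) { if (*e) { err_free(*e); *e = NULL; } }
/* Same contract as g_propagate_error(): ownership of src moves to *dest. */
void err_propagate(Err **dest, Err *src) {
    if (dest && !*dest) *dest = src; else err_free(src);
}

/* Pattern from the comment: error handed to the job, command still points at it. */
void step_done_buggy(Command *ic, Job *job) {
    err_propagate(&job->error, ic->error);
}
/* Hardened form: drop the command's pointer once ownership has moved. */
void step_done_fixed(Command *ic, Job *job) {
    err_propagate(&job->error, ic->error);
    ic->error = NULL;
}

/* One failed fetch, then teardown of job and command; returns double frees. */
int run_scenario(void (*step_done)(Command *, Job *)) {
    Command ic = { err_new("fetch cancelled") };
    Job job = { NULL };
    double_frees = 0;
    step_done(&ic, &job);
    err_clear(&job.error);   /* job completion frees the propagated error */
    err_clear(&ic.error);    /* command cleanup: second free if still set */
    return double_frees;
}
int main(void) { return run_scenario(step_done_fixed); }  /* exits 0 */
```
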
Created commit 5c6065a in eds master (2.91.2+)
Downstream bug report in 2.32.0: https://bugzilla.redhat.com/show_bug.cgi?id=645214

Created commit 7132308 in eds gnome-2-32 (2.32.1+)
*** Bug 618845 has been marked as a duplicate of this bug. ***