Bug 668006 – Crash when dragging column headers of Tasks list

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 668006 - Crash when dragging column headers of Tasks list


Summary:	Crash when dragging column headers of Tasks list


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Tasks
Version:	3.10.x (obsolete)
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	evolution-calendar-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2012-01-16 12:42 UTC by André Klapper
Modified:	2014-06-06 12:17 UTC

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=782372
GNOME target:	---
GNOME version:	3.1/3.2

Description André Klapper 2012-01-16 12:42:44 UTC

evolution-3.2.2-1.fc16.i686

STEPS:
1. Go to tasks view
2. As used from the mailer view, try two or three times to drag any of the column headers to the left or right.
3. Crash

REPRO:
2/2

Program received signal SIGSEGV, Segmentation fault.
0x49b146b9 in eti_header_structure_changed (eth=0x85a6a40 [ETableHeader], a11y=0x8702d10) at gal-a11y-e-table-item.c:857
857			for (j = 0; j < prev_n_cols && prev_cols[j]; j++) {
(gdb) thread apply all bt

+ Trace 229457

Thread 2 (Thread 0xb7dadb40 (LWP 4281))

#0 __kernel_vsyscall
#1 read
at ../sysdeps/unix/syscall-template.S line 82
#2 read
at /usr/include/bits/unistd.h line 45
#3 unix_signal_helper_thread
at gmain.c line 4551
#4 g_thread_create_proxy
at gthread.c line 1962
#5 start_thread
at pthread_create.c line 309
#6 clone
at ../sysdeps/unix/sysv/linux/i386/clone.S line 133

Thread 1 (Thread 0xb7fc98c0 (LWP 4277))

#0 eti_header_structure_changed
at gal-a11y-e-table-item.c line 857
#1 g_cclosure_marshal_VOID__VOID
at gmarshal.c line 85
#2 g_closure_invoke
at gclosure.c line 774
#3 signal_emit_unlocked_R
at gsignal.c line 3272
#4 g_signal_emit_valist
at gsignal.c line 3003
#5 g_signal_emit
at gsignal.c line 3060
#6 e_table_header_move
at e-table-header.c line 680
#7 ethi_drag_data_received
at e-table-header-item.c line 830
#8 _gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINT
at gtkmarshalers.c line 2314
#9 g_closure_invoke
at gclosure.c line 774
#10 signal_emit_unlocked_R
at gsignal.c line 3272
#11 g_signal_emit_valist
at gsignal.c line 3003
#12 g_signal_emit_by_name
at gsignal.c line 3097
#13 gtk_drag_selection_received
at gtkdnd.c line 1812
#14 _gtk_marshal_VOID__BOXED_UINT
at gtkmarshalers.c line 1462
#15 g_closure_invoke
at gclosure.c line 774
#16 signal_emit_unlocked_R
at gsignal.c line 3272
#17 g_signal_emit_valist
at gsignal.c line 3003
#18 g_signal_emit_by_name
at gsignal.c line 3097
#19 gtk_selection_retrieval_report
at gtkselection.c line 2985
#20 gtk_selection_convert
at gtkselection.c line 1116
#21 gtk_drag_get_data
at gtkdnd.c line 1025
#22 ethi_drag_drop
at e-table-header-item.c line 896
#23 _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT
at gtkmarshalers.c line 412
#24 g_closure_invoke
at gclosure.c line 774
#25 signal_emit_unlocked_R
at gsignal.c line 3272
#26 g_signal_emit_valist
at gsignal.c line 3013
#27 g_signal_emit_by_name
at gsignal.c line 3097
#28 gtk_drag_dest_drop
at gtkdnd.c line 2317
#29 gtk_drag_find_widget
at gtkdnd.c line 1894
#30 _gtk_drag_dest_handle_event
at gtkdnd.c line 1648
#31 gtk_main_do_event
at gtkmain.c line 1916
#32 _gdk_event_emit
at gdkevents.c line 71
#33 gdk_event_source_dispatch
at gdkeventsource.c line 360
#34 g_main_dispatch
at gmain.c line 2425
#35 g_main_context_dispatch
at gmain.c line 2995
#36 g_main_context_iterate
at gmain.c line 3073
#37 g_main_loop_run
at gmain.c line 3281
#38 gtk_main
at gtkmain.c line 1362
#39 main
at main.c line 696


(gdb) info registers
eax            0x0	0
ecx            0xb0b0eef0	-1330581776
edx            0x5	5
ebx            0x49b31ff4	1236475892
esp            0xbfffdf30	0xbfffdf30
ebp            0x0	0x0
esi            0x1	1
edi            0x1	1
eip            0x49b146b9	0x49b146b9 <eti_header_structure_changed+265>
eflags         0x10202	[ IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51

(gdb) list
852		prev_state = g_malloc0 (sizeof (gint) * prev_n_cols);
853		reorder = g_malloc0 (sizeof (gint) * n_cols);
854	
855	        /* Compare with previously saved column headers. */
856		for (i = 0; i < n_cols && cols[i]; i++) {
857			for (j = 0; j < prev_n_cols && prev_cols[j]; j++) {
858				if (prev_cols[j] == cols[i] && i != j) {
859	
860					reorder_found = TRUE;
861					state[i] = ETI_HEADER_REORDERED;

Comment 1 André Klapper 2012-01-16 12:46:50 UTC

Interesting, this seems to work in 3.3.x webkit branch for me.

Comment 2 Matthew Barnes 2012-01-16 13:19:36 UTC

Crash seems to be from ETable a11y code.

I'm this -><- close to just ripping out the a11y code once and for all.

Comment 3 Milan Crha 2012-01-18 10:16:16 UTC

Downstream bug report about the same from 3.2.2:
https://bugzilla.redhat.com/show_bug.cgi?id=782372

Comment 4 André Klapper 2012-01-29 12:04:23 UTC

Similar trace for the same issue:

+ Trace 229552

Thread 1 (Thread 0xb7fc7b00 (LWP 23568))

#0 __kernel_vsyscall
#1 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 64
#2 __GI_abort
at abort.c line 91
#3 __libc_message
at ../sysdeps/unix/sysv/linux/libc_fatal.c line 198
#4 malloc_printerr
at malloc.c line 5021
#5 _int_free
at malloc.c line 3942
#6 standard_free
at gmem.c line 101
#7 g_free
at gmem.c line 263
#8 eti_header_structure_changed
at gal-a11y-e-table-item.c line 935
#9 g_cclosure_marshal_VOID__VOID
at gmarshal.c line 85
#10 g_closure_invoke
at gclosure.c line 774
#11 signal_emit_unlocked_R
at gsignal.c line 3272
#12 g_signal_emit_valist
at gsignal.c line 3003
#13 g_signal_emit
at gsignal.c line 3060
#14 e_table_header_add_column
at e-table-header.c line 430
#15 ethi_drag_data_received
at e-table-header-item.c line 840
#16 _gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINT
at gtkmarshalers.c line 2314
#17 g_closure_invoke
at gclosure.c line 774
#18 signal_emit_unlocked_R
at gsignal.c line 3272
#19 g_signal_emit_valist
at gsignal.c line 3003
#20 g_signal_emit_by_name
at gsignal.c line 3097
#21 gtk_drag_selection_received
at gtkdnd.c line 1812
#22 _gtk_marshal_VOID__BOXED_UINT
at gtkmarshalers.c line 1462
#23 g_closure_invoke
at gclosure.c line 774
#24 signal_emit_unlocked_R
at gsignal.c line 3272
#25 g_signal_emit_valist
at gsignal.c line 3003
#26 g_signal_emit_by_name
at gsignal.c line 3097
#27 gtk_selection_retrieval_report
at gtkselection.c line 2985
#28 gtk_selection_convert
at gtkselection.c line 1116
#29 gtk_drag_get_data
at gtkdnd.c line 1025
#30 ethi_drag_drop
at e-table-header-item.c line 896
#31 _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT
at gtkmarshalers.c line 412
#32 g_closure_invoke
at gclosure.c line 774
#33 signal_emit_unlocked_R
at gsignal.c line 3272
#34 g_signal_emit_valist
at gsignal.c line 3013
#35 g_signal_emit_by_name
at gsignal.c line 3097
#36 gtk_drag_dest_drop
at gtkdnd.c line 2317
#37 gtk_drag_find_widget
at gtkdnd.c line 1894
#38 _gtk_drag_dest_handle_event
at gtkdnd.c line 1648
#39 gtk_main_do_event
at gtkmain.c line 1916
#40 _gdk_event_emit
at gdkevents.c line 71
#41 gdk_event_source_dispatch
at gdkeventsource.c line 360
#42 g_main_dispatch
at gmain.c line 2441
#43 g_main_context_dispatch
at gmain.c line 3011
#44 g_main_context_iterate
at gmain.c line 3089
#45 g_main_loop_run
at gmain.c line 3297
#46 gtk_main
at gtkmain.c line 1362
#47 main
at main.c line 696

Comment 5 Milan Crha 2014-06-06 07:50:28 UTC

Downstream bug report about the same from 3.10.4:
https://bugzilla.redhat.com/show_bug.cgi?id=1104776

Description of problem:
I added new column in the task view.

Version-Release number of selected component:
evolution-3.10.4-2.fc20

Additional info:
reporter:       libreport-2.2.2
backtrace_rating: 4
cmdline:        evolution
crash_function: g_malloc0
executable:     /usr/bin/evolution
kernel:         3.14.4-200.fc20.x86_64

+ Trace 233670

Thread 1 (Thread 0x7f787d8faa40 (LWP 7011))

#0 g_logv
at gmessages.c line 989
#1 g_log
at gmessages.c line 1025
#2 g_malloc0
at gmem.c line 139
#3 eti_header_structure_changed
at gal-a11y-e-table-item.c line 880
#4 g_closure_invoke
at gclosure.c line 777
#5 signal_emit_unlocked_R
at gsignal.c line 3586
#6 g_signal_emit_valist
at gsignal.c line 3330
#7 g_signal_emit
at gsignal.c line 3386
#8 e_table_header_add_column
at e-table-header.c line 444
#9 ethi_drag_data_received
at e-table-header-item.c line 824
#10 _gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINT
at gtkmarshalers.c line 5444
#11 g_closure_invoke
at gclosure.c line 777
#12 signal_emit_unlocked_R
at gsignal.c line 3586
#13 g_signal_emit_valist
at gsignal.c line 3330
#14 g_signal_emit_by_name
at gsignal.c line 3426
#15 gtk_drag_selection_received
at gtkdnd.c line 1923
#16 g_closure_invoke
at gclosure.c line 777
#17 signal_emit_unlocked_R
at gsignal.c line 3586
#18 g_signal_emit_valist
at gsignal.c line 3330
#19 g_signal_emit_by_name
at gsignal.c line 3426
#20 gtk_selection_retrieval_report
at gtkselection.c line 2986
#21 gtk_selection_convert
at gtkselection.c line 1114
#22 gtk_drag_get_data
at gtkdnd.c line 1144
#23 ethi_drag_drop
at e-table-header-item.c line 883
#24 _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT
at gtkmarshalers.c line 808
#25 g_closure_invoke
at gclosure.c line 777
#26 signal_emit_unlocked_R
at gsignal.c line 3586
#27 g_signal_emit_valist
at gsignal.c line 3340
#28 g_signal_emit_by_name
at gsignal.c line 3426
#29 gtk_drag_dest_drop
at gtkdnd.c line 2427
#30 gtk_drag_find_widget
at gtkdnd.c line 2005
#31 _gtk_drag_dest_handle_event
at gtkdnd.c line 1761
#32 gtk_main_do_event
at gtkmain.c line 1747
#33 gdk_event_source_dispatch
at gdkeventsource.c line 364
#34 g_main_dispatch
at gmain.c line 3066
#35 g_main_context_dispatch
at gmain.c line 3642
#36 g_main_context_iterate
at gmain.c line 3713
#37 g_main_loop_run
at gmain.c line 3907
#38 gtk_main
at gtkmain.c line 1158
#39 main
at main.c line 683

Comment 6 Milan Crha 2014-06-06 12:17:59 UTC

Use-after-free, caused by the gal-a11y object not disconnecting from a signal handler when it is freed.

Created commit a7c87d1 in evo master (3.13.3+) [1]
Created commit 69914f7 in evo evolution-3-12 (3.12.3+)

[1] https://git.gnome.org/browse/evolution/commit?id=a7c87d1