Bug 669460 - [abrt] Can pick freed connection
Status: RESOLVED FIXED
Product: evolution-ews
Classification: Other
Component: Mail
Version: 3.4.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Evolution EWS maintainer(s)
Reported: 2012-02-06 10:48 UTC by Milan Crha
Modified: 2012-07-16 19:49 UTC

Attachments
ews patch (905 bytes, patch)
2012-07-16 17:10 UTC, Milan Crha
committed

Description Milan Crha 2012-02-06 10:48:20 UTC
Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=787514

libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        evolution
crash_function: strcmp
executable:     /usr/bin/evolution
kernel:         3.1.9-1.fc16.x86_64
reason:         Process /usr/bin/evolution was killed by signal 11 (SIGSEGV)
time:           Sat 04 Feb 2012 08:10:28 AM PST

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.

Thread 5 (Thread 0x7fb547de5700 (LWP 7753))

  • #0 read
    at ../sysdeps/unix/syscall-template.S line 82
  • #1 read
    at /usr/include/bits/unistd.h line 45
  • #2 unix_signal_helper_thread
    at gmain.c line 4567
  • #3 g_thread_create_proxy
    at gthread.c line 1962
  • #4 start_thread
    at pthread_create.c line 309
  • #5 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 115

Comment 1 Milan Crha 2012-06-04 09:58:20 UTC
Similar issue from Fedora 17 (evolution-ews 3.4.1):
https://bugzilla.redhat.com/show_bug.cgi?id=827488

Thread 1 (Thread 0x7f0961a1c700 (LWP 27469))

  • #0 e_ews_folder_get_folder_type
    at e-ews-folder.c line 283
  • #1 sync_updated_folders
    at camel-ews-utils.c line 425
  • #2 ews_utils_sync_folders
    at camel-ews-utils.c line 626
  • #3 ews_update_folder_hierarchy
    at camel-ews-store.c line 223
  • #4 ews_authenticate_sync
    at camel-ews-store.c line 438
  • #5 camel_service_authenticate_sync
    at camel-service.c line 1324
  • #6 mail_session_authenticate_sync
    at e-mail-session.c line 1411
  • #7 camel_session_authenticate_sync
    at camel-session.c line 1641
  • #8 ews_connect_sync
    at camel-ews-store.c line 308
  • #9 camel_service_connect_sync
    at camel-service.c line 1135
  • #10 ews_get_folder_info_sync
    at camel-ews-store.c line 688
  • #11 camel_store_get_folder_info_sync
  • #12 store_get_folder_info_thread
    at camel-store.c line 497
  • #13 run_in_thread
    at gsimpleasyncresult.c line 861
  • #14 io_job_thread
    at gioscheduler.c line 177
  • #15 g_thread_pool_thread_proxy
    at gthreadpool.c line 309
  • #16 g_thread_proxy
    at gthread.c line 801
  • #17 start_thread
    at pthread_create.c line 309
  • #18 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 115

Comment 2 Milan Crha 2012-07-16 16:53:25 UTC
From another similar downstream bug report I suspect that EWS picked an old connection and was going to reuse it, which was freed either already or meanwhile. The other crash happened in
   e_ews_connection_new
     g_object_set (G_OBJECT (cnc->priv->soup_session),
         SOUP_SESSION_USE_NTLM, use_ntlm, NULL);
   ews_connect_sync

when the cnc is set to 0x8d74220, which is not that suspicious, but
the xsession_error contains a warning:

   GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT
   (object)' failed

which can be from just a few lines before the g_object_set() call.
Comment 3 Milan Crha 2012-07-16 17:10:18 UTC
Created attachment 218936
ews patch

for evolution-ews;

This may fix it. The e_ews_connection_dispose didn't use the 'connecting' lock when accessing the 'loaded_connections_permissions' hash table, thus one thread could be disposing the connection while another could pick it as working, leading to use of freed memory in the other thread.
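
The locking rule behind the fix described in Comment 3, as an added example that is not part of the bug report or of the evolution-ews patch: a toy one-slot connection cache in which the lookup and the final unref share one mutex. `Conn`, `conn_get`, `conn_unref`, `stress` and the key string are hypothetical; the pthread mutex stands in for the 'connecting' lock and the single slot for the 'loaded_connections_permissions' hash table.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char key[64]; int refs; } Conn;   /* hypothetical type */

/* Stand-in for the 'connecting' lock: guards 'loaded' and every refs field. */
static pthread_mutex_t connecting = PTHREAD_MUTEX_INITIALIZER;
static Conn *loaded;    /* one-slot stand-in for the hash table */
static int live, peak;  /* allocation accounting, also under the lock */

/* Pick the cached connection for key or create it; NULL if the slot holds another key. */
Conn *conn_get(const char *key) {
    pthread_mutex_lock(&connecting);
    Conn *c = (loaded && strcmp(loaded->key, key) == 0) ? loaded : NULL;
    if (!c && !loaded && (c = calloc(1, sizeof *c)) != NULL) {
        strncpy(c->key, key, sizeof c->key - 1);
        loaded = c;
        if (++live > peak) peak = live;
    }
    if (c) c->refs++;
    pthread_mutex_unlock(&connecting);
    return c;
}

/* Drop a reference. The last drop unlinks and frees inside the critical section
 * conn_get() uses; tearing down outside it lets a lookup hand out a dying object. */
void conn_unref(Conn *c) {
    pthread_mutex_lock(&connecting);
    if (c && --c->refs == 0) {
        if (loaded == c) loaded = NULL;
        free(c);
        live--;
    }
    pthread_mutex_unlock(&connecting);
}

static void *worker(void *key) {
    for (int i = 0; i < 20000; i++) conn_unref(conn_get(key));
    return NULL;
}

/* Race four threads over one constructed key; returns objects still live (0). */
int stress(void) {
    pthread_t t[4];
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, "ews://constructed");
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    return live + (loaded != NULL);
}
```

Building it with `-fsanitize=address` and then moving the unlink and `free()` outside the mutex is a quick way to see the use-after-free reported as a sanitizer error rather than as a sporadic crash.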
Comment 4 Milan Crha 2012-07-16 17:13:35 UTC
Created commit b7f5053 in ews master (3.5.5+)
Created commit e867f70 in ews gnome-3-4 (3.4.4+)