Bug 673525 - Crash under efh_write_message()
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 3.6.x (obsolete)
Hardware: Other
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Whiteboard: evolution[webkit]
Depends on:
Blocks:
Reported: 2012-04-04 18:04 UTC by Milan Crha
Modified: 2013-09-13 01:08 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch (819 bytes, patch), 2012-04-10 15:55 UTC, Dan Vrátil, committed

Description Milan Crha 2012-04-04 18:04:23 UTC
I quickly moved from one message to another, both were bugzilla emails. I was also testing patch from bug #673108, checked "Use system font" and moved to a different message, with Preferences window left opened.

Thread 3 (Thread 0x7f91cdff9700 (LWP 30491))

  #0  waitpid from /lib64/libpthread.so.0
  #1  g_spawn_sync at gspawn.c line 405
  #2  g_spawn_command_line_sync at gspawn.c line 722
  #3  run_bug_buddy at gnome-segvhanlder.c line 240
  #4  bugbuddy_segv_handle at gnome-segvhanlder.c line 191
  #5  <signal handler called>
  #6  g_str_has_suffix at gstrfuncs.c line 2744
  #7  efh_write_message at em-format-html.c line 1741
  #8  efh_write at em-format-html.c line 1789
  #9  em_format_write at em-format.c line 1975
  #10 handle_mail_request at e-mail-request.c line 111
  #11 run_in_thread at gsimpleasyncresult.c line 861
  #12 io_job_thread at gioscheduler.c line 177
  #13 g_thread_pool_thread_proxy at gthreadpool.c line 309
  #14 g_thread_proxy at gthread.c line 801
  #15 start_thread from /lib64/libpthread.so.0
  #16 clone from /lib64/libc.so.6

Comment 1 Dan Vrátil 2012-04-10 15:55:36 UTC
Created attachment 211764: Patch

The crash seems to be unrelated to the fonts patch. 

I was not able to reproduce it (and I tried really hard); the only cause I can think of is that the EMFormat was destroyed from the main thread when you switched the emails while efh_write_message() was running in a different thread (the write operations are async).

The attached patch makes sure that the formatter lives until the async writing operation in EMailRequest is finished.
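The lifetime race described in the comment above, as an added example in plain C; this is not code from Evolution or GLib. The Formatter and MailRequest types, the result codes and the scripted interleaving are invented for the illustration and stand in for EMFormatHTML, EMailRequest and g_object_ref/g_object_unref. GLib is deliberately not used so the block runs on its own, and the disposed object's shell is kept instead of freed so the stale access can be observed rather than being undefined behaviour:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the formatter object, modelled on GObject semantics: a reference
 * count, and a dispose step that releases members when the last ref drops. */
typedef struct {
    int   ref_count;
    int   disposed;
    char *content_type;   /* heap member released by dispose, like a GObject field */
} Formatter;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    memcpy(copy, s, n);
    return copy;
}

static Formatter *formatter_new(const char *content_type)
{
    Formatter *f = calloc(1, sizeof *f);
    f->ref_count = 1;
    f->content_type = dup_string(content_type);
    return f;
}

/* Equivalent of g_object_ref(): the caller now owns one reference. */
static Formatter *formatter_ref(Formatter *f)
{
    f->ref_count++;
    return f;
}

/* Equivalent of g_object_unref(): dispose runs when the count reaches zero.
 * The struct itself is intentionally left for run_scenario() to free, so a
 * late access is detectable; a real GObject is freed and the access is a
 * use-after-free. */
static void formatter_unref(Formatter *f)
{
    if (--f->ref_count > 0)
        return;
    f->disposed = 1;
    free(f->content_type);
    f->content_type = NULL;
}

/* The request handed to the worker thread, holding the formatter it writes with. */
typedef struct {
    Formatter *efh;
} MailRequest;

static int has_suffix(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Worker side (handle_mail_request -> efh_write_message in the report).
 * Returns 0 if the formatter was already disposed when the worker got to it,
 * 2 if it wrote an html part, 1 for any other part. */
static int handle_mail_request(const MailRequest *req)
{
    const Formatter *f = req->efh;
    if (f->disposed || f->content_type == NULL)
        return 0;                                   /* stale formatter */
    /* The real crash site is g_str_has_suffix() on a field of the formatter. */
    return has_suffix(f->content_type, "html") ? 2 : 1;
}

/* The interleaving from the report, run deterministically on one thread:
 *   1. the view creates a request for the current message;
 *   2. the user moves to another message and the view drops its formatter;
 *   3. the worker only now reaches the write.
 * request_holds_ref = 0 is the borrowed pointer, 1 is the fixed assignment
 * where the request takes its own reference and releases it on completion. */
static int run_scenario(int request_holds_ref)
{
    Formatter *efh = formatter_new("text/html");
    MailRequest req;

    /* The assignment the fix changed: emr->priv->efh = g_object_ref (efh); */
    req.efh = request_holds_ref ? formatter_ref(efh) : efh;

    formatter_unref(efh);                  /* step 2: main thread lets go */
    int result = handle_mail_request(&req); /* step 3: worker writes */

    if (request_holds_ref)
        formatter_unref(req.efh);          /* completion: request releases its ref */

    free(efh);                             /* model-only cleanup of the shell */
    return result;
}

int main(void)
{
    printf("borrowed pointer: %d (0 = formatter already disposed)\n", run_scenario(0));
    printf("owned reference:  %d (2 = wrote html part)\n", run_scenario(1));
    return 0;
}
```

The check a reviewer wants on a patch like this is that every assignment to the request's formatter field takes the reference and that the matching unref lives in the request's dispose or completion path, not in the view, because the view's lifetime is exactly what cannot be trusted from the worker.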
Comment 2 Milan Crha 2012-04-13 08:43:25 UTC
I cannot reproduce it now, but the change looks correct. Please change the patch so that it covers all assignments to emr->priv->efh (I found two in the file), and commit it. Thanks.
Comment 3 Dan Vrátil 2012-04-13 09:54:53 UTC
Fixed and committed to master as 2f530637b15a2a07bd1df1aabef91ffc4f26ddee

http://git.gnome.org/browse/evolution/commit/?id=2f530637b15a2a07bd1df1aabef91ffc4f26ddee
Comment 4 Milan Crha 2012-04-18 06:26:57 UTC
Hrm, it's still there. I'm at 3cfe8da and I just got this one. I was moving between IMAP folders, marked a couple of messages as read (in a bunch with multiselect) and then selected one message and waited till all the folder updating settled. It settled, but instead of a message I got a crash report.


Thread 3 (Thread 0x7f2847fff700 (LWP 17817))

  #0  waitpid from /lib64/libpthread.so.0
  #1  g_spawn_sync at gspawn.c line 405
  #2  g_spawn_command_line_sync at gspawn.c line 722
  #3  run_bug_buddy at gnome-segvhanlder.c line 240
  #4  bugbuddy_segv_handle at gnome-segvhanlder.c line 191
  #5  <signal handler called>
  #6  g_str_has_suffix at gstrfuncs.c line 2744
  #7  efh_write_message at em-format-html.c line 1602
  #8  efh_write at em-format-html.c line 1650
  #9  em_format_write at em-format.c line 1975
  #10 handle_mail_request at e-mail-request.c line 111
  #11 run_in_thread at gsimpleasyncresult.c line 861
  #12 io_job_thread at gioscheduler.c line 177
  #13 g_thread_pool_thread_proxy at gthreadpool.c line 309
  #14 g_thread_proxy at gthread.c line 801
  #15 start_thread from /lib64/libpthread.so.0
  #16 clone from /lib64/libc.so.6

Comment 5 Milan Crha 2012-05-02 13:03:58 UTC
I can reproduce this consistently with a message from brno-list from today at 11:51 from lkocm... I can reproduce it even under valgrind, and it gives me these:

 Thread 5:
 Conditional jump or move depends on uninitialised value(s)
    at 0x175A2AEA: em_format_parse_part_as (em-format.c:2047)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x1759FCAF: emf_parse_inlinepgp_signed (em-format.c:909)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x168799BE: efh_parse_text_plain (em-format-html.c:303)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
 
 Conditional jump or move depends on uninitialised value(s)
    at 0x175A2AEA: em_format_parse_part_as (em-format.c:2047)
    by 0x1759FD1F: emf_parse_inlinepgp_signed (em-format.c:917)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x168799BE: efh_parse_text_plain (em-format-html.c:303)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
 
 Invalid read of size 8
    at 0xA8E403C: g_object_unref (gobject.c:2910)
    by 0x73A4522: medium_dispose (camel-medium.c:96)
    by 0xA8E420C: g_object_unref (gobject.c:2981)
    by 0xAD6B89E: g_list_foreach (glist.c:900)
    by 0x73C3913: multipart_dispose (camel-multipart.c:47)
    by 0xA8E420C: g_object_unref (gobject.c:2981)
    by 0x168799F5: efh_parse_text_plain (em-format-html.c:308)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
  Address 0x7b6e3080 is 0 bytes inside a block of size 136 free'd
    at 0x4A0662E: free (vg_replace_malloc.c:366)
    by 0xAD76332: standard_free (gmem.c:98)
    by 0xAD764F5: g_free (gmem.c:252)
    by 0xAD8E5D7: g_slice_free1 (gslice.c:1111)
    by 0xA8F965E: g_type_free_instance (gtype.c:1937)
    by 0xA8E4343: g_object_unref (gobject.c:3031)
    by 0x1759FD4F: emf_parse_inlinepgp_signed (em-format.c:924)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x168799BE: efh_parse_text_plain (em-format-html.c:303)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
 
 Invalid read of size 8
    at 0xA8FD07E: g_type_check_instance_is_a (gtype.c:3961)
    by 0xA8E406F: g_object_unref (gobject.c:2910)
    by 0x73A4522: medium_dispose (camel-medium.c:96)
    by 0xA8E420C: g_object_unref (gobject.c:2981)
    by 0xAD6B89E: g_list_foreach (glist.c:900)
    by 0x73C3913: multipart_dispose (camel-multipart.c:47)
    by 0xA8E420C: g_object_unref (gobject.c:2981)
    by 0x168799F5: efh_parse_text_plain (em-format-html.c:308)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
  Address 0x7b6e3080 is 0 bytes inside a block of size 136 free'd
    at 0x4A0662E: free (vg_replace_malloc.c:366)
    by 0xAD76332: standard_free (gmem.c:98)
    by 0xAD764F5: g_free (gmem.c:252)
    by 0xAD8E5D7: g_slice_free1 (gslice.c:1111)
    by 0xA8F965E: g_type_free_instance (gtype.c:1937)
    by 0xA8E4343: g_object_unref (gobject.c:3031)
    by 0x1759FD4F: emf_parse_inlinepgp_signed (em-format.c:924)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x168799BE: efh_parse_text_plain (em-format-html.c:303)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
 

(evolution:4536): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
 Invalid read of size 8
    at 0x1687C704: efh_write_message (em-format-html.c:1612)
    by 0x1687C87C: efh_write (em-format-html.c:1660)
    by 0x175A2799: em_format_write (em-format.c:1974)
    by 0x168433F0: handle_mail_request (e-mail-request.c:111)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
  Address 0x7b749938 is 40 bytes inside a block of size 104 free'd
    at 0x4A0662E: free (vg_replace_malloc.c:366)
    by 0xAD76332: standard_free (gmem.c:98)
    by 0xAD764F5: g_free (gmem.c:252)
    by 0x175A4288: em_format_puri_free (em-format.c:2592)
    by 0x175A0E89: mail_part_table_item_free (em-format.c:1483)
    by 0xAD5BB0C: g_hash_table_insert_node (ghash.c:920)
    by 0xAD5BFB0: g_hash_table_insert_internal (ghash.c:1153)
    by 0xAD5BFDF: g_hash_table_insert (ghash.c:1176)
    by 0x175A1E4A: em_format_add_puri (em-format.c:1782)
    by 0x16879960: efh_parse_text_plain (em-format-html.c:300)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
 
 Invalid read of size 1
    at 0xAD933A5: g_str_has_suffix (gstrfuncs.c:2744)
    by 0x1687C716: efh_write_message (em-format-html.c:1612)
    by 0x1687C87C: efh_write (em-format-html.c:1660)
    by 0x175A2799: em_format_write (em-format.c:1974)
    by 0x168433F0: handle_mail_request (e-mail-request.c:111)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
  Address 0x7b7499c0 is 0 bytes inside a block of size 20 free'd
    at 0x4A0662E: free (vg_replace_malloc.c:366)
    by 0xAD76332: standard_free (gmem.c:98)
    by 0xAD764F5: g_free (gmem.c:252)
    by 0x175A41EA: em_format_puri_free (em-format.c:2575)
    by 0x175A0E89: mail_part_table_item_free (em-format.c:1483)
    by 0xAD5BB0C: g_hash_table_insert_node (ghash.c:920)
    by 0xAD5BFB0: g_hash_table_insert_internal (ghash.c:1153)
    by 0xAD5BFDF: g_hash_table_insert (ghash.c:1176)
    by 0x175A1E4A: em_format_add_puri (em-format.c:1782)
    by 0x16879960: efh_parse_text_plain (em-format-html.c:300)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2CB0: em_format_parse_part (em-format.c:2090)
    by 0x175A013C: emf_parse_message (em-format.c:1036)
    by 0x175A2BDB: em_format_parse_part_as (em-format.c:2062)
    by 0x175A2632: em_format_parse (em-format.c:1955)
    by 0x175A27DF: emf_start_async_parser (em-format.c:1982)
    by 0xA3B5E08: run_in_thread (gsimpleasyncresult.c:861)
    by 0xA3A0741: io_job_thread (gioscheduler.c:177)
    by 0xAD9A989: g_thread_pool_thread_proxy (gthreadpool.c:309)
    by 0xAD9A3C4: g_thread_proxy (gthread.c:801)
    by 0x39D5607D8F: start_thread (in /lib64/libpthread-2.14.90.so)
    by 0x39D52F0F5C: clone (in /lib64/libc-2.14.90.so)
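Reading the free'd side of the last two valgrind reports above: the block was released by the part table's value-destroy callback (mail_part_table_item_free, then em_format_puri_free) from inside g_hash_table_insert. That is the path GLib takes when a table created with g_hash_table_new_full() and a value destroy function receives an insert for a key that is already present: the old value is destroyed and replaced, and any pointer handed out earlier for it is left dangling. The following added example, which is not code from Evolution or GLib, models that contract in plain C with a small table whose names are invented for the illustration, and contrasts it with an insert that keeps the existing record instead. The freed flag stands in for the memory actually being released so the stale pointer can be inspected rather than dereferenced:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One message-part record keyed by its part URI (EMFormatPURI in the trace). */
typedef struct {
    char *uri;
    char *mime_type;
    int   freed;        /* set by the destroy callback instead of releasing the shell */
} Part;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    memcpy(copy, s, n);
    return copy;
}

static Part *part_new(const char *uri, const char *mime_type)
{
    Part *p = calloc(1, sizeof *p);
    p->uri = dup_string(uri);
    p->mime_type = dup_string(mime_type);
    return p;
}

/* Value-destroy callback: members go away, the shell stays so freed can be read. */
static void part_destroy(Part *p)
{
    free(p->uri);
    free(p->mime_type);
    p->uri = p->mime_type = NULL;
    p->freed = 1;
}

/* Minimal URI -> Part table. live[] holds current values; destroyed shells are
 * parked in dead[] only so run_scenario() can free them at the end. */
#define MAX_PARTS 16
typedef struct {
    Part *live[MAX_PARTS];
    int   live_count;
    Part *dead[MAX_PARTS];
    int   dead_count;
} PartTable;

static Part *table_lookup(const PartTable *t, const char *uri)
{
    for (int i = 0; i < t->live_count; i++)
        if (strcmp(t->live[i]->uri, uri) == 0)
            return t->live[i];
    return NULL;
}

/* Destroy-on-replace insert: the g_hash_table_insert() contract with a value
 * destroy function. An existing key's old value is destroyed right here. */
static Part *table_insert(PartTable *t, Part *p)
{
    for (int i = 0; i < t->live_count; i++) {
        if (strcmp(t->live[i]->uri, p->uri) == 0) {
            part_destroy(t->live[i]);
            t->dead[t->dead_count++] = t->live[i];
            t->live[i] = p;
            return p;
        }
    }
    t->live[t->live_count++] = p;
    return p;
}

/* Collision-safe variant: keep the record already registered under that URI
 * and discard the newcomer, so pointers handed out earlier stay valid. */
static Part *table_add_unique(PartTable *t, Part *p)
{
    Part *existing = table_lookup(t, p->uri);
    if (existing != NULL) {
        part_destroy(p);
        t->dead[t->dead_count++] = p;
        return existing;
    }
    return table_insert(t, p);
}

static void table_clear(PartTable *t)
{
    for (int i = 0; i < t->live_count; i++) {
        part_destroy(t->live[i]);
        free(t->live[i]);
    }
    for (int i = 0; i < t->dead_count; i++)
        free(t->dead[i]);
    t->live_count = t->dead_count = 0;
}

/* The parser registers a part, keeps the pointer (the writer reads it later),
 * then registers a second part under the same URI. Returns 1 if the first
 * pointer is still usable afterwards, 0 if the table destroyed it underneath. */
static int run_scenario(int use_unique_add)
{
    PartTable table;
    memset(&table, 0, sizeof table);

    Part *first = table_insert(&table, part_new("1.1", "text/plain"));
    Part *second = part_new("1.1", "application/pgp-signature"); /* duplicate key */

    if (use_unique_add)
        table_add_unique(&table, second);
    else
        table_insert(&table, second);

    int usable = !first->freed && first->mime_type != NULL;
    table_clear(&table);
    return usable;
}

int main(void)
{
    printf("destroy-on-replace insert: first pointer usable = %d\n", run_scenario(0));
    printf("keep-existing add:         first pointer usable = %d\n", run_scenario(1));
    return 0;
}
```

Under valgrind the real-code equivalent of run_scenario(0) is exactly the "Invalid read ... free'd at ... g_hash_table_insert" pair above; whether the right fix is unique part URIs, a lookup before insert, or not holding raw pointers across the parse is a design decision the page does not settle.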
Comment 6 Milan Crha 2012-05-03 08:25:43 UTC
Even if I fix the uninitialized memory and invalid unref from emf_parse_inlinepgp_signed() (the 'dw' may not be unreffed), then it still crashes with the last two issues reported in the previous valgrind log.
Comment 7 Dan Vrátil 2012-06-08 15:41:38 UTC
Could you please try if this happens with the new formatter as well?
Comment 8 Milan Crha 2012-06-11 11:19:06 UTC
OK, I tried with that message and it doesn't crash now, nor does valgrind report issues (only some from webkit in plugins about using uninitialized memory).