Bug 679613 - Invalid free in e_exchange_calendar_pcalendar_on_change()
Status: RESOLVED FIXED
Product: Evolution Exchange
Classification: Deprecated
Component: Connector
Version: 3.3.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Connector Maintainer
QA Contact: Ximian Connector QA
Reported: 2012-07-09 08:43 UTC by Milan Crha
Modified: 2012-07-09 09:11 UTC

Attachments
eex patch (635 bytes, patch)
2012-07-09 09:08 UTC, Milan Crha
committed

Description Milan Crha 2012-07-09 08:43:13 UTC
Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=837807

Name        : evolution
Arch        : x86_64
Version     : 3.4.3
Release     : 1.fc17

Name        : evolution-exchange
Arch        : x86_64
Version     : 3.4.3
Release     : 1.fc17

Set up account to MS Exchange server using evolution-exchange. All seems to work ok.

Go to Tasks. Tasks on exchange server display ok. Right click on exchange Tasks and view 'Task List Properties'. Press color button. Pick another color and 'Select'. Press Apply on 'Task List Properties'. Evolution crashes every time ......

Same thing happens when picking another color for Calendar.

.................................

(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed

(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed

(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed

(evolution:9561): Gtk-CRITICAL **: gtk_tree_selection_get_selected: assertion `GTK_IS_TREE_SELECTION (selection)' failed

(evolution:9561): Gtk-CRITICAL **: gtk_tree_model_get: assertion `GTK_IS_TREE_MODEL (tree_model)' failed

(evolution:9561): e-data-server-CRITICAL **: e_source_set_relative_uri: assertion `E_IS_SOURCE (source)' failed
*** glibc detected *** evolution: double free or corruption (out): 0x00000000021c77c0 ***
Comment 1 Milan Crha 2012-07-09 08:46:06 UTC
I can confirm this, my console shows:

(evolution:15281): Gtk-CRITICAL **: gtk_tree_selection_get_selected: assertion `GTK_IS_TREE_SELECTION (selection)' failed

(evolution:15281): Gtk-CRITICAL **: gtk_tree_model_get: assertion `GTK_IS_TREE_MODEL (tree_model)' failed

(evolution:15281): e-data-server-CRITICAL **: e_source_set_relative_uri: assertion `E_IS_SOURCE (source)' failed
*** glibc detected *** evolution: munmap_chunk(): invalid pointer: 0x0000003b16c2064d ***
======= Backtrace: =========
/lib64/libc.so.6[0x3ddcc7b616]
/lib64/libglib-2.0.so.0(g_free+0xf)[0x3b1644d3cf]
/build/branch/lib/evolution/3.4/plugins/liborg-gnome-exchange-operations.so(e_exchange_calendar_pcalendar_on_change+0xcd)[0x7fb177248d1b]
/lib64/libgobject-2.0.so.0(g_closure_invoke+0x194)[0x3b16c0f664]
...

and the gdb backtrace is:

Thread 1 (Thread 0x7fb1a2e63a00 (LWP 15281))

  • #0 waitpid
    from /lib64/libpthread.so.0
  • #1 g_spawn_sync
    from /lib64/libglib-2.0.so.0
  • #2 g_spawn_command_line_sync
    from /lib64/libglib-2.0.so.0
  • #3 run_bug_buddy
    at gnome-segvhanlder.c line 240
  • #4 bugbuddy_segv_handle
    at gnome-segvhanlder.c line 191
  • #5 <signal handler called>
  • #6 raise
    from /lib64/libc.so.6
  • #7 abort
    from /lib64/libc.so.6
  • #8 __libc_message
    from /lib64/libc.so.6
  • #9 malloc_printerr
    from /lib64/libc.so.6
  • #10 g_free
    from /lib64/libglib-2.0.so.0
  • #11 e_exchange_calendar_pcalendar_on_change
    at exchange-calendar.c line 142
  • #12 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #13 ??
    from /lib64/libgobject-2.0.so.0
  • #14 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #15 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #16 gtk_tree_view_real_set_cursor
    at gtktreeview.c line 13298
  • #17 gtk_tree_view_set_model
    at gtktreeview.c line 11514
  • #18 gtk_tree_view_destroy
    at gtktreeview.c line 2099
  • #19 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #20 ??
    from /lib64/libgobject-2.0.so.0
  • #21 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #22 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #23 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #24 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #25 gtk_scrolled_window_forall
    at gtkscrolledwindow.c line 1598
  • #26 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #27 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #28 ??
    from /lib64/libgobject-2.0.so.0
  • #29 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #30 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #31 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #32 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #33 gtk_table_forall
    at deprecated/gtktable.c line 1278
  • #34 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #35 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #36 ??
    from /lib64/libgobject-2.0.so.0
  • #37 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #38 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #39 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #40 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #41 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #42 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #43 ??
    from /lib64/libgobject-2.0.so.0
  • #44 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #45 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #46 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #47 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #48 gtk_frame_forall
    at gtkframe.c line 377
  • #49 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #50 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #51 ??
    from /lib64/libgobject-2.0.so.0
  • #52 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #53 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #54 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #55 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #56 gtk_box_forall
    at gtkbox.c line 1858
  • #57 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #58 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #59 ??
    from /lib64/libgobject-2.0.so.0
  • #60 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #61 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #62 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #63 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #64 gtk_notebook_forall
    at gtknotebook.c line 4482
  • #65 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #66 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #67 ??
    from /lib64/libgobject-2.0.so.0
  • #68 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #69 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #70 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #71 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #72 gtk_box_forall
    at gtkbox.c line 1858
  • #73 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #74 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #75 ??
    from /lib64/libgobject-2.0.so.0
  • #76 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #77 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #78 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #79 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #80 gtk_container_destroy
    at gtkcontainer.c line 1370
  • #81 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #82 ??
    from /lib64/libgobject-2.0.so.0
  • #83 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #84 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #85 gtk_widget_dispose
    at gtkwidget.c line 10338
  • #86 g_object_run_dispose
    from /lib64/libgobject-2.0.so.0
  • #87 ec_dialog_response
    at e-config.c line 1263
  • #88 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #89 ??
    from /lib64/libgobject-2.0.so.0
  • #90 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #91 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #92 ??
    from /lib64/libgobject-2.0.so.0
  • #93 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #94 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #95 gtk_real_button_released
    at gtkbutton.c line 2007
  • #96 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #97 ??
    from /lib64/libgobject-2.0.so.0
  • #98 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #99 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #100 gtk_button_button_release
    at gtkbutton.c line 1842
  • #101 gtk_button_button_release
    at gtkbutton.c line 1834
  • #102 _gtk_marshal_BOOLEAN__BOXEDv
    at gtkmarshalers.c line 130
  • #103 ??
    from /lib64/libgobject-2.0.so.0
  • #104 g_signal_emit_valist
    from /lib64/libgobject-2.0.so.0
  • #105 g_signal_emit
    from /lib64/libgobject-2.0.so.0
  • #106 gtk_widget_event_internal
    at gtkwidget.c line 6380
  • #107 gtk_widget_event
    at gtkwidget.c line 6037
  • #108 propagate_event_up
    at gtkmain.c line 2390
  • #109 propagate_event
    at gtkmain.c line 2490
  • #110 gtk_main_do_event
    at gtkmain.c line 1713
  • #111 gdk_event_source_dispatch
    at gdkeventsource.c line 358
  • #112 g_main_context_dispatch
    from /lib64/libglib-2.0.so.0
  • #113 ??
    from /lib64/libglib-2.0.so.0
  • #114 g_main_loop_run
    from /lib64/libglib-2.0.so.0
  • #115 gtk_main
    at gtkmain.c line 1161
  • #116 main
    at main.c line 681

Comment 2 Milan Crha 2012-07-09 09:08:30 UTC
Created attachment 218318
eex patch

for evolution-exchange;

The GtkTreeView can return a NULL GtkSelection at the time of its dispose, when it resets its model to NULL. evolution-exchange did not check for this, nor whether getting the value of an iterator succeeded, which led to use/free of uninitialized memory.
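
The failure mode described in comment 2, reproduced without GTK as an added example; it is not the evolution-exchange code or the attached patch. The `View` and `Selection` types and every function name are hypothetical stand-ins: the selection lookup returns NULL during dispose, and the getter leaves its output pointer untouched on failure.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the tree view and its selection (not GTK types). */
typedef struct { const char *rows[2]; int selected; } Selection; /* selected < 0: no row */
typedef struct { Selection *selection; bool disposing; } View;

/* As in the report: while the view is being disposed there is no selection. */
static Selection *view_get_selection(View *v) {
    return (v == NULL || v->disposing) ? NULL : v->selection;
}

/* On failure this returns false and leaves *out untouched. */
static bool selection_get_path(Selection *s, char **out) {
    if (s == NULL || s->selected < 0) return false;
    size_t n = strlen(s->rows[s->selected]) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return false;
    memcpy(copy, s->rows[s->selected], n);
    *out = copy;
    return true;
}

/* Unsafe shape (kept as a comment because it is undefined behaviour):
 *     char *path;                                        // indeterminate
 *     selection_get_path(view_get_selection(v), &path);  // result ignored
 *     free(path);                                        // frees garbage */
/* Checked handler: copies the selected path into dest, or returns false. */
static bool on_change_checked(View *v, char *dest, size_t dest_len) {
    char *path = NULL;                        /* never left indeterminate */
    Selection *sel = view_get_selection(v);
    if (sel == NULL) return false;            /* view is mid-dispose */
    if (!selection_get_path(sel, &path)) return false; /* nothing selected */
    snprintf(dest, dest_len, "%s", path);
    free(path);
    return true;
}

int main(void) {
    Selection s = { { "personal/Calendar", "personal/Tasks" }, 1 }; /* constructed */
    View v = { &s, false };
    char dest[64] = "unchanged";
    printf("normal:  %d %s\n", on_change_checked(&v, dest, sizeof dest), dest);
    v.disposing = true;
    printf("dispose: %d\n", on_change_checked(&v, dest, sizeof dest));
    return 0;
}
```
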
Comment 3 Milan Crha 2012-07-09 09:11:44 UTC
Created commit 63dc313 in eex master (3.5.4+)
Created commit e6051b4 in eex gnome-3-4 (3.4.4+)