GNOME Bugzilla – Bug 679613
Invalid free in e_exchange_calendar_pcalendar_on_change()
Last modified: 2012-07-09 09:11:44 UTC
Moving this from a downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=837807

Name : evolution
Arch : x86_64
Version : 3.4.3
Release : 1.fc17

Name : evolution-exchange
Arch : x86_64
Version : 3.4.3
Release : 1.fc17

Set up account to MS Exchange server using evolution-exchange. All seems to work ok.
Go to Tasks. Tasks on exchange server display ok.
Right click on exchange Tasks and view 'Task List Properties'.
Press color button. Pick another color and 'Select'.
Press Apply on 'Task List Properties'.
Evolution crashes every time ......
Same thing happens when picking another color for Calendar.
.................................

(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed
(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed
(evolution:9561): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed
(evolution:9561): Gtk-CRITICAL **: gtk_tree_selection_get_selected: assertion `GTK_IS_TREE_SELECTION (selection)' failed
(evolution:9561): Gtk-CRITICAL **: gtk_tree_model_get: assertion `GTK_IS_TREE_MODEL (tree_model)' failed
(evolution:9561): e-data-server-CRITICAL **: e_source_set_relative_uri: assertion `E_IS_SOURCE (source)' failed
*** glibc detected *** evolution: double free or corruption (out): 0x00000000021c77c0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x323fa7c80e]
/lib64/libglib-2.0.so.0(g_free+0xf)[0x323f64d3cf]
/usr/lib64/evolution/3.4/plugins/liborg-gnome-exchange-operations.so(e_exchange_calendar_pcalendar_on_change+0xa3)[0x7fe843ad6cb3]
/lib64/libgobject-2.0.so.0(g_closure_invoke+0x194)[0x324320f664]
/lib64/libgobject-2.0.so.0[0x32432206d8]
/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0xddd)[0x324322866d]
/lib64/libgobject-2.0.so.0(g_signal_emit+0x82)[0x32432287c2]
/lib64/libgtk-3.so.0[0x324ba87143]
/lib64/libgtk-3.so.0(gtk_tree_view_set_model+0x3f6)[0x324ba89906]
/lib64/libgtk-3.so.0[0x324ba89c39]

I can confirm this, my console shows:

(evolution:15281): Gtk-CRITICAL **: gtk_tree_selection_get_selected: assertion `GTK_IS_TREE_SELECTION (selection)' failed
(evolution:15281): Gtk-CRITICAL **: gtk_tree_model_get: assertion `GTK_IS_TREE_MODEL (tree_model)' failed
(evolution:15281): e-data-server-CRITICAL **: e_source_set_relative_uri: assertion `E_IS_SOURCE (source)' failed
*** glibc detected *** evolution: munmap_chunk(): invalid pointer: 0x0000003b16c2064d ***
======= Backtrace: =========
/lib64/libc.so.6[0x3ddcc7b616]
/lib64/libglib-2.0.so.0(g_free+0xf)[0x3b1644d3cf]
/build/branch/lib/evolution/3.4/plugins/liborg-gnome-exchange-operations.so(e_exchange_calendar_pcalendar_on_change+0xcd)[0x7fb177248d1b]
/lib64/libgobject-2.0.so.0(g_closure_invoke+0x194)[0x3b16c0f664]
...

and the gdb backtrace is:
+ Trace 230486
Thread 1 (Thread 0x7fb1a2e63a00 (LWP 15281))

Created attachment 218318
eex patch

for evolution-exchange;

The GtkTreeView can return a NULL GtkSelection at the time of its dispose, when it resets its model to NULL. evolution-exchange did not check for this, nor whether getting the value of an iterator succeeded, which led to use/free of uninitialized memory.

Created commit 63dc313 in eex master (3.5.4+)
Created commit e6051b4 in eex gnome-3-4 (3.4.4+)
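
The failure mode described in the patch comment, as an added example that is not the evolution-exchange code or the attached patch: the stand-in functions (selection_get_selected, model_get_string and on_change are hypothetical names) fail without writing their out-parameters, and the handler shows the checked, NULL-initialized form that makes the final free safe.

```c
/* Stand-in types and names (hypothetical); not the evolution-exchange source. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *row; } Selection;  /* models the tree selection */

/* Models gtk_tree_selection_get_selected(): fails on a NULL or empty
 * selection and writes *row_out only on success. */
static bool selection_get_selected(const Selection *sel, const char **row_out)
{
    if (sel == NULL || sel->row == NULL)
        return false;
    *row_out = sel->row;
    return true;
}

/* Models reading the row's value: a heap copy the caller must free. */
static bool model_get_string(const char *row, char **value_out)
{
    size_t n = strlen(row) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return false;
    memcpy(copy, row, n);
    *value_out = copy;
    return true;
}

/* Unsafe shape described in the patch comment: "char *uri;" left
 * uninitialized, both results ignored, then free(uri) on stack garbage. */
/* Hardened handler: true only when a value was actually read and used. */
bool on_change(const Selection *sel, char *dest, size_t dest_len)
{
    const char *row = NULL;
    char *uri = NULL;                      /* free(NULL) is a no-op */
    bool ok = selection_get_selected(sel, &row) && model_get_string(row, &uri);
    if (ok)
        snprintf(dest, dest_len, "%s", uri);
    free(uri);
    return ok;
}

int main(void)
{
    char buf[64] = "unchanged";
    bool ok = on_change(NULL, buf, sizeof buf);  /* disposed view: no selection */
    printf("%d %s\n", ok, buf);
    return 0;
}
```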