GNOME Bugzilla – Bug 690092
[abrt] Crash under format_full_headers()
Last modified: 2013-03-06 18:39:08 UTC
Moving this from a downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=886024

Description of problem:
I was browsing when evolution crashed (it was running in the background, I wasn't working in it).

Version-Release number of selected component:
evolution-3.6.2-3.fc18

Additional info:
backtrace_rating: 4
cmdline: evolution
crash_function: g_ascii_strcasecmp
executable: /usr/bin/evolution
kernel: 3.6.9-4.fc18.x86_64

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.
Trace 231285
Thread 2 (Thread 0x7f97783f0a00 (LWP 2531))
Created attachment 231754: evo patch for evolution

It seems to me that this is caused by a use-after-free in format_full_headers(). The function gets the list of headers at its beginning and uses it throughout, usually in a dedicated thread. The backtrace shows that the main thread received a change notification from GSettings, which could free the returned GQueue and thus free the values the dedicated thread is still using. I added a property_lock and ..._dup_... functions for three allocated properties and use them throughout the code to avoid this use-after-free.
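The pattern behind the fix above, as an added, constructed example that is not Evolution's code: a property that the main thread may replace on a settings change is guarded by a lock, and the worker takes a deep copy through a `_dup_` accessor instead of borrowing the live pointer. The names `Formatter`, `HeaderList`, `formatter_dup_headers`, `formatter_set_headers` and `demo_snapshot_survives_replacement` are assumptions for illustration; a plain string array stands in for the GQueue, a pthread mutex for the GLib lock, and `strcasecmp` for `g_ascii_strcasecmp`. The race is replayed deterministically in one thread so the outcome can be checked.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed example (not Evolution's code): a header-list property that a
 * main-thread settings handler replaces while a worker formats a message. */

typedef struct {
    char **names;   /* header names, e.g. "From", "Subject" */
    size_t count;
} HeaderList;

typedef struct {
    pthread_mutex_t property_lock;  /* guards 'headers' */
    HeaderList *headers;            /* replaced on settings change */
} Formatter;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

static HeaderList *header_list_new(const char *const *names, size_t n)
{
    HeaderList *l = calloc(1, sizeof *l);
    l->names = calloc(n, sizeof *l->names);
    for (size_t i = 0; i < n; i++)
        l->names[i] = dup_str(names[i]);
    l->count = n;
    return l;
}

static void header_list_free(HeaderList *l)
{
    if (!l) return;
    for (size_t i = 0; i < l->count; i++)
        free(l->names[i]);
    free(l->names);
    free(l);
}

void formatter_init(Formatter *f, const char *const *names, size_t n)
{
    pthread_mutex_init(&f->property_lock, NULL);
    f->headers = header_list_new(names, n);
}

void formatter_clear(Formatter *f)
{
    header_list_free(f->headers);
    pthread_mutex_destroy(&f->property_lock);
}

/* Unsafe accessor (the old behaviour): hands out the live pointer, which
 * dangles as soon as the property is replaced in another thread. */
HeaderList *formatter_peek_headers(Formatter *f) { return f->headers; }

/* Safe accessor: deep copy taken under the lock; the caller owns the copy. */
HeaderList *formatter_dup_headers(Formatter *f)
{
    pthread_mutex_lock(&f->property_lock);
    HeaderList *copy = header_list_new((const char *const *)f->headers->names,
                                       f->headers->count);
    pthread_mutex_unlock(&f->property_lock);
    return copy;
}

/* Settings-changed handler: swap the property under the lock, free the old
 * list outside it. Copies handed out by the dup accessor are unaffected. */
void formatter_set_headers(Formatter *f, const char *const *names, size_t n)
{
    HeaderList *fresh = header_list_new(names, n);
    pthread_mutex_lock(&f->property_lock);
    HeaderList *old = f->headers;
    f->headers = fresh;
    pthread_mutex_unlock(&f->property_lock);
    header_list_free(old);
}

/* Worker-side lookup; case-insensitive like g_ascii_strcasecmp. */
int header_list_contains(const HeaderList *l, const char *name)
{
    for (size_t i = 0; i < l->count; i++)
        if (strcasecmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Replays the race in order: worker snapshots the list, main thread replaces
 * it, worker keeps using its snapshot. Returns 1 when the snapshot is intact
 * and the borrowed pointer no longer matches the live property. */
int demo_snapshot_survives_replacement(void)
{
    static const char *const initial[] = { "From", "To", "Subject" };
    static const char *const changed[] = { "Date" };
    Formatter f;
    formatter_init(&f, initial, 3);

    HeaderList *snapshot = formatter_dup_headers(&f);               /* worker */
    uintptr_t borrowed = (uintptr_t)formatter_peek_headers(&f);     /* old code */
    formatter_set_headers(&f, changed, 1);         /* main thread frees 'borrowed' */

    int ok = snapshot->count == 3
          && header_list_contains(snapshot, "subject")
          && !header_list_contains(f.headers, "Subject")
          && borrowed != (uintptr_t)f.headers;   /* stale; never dereferenced */

    header_list_free(snapshot);
    formatter_clear(&f);
    return ok;
}
```

The borrowed pointer is kept only as an integer so the example never touches freed memory; the point is that the worker's own copy stays valid across the replacement, while the live pointer does not.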
May or may not be relevant: the same crash happened and I _think_ it was when I had Evolution accessing an Exchange account in which emails were pulled using POP3 at the same time.
Oops, this patch got forgotten :-/
Created commit 0d96f08 in evo master (3.7.92+)