Bug 690092 - [abrt] Crash under format_full_headers()
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 3.6.x (obsolete)
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2012-12-12 11:42 UTC by Milan Crha
Modified: 2013-03-06 18:39 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
evo patch (16.39 KB, patch), 2012-12-17 17:50 UTC, Milan Crha, committed

Description Milan Crha 2012-12-12 11:42:55 UTC
Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=886024

Description of problem:
I was browsing when evolution crashed (it was running in the background, I wasn't working in it).

Version-Release number of selected component:
evolution-3.6.2-3.fc18

Additional info:
backtrace_rating: 4
cmdline:        evolution
crash_function: g_ascii_strcasecmp
executable:     /usr/bin/evolution
kernel:         3.6.9-4.fc18.x86_64

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.

Thread 2 (Thread 0x7f97783f0a00 (LWP 2531))

#0  g_hash_table_lookup at ghash.c line 1078
#1  quark_from_string at gquark.c line 173
#2  g_intern_string at gquark.c line 326
#3  on_source_notify at gbinding.c line 360
#4  g_closure_invoke at gclosure.c line 777
#5  signal_emit_unlocked_R at gsignal.c line 3551
#6  g_signal_emit_valist at gsignal.c line 3300
#7  g_signal_emit at gsignal.c line 3356
#8  g_object_dispatch_properties_changed at gobject.c line 1041
#9  g_object_notify_queue_thaw at gobject.c line 291
#10 g_object_set_property at gobject.c line 2156
#11 g_settings_binding_key_changed at gsettings.c line 2423
#12 g_cclosure_marshal_VOID__STRINGv at gmarshal.c line 1004
#13 _g_closure_invoke_va at gclosure.c line 840
#14 g_signal_emit_valist at gsignal.c line 3211
#15 g_signal_emit at gsignal.c line 3356
#16 g_settings_real_change_event at gsettings.c line 288
#17 ffi_call_unix64 at ../src/x86/unix64.S line 75
#18 ffi_call at ../src/x86/ffi64.c line 486
#19 g_cclosure_marshal_generic_va at gclosure.c line 1550
#20 _g_closure_invoke_va at gclosure.c line 840
#21 g_signal_emit_valist at gsignal.c line 3211
#22 g_signal_emit at gsignal.c line 3356
#23 settings_backend_path_changed at gsettings.c line 363
#24 settings_backend_path_changed at gsettings.c line 354
#25 g_settings_backend_invoke_closure at gsettingsbackend.c line 271
#26 g_main_dispatch at gmain.c line 2715
#27 g_main_context_dispatch at gmain.c line 3219
#28 g_main_context_iterate at gmain.c line 3290
#29 g_main_loop_run at gmain.c line 3484
#30 gtk_main at gtkmain.c line 1160
#31 main at main.c line 711

Comment 1 Milan Crha 2012-12-17 17:50:09 UTC
Created attachment 231754 [details] [review]
evo patch

for evolution;

It seems to me that this is caused by a use-after-free in format_full_headers(). The function gets a list of headers at the beginning and uses it all the time, usually in a dedicated thread. The backtrace shows that the main thread received a change notification from GSettings, which could free the returned GQueue and thus leave the dedicated thread with freed values. I added a property_lock and ..._dup_... functions on three allocated properties and use them throughout the code to avoid this use-after-free.
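The race comment 1 describes, shown as an added illustration that is not Evolution's code and not the attached patch: a worker thread keeps a pointer to a list it fetched from the object, while the main thread, reacting to a GSettings change, replaces that list and frees the old one. The struct, the function names and the pthread mutex are assumptions standing in for Evolution's property_lock and its _dup_ accessors; GLib's GQueue is replaced by a NULL-terminated string array so the block builds with only libc. The unsafe getter hands out the internal pointer; the fixed accessor copies the list under the lock so the caller owns what it reads.

```c
/* Added example, not Evolution code: the stale-pointer race from comment 1
 * and the lock + _dup_ fix, in plain C with pthreads instead of GLib. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the mail formatter object (hypothetical name). */
typedef struct {
    pthread_mutex_t lock;   /* plays the role of the patch's property_lock */
    char **headers;         /* NULL-terminated array owned by the object */
} HeaderFormatter;

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static char **dup_strv(const char *const *src) {
    size_t n = 0;
    while (src[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    for (size_t i = 0; out && i < n; i++) out[i] = xstrdup(src[i]);
    return out;
}

static void free_strv(char **v) {
    if (!v) return;
    for (size_t i = 0; v[i]; i++) free(v[i]);
    free(v);
}

static size_t count_strv(char **v) {
    size_t n = 0;
    while (v[n]) n++;
    return n;
}

static void formatter_init(HeaderFormatter *f, const char *const *initial) {
    pthread_mutex_init(&f->lock, NULL);
    f->headers = dup_strv(initial);
}

static void formatter_destroy(HeaderFormatter *f) {
    free_strv(f->headers);
    pthread_mutex_destroy(&f->lock);
}

/* Main-thread setter, the analogue of the GSettings change handler in the
 * backtrace: swaps in the new list and frees the old one. */
static void formatter_set_headers(HeaderFormatter *f, const char *const *v) {
    char **fresh = dup_strv(v);
    pthread_mutex_lock(&f->lock);
    char **old = f->headers;
    f->headers = fresh;
    pthread_mutex_unlock(&f->lock);
    free_strv(old);   /* any caller still holding `old` now dangles */
}

/* Before the fix: hands the internal pointer to the caller. */
static char **formatter_get_headers_unsafe(HeaderFormatter *f) {
    return f->headers;
}

/* After the fix: snapshot taken under the lock; the caller owns and frees it. */
static char **formatter_dup_headers(HeaderFormatter *f) {
    pthread_mutex_lock(&f->lock);
    char **copy = dup_strv((const char *const *)f->headers);
    pthread_mutex_unlock(&f->lock);
    return copy;
}

/* Constructed sample data, not taken from any real mailbox. */
static const char *const INITIAL[] = {"From", "To", "Subject", NULL};
static const char *const CHANGED[] = {"From", NULL};

/* 1 if the pointer the worker got from the unsafe getter is no longer the
 * live list after a settings change, i.e. it points at freed memory. Only
 * the address is kept (as an integer) and compared; the stale pointer is
 * never dereferenced, since that would be the use-after-free itself. */
int unsafe_getter_dangles(void) {
    HeaderFormatter f;
    formatter_init(&f, INITIAL);
    uintptr_t held = (uintptr_t)formatter_get_headers_unsafe(&f);
    formatter_set_headers(&f, CHANGED);        /* frees what `held` refers to */
    int dangles = held != (uintptr_t)f.headers;
    formatter_destroy(&f);
    return dangles;
}

/* Header count the worker sees from its own copy after the main thread
 * replaced the list: the original 3, because the copy is independent. */
size_t dup_accessor_survives_change(void) {
    HeaderFormatter f;
    formatter_init(&f, INITIAL);
    char **mine = formatter_dup_headers(&f);   /* worker's private snapshot */
    formatter_set_headers(&f, CHANGED);        /* main thread: settings changed */
    size_t n = count_strv(mine);               /* still valid memory */
    free_strv(mine);
    formatter_destroy(&f);
    return n;
}

int main(void) {
    printf("unsafe getter left a dangling pointer: %d\n", unsafe_getter_dangles());
    printf("headers visible through dup copy after change: %zu\n",
           dup_accessor_survives_change());
    return 0;
}
```

The two functions run sequentially so the result is deterministic, but the ordering is exactly what a real scheduler can produce between the formatting thread and the main loop; the mutex matters only in the threaded case, where it keeps the setter's swap and the accessor's copy from interleaving on a half-updated pointer.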
Comment 2 Pedro F. 2013-03-06 11:33:55 UTC
May or may not be relevant: the same crash happened and I _think_ it was when I had Evolution accessing an Exchange account in which emails were pulled using POP3 at the same time.
Comment 3 Milan Crha 2013-03-06 18:30:18 UTC
Oops, this patch got forgotten :-/
Comment 4 Milan Crha 2013-03-06 18:38:57 UTC
Created commit 0d96f08 in evo master (3.7.92+)