Bug 709162 – [abrt] Use-after-free on a reminder snooze

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 709162 - [abrt] Use-after-free on a reminder snooze


Summary:	[abrt] Use-after-free on a reminder snooze


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Calendar
Version:	3.10.x (obsolete)
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	evolution-calendar-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:

Duplicates:	734085 (view as bug list)
Depends on:
Blocks:

Reported:	2013-10-01 07:23 UTC by Milan Crha
Modified:	2014-10-08 10:40 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Milan Crha 2013-10-01 07:23:41 UTC

Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1013711

Version-Release number of selected component:
evolution-3.8.5-2.fc19

Additional info:
reporter:       libreport-2.1.7
backtrace_rating: 4
cmdline:        /usr/libexec/evolution/3.8/evolution-alarm-notify
crash_function: allocator_memalign
executable:     /usr/libexec/evolution/3.8/evolution-alarm-notify
kernel:         3.11.1-200.fc19.x86_64

Core was generated by `/usr/libexec/evolution/3.8/evolution-alarm-notify'.
Program terminated with signal 6, Aborted.

+ Trace 232559

Thread 1 (Thread 0x7fabb9834a40 (LWP 22888))

#0 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
#1 __GI_abort
at abort.c line 90
#2 __libc_message
at ../sysdeps/unix/sysv/linux/libc_fatal.c line 196
#3 malloc_printerr
at malloc.c line 4937
#4 malloc_consolidate
at malloc.c line 4106
#5 _int_malloc
at malloc.c line 3385
#6 _int_memalign
at malloc.c line 4354
#7 __GI___libc_memalign
at malloc.c line 3037
#8 __posix_memalign
at malloc.c line 4967
#9 allocator_memalign
at gslice.c line 1381
#10 allocator_add_slab
at gslice.c line 1252
#11 slab_allocator_alloc_chunk
at gslice.c line 1300
#12 magazine_cache_pop_magazine
at gslice.c line 719
#13 thread_memory_magazine1_reload
at gslice.c line 794
#14 g_slice_alloc
at gslice.c line 992
#15 g_slice_alloc0
at gslice.c line 1029
#16 g_type_create_instance
at gtype.c line 1897
#17 g_object_constructor
at gobject.c line 1855
#18 g_object_newv
at gobject.c line 1638
#19 g_object_new
at gobject.c line 1548
#20 _gtk_icon_helper_new
at gtkiconhelper.c line 577
#21 construct_icon_info
at gtkentry.c line 3043
#22 gtk_entry_set_icon_from_pixbuf
at gtkentry.c line 8034
#23 gtk_entry_dispose
at gtkentry.c line 2807
#24 g_object_run_dispose
at gobject.c line 1062
#25 gtk_grid_forall
at gtkgrid.c line 502
#26 gtk_container_destroy
at gtkcontainer.c line 1377
#27 g_closure_invoke
at gclosure.c line 777
#28 signal_emit_unlocked_R
at gsignal.c line 3700
#29 g_signal_emit_valist
at gsignal.c line 3328
#30 g_signal_emit
at gsignal.c line 3384
#31 gtk_widget_dispose
at gtkwidget.c line 10771
#32 g_object_run_dispose
at gobject.c line 1062
#33 gtk_grid_forall
at gtkgrid.c line 502
#34 gtk_container_destroy
at gtkcontainer.c line 1377
#35 g_closure_invoke
at gclosure.c line 777
#36 signal_emit_unlocked_R
at gsignal.c line 3700
#37 g_signal_emit_valist
at gsignal.c line 3328
#38 g_signal_emit
at gsignal.c line 3384
#39 gtk_widget_dispose
at gtkwidget.c line 10771
#40 g_object_run_dispose
at gobject.c line 1062
#41 gtk_box_forall
at gtkbox.c line 1865
#42 gtk_container_destroy
at gtkcontainer.c line 1377
#43 g_closure_invoke
at gclosure.c line 777
#44 signal_emit_unlocked_R
at gsignal.c line 3700
#45 g_signal_emit_valist
at gsignal.c line 3328
#46 g_signal_emit
at gsignal.c line 3384
#47 gtk_widget_dispose
at gtkwidget.c line 10771
#48 g_object_run_dispose
at gobject.c line 1062
#49 gtk_container_destroy
at gtkcontainer.c line 1377
#50 g_closure_invoke
at gclosure.c line 777
#51 signal_emit_unlocked_R
at gsignal.c line 3700
#52 g_signal_emit_valist
at gsignal.c line 3328
#53 g_signal_emit
at gsignal.c line 3384
#54 gtk_widget_dispose
at gtkwidget.c line 10771
#55 g_object_run_dispose
at gobject.c line 1062
#56 gtk_widget_destroy
at gtkwidget.c line 4093
#57 notify_dialog_cb
at alarm-queue.c line 1367
#58 snooze_pressed_cb
at alarm-notify-dialog.c line 229
#59 _g_closure_invoke_va
at gclosure.c line 840
#60 g_signal_emit_valist
at gsignal.c line 3234
#61 g_signal_emit
at gsignal.c line 3384
#62 gtk_real_button_released
at gtkbutton.c line 1973
#63 _g_closure_invoke_va
at gclosure.c line 840
#64 g_signal_emit_valist
at gsignal.c line 3234
#65 g_signal_emit
at gsignal.c line 3384
#66 gtk_button_button_release
at gtkbutton.c line 1805
#67 _gtk_marshal_BOOLEAN__BOXED
at gtkmarshalers.c line 85
#68 g_closure_invoke
at gclosure.c line 777
#69 signal_emit_unlocked_R
at gsignal.c line 3622
#70 g_signal_emit_valist
at gsignal.c line 3338
#71 g_signal_emit
at gsignal.c line 3384
#72 gtk_widget_event_internal
at gtkwidget.c line 6714
#73 gtk_widget_event
at gtkwidget.c line 6371
#74 propagate_event_up
at gtkmain.c line 2393
#75 propagate_event
at gtkmain.c line 2501
#76 gtk_main_do_event
at gtkmain.c line 1716
#77 gdk_event_source_dispatch
at gdkeventsource.c line 364
#78 g_main_dispatch
at gmain.c line 3054
#79 g_main_context_dispatch
at gmain.c line 3630
#80 g_main_context_iterate
at gmain.c line 3701
#81 g_main_context_iteration
at gmain.c line 3762
#82 g_application_run
at gapplication.c line 1623
#83 main
at notify-main.c line 117

Comment 1 Brian J. Murrell 2013-10-04 17:37:33 UTC

I have also seen this just now.

Comment 2 Milan Crha 2014-01-14 16:04:49 UTC

Another downstream bug report from Fedora 20:
https://bugzilla.redhat.com/show_bug.cgi?id=1049075

Description of problem:
I didn't use Evolution, just had it open. I got a reminder popup in gnome-shell for a event I added to evolution's calendar. this crash happened just after delaying the reminder for 1 day. It happened at 00:00 local time.

Version-Release number of selected component:
evolution-3.10.3-1.fc20

Additional info:
reporter:       libreport-2.1.10
backtrace_rating: 4
cmdline:        /usr/libexec/evolution/3.10/evolution-alarm-notify
crash_function: ptr_array_free
executable:     /usr/libexec/evolution/3.10/evolution-alarm-notify
kernel:         3.12.6-300.fc20.x86_64

+ Trace 233032

Thread 1 (Thread 0x7ff112127a40 (LWP 2961))

#0 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
#1 __GI_abort
at abort.c line 89
#2 __libc_message
at ../sysdeps/posix/libc_fatal.c line 175
#3 malloc_printerr
at malloc.c line 4930
#4 malloc_consolidate
at malloc.c line 4099
#5 _int_free
at malloc.c line 3999
#6 g_free
at gmem.c line 197
#7 ptr_array_free
at garray.c line 1082
#8 g_ptr_array_unref
at garray.c line 1031
#9 gtk_css_computed_values_dispose
at gtkcsscomputedvalues.c line 49
#10 g_object_unref
at gobject.c line 3160
#11 style_data_unref
at gtkstylecontext.c line 527
#12 g_hash_table_remove_all_nodes
at ghash.c line 500
#13 g_hash_table_remove_all
at ghash.c line 1347
#14 g_hash_table_destroy
at ghash.c line 1051
#15 gtk_style_context_finalize
at gtkstylecontext.c line 860
#16 g_object_unref
at gobject.c line 3197
#17 gtk_spin_button_finalize
at gtkspinbutton.c line 695
#18 g_object_unref
at gobject.c line 3197
#19 gtk_grid_forall
at gtkgrid.c line 546
#20 gtk_container_destroy
at gtkcontainer.c line 1403
#21 g_closure_invoke
at gclosure.c line 777
#22 signal_emit_unlocked_R
at gsignal.c line 3702
#23 g_signal_emit_valist
at gsignal.c line 3330
#24 g_signal_emit
at gsignal.c line 3386
#25 gtk_widget_dispose
at gtkwidget.c line 11279
#26 g_object_run_dispose
at gobject.c line 1067
#27 gtk_grid_forall
at gtkgrid.c line 546
#28 gtk_container_destroy
at gtkcontainer.c line 1403
#29 g_closure_invoke
at gclosure.c line 777
#30 signal_emit_unlocked_R
at gsignal.c line 3702
#31 g_signal_emit_valist
at gsignal.c line 3330
#32 g_signal_emit
at gsignal.c line 3386
#33 gtk_widget_dispose
at gtkwidget.c line 11279
#34 g_object_run_dispose
at gobject.c line 1067
#35 gtk_box_forall
at gtkbox.c line 2096
#36 gtk_container_destroy
at gtkcontainer.c line 1403
#37 g_closure_invoke
at gclosure.c line 777
#38 signal_emit_unlocked_R
at gsignal.c line 3702
#39 g_signal_emit_valist
at gsignal.c line 3330
#40 g_signal_emit
at gsignal.c line 3386
#41 gtk_widget_dispose
at gtkwidget.c line 11279
#42 g_object_run_dispose
at gobject.c line 1067
#43 gtk_window_forall
at gtkwindow.c line 7611
#44 gtk_container_destroy
at gtkcontainer.c line 1403
#45 g_closure_invoke
at gclosure.c line 777
#46 signal_emit_unlocked_R
at gsignal.c line 3702
#47 g_signal_emit_valist
at gsignal.c line 3330
#48 g_signal_emit
at gsignal.c line 3386
#49 gtk_widget_dispose
at gtkwidget.c line 11279
#50 g_object_run_dispose
at gobject.c line 1067
#51 gtk_widget_destroy
at gtkwidget.c line 4268
#52 notify_dialog_cb
at alarm-queue.c line 1369
#53 snooze_pressed_cb
at alarm-notify-dialog.c line 229
#54 _g_closure_invoke_va
at gclosure.c line 840
#55 g_signal_emit_valist
at gsignal.c line 3238
#56 g_signal_emit
at gsignal.c line 3386
#57 gtk_real_button_released
at gtkbutton.c line 2106
#58 g_closure_invoke
at gclosure.c line 777
#59 signal_emit_unlocked_R
at gsignal.c line 3516
#60 g_signal_emit_valist
at gsignal.c line 3330
#61 g_signal_emit
at gsignal.c line 3386
#62 gtk_button_button_release
at gtkbutton.c line 1938
#63 _gtk_marshal_BOOLEAN__BOXEDv
at gtkmarshalers.c line 130
#64 _g_closure_invoke_va
at gclosure.c line 840
#65 g_signal_emit_valist
at gsignal.c line 3238
#66 g_signal_emit
at gsignal.c line 3386
#67 gtk_widget_event_internal
at gtkwidget.c line 7168
#68 gtk_widget_event
at gtkwidget.c line 6830
#69 propagate_event_up
at gtkmain.c line 2391
#70 propagate_event
at gtkmain.c line 2499
#71 gtk_main_do_event
at gtkmain.c line 1714
#72 gdk_event_source_dispatch
at gdkeventsource.c line 364
#73 g_main_dispatch
at gmain.c line 3066
#74 g_main_context_dispatch
at gmain.c line 3642
#75 g_main_context_iterate
at gmain.c line 3713
#76 g_main_context_iteration
at gmain.c line 3774
#77 g_application_run
at gapplication.c line 1635
#78 main
at notify-main.c line 117

Comment 3 Milan Crha 2014-02-17 14:38:43 UTC

Created commit 3219d7a in evo master (3.11.91+) [1]

[1] https://git.gnome.org/browse/evolution/commit/?id=3219d7a

Comment 4 Milan Crha 2014-10-08 10:40:23 UTC

*** Bug 734085 has been marked as a duplicate of this bug. ***