After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 767228 - Use-after-free in MessageList rebuild under clear_tree()
Use-after-free in MessageList rebuild under clear_tree()
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
3.20.x (obsolete)
Other Linux
: Normal critical
: ---
Assigned To: evolution-mail-maintainers
Evolution QA team
: 774692 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2016-06-04 04:40 UTC by Paul Wise
Modified: 2016-12-01 17:31 UTC
See Also:
GNOME target: ---
GNOME version: 3.19/3.20

Attachments
gdb backtrace of the crash (66.54 KB, text/plain)
2016-06-04 04:40 UTC, Paul Wise 		Details

Description Paul Wise 2016-06-04 04:40:06 UTC 
Created attachment 329107 [details]
gdb backtrace of the crash

I got a random crash (SIGSEGV) in evolution. I am using evolution 3.20.2-2, evolution-data-server 3.20.2-2 and GNOME 3.20 on Debian stretch. If the below gdb backtrace summary and attached full gdb backtrace isn't useful, please close this bug.

Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.

+ Trace 236301

  • #0 ??
  • #0 0x0000000000000000 in
  • #1 ml_tree_value_at_ex
    at message-list.c line 1772
  • #2 update_cell
    at gal-a11y-e-cell-toggle.c line 129
  • #3 gal_a11y_e_cell_toggle_new
    at gal-a11y-e-cell-toggle.c line 193
  • #4 eti_ref_at
    at gal-a11y-e-table-item.c line 436
  • #5 eti_a11y_reset_focus_object
    at gal-a11y-e-table-item.c line 264
  • #9 <emit signal ??? on instance 0x55985e805b90 [ETreeSelectionModel]>
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./gobject/gsignal.c line 3441
  • #10 e_selection_model_cursor_changed
    at e-selection-model.c line 769
  • #11 e_tree_selection_model_change_cursor
    at e-tree-selection-model.c line 824
  • #12 e_tree_set_cursor
    at e-tree.c line 1787
  • #13 clear_tree
    at message-list.c line 3835
  • #14 message_list_set_folder
    at message-list.c line 4705
  • #15 mail_reader_set_folder
    at e-mail-reader.c line 3401
  • #16 mail_paned_view_set_folder
    at e-mail-paned-view.c line 578
  • #17 mail_shell_view_got_folder_cb
    at e-mail-shell-view-private.c line 81
  • #18 g_task_return_now
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./gio/gtask.c line 1107
  • #19 complete_in_idle_cb
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./gio/gtask.c line 1121
  • #20 g_main_context_dispatch
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./glib/gmain.c line 3154
  • #21 g_main_context_dispatch
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./glib/gmain.c line 3769
  • #22 g_main_context_iterate
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./glib/gmain.c line 3840
  • #23 g_main_loop_run
    at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./glib/gmain.c line 4034
  • #24 gtk_main
    at /build/gtk+3.0-29jmON/gtk+3.0-3.20.5/./gtk/gtkmain.c line 1269
  • #25 main
    at main.c line 660 






Comment 1


Milan Crha





          2016-06-06 09:36:10 UTC
        



Thanks for taking the time to report this.
This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 680471 ***






Comment 2


Milan Crha





          2016-11-28 15:50:02 UTC
        



My fault, the above issue is different that ithe one in the bug #680471, thus I'm reopening this.






Comment 3


Milan Crha





          2016-11-28 16:04:41 UTC
        



The problem here is that the MessageList's clear_tree() frees all the GNode-s, but the associated ETreeTableAdapter still has them stored in its mapping cache. It removes them, but too late, when the MessageList is unfrozen.

Created commit 26537ec in evo master (3.23.3+)
Created commit a62f99a in evo gnome-3-22 (3.22.3+)






Comment 4


Milan Crha





          2016-11-28 17:02:35 UTC
        



Err, and I missed some changes, thus:

Created commit 402b24d in evo master (3.23.3+)
Created commit 1b512d9 in evo gnome-3-22 (3.22.3+)






Comment 5


Milan Crha





          2016-12-01 17:31:24 UTC
        



*** Bug 774692 has been marked as a duplicate of this bug. ***