Bug 1103823

Summary: [abrt] Crash after migration to maildir
Product: Red Hat Enterprise Linux 7
Reporter: Jiri Koten <jkoten>
Component: evolution
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: low
Docs Contact:
Priority: low
Version: 7.0
CC: mcrha, vbenes
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:9923934d5809a0e97d9c79c2d25e0f3805813b73
Fixed In Version: evolution-3.8.5-26
Doc Type: Bug Fix
Doc Text:
Cause: first run (or restore of a backup) with data from a previous evolution version
Consequence: crash after the migration of the On This Computer mail account from mbox to maildir has finished
Fix: make sure no events are left in the main loop before freeing the migration structures, to avoid the use-after-free which caused the crash
Result: no crash, evolution runs properly after the migration is finished
Last Closed: 2015-03-05 06:37:18 UTC
Attachments (flags: none on all):
File: backtrace
File: cgroup
File: core_backtrace
File: dso_list
File: environ
File: limits
File: maps
File: open_fds
File: proc_pid_status
File: var_log_messages
File: sosreport.tar.xz
evo patch

Description Jiri Koten 2014-06-02 16:08:04 UTC
Description of problem:
Restore backup created on rhel6 (evolution-2.32).
Evo crashed after the dialog of Migration from mbox to Maildir.

Version-Release number of selected component:
evolution-3.8.5-21.el7.1

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        evolution
crash_function: camel_folder_summary_save_to_db
executable:     /usr/bin/evolution
kernel:         3.10.0-123.el7.x86_64
runlevel:       unknown
type:           CCpp
uid:            1010

Truncated backtrace:
Thread no. 1 (8 frames)
 #0 camel_folder_summary_save_to_db at camel-folder-summary.c:2785
 #1 local_summary_sync at camel-local-summary.c:495
 #2 maildir_summary_sync at camel-maildir-summary.c:831
 #3 local_folder_dispose at camel-local-folder.c:111
 #5 signal_closure_free at camel-store.c:120
 #6 g_source_callback_unref at gmain.c:1545
 #7 g_source_destroy_internal at gmain.c:1204
 #12 gtk_main at gtkmain.c:1156

Comment 1 Jiri Koten 2014-06-02 16:08:06 UTC
Created attachment 901491
File: backtrace

Comment 2 Jiri Koten 2014-06-02 16:08:08 UTC
Created attachment 901492
File: cgroup

Comment 3 Jiri Koten 2014-06-02 16:08:10 UTC
Created attachment 901493
File: core_backtrace

Comment 4 Jiri Koten 2014-06-02 16:08:13 UTC
Created attachment 901494
File: dso_list

Comment 5 Jiri Koten 2014-06-02 16:08:14 UTC
Created attachment 901495
File: environ

Comment 6 Jiri Koten 2014-06-02 16:08:16 UTC
Created attachment 901496
File: limits

Comment 7 Jiri Koten 2014-06-02 16:08:18 UTC
Created attachment 901497
File: maps

Comment 8 Jiri Koten 2014-06-02 16:08:20 UTC
Created attachment 901498
File: open_fds

Comment 9 Jiri Koten 2014-06-02 16:08:22 UTC
Created attachment 901499
File: proc_pid_status

Comment 10 Jiri Koten 2014-06-02 16:08:25 UTC
Created attachment 901500
File: var_log_messages

Comment 11 Jiri Koten 2014-06-02 16:08:59 UTC
Created attachment 901501
File: sosreport.tar.xz

Comment 13 Milan Crha 2014-06-03 07:52:35 UTC
The backtrace seems to show some ref/unref imbalance on a CamelFolder/CamelStore, but there is no indication what exactly happened. It is only the end of some async operation when the bug struck.

Comment 14 Milan Crha 2014-06-10 12:52:51 UTC
Created attachment 907244
evo patch

I managed to reproduce this, even if not fully reliably. Nonetheless, I see the cause. The problem is that a CamelFolder delivers its change notifications on idle, but its store can be freed before the idle happens, because it is freed together with a temporary CamelSession in shell/e-convert-local-mail.c:324. Making sure that everything that is piled up is also delivered during the lifetime of the temporary CamelSession makes this work properly (no use-after-free).

Comment 15 Milan Crha 2014-06-10 12:55:44 UTC
I forgot to add, my most frequent reproducer was to restore from a backup, but uncheck [ ] Start Evolution after restore, and rather run evolution on my own from a terminal (with simple `evolution`). The issue exhibited itself about once per 5 starts.

I can provide a test build with debug prints which can show whether the event occurred or not, if you want.
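
Added example (not part of the bug report and not the attached patch): a self-contained C model of the lifetime problem described in comment 14, where a notification queued on idle outlives the temporary store it points to, next to the ordering that delivers it first. The queue, the struct names and migrate() are hypothetical stand-ins, not GLib or Camel APIs, and an "alive" flag models the freed state so the stale access can be counted without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Tiny stand-in for a main loop's idle queue (hypothetical, not GLib). */
#define MAX_IDLE 8
typedef void (*idle_fn)(void *data);
struct idle_queue { idle_fn fn[MAX_IDLE]; void *data[MAX_IDLE]; size_t n; };

static void idle_add(struct idle_queue *q, idle_fn fn, void *data) {
    if (q->n < MAX_IDLE) { q->fn[q->n] = fn; q->data[q->n] = data; q->n++; }
}

/* Dispatch everything that is queued; returns the number of callbacks run. */
static size_t idle_drain(struct idle_queue *q) {
    size_t ran = 0;
    for (; ran < q->n; ran++) q->fn[ran](q->data[ran]);
    q->n = 0;
    return ran;
}

/* "alive" models the allocation state so the stale access can be counted
 * without real undefined behaviour; in real code it would be freed memory. */
struct store  { bool alive; int delivered; int stale; };
struct folder { struct store *store; };

static void folder_changed_idle(void *data) {
    struct folder *f = data;
    if (f->store->alive) f->store->delivered++;
    else                 f->store->stale++;      /* would be a use-after-free */
}

/* Constructed scenario: a temporary store notifies on idle, then is released.
 * Returns how many notifications reached an already-released store. */
static int migrate(bool drain_before_release) {
    struct idle_queue loop = {0};
    struct store st = { .alive = true };
    struct folder inbox = { .store = &st };

    idle_add(&loop, folder_changed_idle, &inbox); /* queued during migration */
    if (drain_before_release) idle_drain(&loop);  /* the fix: deliver first */
    st.alive = false;                             /* temporary session freed */
    idle_drain(&loop);                            /* application loop runs later */
    return st.stale;
}

int main(void) {
    printf("without drain: %d stale, with drain: %d stale\n",
           migrate(false), migrate(true));
    return 0;
}
```

In GLib code a drain of this kind is commonly written as a loop over g_main_context_pending() and g_main_context_iteration(); the page does not show whether the attached patch does it that way.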

Comment 17 Jiri Koten 2014-12-04 10:23:58 UTC
Evolution still crashes after the dialog of Migration from mbox to Maildir. Backtrace looks different - see bug 1170552
Reproducer is the same.

Comment 18 Milan Crha 2014-12-05 06:01:36 UTC
Let's deal with it there, it looks like a different issue to me too. Weird it didn't strike earlier. I would guess a change in sqlite3, but that didn't change for you. I will eventually mark that as a duplicate of this, if further investigation proves so.

Comment 21 errata-xmlrpc 2015-03-05 06:37:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0305.html