Bug 1240769

Summary: [abrt] evolution: g_str_hash(): evolution killed by SIGSEGV
Product: [Fedora] Fedora
Reporter: Petr Muller <pmuller>
Component: evolution
Assignee: Milan Crha <mcrha>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: lucilanga, mbarnes, mcrha, mkolman, ohudlick, tpopela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/528ec92798a0f4cc9773dc5808e93204734c0b84
Whiteboard: abrt_hash:ba55e867c86511a05a226988b5a5577f28dbcc9b
Doc Type: Bug Fix
Last Closed: 2016-01-19 16:21:46 UTC
Attachments (Description | Flags):
File: backtrace | none
File: cgroup | none
File: core_backtrace | none
File: dso_list | none
File: environ | none
File: limits | none
File: maps | none
File: mountinfo | none
File: namespaces | none
File: open_fds | none
File: proc_pid_status | none
File: var_log_messages | none

Description Petr Muller 2015-07-07 17:17:51 UTC
Version-Release number of selected component:
evolution-3.16.3-2.fc22

Additional info:
reporter:       libreport-2.6.0
backtrace_rating: 4
cmdline:        evolution
crash_function: g_str_hash
executable:     /usr/bin/evolution
global_pid:     950
kernel:         4.0.6-300.fc22.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 g_str_hash at /lib64/libglib-2.0.so.0
 #1 g_hash_table_lookup at /lib64/libglib-2.0.so.0
 #2 e_mail_label_list_store_lookup at /usr/lib64/evolution/libevolution-mail.so
 #3 add_label_if_known at /usr/lib64/evolution/libevolution-mail.so
 #4 add_all_labels_foreach at /usr/lib64/evolution/libevolution-mail.so
 #5 for_node_and_subtree_if_collapsed at /usr/lib64/evolution/libevolution-mail.so
 #6 ml_tree_value_at_ex.isra at /usr/lib64/evolution/libevolution-mail.so
 #7 ect_draw at /usr/lib64/evolution/libevolution-util.so
 #8 e_cell_draw at /usr/lib64/evolution/libevolution-util.so
 #9 eti_draw at /usr/lib64/evolution/libevolution-util.so

Comment 1 Petr Muller 2015-07-07 17:17:54 UTC
Created attachment 1049492
File: backtrace

Comment 2 Petr Muller 2015-07-07 17:17:56 UTC
Created attachment 1049493
File: cgroup

Comment 3 Petr Muller 2015-07-07 17:17:58 UTC
Created attachment 1049494
File: core_backtrace

Comment 4 Petr Muller 2015-07-07 17:18:00 UTC
Created attachment 1049495
File: dso_list

Comment 5 Petr Muller 2015-07-07 17:18:01 UTC
Created attachment 1049496
File: environ

Comment 6 Petr Muller 2015-07-07 17:18:02 UTC
Created attachment 1049497
File: limits

Comment 7 Petr Muller 2015-07-07 17:18:04 UTC
Created attachment 1049498
File: maps

Comment 8 Petr Muller 2015-07-07 17:18:06 UTC
Created attachment 1049499
File: mountinfo

Comment 9 Petr Muller 2015-07-07 17:18:07 UTC
Created attachment 1049500
File: namespaces

Comment 10 Petr Muller 2015-07-07 17:18:08 UTC
Created attachment 1049501
File: open_fds

Comment 11 Petr Muller 2015-07-07 17:18:10 UTC
Created attachment 1049502
File: proc_pid_status

Comment 12 Petr Muller 2015-07-07 17:18:11 UTC
Created attachment 1049503
File: var_log_messages

Comment 13 Milan Crha 2015-07-08 13:43:21 UTC
Thanks for a bug report. I see from the backtrace that this crashed when the message list has been drawn, concretely the column with message Labels. I tried to reproduce it here, by adding the column into the view, but evolution didn't crash here. I could be just lucky, it's also possible.

Are you able to reproduce the crash consistently (probably in certain folder, when scrolling its content and thus causing redraw of the Labels column), please?

Comment 14 Petr Muller 2015-07-08 14:06:24 UTC
Nope, this is not anything that I am able to reproduce - it just happened once, while I was browsing messages using the Space key repeatedly.

What is interesting is that I do not use the 'Labels' column in any of my folders...

Comment 15 Milan Crha 2015-07-09 07:22:57 UTC
You are right, this is not only for the Labels column, I forgot it is also used when the color of the row is determined - in case only one label is set on the message the color of that label is used as the text color.

I'm afraid this is part of some use-after-free, some part of the code overwriting some memory which it shouldn't. I see some odd crashes reported here and there, which perfectly fit such a use-after-free.

Comment 16 Martin Kolman 2015-10-29 10:49:40 UTC
Another user experienced a similar problem:

I think I clicked on a message of folder.

reporter:       libreport-2.6.2
backtrace_rating: 4
cmdline:        evolution
crash_function: g_str_hash
executable:     /usr/bin/evolution
global_pid:     31701
kernel:         4.1.8-200.fc22.x86_64
package:        evolution-3.16.5-3.fc22
reason:         evolution killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 17 Milan Crha 2016-01-19 16:21:46 UTC

*** This bug has been marked as a duplicate of bug 1273751 ***