Bug 188714

Summary: Evolution crashes with "corrupted double-linked list" error
Product: [Fedora] Fedora Reporter: Mayank Jain <majain>
Component: evolutionAssignee: Matthew Barnes <mbarnes>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: eng-i18n-bugs
Target Milestone: ---Keywords: Desktop
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-02 15:31:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150223, 196239    

Description Mayank Jain 2006-04-12 14:57:37 UTC 
Description of problem:
Evolution crashes with corrupted double-linked list error on the console.

Version-Release number of selected component (if applicable):
evolution-data-server-1.5.92-1
evolution-2.6.0-1
evolution-debuginfo-2.6.0-1
evolution-webcal-2.4.1-3.2
evolution-sharp-0.10.2-9
evolution-data-server-devel-1.5.92-1

How reproducible:
1) Start evolution, switch to calender view
2) Select any vertical time slab in day view
3) type "a" to make it selected, hit enter,
4) single click on the same time slab, delete "a", notice that the color will
remain bluish
5) right click on it (when its non-editable) & select CUT
6) click on the same time slab, right click, PASTE
7) Application will crash with following output on console

*** glibc detected ***
/home/makuchaku/code/evolution/evolution/shell/.libs/lt-evolution: corrupted
double-linked list: 0x0000000000b52cd0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3489c6bb97]
/lib64/libc.so.6[0x3489c6e00d]
/lib64/libc.so.6(malloc+0x7d)[0x3489c6f74d]
/usr/lib64/libglib-2.0.so.0(g_malloc+0x2b)[0x348c72e0cb]
/usr/lib64/libORBit-2.so.0(ORBit_alloc_string+0xd)[0x3490f3382d]
/usr/lib64/libORBit-2.so.0(CORBA_string_dup+0x2e)[0x3490f3353e]
/usr/lib64/libORBit-2.so.0(ORBit_demarshal_value+0x1d9)[0x3490f375d9]
/usr/lib64/libORBit-2.so.0(ORBit_demarshal_value+0x7cc)[0x3490f37bcc]
/usr/lib64/libORBit-2.so.0(ORBit_demarshal_arg+0x44)[0x3490f37db4]
/usr/lib64/libORBit-2.so.0(ORBit_small_invoke_adaptor+0x664)[0x3490f30074]
/usr/lib64/libORBit-2.so.0[0x3490f3eef6]
/usr/lib64/libORBit-2.so.0[0x3490f3f4da]
/usr/lib64/libORBit-2.so.0(giop_thread_queue_process+0xa7)[0x3490f29507]
/usr/lib64/libORBit-2.so.0[0x3490f29ae9]
/usr/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1ba)[0x348c726f7a]
/usr/lib64/libglib-2.0.so.0[0x348c72a105]
/usr/lib64/libglib-2.0.so.0(g_main_loop_run+0x1cd)[0x348c72a42d]
/usr/lib64/libbonobo-2.so.0(bonobo_main+0x46)[0x349272d2c6]
/home/makuchaku/code/evolution/evolution/shell/.libs/lt-evolution[0x4157c9]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3489c1d084]
/home/makuchaku/code/evolution/evolution/shell/.libs/lt-evolution[0x40a5d9]
======= Memory map: ========
00400000-0041e000 r-xp 00000000 08:01 11633474                          
/home/makuchaku/code/evolution/evolution/shell/.libs/lt-evolution
0051d000-00520000 rw-p 0001d000 08:01 11633474                          
/home/makuchaku/code/evolution/evolution/shell/.libs/lt-evolution
00520000-00b71000 rw-p 00520000 00:00 0                                  [heap]
40000000-40001000 ---p 40000000 00:00 0
40001000-40041000 rw-p 40001000 00:00 0
40041000-40042000 ---p 40041000 00:00 0
40042000-40a42000 rw-p 40042000 00:00 0
40a42000-40a43000 ---p 40a42000 00:00 0
40a43000-41443000 rw-p 40a43000 00:00 0
41e44000-41e45000 ---p 41e44000 00:00 0
41e45000-42845000 rw-p 41e45000 00:00 0
3489a00000-3489a19000 r-xp 00000000 08:01 852197                        
/lib64/ld-2.4.so
3489b19000-3489b1a000 r--p 00019000 08:01 852197                        
/lib64/ld-2.4.so
3489b1a000-3489b1b000 rw-p 0001a000 08:01 852197                        
/lib64/ld-2.4.so
3489c00000-3489d3f000 r-xp 00000000 08:01 852198                        
/lib64/libc-2.4.so
3489d3f000-3489e3f000 ---p 0013f000 08:01 852198                        
/lib64/libc-2.4.so
3489e3f000-3489e43000 r--p 0013f000 08:01 852198                        
/lib64/libc-2.4.so
3489e43000-3489e44000 rw-p 00143000 08:01 852198                        
/lib64/libc-2.4.so
3489e44000-3489e49000 rw-p 3489e44000 00:00 0
3489f00000-3489f80000 r-xp 00000000 08:01 852199                        
/lib64/libm-2.4.so
3489f80000-348a080000 ---p 00080000 08:01 852199                        
/lib64/libm-2.4.so
348a080000-348a081000 r--p 00080000 08:01 852199                        
/lib64/libm-2.4.so
348a081000-348a082000 rw-p 00081000 08:01 852199                        
/lib64/libm-2.4.so
348a100000-348a102000 r-xp 00000000 08:01 852200                        
/lib64/libdl-2.4.so
348a102000-348a202000 ---p 00002000 08:01 852200                        
/lib64/libdl-2.4.so
348a202000-348a203000 r--p 00002000 08:01 852200                        
/lib64/libdl-2.4.so
348a203000-348a204000 rw-p 00003000 08:01 852200                        
/lib64/libdl-2.4.so
348a300000-348a305000 r-xp 00000000 08:01 3042438                       
/usr/lib64/libXdmcp.so.6.0.0
348a305000-348a404000 ---p 00005000 08:01 3042438                       
/usr/lib64/libXdmcp.so.6.0.0
348a404000-348a405000 rw-p 00004000 08:01 3042438                       
/usr/lib64/libXdmcp.so.6.0.0
348a500000-348a502000 r-xp 00000000 08:01 3042437                       
/usr/lib64/libXau.so.6.0.0
348a502000-348a602000 ---p 00002000 08:01 3042437                       
/usr/lib64/libXau.so.6.0.0
348a602000-348a603000 rw-p 00002000 08:01 3042437                       
/usr/lib64/libXau.so.6.0.0
348a700000-348a800000 r-xp 00000000 08:01 30424


The GDB backtrace shows
Program received signal SIGABRT, Aborted.
[Switching to Thread 47598907993040 (LWP 568)]
0x0000003489c2f765 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) backtrace
#0  0x0000003489c2f765 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003489c31050 in *__GI_abort () at abort.c:88
#2  0x0000003489c665eb in __libc_message (do_abort=2, fmt=0x3489d17d88 "***
glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003489c6bb97 in malloc_consolidate (av=0x3489e44980) at malloc.c:5616
#4  0x0000003489c6e00d in _int_malloc (av=0x3489e44980, bytes=972) at malloc.c:3964
#5  0x0000003489c6f74d in *__GI___libc_malloc (bytes=972) at malloc.c:3382
#6  0x000000348c72e0cb in IA__g_malloc (n_bytes=972) at gmem.c:131
#7  0x0000003490f3382d in ORBit_alloc_string () from /usr/lib64/libORBit-2.so.0
#8  0x0000003490f3353e in CORBA_string_dup () from /usr/lib64/libORBit-2.so.0
#9  0x0000003490f375d9 in ORBit_demarshal_value () from /usr/lib64/libORBit-2.so.0
#10 0x0000003490f37bcc in ORBit_demarshal_value () from /usr/lib64/libORBit-2.so.0
#11 0x0000003490f37db4 in ORBit_demarshal_arg () from /usr/lib64/libORBit-2.so.0
#12 0x0000003490f30074 in ORBit_small_invoke_adaptor () from
/usr/lib64/libORBit-2.so.0
#13 0x0000003490f3eef6 in ORBit_recv_buffer_return_sys_exception () from
/usr/lib64/libORBit-2.so.0
#14 0x0000003490f3f4da in ORBit_recv_buffer_return_sys_exception () from
/usr/lib64/libORBit-2.so.0
#15 0x0000003490f29507 in giop_thread_queue_process () from
/usr/lib64/libORBit-2.so.0
#16 0x0000003490f29ae9 in giop_init () from /usr/lib64/libORBit-2.so.0
#17 0x000000348c726f7a in IA__g_main_context_dispatch (context=0x553210) at
gmain.c:1916
#18 0x000000348c72a105 in g_main_context_iterate (context=0x553210, block=1,
dispatch=1, self=Variable "self" is not available.
) at gmain.c:2547
#19 0x000000348c72a42d in IA__g_main_loop_run (loop=0x5c93e0) at gmain.c:2751
#20 0x000000349272d2c6 in bonobo_main () from /usr/lib64/libbonobo-2.so.0
#21 0x00000000004157c9 in main (argc=Variable "argc" is not available.
) at main.c:610


--
Mayank

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Mayank Jain 2006-04-12 14:59:42 UTC 
Oops!
In reproducing, its "horizontal" time slab rather than vertical - step (2)
Comment 2 Mayank Jain 2006-04-19 10:18:43 UTC 
Filed this bug upstream
http://bugzilla.gnome.org/show_bug.cgi?id=338994
Comment 3 A S Alam 2006-07-18 11:06:26 UTC 
Bug present in Latest Version for Evolution
evolution-2.7.4-2
Comment 4 A S Alam 2006-07-18 11:09:03 UTC 
Terminal Message is below:
----------------

(evolution-2.8:6742): Gtk-CRITICAL **: gtk_option_menu_set_history: assertion
`GTK_IS_OPTION_MENU (option_menu)' failed
libnm_glib_nm_state_cb: dbus returned an error.
  (org.freedesktop.DBus.Error.ServiceUnknown) The name
org.freedesktop.NetworkManager was not provided by any .service files

(evolution-2.8:6742): calendar-gui-CRITICAL **: e_week_view_add_event: assertion
`start <= end' failed

(evolution-2.8:6742): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(evolution-2.8:6742): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion
`G_TYPE_CHECK_INSTANCE (instance)' failed

(evolution-2.8:6742): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(evolution-2.8:6742): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion
`G_TYPE_CHECK_INSTANCE (instance)' failed

(evolution-2.8:6742): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(evolution-2.8:6742): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion
`G_TYPE_CHECK_INSTANCE (instance)' failed
----------------
Comment 5 Matthew Barnes 2006-07-18 15:55:26 UTC 
This may be a duplicate of bug #167157 (or at least related).

I've been seeing these errors myself, and all of my tracing of the relevant code
paths leads to libical, which is an unmaintained third-party library.  Libical
does it's own memory-management and rolls its own data structures (e.g. linked
lists, dynamic arrays, string caches, etc.), and so my suspicion is that it's
double-freeing a pointer somewhere.  Unfortunately tracking this down is proving
to be a real bugger.
Comment 6 Matthew Barnes 2006-07-31 16:42:54 UTC 
(In reply to comment #3)
> Bug present in Latest Version for Evolution
> evolution-2.7.4-2

(comment #2, from upstream bug #338994)
> yes, confirmed that this behaviour is not reproducable on evo 2.7.x
> 
> Thanks,
> makuchaku


Conflicting reports here.  I'm not sure I understand steps 3 and 4, but the
pasting of an appointment does indeed trigger a crash in evolution-2.7.4-3.

I was looking at this over the weekend for bug #167157, and I believe I have a
solution which should resolve this problem as well.  Waiting for upstream to
comment on it.

See http://bugzilla.gnome.org/show_bug.cgi?id=334464#c14
Comment 7 Mayank Jain 2006-08-01 08:00:00 UTC 
Hi Matthew,

Step 3 & 4 are just to make the text widget editable. 

BTW, thanks for taking a look.
Comment 8 Matthew Barnes 2006-08-01 14:41:01 UTC 
Mayank,

Just built evolution-2.7.4-4 with a patch for bug #167157.
See if it also fixes this one for you.
Comment 9 Mayank Jain 2006-08-02 09:32:34 UTC 
Matthew, I'm using 
Gnome evolution-2.8 2.7.90
and am not able to reproduce this problem.
Comment 10 Mayank Jain 2006-08-02 10:08:00 UTC 
Tested 2.7.4-4 version on x86_64, unable to produce the problem
Comment 11 Mayank Jain 2006-08-02 10:12:51 UTC 
2.7.4-3 crashed with the above steps.

But please check that CVS head for evo does not has this prob. Have you pushed
your patch upstream or this was fixed without your patch?
Comment 12 Matthew Barnes 2006-08-02 15:25:46 UTC 
Actually, Chen responded to my proposed fix on GNOME Bugzilla and said that he
cannot reproduce the crash on paste, and that furthermore my fix is wrong.

So that leads me to believe the problem is in one of Red Hat's patches, and all
I'm doing is masking it.  That's actually good news, because it dramatically
reduces the amount of code to search through.
Comment 13 Matthew Barnes 2006-08-02 15:31:59 UTC 
I think Mayank has provided enough data to show that this is a duplicate of bug
#167157, so I'm going to close this bug.

*** This bug has been marked as a duplicate of 167157 ***
Comment 14 Mayank Jain 2006-08-03 06:46:33 UTC 
Okay :)
Thanks for your time.