Bug 235096

Summary: evolution crashes when poping up 90% quota message
Product: [Fedora] Fedora Reporter: Ray Strode [halfline] <rstrode>
Component: evolutionAssignee: Matthew Barnes <mbarnes>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: evolution-2.10.1-2.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-04-11 03:26:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150226    

Description Ray Strode [halfline] 2007-04-03 19:08:39 UTC 
Since this morning, every time I start evolution I get an empty dialog that pops
up and after that evolution just hangs.

Matt and I did some debugging and found out the dialog was a quota message from
the imap server telling me my mailbox is 90% full.

Running things under valgrind reveals:

==15385== 
==15385== Invalid read of size 4
==15385==    at 0x653C951: periodic_processing (mail-mt.c:455)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385==  Address 0x6076848 is 16 bytes inside a block of size 56 free'd
==15385==    at 0x40220FF: free (vg_replace_malloc.c:233)
==15385==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x653C605: mail_msg_free (mail-mt.c:222)
==15385==    by 0x65441DF: do_user_message (mail-session.c:349)
==15385==    by 0x653C950: periodic_processing (mail-mt.c:455)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385== 
==15385== Invalid read of size 4
==15385==    at 0x653C547: mail_msg_free (mail-mt.c:187)
==15385==    by 0x653C967: periodic_processing (mail-mt.c:458)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385==  Address 0x6076848 is 16 bytes inside a block of size 56 free'd
==15385==    at 0x40220FF: free (vg_replace_malloc.c:233)
==15385==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x653C605: mail_msg_free (mail-mt.c:222)
==15385==    by 0x65441DF: do_user_message (mail-session.c:349)
==15385==    by 0x653C950: periodic_processing (mail-mt.c:455)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385== 
==15385== Invalid read of size 4
==15385==    at 0x6543B75: free_user_message (mail-session.c:358)
==15385==    by 0x653C555: mail_msg_free (mail-mt.c:188)
==15385==    by 0x653C967: periodic_processing (mail-mt.c:458)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385==  Address 0x6076868 is 48 bytes inside a block of size 56 free'd
==15385==    at 0x40220FF: free (vg_replace_malloc.c:233)
==15385==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x653C605: mail_msg_free (mail-mt.c:222)
==15385==    by 0x65441DF: do_user_message (mail-session.c:349)
==15385==    by 0x653C950: periodic_processing (mail-mt.c:455)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385== 
==15385== Invalid free() / delete / delete[]
==15385==    at 0x40220FF: free (vg_replace_malloc.c:233)
==15385==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x6543B7F: free_user_message (mail-session.c:358)
==15385==    by 0x653C555: mail_msg_free (mail-mt.c:188)
==15385==    by 0x653C967: periodic_processing (mail-mt.c:458)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)
==15385==  Address 0x6016168 is 0 bytes inside a block of size 83 free'd
==15385==    at 0x40220FF: free (vg_replace_malloc.c:233)
==15385==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x6543B7F: free_user_message (mail-session.c:358)
==15385==    by 0x653C555: mail_msg_free (mail-mt.c:188)
==15385==    by 0x65441DF: do_user_message (mail-session.c:349)
==15385==    by 0x653C950: periodic_processing (mail-mt.c:455)
==15385==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==15385==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==15385==    by 0x805EB5F: main (main.c:586)

over and over again, so it looks like messages are getting freed but not being
removed from a message queue somewhere.
Comment 1 Ray Strode [halfline] 2007-04-03 19:33:14 UTC 
Possibly unrelated but after clicking the close button on the evolution window I
went back to the valgrind terminal and noticed this additional output:

(evolution:15385): GLib-CRITICAL **: g_async_queue_lock: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_try_pop_unlocked: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_unlock: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_unref: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_lock: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_try_pop_unlocked: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_unlock: assertion
`g_atomic_int_get (&queue->ref_count) > 0' failed

(evolution:15385): GLib-CRITICAL **: g_async_queue_unref: assertion
`g_atomic_int_get (&queue->ref_count) > 0'
Comment 2 Matthew Barnes 2007-04-03 21:07:33 UTC 
Ray was using evolution-2.10.0-5.fc7.i386.

The latest round of threading code revisions was introduced in -6.
Comment 3 Ray Strode [halfline] 2007-04-03 21:39:20 UTC 
I upgraded to -8.fc7.i386 and here is the updated valgrind output

==16690== Invalid read of size 4
==16690==    at 0x652F641: periodic_processing (mail-mt.c:454)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690==  Address 0x10C4C6EC is 4 bytes inside a block of size 44 free'd
==16690==    at 0x40220FF: free (vg_replace_malloc.c:233)
==16690==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x652F2F5: mail_msg_free (mail-mt.c:221)
==16690==    by 0x6536ECF: do_user_message (mail-session.c:349)
==16690==    by 0x652F640: periodic_processing (mail-mt.c:454)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690== 
==16690== Invalid read of size 4
==16690==    at 0x652F237: mail_msg_free (mail-mt.c:186)
==16690==    by 0x652F657: periodic_processing (mail-mt.c:457)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690==  Address 0x10C4C6EC is 4 bytes inside a block of size 44 free'd
==16690==    at 0x40220FF: free (vg_replace_malloc.c:233)
==16690==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x652F2F5: mail_msg_free (mail-mt.c:221)
==16690==    by 0x6536ECF: do_user_message (mail-session.c:349)
==16690==    by 0x652F640: periodic_processing (mail-mt.c:454)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690== 
==16690== Invalid read of size 4
==16690==    at 0x6536865: free_user_message (mail-session.c:358)
==16690==    by 0x652F245: mail_msg_free (mail-mt.c:187)
==16690==    by 0x652F657: periodic_processing (mail-mt.c:457)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690==  Address 0x10C4C70C is 36 bytes inside a block of size 44 free'd
==16690==    at 0x40220FF: free (vg_replace_malloc.c:233)
==16690==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x652F2F5: mail_msg_free (mail-mt.c:221)
==16690==    by 0x6536ECF: do_user_message (mail-session.c:349)
==16690==    by 0x652F640: periodic_processing (mail-mt.c:454)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690== 
==16690== Invalid free() / delete / delete[]
==16690==    at 0x40220FF: free (vg_replace_malloc.c:233)
==16690==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x653686F: free_user_message (mail-session.c:358)
==16690==    by 0x652F245: mail_msg_free (mail-mt.c:187)
==16690==    by 0x652F657: periodic_processing (mail-mt.c:457)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
==16690==  Address 0x6B3B3C0 is 0 bytes inside a block of size 83 free'd
==16690==    at 0x40220FF: free (vg_replace_malloc.c:233)
==16690==    by 0x50968C0: g_free (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x653686F: free_user_message (mail-session.c:358)
==16690==    by 0x652F245: mail_msg_free (mail-mt.c:187)
==16690==    by 0x6536ECF: do_user_message (mail-session.c:349)
==16690==    by 0x652F640: periodic_processing (mail-mt.c:454)
==16690==    by 0x508FBF5: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x508F621: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50925FE: (within /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x50929A8: g_main_loop_run (in /lib/libglib-2.0.so.0.1200.11)
==16690==    by 0x47D67E2: bonobo_main (in /usr/lib/libbonobo-2.so.0.0.0)
==16690==    by 0x805EB5F: main (main.c:586)
Comment 4 Matthew Barnes 2007-04-03 21:41:50 UTC 
No GAsyncQueue warnings this time due to the EMsgPort -> EFlag transition in -6.

That narrows down which messages it could be...
Comment 5 Matthew Barnes 2007-04-10 14:59:46 UTC 
Ray, I'm still figuring out a good way to reproduce this for myself.

In the meantime, can I have you try setting a breakpoint at a function called
'alert_user' and posting another traceback from that point?  That function
creates and pushes the message that's getting free'd twice, so it would be
helpful to know what's calling it and what code path it takes from there.
Comment 6 Ray Strode [halfline] 2007-04-10 15:04:29 UTC 
ahhh, I just deleted a metric tonne of my mail.  I'm not where near the quota
anymore.

You could recreate it pretty easily by just taking a mail folder and copying it
to a new folder a few times until your quota fills up.
Comment 7 Matthew Barnes 2007-04-11 03:26:34 UTC 
Fixed in evolution-2.10.1-2.fc7.