Bug 866050

Summary: [abrt] evolution-3.6.0-1.fc18: g_malloc0: Process /usr/bin/evolution was killed by signal 6 (SIGABRT)
Product: Fedora
Reporter: Kjartan Maraas <kmaraas>
Component: evolution
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: lucilanga, mbarnes, mcrha
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:073b3d036893c9aafe5f3804b100de478a6f7b52
Fixed In Version: evolution-3.6.2
Doc Type: Bug Fix
Last Closed: 2012-10-22 09:38:21 UTC
Attachments (description, flags):
core_backtrace (none)
environ (none)
var_log_messages (none)
backtrace (none)
limits (none)
cgroup (none)
smolt_data (none)
maps (none)
dso_list (none)
build_ids (none)
proc_pid_status (none)
open_fds (none)
Message that crashes evolution (none)

Description Kjartan Maraas 2012-10-13 12:37:53 UTC
Description of problem:
Tried to open a newsletter with HTML in it.

Version-Release number of selected component:
evolution-3.6.0-1.fc18

Additional info:
libreport version: 2.0.16
abrt_version:   2.0.15
backtrace_rating: 4
cmdline:        evolution
crash_function: g_malloc0
kernel:         3.6.1-1.fc18.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #6 g_malloc0 at gmem.c:189
: #7 folder_scan_header at camel-mime-parser.c:1218
: #8 folder_scan_step at camel-mime-parser.c:1638
: #9 camel_mime_parser_step at camel-mime-parser.c:623
: #10 mime_part_construct_from_parser_sync at camel-mime-part.c:740
: #11 mime_message_construct_from_parser_sync at camel-mime-message.c:306
: #12 camel_mime_part_construct_from_parser_sync at camel-mime-part.c:1431
: #13 mime_part_construct_from_stream_sync at camel-mime-part.c:718
: #14 camel_data_wrapper_construct_from_stream_sync at camel-data-wrapper.c:968
: #15 maildir_folder_get_message_sync at camel-maildir-folder.c:279

Comment 1 Kjartan Maraas 2012-10-13 12:37:56 UTC
Created attachment 626512 [details]
File: core_backtrace

Comment 2 Kjartan Maraas 2012-10-13 12:37:58 UTC
Created attachment 626513 [details]
File: environ

Comment 3 Kjartan Maraas 2012-10-13 12:38:00 UTC
Created attachment 626514 [details]
File: var_log_messages

Comment 4 Kjartan Maraas 2012-10-13 12:38:02 UTC
Created attachment 626515 [details]
File: backtrace

Comment 5 Kjartan Maraas 2012-10-13 12:38:03 UTC
Created attachment 626516 [details]
File: limits

Comment 6 Kjartan Maraas 2012-10-13 12:38:05 UTC
Created attachment 626517 [details]
File: cgroup

Comment 7 Kjartan Maraas 2012-10-13 12:38:07 UTC
Created attachment 626518 [details]
File: smolt_data

Comment 8 Kjartan Maraas 2012-10-13 12:38:09 UTC
Created attachment 626519 [details]
File: maps

Comment 9 Kjartan Maraas 2012-10-13 12:38:12 UTC
Created attachment 626520 [details]
File: dso_list

Comment 10 Kjartan Maraas 2012-10-13 12:38:14 UTC
Created attachment 626521 [details]
File: build_ids

Comment 11 Kjartan Maraas 2012-10-13 12:38:17 UTC
Created attachment 626522 [details]
File: proc_pid_status

Comment 12 Kjartan Maraas 2012-10-13 12:38:19 UTC
Created attachment 626523 [details]
File: open_fds

Comment 13 Milan Crha 2012-10-17 07:01:29 UTC
Thanks for the bug report. I see it crashed on "corrupted double-linked list", which means that something corrupted memory. Is this reproducible with the respective message right after start, or does it just happen after some time of using Evolution?

Comment 14 Kjartan Maraas 2012-10-18 06:38:39 UTC
It's reproducible. Evolution has crashed on a couple of different messages lately.

Comment 15 Milan Crha 2012-10-18 07:18:10 UTC
*** Bug 866053 has been marked as a duplicate of this bug. ***

Comment 16 Milan Crha 2012-10-18 07:20:31 UTC
*** Bug 867575 has been marked as a duplicate of this bug. ***

Comment 17 Milan Crha 2012-10-18 07:30:21 UTC
Let's try to investigate this. I can think of two options here:
a) involve valgrind, it may shed a bit of light on it
b) get the offending message(s) for testing

I'm not sure which one of these you prefer to start with. Let's say b)? I would close the preview panel (Ctrl+M), then select one of the messages you got crashing on your side, and save it as mbox. Then upload it here, or even test whether it still reproduces the issue by importing it into one of the On This Computer folders and selecting it - maybe multiple times, as I guess it depends on the message selection order, in a way that the previously selected message garbles the memory of the currently selected (and rendered) message.

One important thing: as these are HTML messages, what is your setting in Edit->Preferences->Mail Preferences->HTML Messages? Especially the image loading policy and plain text preferences. I recently fixed [1], which was causing other kinds of issues with HTML messages, but the backtrace was different, as were the symptoms, because Evolution didn't crash immediately.

Another question: as you mention a newsletter, is this related to NNTP in any way? I'm thinking of bug #866697, but again, that has a different backtrace and different symptoms.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=686278

Comment 18 Kjartan Maraas 2012-10-20 19:22:21 UTC
I ran Evolution under valgrind and got invalid reads on one of the messages. It looks like it just hangs on some message and then generates invalid reads when you try to move back up one message in the message list.

Comment 19 Kjartan Maraas 2012-10-20 19:24:48 UTC
==14109== Conditional jump or move depends on uninitialised value(s)
==14109==    at 0x3D8EF899DB: WebCore::PresentationAttributeCacheCleaner::cleanCache(WebCore::Timer<WebCore::PresentationAttributeCacheCleaner>*) (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D8F49A121: WebCore::ThreadTimers::sharedTimerFiredInternal() (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D8FDD83B1: WebCore::timeout_cb(void*) (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D81E4861A: g_timeout_dispatch (gmain.c:4026)
==14109==    by 0x3D81E47A94: g_main_context_dispatch (gmain.c:2715)
==14109==    by 0x3D81E47DC7: g_main_context_iterate.isra.24 (gmain.c:3290)
==14109==    by 0x3D81E481C1: g_main_loop_run (gmain.c:3484)
==14109==    by 0x3D8538DA9C: gtk_main (gtkmain.c:1160)
==14109==    by 0x40318E: main (main.c:704)
==14109==
==14109== Thread 11:
==14109== Invalid read of size 8
==14109==    at 0x3D9502007D: e_mail_part_unref (e-mail-part.c:157)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==  Address 0x2e81eb90 is 0 bytes inside a block of size 80 free'd
==14109==    at 0x4A077A6: free (vg_replace_malloc.c:446)
==14109==    by 0x3D81E4D7DE: g_free (gmem.c:252)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==
==14109== Invalid read of size 4
==14109==    at 0x3D95020089: e_mail_part_unref (e-mail-part.c:159)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==  Address 0x6f766528202a2a0a is not stack'd, malloc'd or (recently) free'd
==14109==
==14109==
==14109== Process terminating with default action of signal 11 (SIGSEGV)
==14109==  General Protection Fault
==14109==    at 0x3D95020089: e_mail_part_unref (e-mail-part.c:159)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)

Comment 20 Kjartan Maraas 2012-10-20 19:32:02 UTC
Created attachment 630619 [details]
Message that crashes evolution

Here's the message that causes problems.

Comment 21 Milan Crha 2012-10-22 09:38:21 UTC
Thanks for the update and the data. I cannot reproduce this after the patch from [1], and if I revert that commit, then I get a different issue, but still caused by the same thing, which is the text/html part being in the mail before the text/plain part. I believe this is fixed by [1], thus I'm closing this as such. If you wish, I can create a test build of evolution with the patch included, unless you want to wait and test 3.6.2.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=686278
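A triage helper for the trigger named in comment 21 (a text/html part ordered before the text/plain part), written as an added example that is not part of this bug report or of Evolution's code: it parses messages with Python's standard email and mailbox modules and flags the ones in an mbox (the format Milan asks the reporter to save from Evolution) that show the html-first layout. The sample message is constructed here, not the reporter's attachment.

```python
import email
import mailbox
import tempfile

# Constructed sample (not the bug's attached message): a multipart/alternative
# mail whose text/html part precedes text/plain, the ordering comment 21 names.
SAMPLE_HTML_FIRST = b"""Subject: constructed newsletter sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p></body></html>
--b1
Content-Type: text/plain; charset="utf-8"

Hello
--b1--
"""


def parse(raw: bytes):
    return email.message_from_bytes(raw)


def leaf_types(msg) -> list:
    """Content types of the non-multipart parts, in wire order."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def html_before_plain(msg) -> bool:
    """True when a text/html leaf precedes the first text/plain leaf."""
    order = leaf_types(msg)
    if "text/html" not in order or "text/plain" not in order:
        return False
    return order.index("text/html") < order.index("text/plain")


def flag_mbox(path: str) -> list:
    """Subjects of messages in an mbox that show the html-first layout."""
    box = mailbox.mbox(path)
    try:
        return [m["subject"] for m in box if html_before_plain(m)]
    finally:
        box.close()


def write_sample_mbox(raw: bytes) -> str:
    """Write one raw message into a new temporary mbox; returns its path."""
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as tmp:
        path = tmp.name
    box = mailbox.mbox(path)
    box.add(raw)
    box.close()
    return path
```

Run flag_mbox on the mbox saved from the failing folder to isolate the suspect messages before importing them into an On This Computer folder for a retest.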