Bug 171682 - evolution hangs on HTML cut&paste into new mail
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: gtkhtml3
Version: 4.0
Hardware: i386 Linux
Priority: high, Severity: medium
Assigned To: Matthew Barnes
Keywords: Reopened
Blocks: 234251
Reported: 2005-10-25 04:11 EDT by Jan Iven
Modified: 2010-10-21 23:36 EDT
Doc Type: Bug Fix
Last Closed: 2007-07-31 16:59:14 EDT

Attachments
screenshot of evo while being stuck in HTML delete (140.60 KB, image/png)
2005-12-01 04:36 EST, Jan Iven
SWF capture (1.98 MB, image/vnd.rn-realflash)
2005-12-01 06:11 EST, Jan Iven

Description Jan Iven 2005-10-25 04:11:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Red Hat/1.0.7-1.4.1 Firefox/1.0.7

Description of problem:
After using cut&paste from an email with "proper" signature (introduced via "--CR", ) into a previously-plaintext new mail message, and then trying to delete characters from the newly-pasted bit, evo started to use 100% CPU and became unresponsive.

Used gdb to attach to the "evolution" process. It seems to cycle around html_engine_copy().

#0  0x07433ba0 in html_object_reset () from /usr/lib/libgtkhtml-3.1.so.11
#1  0x07436536 in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
#2  0x07436688 in html_object_next_cursor () from /usr/lib/libgtkhtml-3.1.so.11
#3  0x07407371 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#4  0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x073ebc70 in gtk_html_im_reset () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0  0x073ebc70 in gtk_html_im_reset () from /usr/lib/libgtkhtml-3.1.so.11
#1  0x0740740a in html_cursor_forward () from /usr/lib/libgtkhtml-3.1.so.11
#2  0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#3  0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x07435988 in html_object_next_not_type () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x07407340 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0  0x07407340 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#1  0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#2  0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
#3  0x073f889b in gtk_html_zoom_in () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0740fc71 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0  0x0740fc71 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#1  0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
#2  0x073f889b in gtk_html_zoom_in () from /usr/lib/libgtkhtml-3.1.so.11
#3  0x00b87677 in g_cclosure_marshal_VOID__ENUM (closure=0xb169250, return_value=0xbff47e00,
    n_param_values=2, param_values=0xb068318, invocation_hint=0xbff47cd8, marshal_data=0x73f82b0)
    at gmarshal.c:356
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0743652b in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0  0x0743652b in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
#1  0x07436688 in html_object_next_cursor () from /usr/lib/libgtkhtml-3.1.so.11
#2  0x07407371 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#3  0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)



strace shows no system call activity while the process is looping.


Version-Release number of selected component (if applicable):
evolution-2.0.2-22
gtkhtml3-3.3.2-6.EL

How reproducible:
Always

Steps to Reproduce:
1. open new plaintext mail, write some text
2. from INBOX, select mail with proper signature
3. from INBOX mail, select/highlight some part of text and the signature
4. paste via middle-mouse button into new mail
5. highlight signature in new mail (cursor changes to large vertical bar on right - "HTML" mode?)
6. press backspace  
  

Actual Results:  evo stuck
or
evo crashes


Expected Results:  highlighted parts of the new mail should disappear.

Additional info:
Comment 1 Dave Malcolm 2005-10-27 14:12:45 EDT
Thanks for this bug report.  This sounds similar to an occasionally-reported bug
which has been difficult to reproduce reliably.  The detailed information you
gave in the bug report is extremely helpful as it should help isolate the problem.

If you can supply further details (e.g. the exact data that would be used in
each of the steps of your recipe) that would be even better.

I'm currently investigating this bug, and hope to fix this in a forthcoming update.
Comment 2 Bastien Nocera 2005-10-28 08:49:30 EDT
I wasn't able to reproduce with those instructions. Any chance to have some more
detailed instructions? Using something like http://xvidcap.sourceforge.net/ might be
useful to capture the exact steps required.
Comment 3 Jan Iven 2005-12-01 04:36:20 EST
Created attachment 121669 [details]
screenshot of evo while being stuck in HTML delete
Comment 4 Jan Iven 2005-12-01 06:06:25 EST
So 100% reproducible is saying too much, it now takes some effort for me as
well. Hence no video. But i

I have installed the gtkhtml3-debuginfo package, so hopefully can provide better
backtraces (tell me if you have any symbol etc that needs to be looked at in
particular). With this, I seem to be stuck on this loop:


582             while (tail->offset == 0 && HTML_IS_TABLE (tail->object) && e->mark->position != e->cursor->position)
583                     html_cursor_backward (tail, e);

(so html_cursor_backward() actually finishes, but "c"ontinuing just seems to be
staying in there)
(gdb) bt 1
#0  0x00b66936 in delete_object (e=0xa5543d8, ret_object=0x0, ret_len=0x0,
    dir=HTML_UNDO_UNDO, add_undo=1) at htmlengine-edit-cut-and-paste.c:583
(gdb) print e->cursor->position
$10 = 972
(gdb) print e->mark->position
$11 = 791
(gdb) print tail
$19 = {HTMLObject *(HTMLObject *)} 0xb556a1 <tail>

(I seem to have trouble accessing anything on the inside of this "tail" thingy)
(gdb) print *((HTMLObject *)tail)
$27 = {klass = 0x53e58955, parent = 0xfed909e8, prev = 0xeac381ff,
  next = 0x83000630, change = 1166738668, x = 1213238024, y = 125096581,
  ascent = 948109963, descent = -2096597991, min_width = -796326716,
  width = -1983685285, pref_width = 1357390868, max_width = -2080375135,
  percent = 1566246084, flags = 195 'Ã', redraw_pending = 1, selected = 0,
  free_pending = 1, draw_focused = 0, object_data = 0xcfe85356,
  object_data_nocp = 0x81fffed8}


(gdb) finish
Run till exit from #0  0x00b66936 in delete_object (e=0xa5543d8,
    ret_object=0x0, ret_len=0x0, dir=HTML_UNDO_UNDO, add_undo=1)
    at htmlengine-edit-cut-and-paste.c:583

Program received signal SIGINT, Interrupt.
prev (self=0xb584c98, child=0xb839288) at htmlobject.c:619
619             return child->prev;

(and I can "finish" all functions below delete_object).
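
The loop quoted in comment 4 ignores the result of html_cursor_backward(), so its condition can only change if that call actually moves the cursor. The following C model is an added illustration, not gtkhtml code and not a fix proposed in this report: it contrasts that loop shape with a variant that stops when a step makes no progress. Obj, Cursor, cursor_backward() and the "no previous object" failure condition are hypothetical stand-ins; the report does not establish why the real cursor stopped advancing.

```c
/* Added illustration: a simplified model, NOT gtkhtml code.
 * Obj, Cursor and cursor_backward() are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>

typedef struct Obj { struct Obj *prev; bool is_table; } Obj;
typedef struct { Obj *object; int offset; int position; } Cursor;

/* Step to the previous object. Returns false and leaves the cursor
 * unchanged when there is no previous object (assumed failure mode). */
bool cursor_backward(Cursor *c)
{
    if (c->object->prev == NULL)
        return false;
    c->object = c->object->prev;
    c->offset = 0;
    c->position--;
    return true;
}

/* Loop shape from the report: the step's result is ignored. 'budget'
 * caps the model; a return value equal to budget means "still spinning". */
long skip_unchecked(Cursor *tail, const Cursor *head, long budget)
{
    long n = 0;
    while (n < budget && tail->offset == 0 && tail->object->is_table &&
           head->position != tail->position) {
        cursor_backward(tail);
        n++;
    }
    return n;
}

/* Guarded variant: leave the loop when a step makes no progress and
 * report that through *stuck so the caller can abort the edit. */
long skip_checked(Cursor *tail, const Cursor *head, bool *stuck)
{
    long n = 0;
    *stuck = false;
    while (tail->offset == 0 && tail->object->is_table &&
           head->position != tail->position) {
        if (!cursor_backward(tail)) { *stuck = true; break; }
        n++;
    }
    return n;
}
```

With a constructed table object that has no predecessor and the positions 972 and 791 from the gdb session, skip_unchecked() runs until its budget is exhausted while skip_checked() returns immediately with *stuck set.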
Comment 5 Jan Iven 2005-12-01 06:11:13 EST
Created attachment 121675 [details]
SWF capture

Example message is
 Date: Wed, 31 Aug 2005 05:45:25 -0400	(11:45 CEST)
 From: Caitlyn M. Martin <cmartin@redhat.com>
 To: nahant-beta-list@redhat.com
 Message-ID: <20050831054525.433838e3@adric>

Cut&Paste is via mouse (button2). Mark newly-pasted message from bottom up with
Mouse button 1, delete via keyboard "Del" (or "Backspace").
Comment 6 Bastien Nocera 2005-12-02 08:47:11 EST
This particular while loop was moved to check_table_0() in the current upstream
HEAD.
Comment 7 Bastien Nocera 2005-12-02 08:51:19 EST
And it's also in check_table_0() in our code (even though it doesn't show up in
the backtraces above).
Comment 8 Dave Malcolm 2005-12-02 17:48:36 EST
Many thanks for the SWF capture, and the identification of the mail.  I can
reproduce this bug reliably now.

When dragging out the selection of the email, sometimes I start inside the frame
of the email content, and sometimes outside (in the darker grey header area). 
This seems to be the condition here to get the bug to manifest.

If I drag purely inside the frame, everything is fine.  If I drag starting
outside the frame, then upon pasting into the new email, the pasted content gets
a dotted border (as seen in the SWF capture) and the large vertical cursor
reported in the initial report.  I can then reproduce the hang you report.
Comment 12 RHEL Product and Program Management 2006-07-21 10:44:38 EDT
Development Management has reviewed and declined this request.  You may appeal this decision by reopening this request.
Comment 16 RHEL Product and Program Management 2006-08-18 13:09:10 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 18 Matthew Barnes 2006-08-31 23:36:50 EDT
devel_ack -- I'll have a look at this one.

The stack traces show this to be a gtkhtml bug, so I'm changing the component.
Comment 19 Matthew Barnes 2006-09-05 15:32:11 EDT
Found an upstream bug report that sounds similar:
http://bugzilla.gnome.org/show_bug.cgi?id=240818
Comment 22 Matthew Barnes 2006-12-13 11:05:29 EST
I found a series of CVS commits that may be related to this bug, based on the
date this was claimed to be fixed in the upstream bug report [1] (2003-04-07).

The CVS history [2] shows a series of changes to htmlengine-edit-cut-and-paste.c
in revisions 1.89 - 1.92, which were committed between 2003-04-02 and 2003-04-07.

[1] http://bugzilla.gnome.org/show_bug.cgi?id=240818#c3
[2] http://cvs.gnome.org/viewcvs/gtkhtml/src/htmlengine-edit-cut-and-paste.c?rev=1.117&view=log
Comment 23 Matthew Barnes 2006-12-13 11:41:48 EST
Alas, those changes were already in the version we shipped in RHEL-4.

I'm able to reproduce the bug as seen in the SWF capture, though it usually
takes some playing around with pasting and deleting to get it to lock up.  But
the backtrace I'm seeing when the lock up occurs is similar to what was reported.
Comment 24 Matthew Barnes 2006-12-13 12:36:22 EST
Here's another ChangeLog entry (post RHEL-4 this time) that may be relevant:

2005-02-03  Radek Doulik  <rodo@novell.com>

	* test-suite.c (test_delete_nested_cluevs_and_undo): added new
	test for deletion across nested cluev's

	* htmlobject.c (html_object_get_insert_level): fix level
	calculation for nested cluev's

	* htmlengine-edit-cut-and-paste.c (html_engine_delete): do the
	"simple" delete for nested cluev's

	* htmlclueflow.c (op_helper): update length calculation logic to
	work with nested cluev's

	* htmlcluev.c (copy): copy direction and background color

	* htmltext.c (copy): copy direction

	* htmlclueflow.c (copy): copy direction
Comment 25 Matthew Barnes 2006-12-13 14:09:03 EST
I assembled a patch based on the above ChangeLog entry and tested it.
Evolution still hung in the same loop.  Back to the drawing board.
Comment 28 RHEL Product and Program Management 2007-06-09 09:26:27 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 29 Matthew Barnes 2007-07-31 16:59:14 EDT
We believe this bug will be fixed in the Evolution 2.8 upgrade option scheduled
for RHEL 4.6.  Please feel free to reopen this bug report if the problem still
exists in Evolution 2.8.
