From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Red Hat/1.0.7-1.4.1 Firefox/1.0.7

Description of problem:
After using cut&paste from an email with "proper" signature (introduced via "--CR", ) into a previously-plaintext new mail message, and then trying to delete characters from the newly-pasted bit, evo started to use 100% CPU and became unresponsive.

Used gdb to attach to the "evolution" process. It seems to cycle around html_engine_copy().

#0 0x07433ba0 in html_object_reset () from /usr/lib/libgtkhtml-3.1.so.11
#1 0x07436536 in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
#2 0x07436688 in html_object_next_cursor () from /usr/lib/libgtkhtml-3.1.so.11
#3 0x07407371 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#4 0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x073ebc70 in gtk_html_im_reset () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0 0x073ebc70 in gtk_html_im_reset () from /usr/lib/libgtkhtml-3.1.so.11
#1 0x0740740a in html_cursor_forward () from /usr/lib/libgtkhtml-3.1.so.11
#2 0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#3 0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x07435988 in html_object_next_not_type () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x07407340 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0 0x07407340 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#1 0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#2 0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
#3 0x073f889b in gtk_html_zoom_in () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0740fc71 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0 0x0740fc71 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
#1 0x07411745 in html_engine_delete () from /usr/lib/libgtkhtml-3.1.so.11
#2 0x073f889b in gtk_html_zoom_in () from /usr/lib/libgtkhtml-3.1.so.11
#3 0x00b87677 in g_cclosure_marshal_VOID__ENUM (closure=0xb169250, return_value=0xbff47e00, n_param_values=2, param_values=0xb068318, invocation_hint=0xbff47cd8, marshal_data=0x73f82b0) at gmarshal.c:356
(More stack frames follow...)
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0743652b in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
(gdb) where 4
#0 0x0743652b in html_object_prev_leaf_not_type () from /usr/lib/libgtkhtml-3.1.so.11
#1 0x07436688 in html_object_next_cursor () from /usr/lib/libgtkhtml-3.1.so.11
#2 0x07407371 in html_cursor_normalize () from /usr/lib/libgtkhtml-3.1.so.11
#3 0x0740fca1 in html_engine_copy () from /usr/lib/libgtkhtml-3.1.so.11
(More stack frames follow...)

strace shows no system call activity while the process is looping.

Version-Release number of selected component (if applicable):
evolution-2.0.2-22
gtkhtml3-3.3.2-6.EL

How reproducible:
Always

Steps to Reproduce:
1. open new plaintext mail, write some text
2. from INBOX, select mail with proper signature
3. from INBOX mail, select/highlight some part of text and the signature
4. paste via middle-mouse button into new mail
5. highlight signature in new mail (cursor changes to large vertical bar on right - "HTML" mode?)
6. press backspace

Actual Results:
evo stuck or evo crashes

Expected Results:
highlighted parts of the new mail should disappear.

Additional info:
Thanks for this bug report. This sounds similar to an occasionally-reported bug which has been difficult to reproduce reliably. The detailed information you gave in the bug report is extremely helpful as it should help isolate the problem. If you can supply further details (e.g. the exact data that would be used in each of the steps of your recipe) that would be even better. I'm currently investigating this bug, and hope to fix this in a forthcoming update.
I wasn't able to reproduce with those instructions. Any chance to have some more detailed instructions? Using something like http://xvidcap.sourceforge.net/ might be useful to capture the exact steps required.
Created attachment 121669
screenshot of evo while being stuck in HTML delete
So 100% reproducible is saying too much, it now takes some effort for me as well. Hence no video. But I have installed the gtkhtml3-debuginfo package, so hopefully can provide better backtraces (tell me if you have any symbol etc that needs to be looked at in particular).

With this, I seem to be stuck on this loop:

582 while (tail->offset == 0 && HTML_IS_TABLE (tail->object) && e->mark->position != e->cursor->position)
583 html_cursor_backward (tail, e);

(so html_cursor_backward() actually finishes, but "c"ontinuing just seems to be staying in there)

(gdb) bt 1
#0 0x00b66936 in delete_object (e=0xa5543d8, ret_object=0x0, ret_len=0x0, dir=HTML_UNDO_UNDO, add_undo=1) at htmlengine-edit-cut-and-paste.c:583
(gdb) print e->cursor->position
$10 = 972
(gdb) print e->mark->position
$11 = 791
(gdb) print tail
$19 = {HTMLObject *(HTMLObject *)} 0xb556a1 <tail>

(I seem to have trouble accessing anything on the inside of this "tail" thingy)

(gdb) print *((HTMLObject *)tail)
$27 = {klass = 0x53e58955, parent = 0xfed909e8, prev = 0xeac381ff, next = 0x83000630, change = 1166738668, x = 1213238024, y = 125096581, ascent = 948109963, descent = -2096597991, min_width = -796326716, width = -1983685285, pref_width = 1357390868, max_width = -2080375135, percent = 1566246084, flags = 195 'Ã', redraw_pending = 1, selected = 0, free_pending = 1, draw_focused = 0, object_data = 0xcfe85356, object_data_nocp = 0x81fffed8}
(gdb) finish
Run till exit from #0 0x00b66936 in delete_object (e=0xa5543d8, ret_object=0x0, ret_len=0x0, dir=HTML_UNDO_UNDO, add_undo=1) at htmlengine-edit-cut-and-paste.c:583

Program received signal SIGINT, Interrupt.
prev (self=0xb584c98, child=0xb839288) at htmlobject.c:619
619 return child->prev;

(and I can "finish" all functions below delete_object).
Created attachment 121675
SWF capture

Example message is
Date: Wed, 31 Aug 2005 05:45:25 -0400 (11:45 CEST)
From: Caitlyn M. Martin <cmartin>
To: nahant-beta-list
Message-ID: <20050831054525.433838e3@adric>

Cut&Paste is via mouse (button2). Mark newly-pasted message from bottom up with Mouse button 1, delete via keyboard "Del" (or "Backspace").
This particular while loop was moved to check_table_0() in the current upstream HEAD.
And it's also in check_table_0() in our code (even though it doesn't show up in the backtraces above).
Many thanks for the SWF capture, and the identification of the mail. I can reproduce this bug reliably now. When dragging out the selection of the email, sometimes I start inside the frame of the email content, and sometimes outside (in the darker grey header area). This seems to be the condition here to get the bug to manifest. If I drag purely inside the frame, everything is fine. If I drag starting outside the frame, then upon pasting into the new email, the pasted content gets a dotted border (as seen in the SWF capture) and the large vertical cursor reported in the initial report. I can then reproduce the hang you report.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
devel_ack -- I'll have a look at this one. The stack traces show this to be a gtkhtml bug, so I'm changing the component.
Found an upstream bug report that sounds similar: http://bugzilla.gnome.org/show_bug.cgi?id=240818
I found a series of CVS commits that may be related to this bug, based on the date this was claimed to be fixed in the upstream bug report [1] (2003-04-07). The CVS history [2] shows a series of changes to htmlengine-edit-cut-and-paste.c in revisions 1.89 - 1.92, which were committed between 2003-04-02 and 2003-04-07.

[1] http://bugzilla.gnome.org/show_bug.cgi?id=240818#c3
[2] http://cvs.gnome.org/viewcvs/gtkhtml/src/htmlengine-edit-cut-and-paste.c?rev=1.117&view=log
Alas, those changes were already in the version we shipped in RHEL-4. I'm able to reproduce the bug as seen in the SWF capture, though it usually takes some playing around with pasting and deleting to get it to lock up. But the backtrace I'm seeing when the lock up occurs is similar to what was reported.
Here's another ChangeLog entry (post RHEL-4 this time) that may be relevant:

2005-02-03 Radek Doulik <rodo>

* test-suite.c (test_delete_nested_cluevs_and_undo): added new test for deletion across nested cluev's
* htmlobject.c (html_object_get_insert_level): fix level calculation for nested cluev's
* htmlengine-edit-cut-and-paste.c (html_engine_delete): do the "simple" delete for nested cluev's
* htmlclueflow.c (op_helper): update length calculation logic to work with nested cluev's
* htmlcluev.c (copy): copy direction and background color
* htmltext.c (copy): copy direction
* htmlclueflow.c (copy): copy direction
I assembled a patch based on the above ChangeLog entry and tested it. Evolution still hung in the same loop. Back to the drawing board.
We believe this bug will be fixed in the Evolution 2.8 upgrade option scheduled for RHEL 4.6. Please feel free to reopen this bug report if the problem still exists in Evolution 2.8.