Red Hat Bugzilla – Bug 231025
evolution segv in mail_msg_free
Last modified: 2018-04-11 11:16:10 EDT
Description of problem:
I start evo, and I get a traceback immediately from a duplicate free() from
mail_msg_free() in evolution/mail/mail-ts.c.
Created attachment 149273
Created attachment 149274
patch that seems to make evo work again for me
This patch seems to mitigate it, but I'm kind of stabbing in the dark here, so
I'm not sure that the patch is actually _correct_.
Thanks for the patch. Can I ask you to attach another backtrace of evolution
crashing in this way? The attachment in comment #1 just shows a memory map.
So here's the backtrace from gdb:
#0 0x00fe0402 in __kernel_vsyscall ()
#1 0x06d398de in __lll_mutex_lock_wait () from /lib/libc.so.6
#2 0x06cc970e in _L_lock_14400 () from /lib/libc.so.6
#3 0x06cc8c34 in *__GI___libc_free (mem=0x9546750) at malloc.c:3564
#4 0x00934081 in _dl_map_object_deps (map=0x9547000, preloads=0x0,
npreloads=<value optimized out>, trace_mode=0, open_mode=-2147483648)
#5 0x009389c8 in dl_open_worker (a=0xbfd52268) at dl-open.c:284
#6 0x00934ee6 in _dl_catch_error (objname=0xbfd52290, errstring=0xbfd5228c,
mallocedp=0xbfd52297, operate=0x938880 <dl_open_worker>, args=0xbfd52268)
#7 0x009384a2 in _dl_open (file=0x6d7fd92 "libgcc_s.so.1",
mode=<value optimized out>, caller_dlopen=0x0, nsid=-2, argc=1,
argv=0xbfd52f84, env=0xbfd52f8c) at dl-open.c:557
#8 0x06d62fd2 in do_dlopen (ptr=0xbfd523c0) at dl-libc.c:86
#9 0x00934ee6 in _dl_catch_error (objname=0xbfd523d0, errstring=0xbfd523cc,
mallocedp=0xbfd523d7, operate=0x6d62f70 <do_dlopen>, args=0xbfd523c0)
#10 0x06d63185 in *__GI___libc_dlopen_mode (name=0x6d7fd92 "libgcc_s.so.1",
mode=-2147483647) at dl-libc.c:47
#11 0x06d3fec9 in init () at ../sysdeps/i386/backtrace.c:43
#12 0x00bfb2bb in pthread_once () from /lib/libpthread.so.0
#13 0x06d400a5 in *__GI___backtrace (array=0xbfd529a0, size=64)
#14 0x06cbd821 in __libc_message (do_abort=2,
fmt=0x6d82c04 "*** glibc detected *** %s: %s: 0x%s ***\n")
#15 0x06cc55ed in _int_free (av=0x6dad120, mem=0x8e99708) at malloc.c:5788
#16 0x06cc8c40 in *__GI___libc_free (mem=0x8e99708) at malloc.c:3566
#17 0x0052f6e1 in IA__g_free (mem=0x8e99708) at gmem.c:187
#18 0x0152ec20 in free_user_message (mm=0x899eb70) at mail-session.c:358
#19 0x015275e6 in mail_msg_free (msg=0x899eb70) at mail-mt.c:188
#20 0x015279f8 in periodic_processing () at mail-mt.c:458
#21 0x00528a16 in g_timeout_dispatch (source=0x8a7c880, callback=0,
user_data=0x0) at gmain.c:3422
#22 0x00528442 in IA__g_main_context_dispatch (context=0x88f8530)
#23 0x0052b41f in g_main_context_iterate (context=0x88f8530, block=1,
dispatch=1, self=0x88d5660) at gmain.c:2677
#24 0x0052b7c9 in IA__g_main_loop_run (loop=0x892da58) at gmain.c:2881
#25 0x044c07c3 in bonobo_main () at bonobo-main.c:311
#26 0x0805ef8c in main (argc=1, argv=0xbfd52f84) at main.c:611
Thanks, this should be very helpful in tracking down the problem.
*** Bug 221760 has been marked as a duplicate of this bug. ***
The backtrace in comment #4 looks familiar. What's the version/release of the
evolution package you're using?
Is this bug still present in evolution-2.10.0-1.fc7 or later?
I'm trying to determine if this is a dupe of bug #220714, which was recently
fixed. Neither this bug nor bug #221760 states which version of evolution was
Reporter, could you please reply to the previous question?
Reporter, could you please reply to the previous question? If you won't reply in
one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.
I know this is fixed now and I'm pretty sure it's a dupe of bug #220714, so
marking it as such.
*** This bug has been marked as a duplicate of 220714 ***