Description of problem:
Tried to open a newsletter with HTML in it.

Version-Release number of selected component:
evolution-3.6.0-1.fc18

Additional info:
libreport version: 2.0.16
abrt_version: 2.0.15
backtrace_rating: 4
cmdline: evolution
crash_function: g_malloc0
kernel: 3.6.1-1.fc18.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #6 g_malloc0 at gmem.c:189
: #7 folder_scan_header at camel-mime-parser.c:1218
: #8 folder_scan_step at camel-mime-parser.c:1638
: #9 camel_mime_parser_step at camel-mime-parser.c:623
: #10 mime_part_construct_from_parser_sync at camel-mime-part.c:740
: #11 mime_message_construct_from_parser_sync at camel-mime-message.c:306
: #12 camel_mime_part_construct_from_parser_sync at camel-mime-part.c:1431
: #13 mime_part_construct_from_stream_sync at camel-mime-part.c:718
: #14 camel_data_wrapper_construct_from_stream_sync at camel-data-wrapper.c:968
: #15 maildir_folder_get_message_sync at camel-maildir-folder.c:279
Created attachment 626512 [details] File: core_backtrace
Created attachment 626513 [details] File: environ
Created attachment 626514 [details] File: var_log_messages
Created attachment 626515 [details] File: backtrace
Created attachment 626516 [details] File: limits
Created attachment 626517 [details] File: cgroup
Created attachment 626518 [details] File: smolt_data
Created attachment 626519 [details] File: maps
Created attachment 626520 [details] File: dso_list
Created attachment 626521 [details] File: build_ids
Created attachment 626522 [details] File: proc_pid_status
Created attachment 626523 [details] File: open_fds
Thanks for a bug report. I see it crashed on "corrupted double-linked list", which means that something corrupted memory. Is this reproducible with the respective message right after start, or does it just happen after some time of using evolution?
It's reproducible. Evolution has crashed on a couple different messages lately.
*** Bug 866053 has been marked as a duplicate of this bug. ***
*** Bug 867575 has been marked as a duplicate of this bug. ***
Let's try to investigate this. I can think of two options here:
a) involve valgrind, it may shed a bit of light on it
b) get the offending message(s) for testing

I'm not sure which one of these you prefer to start. Let's say with b)? I would close preview panel (Ctrl+M), then select one of the messages you got crashing on your side, and save it as mbox. Then upload it here, or even test if it still reproduces the issue, by importing it to one of On This Computer folders and selecting it - maybe multiple times, as I guess it depends on message selection order, in a way that the previously selected message garbles memory of currently selected (and rendered) message.

One important thing, as these are HTML messages, what is your setting in Edit->Preferences->Mail Preferences->HTML Messages? Especially image loading policy and plain text preferences. I fixed recently [1], which was causing other kind of issues with HTML messages, but the backtrace was different, same as symptoms, because the Evolution didn't crash immediately.

Another question, as you mention Newsletter, is this related to NNTP anyhow? I'm thinking of bug #866697, but again, that is with a different backtrace, and different symptoms.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=686278
I ran Evolution under valgrind and got invalid reads on one of the messages. It looks like it just hangs on some message and then generates invalid reads when you try to move back up one message in the message list.
==14109== Conditional jump or move depends on uninitialised value(s)
==14109==    at 0x3D8EF899DB: WebCore::PresentationAttributeCacheCleaner::cleanCache(WebCore::Timer<WebCore::PresentationAttributeCacheCleaner>*) (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D8F49A121: WebCore::ThreadTimers::sharedTimerFiredInternal() (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D8FDD83B1: WebCore::timeout_cb(void*) (in /usr/lib64/libwebkitgtk-3.0.so.0.17.4)
==14109==    by 0x3D81E4861A: g_timeout_dispatch (gmain.c:4026)
==14109==    by 0x3D81E47A94: g_main_context_dispatch (gmain.c:2715)
==14109==    by 0x3D81E47DC7: g_main_context_iterate.isra.24 (gmain.c:3290)
==14109==    by 0x3D81E481C1: g_main_loop_run (gmain.c:3484)
==14109==    by 0x3D8538DA9C: gtk_main (gtkmain.c:1160)
==14109==    by 0x40318E: main (main.c:704)
==14109==
==14109== Thread 11:
==14109== Invalid read of size 8
==14109==    at 0x3D9502007D: e_mail_part_unref (e-mail-part.c:157)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==  Address 0x2e81eb90 is 0 bytes inside a block of size 80 free'd
==14109==    at 0x4A077A6: free (vg_replace_malloc.c:446)
==14109==    by 0x3D81E4D7DE: g_free (gmem.c:252)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==
==14109== Invalid read of size 4
==14109==    at 0x3D95020089: e_mail_part_unref (e-mail-part.c:159)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
==14109==  Address 0x6f766528202a2a0a is not stack'd, malloc'd or (recently) free'd
==14109==
==14109==
==14109== Process terminating with default action of signal 11 (SIGSEGV)
==14109==  General Protection Fault
==14109==    at 0x3D95020089: e_mail_part_unref (e-mail-part.c:159)
==14109==    by 0x3D81E63CBC: g_slist_foreach (gslist.c:894)
==14109==    by 0x3D81E63CDA: g_slist_free_full (gslist.c:177)
==14109==    by 0x3D950203C2: e_mail_part_list_finalize (e-mail-part-list.c:44)
==14109==    by 0x3D8261486A: g_object_unref (gobject.c:3023)
==14109==    by 0x10E412B9: handle_mail_request (e-mail-request.c:165)
==14109==    by 0x3D82E6DEDD: run_in_thread (gsimpleasyncresult.c:869)
==14109==    by 0x3D82E5C2D5: io_job_thread (gioscheduler.c:162)
==14109==    by 0x3D81E6BE31: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14109==    by 0x3D81E6B614: g_thread_proxy (gthread.c:797)
==14109==    by 0x37FEC07D14: start_thread (pthread_create.c:308)
==14109==    by 0x37FE4F22CC: clone (clone.S:114)
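A triage helper for memcheck output like the valgrind log above, as an added example that is not part of the original report or of Evolution's code: it pairs each invalid access with the stack that freed the block and lists the frames common to both. The sample input is constructed from frame names in the log, shortened and with placeholder addresses; the function name `triage` is hypothetical.

```python
import re

# Constructed sample: a shortened memcheck record in the shape of the log in
# this report (frames trimmed, addresses and PID replaced with placeholders).
SAMPLE = """\
==1== Invalid read of size 8
==1==    at 0x1: e_mail_part_unref (e-mail-part.c:157)
==1==    by 0x2: g_slist_foreach (gslist.c:894)
==1==    by 0x3: g_slist_free_full (gslist.c:177)
==1==    by 0x4: e_mail_part_list_finalize (e-mail-part-list.c:44)
==1==  Address 0x5 is 0 bytes inside a block of size 80 free'd
==1==    at 0x6: free (vg_replace_malloc.c:446)
==1==    by 0x7: g_free (gmem.c:252)
==1==    by 0x2: g_slist_foreach (gslist.c:894)
==1==    by 0x3: g_slist_free_full (gslist.c:177)
==1==    by 0x4: e_mail_part_list_finalize (e-mail-part-list.c:44)
==1==
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(")
HEAD = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)")
FREED = re.compile(r"inside a block of size (\d+) free'd")

def triage(log):
    """Return one dict per invalid access that touches freed heap memory."""
    findings, cur, stack = [], None, None
    for line in log.splitlines():
        if (m := HEAD.match(line)):
            cur = {"error": m.group(1), "access": [], "freed_by": [], "size": None}
            stack = cur["access"]
        elif cur is None:
            continue
        elif (m := FREED.search(line)):
            cur["size"] = int(m.group(1))
            stack = cur["freed_by"]   # frames that follow belong to the free
            findings.append(cur)
        elif (m := FRAME.match(line)):
            stack.append(m.group(1))
        elif re.match(r"^==\d+==\s*$", line):
            cur = None                # blank separator ends the record
    for f in findings:
        # Frames present in both stacks: the path that released the block
        # is also the path that touched it afterwards.
        f["shared"] = [fn for fn in f["access"] if fn in f["freed_by"]]
    return findings
```

Records whose address is reported as "not stack'd, malloc'd or (recently) free'd" carry no free stack and are skipped.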
Created attachment 630619 [details] Message that crashes evolution
Here's the message that causes problems.
Thanks for the update and data. I cannot reproduce this after patch from [1], and if I revert that commit, then I get different issue, but still caused by the same thing, which is the text/html part being in the mail before the text/plain part. I believe this is fixed by [1], thus I'm closing this as such. If you wish, I can create a test build of evolution with the patch included, unless you'll want to wait for testing for 3.6.2.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=686278