[Evolution] SIGSEGV on setting label - gdb output and analysis



Hi,

I have further information on the following bug:

http://bugzilla.ximian.com/show_bug.cgi?id=34164

Observed on Evo 1.2.0. I got this by selecting all messages in a vfolder
and trying to set a label on them.

I managed to trap this in gdb. If I read the code right, it looks like
there is a thread locking problem in e-util/e-msgport.c:e_thread_put():

        switch(e->type) {
        case E_THREAD_QUEUE:
                /* if the queue is full, lose this new addition */
==>             if (e_dlist_length(&e->server_port->queue) < e->queue_limit) {
                        e_msgport_put(e->server_port, msg);
                } else {
                        printf("queue limit reached, dropping new message\n");
                        dmsg = msg;
                }
                break;
        case E_THREAD_DROP:
                /* if the queue is full, lose the oldest (unprocessed) message */
==>             if (e_dlist_length(&e->server_port->queue) < e->queue_limit) {
                        e_msgport_put(e->server_port, msg);
                } else {
                        printf("queue limit reached, dropping old message\n");
                        e_msgport_put(e->server_port, msg);
                        dmsg = e_msgport_get(e->server_port);
                }
                break;

As you can see, there are two calls to e_dlist_length() to find out the
message queue length without locking it first. e_dlist_length() iterates
the whole message queue, which might be modified simultaneously by
another thread. The appended backtrace seems to confirm that the message
queue is indeed corrupted.

Cheers,

        MikaL

--

(gdb) bt
#0  e_dlist_length (l=0x84a1e80) at e-msgport.c:93
#1  0x401b58ef in e_thread_put (e=0x8492c98, msg=0x41b4be58) at e-msgport.c:633
#2  0x400783c8 in session_thread_queue (session=<incomplete type>, msg=0x41b4be58, flags=0)
    at camel-session.c:775
#3  0x40078770 in camel_session_thread_queue (session=<incomplete type>, msg=0x41b4be58, flags=0)
    at camel-session.c:850
#4  0x40088b81 in folder_changed (sub=0x8271580, changes=0x41b4a6c0, vf=0x4142e350)
    at camel-vee-folder.c:1586
#5  0x40088bc6 in message_changed (f=0x8271580, uid=0x8266bfb "106", vf=0x4142e350)
    at camel-vee-folder.c:1606
#6  0x4006a4bf in camel_object_trigger_event (vo=0x8271580, name=0x80fa12e "message_changed",
    event_data=0x8266bfb) at camel-object.c:882
#7  0x0809f549 in mlf_proxy_message_changed (real_folder=0x81864d8, event_data=0x8266bfb,
    user_data=0x8271580) at mail-local.c:440
#8  0x4006a4bf in camel_object_trigger_event (vo=0x81864d8, name=0x415120ae "message_changed",
    event_data=0x8266bfb) at camel-object.c:882
#9  0x4150aa29 in camel_mbox_folder_new ()
   from /usr/lib/evolution/1.2/camel-providers/libcamellocal.so
#10 0x4004e6c2 in camel_folder_set_message_user_tag (folder=<incomplete type>,
    uid=0x8266bfb "106", name=0x80f1d44 "label", value=0x8107b33 "later") at camel-folder.c:881
#11 0x0809f475 in mlf_set_message_user_tag (folder=0x8271580, uid=0x8266bfb "106",
    name=0x80f1d44 "label", value=0x8107b33 "later") at mail-local.c:404
#12 0x4004e6c2 in camel_folder_set_message_user_tag (folder=<incomplete type>,
    uid=0x8266bfb "106", name=0x80f1d44 "label", value=0x8107b33 "later") at camel-folder.c:881
#13 0x40086d06 in vee_set_message_user_tag (folder=0x4144cbf0, uid=0x8548fb0 "Y_YrRLTW106",
    name=0x80f1d44 "label", value=0x8107b33 "later") at camel-vee-folder.c:807
#14 0x4004e6c2 in camel_folder_set_message_user_tag (folder=<incomplete type>,
    uid=0x8548fb0 "Y_YrRLTW106", name=0x80f1d44 "label", value=0x8107b33 "later")
    at camel-folder.c:881
#15 0x0807a53e in set_msg_label (widget=0x860a660, user_data=0x8410a10) at folder-browser.c:1640
#16 0x40fb81b9 in gtk_marshal_NONE__NONE () from /usr/lib/libgtk-1.2.so.0
#17 0x40fe7b6c in gtk_signal_remove_emission_hook () from /usr/lib/libgtk-1.2.so.0
#18 0x40fe6fd5 in gtk_signal_set_funcs () from /usr/lib/libgtk-1.2.so.0
#19 0x40fe50b3 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#20 0x4101bc4e in gtk_widget_activate () from /usr/lib/libgtk-1.2.so.0
#21 0x40fc0614 in gtk_menu_shell_activate_item () from /usr/lib/libgtk-1.2.so.0
#22 0x40fbf89a in gtk_menu_shell_deactivate () from /usr/lib/libgtk-1.2.so.0
#23 0x40fb7e43 in gtk_marshal_BOOL__POINTER () from /usr/lib/libgtk-1.2.so.0
#24 0x40fe7013 in gtk_signal_set_funcs () from /usr/lib/libgtk-1.2.so.0
---Type <return> to continue, or q <return> to quit---
#25 0x40fe50b3 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#26 0x4101bb0b in gtk_widget_event () from /usr/lib/libgtk-1.2.so.0
#27 0x40fb7d95 in gtk_propagate_event () from /usr/lib/libgtk-1.2.so.0
#28 0x40fb6efe in gtk_main_do_event () from /usr/lib/libgtk-1.2.so.0
#29 0x410654d7 in gdk_wm_protocols_filter () from /usr/lib/libgdk-1.2.so.0
#30 0x410954c8 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#31 0x41095ad3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#32 0x41095c6c in g_main_run () from /usr/lib/libglib-1.2.so.0
#33 0x40fb67f7 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#34 0x4058decd in bonobo_main () from /usr/lib/libbonobo.so.2
#35 0x080af7a4 in main (argc=2, argv=0xbffffc84) at main.c:160
(gdb) f 0
#0  e_dlist_length (l=0x84a1e80) at e-msgport.c:93
93                      nn = n->next;
(gdb) list
88              n = l->head;
89              nn = n->next;
90              while (nn) {
91                      count++;
92                      n = nn;
93                      nn = n->next;
94              }
95
96              return count;
97      }
(gdb) p n
$2 = (EDListNode *) 0x200
(gdb) p *n
Cannot access memory at address 0x200
(gdb)
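
Added example, not part of the original post and not Evolution's code or its eventual fix: a bounded message queue in C where the length check and the insert happen inside one critical section, so no thread ever walks or measures the list while another is modifying it. All names (bqueue_t, bqueue_put, POLICY_QUEUE, POLICY_DROP, BQUEUE_INIT) are hypothetical; the two policies mirror the E_THREAD_QUEUE and E_THREAD_DROP cases quoted above, and the length is kept as a counter under the lock instead of being recounted by iteration.

```c
#include <pthread.h>
#include <stddef.h>

/* Hypothetical types for illustration; not Evolution's EMsgPort/EThread. */
typedef struct msg { struct msg *next; int id; } msg_t;
typedef enum { POLICY_QUEUE, POLICY_DROP } policy_t;
typedef struct {
    pthread_mutex_t lock;      /* guards head, tail and length together */
    msg_t *head, *tail;
    size_t length, limit;      /* length is maintained, never recounted */
    policy_t policy;
} bqueue_t;

#define BQUEUE_INIT(lim, pol) { PTHREAD_MUTEX_INITIALIZER, NULL, NULL, 0, (lim), (pol) }

static void push_locked(bqueue_t *q, msg_t *m)   /* caller holds q->lock */
{
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
    q->length++;
}

static msg_t *pop_locked(bqueue_t *q)            /* caller holds q->lock */
{
    msg_t *m = q->head;
    if (!m) return NULL;
    q->head = m->next;
    if (!q->head) q->tail = NULL;
    q->length--;
    return m;
}

/* Returns the dropped message (for the caller to free), or NULL. */
msg_t *bqueue_put(bqueue_t *q, msg_t *m)
{
    msg_t *dropped = NULL;
    pthread_mutex_lock(&q->lock);    /* check and insert are one critical section */
    if (q->length < q->limit) {
        push_locked(q, m);
    } else if (q->policy == POLICY_QUEUE) {
        dropped = m;                 /* full: lose the new addition */
    } else {
        push_locked(q, m);           /* full: lose the oldest message */
        dropped = pop_locked(q);
    }
    pthread_mutex_unlock(&q->lock);
    return dropped;
}
```

Any consumer that removes messages has to take the same lock; checking the length under the lock and then inserting after releasing it would reintroduce a check-then-act race.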





