Summary: | Claws Mail randomly segfaults with invalid pointer free() in slist_free_strings_full at utils.c:261
---|---
Product: | Claws Mail (GTK 2)
Reporter: | joydeep.biswas
Component: | Folders/IMAP
Assignee: | users
Status: | RESOLVED WORKSFORME
Severity: | major
CC: | joydeep.biswas
Priority: | P3
Version: | 3.9.3
Hardware: | PC
OS: | Linux
Description
joydeep.biswas
2015-03-16 15:53:56 UTC
if you can reproduce this with the latest release, re-open this

Reopened, since bug persists in trunk. Attached below is a GDB backtrace from the version post commit de6f18826fe06f2592e2436b70a340cb20241df0 from trunk.

```
[New Thread 0x7fffe22c0700 (LWP 22921)]
[Thread 0x7fffe22c0700 (LWP 22921) exited]
*** Error in `/home/joydeepb/projects/claws-mail/claws/src/claws-mail': free(): invalid pointer: 0x00000000021d4620 ***
DeanMoore
Program received signal SIGABRT, Aborted.
0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7fffe3fff700 (LWP 28011)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007ffff4954803 in mailsem_internal_wait (s=0x105eac0) at mailsem.c:133
#2 0x000000000067e9e7 in thread_run (data=0xf2eaa0) at etpan-thread-manager.c:320
#3 0x00007ffff531d182 in start_thread (arg=0x7fffe3fff700) at pthread_create.c:312
#4 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7fffeabc7700 (LWP 27950)):
#0 0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff5c9a129 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007ffff531d182 in start_thread (arg=0x7fffeabc7700) at pthread_create.c:312
#6 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7fffeb3c8700 (LWP 27949)):
#0 0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff6c07336 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4 0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007ffff531d182 in start_thread (arg=0x7fffeb3c8700) at pthread_create.c:312
#6 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fada00 (LWP 27939)):
#0 0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff45930d8 in __GI_abort () at abort.c:89
#2 0x00007ffff45ccf24 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff46db6c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff45d91fe in malloc_printerr (ptr=<optimized out>, str=0x7ffff46d77b9 "free(): invalid pointer", action=1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff5cb66b8 in g_slist_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6 0x00007ffff5cb66db in g_slist_free_full () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x000000000066b6eb in slist_free_strings_full (list=0x191dd80) at utils.c:281
#8 0x00000000004cbf70 in imap_get_flags_thread (data=0x21c2200) at imap.c:5330
#9 0x00000000004cc1c5 in imap_get_flags (folder=0xf5e200, item=0xf8ec00, msginfo_list=0x219d290, msgflags=0x21e6a40) at imap.c:5392
#10 0x00000000004a1024 in syncronize_flags (item=0xf8ec00, msglist=0x219d290) at folder.c:1933
#11 0x00000000004a2813 in folder_item_scan_full (item=0xf8ec00, filtering=1) at folder.c:2330
#12 0x00000000004a317e in folder_item_scan (item=0xf8ec00) at folder.c:2493
#13 0x00000000004b296b in folderview_check_new (folder=0xf5e200) at folderview.c:1117
#14 0x00000000004d2839 in inc_all_account_mail (mainwin=0xbfc700, autocheck=1, notify=0) at inc.c:362
#15 0x00000000004d5fa8 in inc_autocheck_func (data=0xbfc700) at inc.c:1495
#16 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007ffff7280641 in gtk_main_iteration () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#21 0x000000000064c7d8 in threaded_run (folder=0xf96650, param=0x7fffffffdb30, result=0x7fffffffdb20, func=0x64daa6 <noop_run>) at imap-thread.c:427
#22 0x000000000064dbc3 in imap_threaded_noop (folder=0xf96650, p_exists=0x7fffffffdb64, p_recent=0x7fffffffdb68, p_expunge=0x7fffffffdb6c, p_unseen=0x7fffffffdb70, p_uidnext=0x7fffffffdb74, p_uidval=0x7fffffffdb78) at imap-thread.c:1074
#23 0x00000000004c88e5 in imap_cmd_noop (session=0x1436f60) at imap.c:4100
#24 0x00000000004befed in imap_ping (data=0x1436f60) at imap.c:565
#25 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#28 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#29 0x00007ffff7280447 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#30 0x00000000004d8a58 in main (argc=1, argv=0x7fffffffdf18) at main.c:1559
(gdb)
```

Another stack trace, pretty much identical to the previous one:

```
** (claws-mail:8514): WARNING **: GDBus.Error:org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user
[Thread 0x7fffe0e13700 (LWP 28548) exited]
*** Error in `/home/joydeepb/projects/claws-mail/claws/src/claws-mail': free(): invalid pointer: 0x00000000015f0c60 ***
DeanMoorebodybody
Program received signal SIGABRT, Aborted.
0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7fffe3fff700 (LWP 8563)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007ffff4954803 in mailsem_internal_wait (s=0x1065310) at mailsem.c:133
#2 0x000000000067e9e7 in thread_run (data=0x1063230) at etpan-thread-manager.c:320
#3 0x00007ffff531d182 in start_thread (arg=0x7fffe3fff700) at pthread_create.c:312
#4 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7fffeabc7700 (LWP 8524)):
#0 0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff5c9a129 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007ffff531d182 in start_thread (arg=0x7fffeabc7700) at pthread_create.c:312
#6 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7fffeb3c8700 (LWP 8522)):
#0 0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff6c07336 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4 0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007ffff531d182 in start_thread (arg=0x7fffeb3c8700) at pthread_create.c:312
#6 0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fada00 (LWP 8514)):
#0 0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff45930d8 in __GI_abort () at abort.c:89
#2 0x00007ffff45ccf24 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff46db6c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff45d91fe in malloc_printerr (ptr=<optimized out>, str=0x7ffff46d77b9 "free(): invalid pointer", action=1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff5cb66b8 in g_slist_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6 0x00007ffff5cb66db in g_slist_free_full () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x000000000066b6eb in slist_free_strings_full (list=0x15f0c30) at utils.c:281
#8 0x00000000004cbf70 in imap_get_flags_thread (data=0x2240dd0) at imap.c:5330
#9 0x00000000004cc1c5 in imap_get_flags (folder=0xeb5e00, item=0xf8eae0, msginfo_list=0x1ccc640, msgflags=0x17e1cc0) at imap.c:5392
#10 0x00000000004a1024 in syncronize_flags (item=0xf8eae0, msglist=0x1ccc640) at folder.c:1933
#11 0x00000000004a2813 in folder_item_scan_full (item=0xf8eae0, filtering=1) at folder.c:2330
#12 0x00000000004a317e in folder_item_scan (item=0xf8eae0) at folder.c:2493
#13 0x00000000004b296b in folderview_check_new (folder=0xeb5e00) at folderview.c:1117
#14 0x00000000004d2839 in inc_all_account_mail (mainwin=0xbdc9a0, autocheck=1, notify=0) at inc.c:362
#15 0x00000000004d5fa8 in inc_autocheck_func (data=0xbdc9a0) at inc.c:1495
#16 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007ffff7280447 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#21 0x00000000004d8a58 in main (argc=1, argv=0x7fffffffdf18) at main.c:1559
```

Created attachment 1638
Check tags before freeing it

Hi,

g_hash_table_lookup returns the associated value, or NULL if the key is not found (https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-lookup)

The tags pointer may be NULL, in which case calling slist_free_strings_full on it crashes the application. This patch simply checks that tags is not NULL before calling slist_free_strings_full.

Hi,

Thanks for the patch! Unfortunately it won't fix this crash, as slist_free_strings_full() tolerates a NULL list, and as you can see from the backtraces, it's called with a non-null list there. The problem comes from somewhere else... A valgrind log would probably help more figuring this out.

no response for 10 months or so...
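The distinction drawn in the reply above, as an added example that is not Claws Mail or GLib code: a NULL list is a no-op for a NULL-tolerant free routine, while a non-NULL list holding one pointer the allocator never returned is the kind of input that ends in `free(): invalid pointer`. The list type, the tracking allocator and the tag strings are constructed for illustration; the page does not identify which pointer was bad or why.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for GSList; every name in this block is hypothetical. */
typedef struct node { char *data; struct node *next; } node;
static void *live[16];         /* pointers handed out by tracked_strdup() */
static int invalid_frees;      /* frees of pointers that were never handed out */

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    strcpy(p, s);
    for (int i = 0; i < 16; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();                   /* registry full: cannot happen in this demo */
}

/* Counts a pointer the allocator never returned instead of passing it to free(). */
static void checked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < 16; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;
}

static node *prepend(node *list, char *data) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->data = data; n->next = list;
    return n;
}

/* NULL-tolerant, as the reply says slist_free_strings_full() is. */
static void list_free_strings(node *list) {
    for (node *next; list; list = next) {
        next = list->next;
        checked_free(list->data);
        free(list);
    }
}

/* kind 0: NULL list; 1: healthy list; 2: non-NULL list with one bad element. */
int invalid_frees_for(int kind) {
    node *list = NULL;
    char *s = tracked_strdup("$Label1");           /* constructed sample tag */
    invalid_frees = 0;
    if (kind == 1) list = prepend(list, tracked_strdup("\\Seen"));
    if (kind == 2) list = prepend(list, s + 1);    /* interior pointer, not a malloc result */
    list_free_strings(list);
    checked_free(s);
    return invalid_frees;
}
```

Only case 2 reports an invalid free, and a NULL check on the list would not have changed that outcome.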