Bug 3402 - Claws Mail randomly segfaults with invalid pointer free() in slist_free_strings_full at utils.c:261
Summary: Claws Mail randomly segfaults with invalid pointer free() in slist_free_strin...
Status: RESOLVED WORKSFORME
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Folders/IMAP (show other bugs)
Version: 3.9.3
Hardware: PC Linux
: P3 major
Assignee: users
URL:
Depends on:
Blocks:
 
Reported: 2015-03-16 14:53 UTC by joydeep.biswas
Modified: 2017-01-16 10:57 UTC (History)
1 user (show)

See Also:


Attachments
GDB Backtrace of segfault, generated with claws-mail-dbg symbols and "tread apply all bt" (7.20 KB, text/plain)
2015-03-16 14:53 UTC, joydeep.biswas
no flags Details
Check tags before freeing it (589 bytes, patch)
2016-03-24 09:14 UTC, Florian
no flags Details | Diff

Description joydeep.biswas 2015-03-16 14:53:56 UTC
Created attachment 1497 [details]
GDB Backtrace of segfault, generated with claws-mail-dbg symbols and "tread apply all bt"

The version of claws-mail in question is 3.9.3-1ubuntu1 (the version on the Ubuntu 14.04 packages repo). Architecture: amd64.
Further details of the package included at the end.

Claws-mail seems to randomly crash with an invalid pointer free while trying to fetch new mail. There is additional output on stderr, which might, or might not be relevant. I'm pasting the stderr output here, and have included a backtrace,  generated along with debug symbols from all the threads (thread apply all bt). 

========================================================
stderr output
========================================================
(claws-mail:5424): GLib-CRITICAL **: Source ID 4294967295 was not found when attempting to remove it
[New Thread 0x7fffb7fff700 (LWP 5281)]
[Thread 0x7fffb7fff700 (LWP 5281) exited]

(claws-mail:5424): GLib-CRITICAL **: Source ID 109165 was not found when attempting to remove it
[Thread 0x7fffc5c22700 (LWP 5192) exited]

(claws-mail:5424): Claws-Mail-WARNING **: can't open signature file: /home/joydeepb/.signature


(claws-mail:5424): Claws-Mail-WARNING **: can't open signature file: /home/joydeepb/.signature


(claws-mail:5424): GLib-CRITICAL **: Source ID 4294967295 was not found when attempting to remove it
[New Thread 0x7fffc5c22700 (LWP 4288)]
[Thread 0x7fffc5c22700 (LWP 4288) exited]

(claws-mail:5424): GLib-CRITICAL **: Source ID 123532 was not found when attempting to remove it

** (claws-mail:5424): WARNING **: [22:22:12] IMAP error on imap.gmail.com: stream error


** (claws-mail:5424): WARNING **: [22:22:12] IMAP4 connection broken

Learned tokens from 1 message(s) (1 message(s) examined)
Learned tokens from 1 message(s) (1 message(s) examined)
Learned tokens from 1 message(s) (1 message(s) examined)
Created new window in existing browser session.

(claws-mail:5424): Claws-Mail-WARNING **: can't open signature file: /home/joydeepb/.signature

Learned tokens from 1 message(s) (1 message(s) examined)
Learned tokens from 1 message(s) (1 message(s) examined)

(claws-mail:5424): GLib-CRITICAL **: Source ID 93961 was not found when attempting to remove it
Created new window in existing browser session.

(claws-mail:5424): Claws-Mail-WARNING **: can't open signature file: /home/joydeepb/.signature


(claws-mail:5424): GLib-CRITICAL **: Source ID 4294967295 was not found when attempting to remove it
[New Thread 0x7fffc5c22700 (LWP 21128)]
[Thread 0x7fffc5c22700 (LWP 21128) exited]

(claws-mail:5424): GLib-CRITICAL **: Source ID 211946 was not found when attempting to remove it

** (claws-mail:5424): WARNING **: [23:44:18] IMAP error on imap.gmail.com: stream error


** (claws-mail:5424): WARNING **: [23:44:18] IMAP4 connection broken

Learned tokens from 1 message(s) (1 message(s) examined)

** (claws-mail:5424): WARNING **: [12:33:39] IMAP error on imap.srv.cs.cmu.edu: stream error


** (claws-mail:5424): WARNING **: [12:33:39] IMAP4 connection broken


** (claws-mail:5424): WARNING **: [12:33:39] IMAP error on imap.srv.cs.cmu.edu: LOGIN error


** (claws-mail:5424): WARNING **: [12:33:41] IMAP error on imap.srv.cs.cmu.edu: stream error


** (claws-mail:5424): WARNING **: [12:33:41] IMAP4 connection broken

*** Error in `/usr/bin/claws-mail': free(): invalid pointer: 0x0000000001e7da20 ***


========================================================
package description
========================================================
Package: claws-mail
Priority: optional
Section: universe/mail
Installed-Size: 3742
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Ricardo Mones <mones@debian.org>
Architecture: amd64
Version: 3.9.3-1ubuntu1
Replaces: claws-mail-extra-plugins (<< 3.9.1-1)
Provides: imap-client, mail-reader, news-reader
Depends: libc6 (>= 2.15), libcairo2 (>= 1.2.4), libcompfaceg1, libdbus-glib-1-2 (>= 0.78), libenchant1c2a (>= 1.6.0), libetpan15 (>= 1.0), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.37.3), libgnutls26 (>= 2.12.17-0), libgtk2.0-0 (>= 2.24.0), libice6 (>= 1:1.0.0), libldap-2.4-2 (>= 2.4.7), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libpisock9, libsm6, xdg-utils
Recommends: claws-mail-i18n, xfonts-100dpi | xfonts-75dpi | xfonts-100dpi-transcoded | xfonts-75dpi-transcoded, aspell-en | aspell-dictionary
Suggests: claws-mail-doc (= 3.9.3-1ubuntu1), www-browser, gedit | kwrite | mousepad | nedit, claws-mail-tools
Breaks: claws-mail-extra-plugins (<< 3.9.1-1)
Filename: pool/universe/c/claws-mail/claws-mail_3.9.3-1ubuntu1_amd64.deb
Size: 1239492
MD5sum: f97bd40256d61c436322af1dad490ee7
SHA1: 9d3ec164b84130fbcc425d33f99bfe35ee9705a1
SHA256: 6cb276a6959df85962239163730858e17681a713bdf545a6fa21abbbca4854f6
Description-en: Fast, lightweight and user-friendly GTK+2 based email client
 Claws Mail is a powerful and full-featured mail client formerly called
 Sylpheed-Claws. It is also extensible using loadable plugins, which can
 provide support for additional features, like other storage formats,
 feed reader, calendar management, mail filtering, etc.
Description-md5: f9d9f85803d938ab3d5fbc85f90e263a
Homepage: http://www.claws-mail.org
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Comment 1 Paul 2015-03-16 16:15:21 UTC
if yu can reproduce this with the latest release, re-open this
Comment 2 joydeep.biswas 2015-03-20 14:54:40 UTC
Reopened, since bug persists in trunk.
Attached below is a GDB backtrace from the version post commit de6f18826fe06f2592e2436b70a340cb20241df0 from trunk.

[New Thread 0x7fffe22c0700 (LWP 22921)]
[Thread 0x7fffe22c0700 (LWP 22921) exited]
*** Error in `/home/joydeepb/projects/claws-mail/claws/src/claws-mail': free(): invalid pointer: 0x00000000021d4620 ***
DeanMoore
Program received signal SIGABRT, Aborted.
0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7fffe3fff700 (LWP 28011)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff4954803 in mailsem_internal_wait (s=0x105eac0) at mailsem.c:133
#2  0x000000000067e9e7 in thread_run (data=0xf2eaa0) at etpan-thread-manager.c:320
#3  0x00007ffff531d182 in start_thread (arg=0x7fffe3fff700) at pthread_create.c:312
#4  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7fffeabc7700 (LWP 27950)):
#0  0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff5c9a129 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff531d182 in start_thread (arg=0x7fffeabc7700) at pthread_create.c:312
#6  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7fffeb3c8700 (LWP 27949)):
#0  0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff6c07336 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff531d182 in start_thread (arg=0x7fffeb3c8700) at pthread_create.c:312
#6  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fada00 (LWP 27939)):
#0  0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff45930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff45ccf24 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff46db6c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff45d91fe in malloc_printerr (ptr=<optimized out>, str=0x7ffff46d77b9 "free(): invalid pointer", action=1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x00007ffff5cb66b8 in g_slist_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff5cb66db in g_slist_free_full () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x000000000066b6eb in slist_free_strings_full (list=0x191dd80) at utils.c:281
#8  0x00000000004cbf70 in imap_get_flags_thread (data=0x21c2200) at imap.c:5330
#9  0x00000000004cc1c5 in imap_get_flags (folder=0xf5e200, item=0xf8ec00, msginfo_list=0x219d290, msgflags=0x21e6a40)
    at imap.c:5392
#10 0x00000000004a1024 in syncronize_flags (item=0xf8ec00, msglist=0x219d290) at folder.c:1933
#11 0x00000000004a2813 in folder_item_scan_full (item=0xf8ec00, filtering=1) at folder.c:2330
#12 0x00000000004a317e in folder_item_scan (item=0xf8ec00) at folder.c:2493
#13 0x00000000004b296b in folderview_check_new (folder=0xf5e200) at folderview.c:1117
#14 0x00000000004d2839 in inc_all_account_mail (mainwin=0xbfc700, autocheck=1, notify=0) at inc.c:362
#15 0x00000000004d5fa8 in inc_autocheck_func (data=0xbfc700) at inc.c:1495
#16 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007ffff7280641 in gtk_main_iteration () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#21 0x000000000064c7d8 in threaded_run (folder=0xf96650, param=0x7fffffffdb30, result=0x7fffffffdb20, 
    func=0x64daa6 <noop_run>) at imap-thread.c:427
#22 0x000000000064dbc3 in imap_threaded_noop (folder=0xf96650, p_exists=0x7fffffffdb64, p_recent=0x7fffffffdb68, 
    p_expunge=0x7fffffffdb6c, p_unseen=0x7fffffffdb70, p_uidnext=0x7fffffffdb74, p_uidval=0x7fffffffdb78)
    at imap-thread.c:1074
#23 0x00000000004c88e5 in imap_cmd_noop (session=0x1436f60) at imap.c:4100
#24 0x00000000004befed in imap_ping (data=0x1436f60) at imap.c:565
#25 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#28 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#29 0x00007ffff7280447 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#30 0x00000000004d8a58 in main (argc=1, argv=0x7fffffffdf18) at main.c:1559
(gdb)
Comment 3 joydeep.biswas 2015-03-23 22:02:04 UTC
Another stack trace, pretty much identical to the previous one:


** (claws-mail:8514): WARNING **: GDBus.Error:org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

[Thread 0x7fffe0e13700 (LWP 28548) exited]
*** Error in `/home/joydeepb/projects/claws-mail/claws/src/claws-mail': free(): invalid pointer: 0x00000000015f0c60 ***
DeanMoorebodybody
Program received signal SIGABRT, Aborted.
0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7fffe3fff700 (LWP 8563)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00007ffff4954803 in mailsem_internal_wait (s=0x1065310) at mailsem.c:133
#2  0x000000000067e9e7 in thread_run (data=0x1063230) at etpan-thread-manager.c:320
#3  0x00007ffff531d182 in start_thread (arg=0x7fffe3fff700) at pthread_create.c:312
#4  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7fffeabc7700 (LWP 8524)):
#0  0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff5c9a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff5c9a129 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff531d182 in start_thread (arg=0x7fffeabc7700) at pthread_create.c:312
#6  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7fffeb3c8700 (LWP 8522)):
#0  0x00007ffff4646cbd in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff5c99fe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff6c07336 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007ffff5cbef05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff531d182 in start_thread (arg=0x7fffeb3c8700) at pthread_create.c:312
#6  0x00007ffff465400d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fada00 (LWP 8514)):
#0  0x00007ffff458fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff45930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff45ccf24 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff46db6c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff45d91fe in malloc_printerr (ptr=<optimized out>, str=0x7ffff46d77b9 "free(): invalid pointer", action=1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x00007ffff5cb66b8 in g_slist_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff5cb66db in g_slist_free_full () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x000000000066b6eb in slist_free_strings_full (list=0x15f0c30) at utils.c:281
#8  0x00000000004cbf70 in imap_get_flags_thread (data=0x2240dd0) at imap.c:5330
#9  0x00000000004cc1c5 in imap_get_flags (folder=0xeb5e00, item=0xf8eae0, msginfo_list=0x1ccc640, msgflags=0x17e1cc0)
    at imap.c:5392
#10 0x00000000004a1024 in syncronize_flags (item=0xf8eae0, msglist=0x1ccc640) at folder.c:1933
#11 0x00000000004a2813 in folder_item_scan_full (item=0xf8eae0, filtering=1) at folder.c:2330
#12 0x00000000004a317e in folder_item_scan (item=0xf8eae0) at folder.c:2493
#13 0x00000000004b296b in folderview_check_new (folder=0xeb5e00) at folderview.c:1117
#14 0x00000000004d2839 in inc_all_account_mail (mainwin=0xbdc9a0, autocheck=1, notify=0) at inc.c:362
#15 0x00000000004d5fa8 in inc_autocheck_func (data=0xbdc9a0) at inc.c:1495
#16 0x00007ffff5c9a703 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007ffff5c99ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007ffff5c9a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff5c9a30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007ffff7280447 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#21 0x00000000004d8a58 in main (argc=1, argv=0x7fffffffdf18) at main.c:1559
Comment 4 Florian 2016-03-24 09:14:04 UTC
Created attachment 1638 [details]
Check tags before freeing it

Hi,

g_hash_table_lookup returns the associated value, or NULL if the key is not found (https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-lookup)

The tags pointer may be NULL, in which case calling slist_free_strings_full on it crash the application.

This patch simply check that tags is not NULL before calling slist_free_strings_full.
Comment 5 Colin Leroy 2016-03-24 09:28:05 UTC
Hi,

Thanks for the patch ! Unfortunately it won't fix this crash, as slist_free_strings_full() tolerates a NULL list, and as you can see from the backtraces, it's called with a non-null list there.

The problem comes from somewhere else...
Comment 6 Colin Leroy 2016-03-24 09:31:10 UTC
A valgrind log would probably help more figuring this out.
Comment 7 Paul 2017-01-16 10:57:44 UTC
no response for 10 months or so...

Note You need to log in before you can comment on or make changes to this bug.