Bug 117972

Summary: Random crashes on glibc double-free when displaying messages
Product: [Unmaintained] kmail Reporter: Björn Fahller <bjorn>
Component: generalAssignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED DUPLICATE    
Severity: crash CC: r3m1.benoit
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Björn Fahller 2005-12-09 01:08:02 UTC 
Version:            (using KDE KDE 3.5.0)
Installed from:    Gentoo Packages
Compiler:          gcc 3.4.4 
OS:                Linux

kmail 3.5.0-r3

When attempting to view a message in an imap folder, kmail randomly (frequently) crashes due to a double-free detected by glibc. Unfortunately I do not have a core-dump with symbols, but a log from a debug-build might be of some help:

kmail: connections to server x.y.z now 0
kmail: processNextCheck, remaining 0
kmail: account x finished check
kmail: 2 new message(s) in .1633406481.directory/INBOX
kmail: ImapJob::slotGetMessageResult - retrieved part
kmail: (125222, last 0) subject sender, readyToShow true
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == 'iso-8859-1'
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == 'iso-8859-1'
kmail: parseMsg(KMMessage* aMsg == aMsg )
kmail: + Text/Plain
kmail:       Inserting one item into MimePartTree
kmail:                 Content-Type: Text/Plain
kmail: partNode::findType() is looking at Text/Plain
kmail: [static KMail::SpamScores KMail::SpamHeaderAnalyzer::getSpamScores(const KMMessage*)]
kmail: Multiple / No addressees matched email address; Count is 0
*** glibc detected *** double free or corruption (out): 0x082c7b18 ***
*** KMail got signal 6 (Crashing)


Next start of kmail after such a crash always leads to a SIGSEGV instead:

kmail: KMFolderImap::processNewMail - waiting for connection: FFK
kmail: KMFolderImap::processNewMail - imapPath of RFK is empty!
kmail: slotListNamespaces - waiting for connection
kmail: slotListNamespaces - waiting for connection
*** KMail got signal 11 (Crashing)
   _
/Bjorn.
Comment 1 Björn Fahller 2005-12-12 20:46:53 UTC 
Caught this one with a non-stripped build.

The original crash:

#0  0xffffe410 in ?? ()
#1  0xbfd3cfe8 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00001eb5 in ?? ()
#4  0xb5824651 in raise () from /lib/tls/libc.so.6
#5  0xb582615c in abort () from /lib/tls/libc.so.6
#6  0xb585735b in __fsetlocking () from /lib/tls/libc.so.6
#7  0xb5860c99 in mallopt () from /lib/tls/libc.so.6
#8  0xb585fa0d in mallopt () from /lib/tls/libc.so.6
#9  0xb585e7c9 in free () from /lib/tls/libc.so.6
#10 0xb59e23f1 in operator delete ()
   from /usr/lib/gcc/i686-pc-linux-gnu/3.4.4/libstdc++.so.6
#11 0xb7b91e93 in __gnu_cxx::new_allocator<DwFieldBody*>::deallocate (this=0xbfd3d380,
    __p=0x85ed428) at new_allocator.h:86
#12 0xb7b9185b in std::_Vector_base<DwFieldBody*, std::allocator<DwFieldBody*> >::_M_deallocate (this=0xbfd3d380, __p=0x85ed428, __n=1) at stl_vector.h:117
#13 0xb7b90d46 in ~_Vector_base (this=0xbfd3d380) at stl_vector.h:106
#14 0xb7b8ff60 in ~vector (this=0xbfd3d380) at stl_vector.h:256
#15 0xb7b85674 in KMMessage::headerFields (this=0x8596dc8, field=@0xbfd3d3d0)
    at kmmessage.cpp:2187
#16 0xb7b83b00 in KMMessage::cc (this=0x8596dc8) at kmmessage.cpp:1831
#17 0xb7d54eb1 in KMail::FancyHeaderStyle::format (this=0x83fa448, message=0x8596dc8,
    strategy=0x805e7d0, vCardName=@0xbfd42b40, printing=false) at headerstyle.cpp:630
#18 0xb7c569aa in KMReaderWin::writeMsgHeader (this=0x836f670, aMsg=0x8596dc8,
    hasVCard=false) at kmreaderwin.cpp:1646
#19 0xb7c55cb9 in KMReaderWin::parseMsg (this=0x836f670, aMsg=0x8596dc8)
    at kmreaderwin.cpp:1529
#20 0xb7c55711 in KMReaderWin::displayMessage (this=0x836f670) at kmreaderwin.cpp:1468
#21 0xb7c551db in KMReaderWin::updateReaderWin (this=0x836f670) at kmreaderwin.cpp:1404
#22 0xb7c52136 in KMReaderWin::update (this=0x836f670, observable=0x8596de4)
    at kmreaderwin.cpp:835
#23 0xb7ddcfd8 in KMail::ISubject::notify (this=0x8596de4) at isubject.cpp:35
#24 0xb7b8c6cd in KMMessage::updateBodyPart (this=0x8596dc8, partSpecifier=
      {static null = {static null = <same as static member of an already seen type>, d = 0x804e070, static shared_null = 0x804e070}, d = 0x8548dd0, static shared_null = 0x804e070},
    data=@0x85edd7c) at kmmessage.cpp:4050
#25 0xb7dc04b5 in KMail::ImapJob::slotGetMessageResult (this=0x85f4320, job=0x85edb98)
    at imapjob.cpp:414
#26 0xb7dc16c6 in KMail::ImapJob::qt_invoke (this=0x85f4320, _id=2, _o=0xbfd43100)
    at imapjob.moc:126
#27 0xb5fe5934 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#28 0xb6be3fed in KIO::Job::result () from /usr/kde/3.5/lib/libkio.so.4
#29 0x085edb98 in ?? ()
#30 0x085eddd0 in ?? ()
#31 0xbfd43100 in ?? ()
#32 0xffffffff in ?? ()
#33 0xb64693e4 in TID_QUType_enum () from /usr/qt/3/lib/libqt-mt.so.3
#34 0xb5911820 in __after_morecore_hook () from /lib/tls/libc.so.6
#35 0x085eec68 in ?? ()
#36 0xb5a04c9c in ?? () from /usr/lib/gcc/i686-pc-linux-gnu/3.4.4/libstdc++.so.6
#37 0xb585f2e1 in mallopt () from /lib/tls/libc.so.6


This seems freaky. Line 2187 in kmmessage.cpp it the return line in headerFields, and the destroyed object is a local std::vector of ptrs. That vector should only be free'd once, and that is on the return line.

(Un)fortunately, it is very easy for me to reproduce. All I have to do is to click on my work imap server. :-(
   _
/Bjorn.
Comment 2 Tommi Tervo 2005-12-13 10:40:42 UTC 
See http://bugs.kde.org/show_bug.cgi?id=111115
Have you used -fvisibility?
Comment 3 Philip Rodrigues 2006-09-19 17:45:53 UTC 
No answer from reporter, so assuming this is the fvisibility problem

*** This bug has been marked as a duplicate of 111115 ***
Comment 4 Rémi Benoit 2014-05-04 19:43:36 UTC 
Git commit a4960b99578620374ac2a1086a0c94f415b798eb by Rémi Benoit.
Committed on 01/05/2014 at 16:30.
Pushed by remibenoit into branch 'master'.

Implement Note serializer for Akonadi backend

M  +1    -0    src/akonadi/CMakeLists.txt
M  +15   -6    src/akonadi/akonadiserializer.cpp
M  +1    -1    tests/testlib/CMakeLists.txt
M  +1    -1    tests/units/akonadi/CMakeLists.txt
M  +133  -0    tests/units/akonadi/akonadiserializertest.cpp

http://commits.kde.org/zanshin/a4960b99578620374ac2a1086a0c94f415b798eb
Comment 5 Rémi Benoit 2014-05-08 11:01:54 UTC 

*** This bug has been marked as a duplicate of bug 111115 ***