Bug 169646

Summary: Kmail crashes when applying filter with no rules
Product: [Unmaintained] kmail Reporter: th
Component: filteringAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED DUPLICATE    
Severity: crash CC: christophe, clement.cc, jatoivol
Priority: NOR    
Version: 1.10.0   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Suggested fix

Description th 2008-08-23 09:52:34 UTC 
Version:           1.10.0 (using 4.1.00 (KDE 4.1.0), Kubuntu packages)
Compiler:          cc
OS:                Linux (i686) release 2.6.26-5-generic

Kmail 1.10.0 (KDE 4.1.0) crashes when applying filter with no rules.


To reproduce:

1) 2nd click on any email and choose Create filter > Filter on Subject
2) Filter Rules window opens - don't choose any action or target folder, just hit OK
3) Hit CTRL-J (Apply All Filters) on the message
4) PUF! The application KMail (kmail) crashed and caused the signal 11 (SIGSEGV).



Backtrace:

Application: KMail (kmail), signal SIGSEGV
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb40fa700 (LWP 10266)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[KCrash handler]
#6  0xb7975bdc in ?? () from /usr/lib/libkmailprivate.so.4
#7  0xb7976bf6 in ?? () from /usr/lib/libkmailprivate.so.4
#8  0xb7976e8d in ?? () from /usr/lib/libkmailprivate.so.4
#9  0xb700e7e0 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#10 0xb700f562 in QMetaObject::activate () from /usr/lib/libQtCore.so.4
#11 0xb7049587 in QTimer::timeout () from /usr/lib/libQtCore.so.4
#12 0xb701518e in QTimer::timerEvent () from /usr/lib/libQtCore.so.4
#13 0xb70092bf in QObject::event () from /usr/lib/libQtCore.so.4
#14 0xb66eebfc in QApplicationPrivate::notify_helper ()
   from /usr/lib/libQtGui.so.4
#15 0xb66f6a6e in QApplication::notify () from /usr/lib/libQtGui.so.4
#16 0xb74c7d7d in KApplication::notify () from /usr/lib/libkdeui.so.5
#17 0xb6ff9bbf in QCoreApplication::notifyInternal ()
   from /usr/lib/libQtCore.so.4
#18 0xb7027b11 in ?? () from /usr/lib/libQtCore.so.4
#19 0xb70242b0 in ?? () from /usr/lib/libQtCore.so.4
#20 0xb4a937e1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0xb4a96e83 in ?? () from /usr/lib/libglib-2.0.so.0
#22 0xb4a97041 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#23 0xb7024208 in QEventDispatcherGlib::processEvents ()
   from /usr/lib/libQtCore.so.4
#24 0xb6788b45 in ?? () from /usr/lib/libQtGui.so.4
#25 0xb6ff828a in QEventLoop::processEvents () from /usr/lib/libQtCore.so.4
#26 0xb6ff844a in QEventLoop::exec () from /usr/lib/libQtCore.so.4
#27 0xb6ffab05 in QCoreApplication::exec () from /usr/lib/libQtCore.so.4
#28 0xb66eea77 in QApplication::exec () from /usr/lib/libQtGui.so.4
#29 0x0804a6c0 in _start ()
#0  0xb7f01424 in __kernel_vsyscall ()
Comment 1 Christophe Marin 2008-08-23 11:26:56 UTC 
Please read the following page and provide a useful backtrace for this crash : http://techbase.kde.org/Development/Tutorials/Debugging/How_to_create_useful_crash_reports
Comment 2 Thomas McGuire 2008-08-23 11:40:29 UTC 
I can not reproduce this. With a clean configuration / new user, I composed a empty test message with just a subject, saved that as a draft, created a folder named "Test" under the inbox and moved the draft message to there. Then I tried your steps. No crash.
Please try to reproduce this with a clean config or a new user and post the steps to reproduce.
Also, your backtrace is unfortunately useless, because it misses the debug symbols of KMail. See http://techbase.kde.org/Development/Tutorials/Debugging/How_to_create_useful_crash_reports on how to get a better backtrace.
Comment 3 Bram Schoenmakers 2008-10-27 20:01:23 UTC 
Closing due to lack of feedback. Please reopen if you obtained a better backtrace by following the steps described in http://techbase.kde.org/Development/Tutorials/Debugging/How_to_create_useful_crash_reports . Thank you.
Comment 4 Siu Chung (Clement) Cheung 2010-04-17 05:41:45 UTC 
This bug is still happening.

kmail 1.13.2
KDE 4.4.2
linux kernel 2.6.33-gentoo-r1 (x86_64)
Gentoo packages.

Interestingly, my other setup with 32-bit linux on Sabayon Linux doesn't crash using exact same rule. Not sure why.

Backtrace:
Thread 1 (Thread 0x7f457240c750 (LWP 11155)):
[KCrash Handler]
#5  0x00007f4570dbfb62 in KMail::ActionScheduler::actionMessage(KMFilterAction::ReturnCode) () from /usr/lib64/libkmailprivate.so.4
#6  0x00007f4570dbfe1a in KMail::ActionScheduler::filterMessage() () from /usr/lib64/libkmailprivate.so.4
#7  0x00007f4570dc05ba in KMail::ActionScheduler::qt_metacall(QMetaObject::Call, int, void**) () from /usr/lib64/libkmailprivate.so.4
#8  0x00007f456ccb7147 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib64/qt4/libQtCore.so.4
#9  0x00007f456ccb3bd3 in QObject::event(QEvent*) () from /usr/lib64/qt4/libQtCore.so.4

Liberal sprinkling of debug statements in the area reveals that the variable "action" is pointing at 0x21, an invalid but non-zero address which passes the mFilterAction check in actionMessage(). This causes a segfault when accessed later.

How does that happen? Here's the current code that checks for the end of the action list:
498 	 KMFilterAction *action = mFilterAction;
499 	// mFilterAction = (*mFilterIt).actions()->next();
500 	if ( ++mFilterActionIt == (*mFilterIt)->actions()->end() )
501 	mFilterAction = 0;
502 	else mFilterAction = (*mFilterActionIt);
503 	action->processAsync( *mMessageIt );
504 	}

The problem is we're checking if the *NEXT* action is the end. What about the *CURRENT* one? Sure it's supposed to be already checked when we advance the pointer there. Except that the first action isn't assigned by this iterator advancing code. It's initialized in filterMessage():
      mFilterActionIt = (*mFilterIt)->actions()->begin();
      mFilterAction = (*mFilterActionIt);
      actionMessage();

What's happening here is that begin() == end() since the list is empty. We didn't verify that mFilterActionIt isn't end (and therefore invalid) before dereferencing it. Since this is an iterator, not a pointer, we won't crash -- yet. But mFilterAction will get random garbage. If said random garbage happens to be non-zero, actionMessage() will then try to dereference it as a pointer and hence the crash.
Comment 5 Siu Chung (Clement) Cheung 2010-04-17 05:44:57 UTC 
Created attachment 42833 [details]
Suggested fix

Check the interator instead of the pointer derived from the iterator, which could be invalid but non-null.
Comment 6 Siu Chung (Clement) Cheung 2010-04-17 05:54:55 UTC 
As a temporary work around, people like me who need this to set a "stop processing here" rule with no action and matching sender = my_boss@my_company.com to make sure important messages doesn't get filtered can assign a sound as action.

That action will have no effect except being extremely irritating when a whole bunch of messages matching the rule arrives. This can be avoided by recording a wav file of silence and using it as the action.
Comment 7 Mr. Janne Toivola 2011-02-06 22:34:51 UTC 
*** Bug 265649 has been marked as a duplicate of this bug. ***
Comment 8 Christophe Marin 2011-02-10 11:26:31 UTC 

*** This bug has been marked as a duplicate of bug 169048 ***