[Bug 956843] [NEW] Access to freed memory in timezone handling causes crash

Launchpad Bug Tracker 956843 at bugs.launchpad.net
Wed Apr 4 12:59:43 UTC 2012


You have been subscribed to a public bug by Robie Basak (racb):

When I start evolution and then click the button at the bottom of the
left pane to switch to the calendar, evolution crashes. If I right-click
on the evolution icon in Unity and click on "Calendar" to go straight to
the calendar, evolution also crashes. This reproduced on my machine 31
out of 32 attempts, and produces a variety of backtraces (attached,
summary below). For privacy reasons, I regret that I am not willing to
post the core dumps.

I have searched through previous bugs and found a number of bugs that I
believe are the same problem. For example: bug 900534, bug 951201, bug
952368, bug 954220, bug 900534.

Although I am still on Oneiric, looking at the existing bugs the same
crash appears to also be present in Precise.

The problem seems to be that calendar items have a builtin_timezone
field set that is not initialised. I have not yet managed to figure out
where it is supposed to be initialised. For example:

#5  0x00007f2f479925a6 in e_calendar_item_draw_day_numbers (cells_y=45, 
    cells_x=7, start_weekday=3, month=2, year=2012, col=0, row=0, 
    cr=0x7f2f456ec9e0, calitem=0x7f2f4b154cd0, width=<optimized out>, 
    height=<optimized out>) at e-calendar-item.c:1485
1485			today_tm = (*calitem->time_callback) (calitem, calitem->time_callback_data);
(gdb) p ((GnomeCalendar *)(((ECalShellView *)calitem->time_callback_data)->priv->cal_shell_content->priv->calendar))->priv->model->priv->zone->builtin_timezone
$49 = (icaltimezone *) 0x2000000020

I've found this in modules/calendar/e-cal-shell-backend.c which I think
may be related:

        /* XXX Pre-load all built-in timezones in libical.
         *
         *     Built-in time zones in libical 0.43 are loaded on demand,
         *     but not in a thread-safe manner, resulting in a race when
         *     multiple threads call icaltimezone_load_builtin_timezone()
         *     on the same time zone.  Until built-in time zone loading
         *     in libical is made thread-safe, work around the issue by
         *     loading all built-in time zones now, so libical's internal
         *     time zone array will be fully populated before any threads
         *     are spawned.
         */


As this bug is so difficult to reproduce and I can reproduce it reliably at the moment, I will try and get to the bottom of this. Any help would be appreciated.


Here are my 31 crash stack frames:

#0  0x00007f1c0ca611ad in icaltimezone_load_builtin_timezone (
#0  0x00007f4a000007e1 in ?? ()
#0  0x00007fb420a511ad in icaltimezone_load_builtin_timezone (
#0  0x00007fbc08d94ac7 in icaltimezone_get_utc_offset_of_utc_time (
#0  0x00007fc23a37eac7 in icaltimezone_get_utc_offset_of_utc_time (
#0  0x00007feb4a4401ad in icaltimezone_load_builtin_timezone (
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:259
#0  icalarray_free (array=0x7f2000000001)
#0  icalcomponent_get_first_component (c=0xc8000006f3000000, 
#0  icalcomponent_get_first_component (c=0xd00000009, kind=ICAL_ANY_COMPONENT)
#0  icaltimezone_compare_change_fn (elem1=0x7fff75af4f60, elem2=0x2)
#0  icaltimezone_ensure_coverage (zone=0x1, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x20, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x21, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x36, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x4008000000000000, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x6, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x7f1500000004, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x7f3000000001, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x7f9400000003, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x7fda00000004, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x8ffecfbcaff6a5e, end_year=2012)
#0  icaltimezone_ensure_coverage (zone=0x900001100000000, end_year=2012)
#0  pvl_head (L=0x42555347e0300100)

Backtraces of all of these are attached.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: evolution 3.2.2-0ubuntu0.1
ProcVersionSignature: Ubuntu 3.0.0-16.28-generic 3.0.17
Uname: Linux 3.0.0-16-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Fri Mar 16 10:25:02 2012
ProcEnviron:
 LC_COLLATE=C
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: evolution
UpgradeStatus: Upgraded to oneiric on 2011-09-03 (194 days ago)

** Affects: libical (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug oneiric running-unity
-- 
Access to freed memory in timezone handling causes crash
https://bugs.launchpad.net/bugs/956843
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
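The comment quoted above from modules/calendar/e-cal-shell-backend.c describes the pattern behind this bug class: a shared table whose entries are built on first use without synchronisation, so two threads can both see "not loaded" and both write the same slot, and a pre-load step before any thread is spawned as the workaround. The block below is an added example written for this page, not code from Evolution or libical: it models the same on-demand table with the check-then-load step taken under one mutex, implements the pre-load mitigation, and counts loads so a test can prove each entry is built exactly once under concurrent access. Every name in it (zone_record, zone_get, zone_preload_all, zone_stress, zone_load_count) and the four zone entries are constructed for illustration.

```c
/* Added example (not from the bug report, Evolution or libical): a
 * thread-safe version of lazy, on-demand loading of shared records,
 * plus the "preload before spawning threads" mitigation the quoted
 * comment describes. All names and data here are hypothetical. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ZONE_COUNT 4

typedef struct {
    const char *name;
    int utc_offset_minutes;
    int loaded;             /* 0 until the record has been built */
} zone_record;

/* Constructed table; in libical this would be the built-in zone array. */
static zone_record zone_table[ZONE_COUNT] = {
    { "Europe/London",    0,    0 },
    { "Europe/Berlin",    60,   0 },
    { "America/New_York", -300, 0 },
    { "Asia/Tokyo",       540,  0 },
};

static pthread_mutex_t zone_lock = PTHREAD_MUTEX_INITIALIZER;
static int load_count = 0;  /* how many first-time loads happened */

/* Simulated expensive load (stands in for parsing a VTIMEZONE).
 * Must only be called with zone_lock held. */
static void zone_load_locked(zone_record *z)
{
    z->loaded = 1;
    load_count++;
}

/* Thread-safe on-demand lookup: the "is it loaded?" check and the load
 * itself happen under the same lock, so no two threads can both take
 * the load path for one entry. */
const zone_record *zone_get(const char *name)
{
    const zone_record *result = NULL;
    pthread_mutex_lock(&zone_lock);
    for (int i = 0; i < ZONE_COUNT; i++) {
        if (strcmp(zone_table[i].name, name) == 0) {
            if (!zone_table[i].loaded)
                zone_load_locked(&zone_table[i]);
            result = &zone_table[i];
            break;
        }
    }
    pthread_mutex_unlock(&zone_lock);
    return result;
}

/* The workaround from the quoted comment: populate every entry before
 * any worker thread exists, so workers never hit a first load at all. */
void zone_preload_all(void)
{
    for (int i = 0; i < ZONE_COUNT; i++)
        zone_get(zone_table[i].name);
}

int zone_load_count(void)
{
    return load_count;
}

/* Worker: repeatedly look up one zone and insist on a fully built record.
 * A NULL or half-built record is the failure class the report shows. */
static void *worker(void *arg)
{
    int idx = (int)((intptr_t)arg % ZONE_COUNT);
    for (int i = 0; i < 1000; i++) {
        const zone_record *z = zone_get(zone_table[idx].name);
        if (z == NULL || !z->loaded)
            abort();
    }
    return NULL;
}

/* Hammer the table from several threads. Returns 0 when every zone was
 * loaded exactly once regardless of thread count, -1 otherwise. */
int zone_stress(int nthreads)
{
    pthread_t *t = calloc((size_t)nthreads, sizeof *t);
    if (t == NULL)
        return -1;
    for (intptr_t i = 0; i < nthreads; i++) {
        if (pthread_create(&t[i], NULL, worker, (void *)i) != 0) {
            free(t);
            return -1;
        }
    }
    for (int i = 0; i < nthreads; i++)
        pthread_join(t[i], NULL);
    free(t);
    return load_count == ZONE_COUNT ? 0 : -1;
}

int main(void)
{
    if (zone_stress(8) != 0) {
        puts("stress failed");
        return 1;
    }
    printf("loads=%d (expected %d)\n", zone_load_count(), ZONE_COUNT);
    return 0;
}
```

The load counter is the cheap check worth keeping in any lazily initialised shared table: if concurrent lookups ever push it above the number of entries, the initialisation path is not serialised. The garbage pointer values in the report (0x2000000020, 0x7f3000000001 and so on) are what a reader of such a table observes when another thread is still writing it; running the program under Valgrind or AddressSanitizer reports the invalid read at the first faulting access rather than at the later crash.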