[Bug 956843] Re: Access to freed memory in timezone handling causes crash

Launchpad Bug Tracker 956843 at bugs.launchpad.net
Tue Apr 10 22:06:19 UTC 2012


** Branch linked: lp:ubuntu/libical

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/956843

Title:
  Access to freed memory in timezone handling causes crash

Status in Libical:
  Unknown
Status in “libical” package in Ubuntu:
  Fix Released

Bug description:
  When I start evolution and then click the button at the bottom of the
  left pane to switch to the calendar, evolution crashes. If I right-
  click on the evolution icon in Unity and click on "Calendar" to go
  straight to the calendar, evolution also crashes. This reproduced on
  my machine 31 out of 32 attempts, and produces a variety of backtraces
  (attached, summary below). For privacy reasons, I regret that I am not
  willing to post the core dumps.

  I have searched through previous bugs and found a number of bugs that
  I believe are the same problem. For example: bug 900534, bug 951201,
  bug 952368, bug 954220, bug 900534.

  Although I am still on Oneiric, looking at the existing bugs the same
  crash appears to also be present in Precise.

  The problem seems to be that calendar items have a builtin_timezone
  field set that is not initialised. I have not yet managed to figure
  out where it is supposed to be initialised. For example:

  #5  0x00007f2f479925a6 in e_calendar_item_draw_day_numbers (cells_y=45, 
      cells_x=7, start_weekday=3, month=2, year=2012, col=0, row=0, 
      cr=0x7f2f456ec9e0, calitem=0x7f2f4b154cd0, width=<optimized out>, 
      height=<optimized out>) at e-calendar-item.c:1485
  1485			today_tm = (*calitem->time_callback) (calitem, calitem->time_callback_data);
  (gdb) p ((GnomeCalendar *)(((ECalShellView *)calitem->time_callback_data)->priv->cal_shell_content->priv->calendar))->priv->model->priv->zone->builtin_timezone
  $49 = (icaltimezone *) 0x2000000020

  I've found this in modules/calendar/e-cal-shell-backend.c which I
  think may be related:

          /* XXX Pre-load all built-in timezones in libical.
           *
           *     Built-in time zones in libical 0.43 are loaded on demand,
           *     but not in a thread-safe manner, resulting in a race when
           *     multiple threads call icaltimezone_load_builtin_timezone()
           *     on the same time zone.  Until built-in time zone loading
           *     in libical is made thread-safe, work around the issue by
           *     loading all built-in time zones now, so libical's internal
           *     time zone array will be fully populated before any threads
           *     are spawned.
           */

  
  As this bug is so difficult to reproduce and I can reproduce it reliably at the moment, I will try and get to the bottom of this. Any help would be appreciated.


  Here are my 31 crash stack frames:

  #0  0x00007f1c0ca611ad in icaltimezone_load_builtin_timezone (
  #0  0x00007f4a000007e1 in ?? ()
  #0  0x00007fb420a511ad in icaltimezone_load_builtin_timezone (
  #0  0x00007fbc08d94ac7 in icaltimezone_get_utc_offset_of_utc_time (
  #0  0x00007fc23a37eac7 in icaltimezone_get_utc_offset_of_utc_time (
  #0  0x00007feb4a4401ad in icaltimezone_load_builtin_timezone (
  #0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:259
  #0  icalarray_free (array=0x7f2000000001)
  #0  icalcomponent_get_first_component (c=0xc8000006f3000000, 
  #0  icalcomponent_get_first_component (c=0xd00000009, kind=ICAL_ANY_COMPONENT)
  #0  icaltimezone_compare_change_fn (elem1=0x7fff75af4f60, elem2=0x2)
  #0  icaltimezone_ensure_coverage (zone=0x1, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x20, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x21, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x36, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x4008000000000000, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x6, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x7f1500000004, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x7f3000000001, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x7f9400000003, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x7fda00000004, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x8ffecfbcaff6a5e, end_year=2012)
  #0  icaltimezone_ensure_coverage (zone=0x900001100000000, end_year=2012)
  #0  pvl_head (L=0x42555347e0300100)

  Backtraces of all of these are attached.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: evolution 3.2.2-0ubuntu0.1
  ProcVersionSignature: Ubuntu 3.0.0-16.28-generic 3.0.17
  Uname: Linux 3.0.0-16-generic x86_64
  ApportVersion: 1.23-0ubuntu4
  Architecture: amd64
  Date: Fri Mar 16 10:25:02 2012
  ProcEnviron:
   LC_COLLATE=C
   PATH=(custom, user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: evolution
  UpgradeStatus: Upgraded to oneiric on 2011-09-03 (194 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/libical/+bug/956843/+subscriptions
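The comment quoted from e-cal-shell-backend.c in the bug description names the hazard behind crashes like these: a shared table of built-in time zones populated on demand with no synchronisation, so two threads can take the load path for the same entry at once and one of them can observe a half-built entry or a pointer into memory the other has replaced. The C program below is an added illustration, not code from libical or evolution. It models a hypothetical built-in zone table (tz_entry, tz_get_builtin, tz_preload_all and tz_stress_same_zone are invented names, and the zone data is constructed) in which the check-then-load step runs under a mutex, and it also implements the preload-before-spawning-threads workaround the quoted comment describes.

```c
/* Added example, not libical or evolution code: thread-safe lazy loading
 * of a shared built-in time zone table. All names here are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define TZ_COUNT 3
#define THREADS 8

typedef struct {
    const char *tzid;
    int utc_offset_seconds;   /* constructed payload, filled on first use */
    int loaded;               /* 0 until the zone's data has been populated */
} tz_entry;

/* Constructed table: only the ids are known up front; the rest is filled
 * lazily, as libical's builtin time zone array is. */
static tz_entry builtin_zones[TZ_COUNT] = {
    { "Europe/London",    0, 0 },
    { "Europe/Berlin",    0, 0 },
    { "America/New_York", 0, 0 },
};

static pthread_mutex_t tz_lock = PTHREAD_MUTEX_INITIALIZER;
static int load_calls;   /* how many times the expensive load actually ran */

/* Stand-in for the expensive on-demand load (parsing VTIMEZONE data).
 * Must only be called with tz_lock held. */
static void tz_populate(tz_entry *z)
{
    /* constructed offsets; a real loader would read zoneinfo here */
    if (strcmp(z->tzid, "Europe/London") == 0)      z->utc_offset_seconds = 0;
    else if (strcmp(z->tzid, "Europe/Berlin") == 0) z->utc_offset_seconds = 3600;
    else                                            z->utc_offset_seconds = -5 * 3600;
    load_calls++;
    z->loaded = 1;
}

/* Thread-safe lookup: the "is it loaded? if not, load it" sequence runs
 * under the lock, so two threads asking for the same zone cannot both run
 * tz_populate and no caller ever sees a half-initialised entry. */
tz_entry *tz_get_builtin(const char *tzid)
{
    tz_entry *found = NULL;
    pthread_mutex_lock(&tz_lock);
    for (int i = 0; i < TZ_COUNT; i++) {
        if (strcmp(builtin_zones[i].tzid, tzid) == 0) {
            found = &builtin_zones[i];
            if (!found->loaded)
                tz_populate(found);
            break;
        }
    }
    pthread_mutex_unlock(&tz_lock);
    return found;
}

/* The workaround from the quoted comment: load every zone before any worker
 * thread exists, so later lookups never take the load path at all. */
void tz_preload_all(void)
{
    for (int i = 0; i < TZ_COUNT; i++)
        tz_get_builtin(builtin_zones[i].tzid);
}

int tz_load_calls(void) { return load_calls; }

struct job { const char *tzid; tz_entry *result; };

static void *worker(void *arg)
{
    struct job *j = arg;
    j->result = tz_get_builtin(j->tzid);
    return NULL;
}

/* Has THREADS threads request the same zone concurrently. Returns 1 if every
 * thread got the same non-NULL, fully loaded entry, 0 otherwise. */
int tz_stress_same_zone(const char *tzid)
{
    pthread_t threads[THREADS];
    struct job jobs[THREADS];
    for (int i = 0; i < THREADS; i++) {
        jobs[i].tzid = tzid;
        jobs[i].result = NULL;
        if (pthread_create(&threads[i], NULL, worker, &jobs[i]) != 0)
            return 0;
    }
    for (int i = 0; i < THREADS; i++)
        pthread_join(threads[i], NULL);
    /* Reads below happen after join, so they are ordered after the loads. */
    for (int i = 0; i < THREADS; i++) {
        if (jobs[i].result == NULL || jobs[i].result != jobs[0].result
            || !jobs[i].result->loaded)
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = tz_stress_same_zone("Europe/Berlin");
    printf("%d threads, same zone: %s, load calls: %d\n",
           THREADS, ok ? "ok" : "MISMATCH", tz_load_calls());
    tz_preload_all();
    printf("after preload: %d load calls\n", tz_load_calls());
    return ok ? 0 : 1;
}
```

Build with `cc -pthread` (the flag is needed on older toolchains). Without the mutex the same program would be a textbook check-then-act race: a second thread could enter tz_populate while the first is still writing the entry, which is the class of bug the quoted comment works around by calling the loader for every zone before evolution spawns its threads.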