[Bug 186502] Crash when selecting message with encapsulated message with online IMAP [QTreeWidget*, KMMimePartTreeItem, partNode::fillMimePartTree, KMail::ObjectTreeParser::insertAndParseNewChildNode]

Thomas Jarosch thomas.jarosch at intra2net.com
Fri Apr 2 11:44:09 BST 2010


https://bugs.kde.org/show_bug.cgi?id=186502





--- Comment #59 from Thomas Jarosch <thomas jarosch intra2net com>  2010-04-02 12:43:54 ---
I gave it another valgrind run and this turned out to be an IMAP server
response speed race condition. It's easily triggerable if you run kmail via
valgrind as it gets reaaaallly slooooooow.

Here's the command:
valgrind --trace-children=yes --log-file=kmail.crash --free-fill=0 kmail

Backtrace of the bug:
==5906== Invalid read of size 8
==5906==    at 0x9CF9BF9: QTreeWidgetItem::addChild(QTreeWidgetItem*) (in
/usr/lib64/libQtGui.so.4.6.2)
==5906==    by 0x9CFA002: QTreeWidgetItem::QTreeWidgetItem(QTreeWidgetItem*,
int) (in /usr/lib64/libQtGui.so.4.6.2)
==5906==    by 0x5E36DA8:
KMMimePartTreeItem::KMMimePartTreeItem(KMMimePartTreeItem*, partNode*, QString
const&, QString const&, QString const&, unsigned long long, bool)
(kmmimeparttree.cpp:378)
==5906==    by 0x5E7B362: partNode::fillMimePartTree(KMMimePartTreeItem*,
KMMimePartTree*, QString const&, QString const&, QString const&, unsigned long
long, bool) (partNode.cpp:549)
==5906==    by 0x5E69D0B:
KMail::ObjectTreeParser::insertAndParseNewChildNode(partNode&, char const*,
char const*, bool, bool) (objecttreeparser.cpp:232)
==5906==    by 0x5E6DAFF:
KMail::ObjectTreeParser::processMessageRfc822Subtype(partNode*,
KMail::ProcessResult&) (objecttreeparser.cpp:1582)
==5906==    by 0x5E69438: KMail::ObjectTreeParser::parseObjectTree(partNode*)
(objecttreeparser.cpp:318)
==5906==    by 0x5E69754: KMail::ObjectTreeParser::stdChildHandling(partNode*)
(objecttreeparser.cpp:1278)
==5906==    by 0x5E69B03:
KMail::ObjectTreeParser::processMultiPartMixedSubtype(partNode*,
KMail::ProcessResult&) (objecttreeparser.cpp:1291)
==5906==    by 0x5E69438: KMail::ObjectTreeParser::parseObjectTree(partNode*)
(objecttreeparser.cpp:318)
==5906==    by 0x5CECF3F: KMReaderWin::parseMsg(KMMessage*)
(kmreaderwin.cpp:1612)
==5906==    by 0x5CE326F: KMReaderWin::displayMessage() (kmreaderwin.cpp:1536)

==5906==  Address 0x1f2d39c0 is 48 bytes inside a block of size 80 free'd
==5906==    at 0x4C23E3F: operator delete(void*) (vg_replace_malloc.c:342)
==5906==    by 0x9CFD678: QTreeWidgetItem::~QTreeWidgetItem() (in
/usr/lib64/libQtGui.so.4.6.2)
==5906==    by 0x5E38772: KMMimePartTreeItem::~KMMimePartTreeItem()
(kmmimeparttree.h:105)
==5906==    by 0x9CF4BB5: (within /usr/lib64/libQtGui.so.4.6.2)
==5906==    by 0x5E34795: KMMimePartTree::clearAndResetSortOrder()
(kmmimeparttree.cpp:103)
==5906==    by 0x5CE3190: KMReaderWin::displayMessage() (kmreaderwin.cpp:1518)
==5906==    by 0x5CE343F: KMReaderWin::updateReaderWin() (kmreaderwin.cpp:1479)
==5906==    by 0x5CE3D14: KMReaderWin::update(KMail::Interface::Observable*)
(kmreaderwin.cpp:904)
==5906==    by 0x5F08210: KMail::ISubject::notify() (isubject.cpp:33)
==5906==    by 0x5C08BCB: KMMessage::updateBodyPart(QString, QByteArray const&)
(kmmessage.cpp:3185)
==5906==    by 0x5EDFF58: KMail::ImapJob::slotGetMessageResult(KJob*)
(imapjob.cpp:435)
==5906==    by 0x5EE1ADA: KMail::ImapJob::qt_metacall(QMetaObject::Call, int,
void**) (imapjob.moc:88)

If you look closely, displayMessage() is currently running while a callback
enters displayMessage() again. The first thing displayMessage() does is a
clearAndResetSortOrder() which frees the memory the first displayMessage() call
is currently working on -> Boom.

Attached is a proof-of-concept workaround patch.
