Bug#986564: Crash on pool-evolution

Bernhard Übelacker bernhardu at mailbox.org
Tue Apr 20 14:19:44 BST 2021 

Dear Maintainer,
with the help of the dbgsym package the "Code:" line
points to this line [1]:
     0x00007fffebed7f9c in camel_imapx_folder_set_mailbox at ./src/camel/providers/imapx/camel-imapx-folder.c:1371

The function camel_imapx_folder_set_mailbox then points
to this upstream bug report [2].
That also mentions another Debian report #985353, which
shows the same line and instruction offset.

Kind regards,
Bernhard


[1]
     https://sources.debian.org/src/evolution-data-server/3.38.3-1/src/camel/providers/imapx/camel-imapx-folder.c/#L1371
     https://gitlab.gnome.org/GNOME/evolution-data-server/-/blob/master/src/camel/providers/imapx/camel-imapx-folder.c#L1364

[2]
     https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/312

#985353
     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985353
-------------- next part --------------



From submitter:
kernel: [27363.195104] pool-evolution[76405]: segfault at 28 ip 00007f6d1e663f9c sp 00007f6d0b7fd7a0 error 4 in libcamelimapx.so[7f6d1e656000+3b000]
kernel: [27363.195115] Code: c6 e8 78 48 ff ff 48 89 c7 e8 b0 36 ff ff 4c 89 ee 48 89 c7 e8 65 48 ff ff 4c 89 e7 49 89 c5 e8 ba 56 ff ff 85 c0 74 10 89 c6 <49> 3b 75 28 74 08 48 89 ef e8 b6 36 ff ff 48 89 ef be 50 00 00 00


https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash


"error 4" == 0b00000100
    bit 0 ==    0: no page found
    bit 1 ==    0: read access
    bit 2 ==    1: user-mode access


echo -n "find /b ..., ..., 0x" && \
echo "c6 e8 78 48 ff ff 48 89 c7 e8 b0 36 ff ff 4c 89 ee 48 89 c7 e8 65 48 ff ff 4c 89 e7 49 89 c5 e8 ba 56 ff ff 85 c0 74 10 89 c6 <49> 3b 75 28 74 08 48 89 ef e8 b6 36 ff ff 48 89 ef be 50 00 00 00" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'

find /b ..., ..., 0xc6, 0xe8, 0x78, 0x48, 0xff, 0xff, 0x48, 0x89, 0xc7, 0xe8, 0xb0, 0x36, 0xff, 0xff, 0x4c, 0x89, 0xee, 0x48, 0x89, 0xc7, 0xe8, 0x65, 0x48, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0x49, 0x89, 0xc5, 0xe8, 0xba, 0x56, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x89, 0xc6, 0x49, 0x3b, 0x75, 0x28, 0x74, 0x08, 0x48, 0x89, 0xef, 0xe8, 0xb6, 0x36, 0xff, 0xff, 0x48, 0x89, 0xef, 0xbe, 0x50, 0x00, 0x00, 0x00





# single-use Bullseye/testing amd64 qemu VM 2021-04-20

echo "set enable-bracketed-paste off" >> /etc/inputrc; bash

apt update

# to speedup testing
mv /etc/manpath.config /etc/manpath.config.renamed
apt install libeatmydata1
export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libeatmydata.so

apt dist-upgrade
apt install systemd-coredump gdb evolution evolution-dbgsym evolution-data-server-dbgsym





gdb -q
set width 0
set pagination off
file /usr/bin/evolution
tb main
run
call dlopen("/usr/lib/evolution-data-server/camel-providers/libcamelimapx.so",0x102)
info share
find /b 0x00007fffebecda50, 0x00007fffebf044f1, 0xc6, 0xe8, 0x78, 0x48, 0xff, 0xff, 0x48, 0x89, 0xc7, 0xe8, 0xb0, 0x36, 0xff, 0xff, 0x4c, 0x89, 0xee, 0x48, 0x89, 0xc7, 0xe8, 0x65, 0x48, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0x49, 0x89, 0xc5, 0xe8, 0xba, 0x56, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x89, 0xc6, 0x49, 0x3b, 0x75, 0x28, 0x74, 0x08, 0x48, 0x89, 0xef, 0xe8, 0xb6, 0x36, 0xff, 0xff, 0x48, 0x89, 0xef, 0xbe, 0x50, 0x00, 0x00, 0x00
b * (0x7fffebed7f72 + 42)
info b
disassemble camel_imapx_folder_set_mailbox



(gdb) info share
From                To                  Syms Read   Shared Object Library
...
0x00007fffebecda50  0x00007fffebf044f1  Yes         /usr/lib/evolution-data-server/camel-providers/libcamelimapx.so

(gdb) find /b 0x00007fffebecda50, 0x00007fffebf044f1, 0xc6, 0xe8, 0x78, 0x48, 0xff, 0xff, 0x48, 0x89, 0xc7, 0xe8, 0xb0, 0x36, 0xff, 0xff, 0x4c, 0x89, 0xee, 0x48, 0x89, 0xc7, 0xe8, 0x65, 0x48, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0x49, 0x89, 0xc5, 0xe8, 0xba, 0x56, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x89, 0xc6, 0x49, 0x3b, 0x75, 0x28, 0x74, 0x08, 0x48, 0x89, 0xef, 0xe8, 0xb6, 0x36, 0xff, 0xff, 0x48, 0x89, 0xef, 0xbe, 0x50, 0x00, 0x00, 0x00
0x7fffebed7f72 <camel_imapx_folder_set_mailbox+146>
1 pattern found.

(gdb) b * (0x7fffebed7f72 + 42)
Breakpoint 2 at 0x7fffebed7f9c: file ./src/camel/providers/imapx/camel-imapx-folder.c, line 1371.

(gdb) info b
Num     Type           Disp Enb Address            What
2       breakpoint     keep y   0x00007fffebed7f9c in camel_imapx_folder_set_mailbox at ./src/camel/providers/imapx/camel-imapx-folder.c:1371

(gdb) disassemble camel_imapx_folder_set_mailbox
Dump of assembler code for function camel_imapx_folder_set_mailbox:
   0x00007fffebed7ee0 <+0>:     push   %r13
   0x00007fffebed7ee2 <+2>:     push   %r12
   0x00007fffebed7ee4 <+4>:     mov    %rsi,%r12
   0x00007fffebed7ee7 <+7>:     push   %rbp
   0x00007fffebed7ee8 <+8>:     mov    %rdi,%rbp
   0x00007fffebed7eeb <+11>:    call   0x7fffebecc7c0 <camel_imapx_folder_get_type at plt>
   0x00007fffebed7ef0 <+16>:    test   %rbp,%rbp
   0x00007fffebed7ef3 <+19>:    je     0x7fffebed7fd0 <camel_imapx_folder_set_mailbox+240>
   0x00007fffebed7ef9 <+25>:    mov    %rax,%rsi
   0x00007fffebed7efc <+28>:    mov    0x0(%rbp),%rax
   0x00007fffebed7f00 <+32>:    test   %rax,%rax
   0x00007fffebed7f03 <+35>:    je     0x7fffebed7f0a <camel_imapx_folder_set_mailbox+42>
   0x00007fffebed7f05 <+37>:    cmp    %rsi,(%rax)
   0x00007fffebed7f08 <+40>:    je     0x7fffebed7f1a <camel_imapx_folder_set_mailbox+58>
   0x00007fffebed7f0a <+42>:    mov    %rbp,%rdi
   0x00007fffebed7f0d <+45>:    call   0x7fffebecc400 <g_type_check_instance_is_a at plt>
   0x00007fffebed7f12 <+50>:    test   %eax,%eax
   0x00007fffebed7f14 <+52>:    je     0x7fffebed7fd0 <camel_imapx_folder_set_mailbox+240>
   0x00007fffebed7f1a <+58>:    test   %r12,%r12
   0x00007fffebed7f1d <+61>:    je     0x7fffebed7f41 <camel_imapx_folder_set_mailbox+97>
   0x00007fffebed7f1f <+63>:    call   0x7fffebecc780 <camel_imapx_mailbox_get_type at plt>
   0x00007fffebed7f24 <+68>:    mov    %rax,%rsi
   0x00007fffebed7f27 <+71>:    mov    (%r12),%rax
   0x00007fffebed7f2b <+75>:    test   %rax,%rax
   0x00007fffebed7f2e <+78>:    je     0x7fffebed7f35 <camel_imapx_folder_set_mailbox+85>
   0x00007fffebed7f30 <+80>:    cmp    %rsi,(%rax)
   0x00007fffebed7f33 <+83>:    je     0x7fffebed7f50 <camel_imapx_folder_set_mailbox+112>
   0x00007fffebed7f35 <+85>:    mov    %r12,%rdi
   0x00007fffebed7f38 <+88>:    call   0x7fffebecc400 <g_type_check_instance_is_a at plt>
   0x00007fffebed7f3d <+93>:    test   %eax,%eax
   0x00007fffebed7f3f <+95>:    jne    0x7fffebed7f50 <camel_imapx_folder_set_mailbox+112>
   0x00007fffebed7f41 <+97>:    lea    0x2daa8(%rip),%rdx        # 0x7fffebf059f0
   0x00007fffebed7f48 <+104>:   jmp    0x7fffebed7fd7 <camel_imapx_folder_set_mailbox+247>
   0x00007fffebed7f4d <+109>:   nopl   (%rax)
   0x00007fffebed7f50 <+112>:   mov    0x30(%rbp),%rax
   0x00007fffebed7f54 <+116>:   mov    %r12,%rsi
   0x00007fffebed7f57 <+119>:   lea    0x8(%rax),%rdi
   0x00007fffebed7f5b <+123>:   call   0x7fffebecbfe0 <g_weak_ref_set at plt>
   0x00007fffebed7f60 <+128>:   call   0x7fffebecb210 <camel_imapx_summary_get_type at plt>
   0x00007fffebed7f65 <+133>:   mov    %rax,%r13
   0x00007fffebed7f68 <+136>:   call   0x7fffebecd3f0 <camel_folder_get_type at plt>
   0x00007fffebed7f6d <+141>:   mov    %rbp,%rdi
   0x00007fffebed7f70 <+144>:   mov    %rax,%rsi
   0x00007fffebed7f73 <+147>:   call   0x7fffebecc7f0 <g_type_check_instance_cast at plt>
   0x00007fffebed7f78 <+152>:   mov    %rax,%rdi
   0x00007fffebed7f7b <+155>:   call   0x7fffebecb630 <camel_folder_get_folder_summary at plt>
   0x00007fffebed7f80 <+160>:   mov    %r13,%rsi
   0x00007fffebed7f83 <+163>:   mov    %rax,%rdi
   0x00007fffebed7f86 <+166>:   call   0x7fffebecc7f0 <g_type_check_instance_cast at plt>
   0x00007fffebed7f8b <+171>:   mov    %r12,%rdi
   0x00007fffebed7f8e <+174>:   mov    %rax,%r13
   0x00007fffebed7f91 <+177>:   call   0x7fffebecd650 <camel_imapx_mailbox_get_uidvalidity at plt>
   0x00007fffebed7f96 <+182>:   test   %eax,%eax
   0x00007fffebed7f98 <+184>:   je     0x7fffebed7faa <camel_imapx_folder_set_mailbox+202>
   0x00007fffebed7f9a <+186>:   mov    %eax,%esi
   0x00007fffebed7f9c <+188>:   cmp    0x28(%r13),%rsi                                                <<<<<<<<<<<<<<<<<<<<<<<<<<<

   0x00007fffebed7fa0 <+192>:   je     0x7fffebed7faa <camel_imapx_folder_set_mailbox+202>
   0x00007fffebed7fa2 <+194>:   mov    %rbp,%rdi
   0x00007fffebed7fa5 <+197>:   call   0x7fffebecb660 <camel_imapx_folder_invalidate_local_cache at plt>
   0x00007fffebed7faa <+202>:   mov    %rbp,%rdi
   0x00007fffebed7fad <+205>:   mov    $0x50,%esi
   0x00007fffebed7fb2 <+210>:   call   0x7fffebecc7f0 <g_type_check_instance_cast at plt>
   0x00007fffebed7fb7 <+215>:   pop    %rbp
   0x00007fffebed7fb8 <+216>:   lea    0x3217a(%rip),%rsi        # 0x7fffebf0a139
   0x00007fffebed7fbf <+223>:   pop    %r12
   0x00007fffebed7fc1 <+225>:   mov    %rax,%rdi
   0x00007fffebed7fc4 <+228>:   pop    %r13
   0x00007fffebed7fc6 <+230>:   jmp    0x7fffebecb130 <g_object_notify at plt>
   0x00007fffebed7fcb <+235>:   nopl   0x0(%rax,%rax,1)
   0x00007fffebed7fd0 <+240>:   lea    0x2f279(%rip),%rdx        # 0x7fffebf07250
   0x00007fffebed7fd7 <+247>:   pop    %rbp
   0x00007fffebed7fd8 <+248>:   lea    0x2f741(%rip),%rsi        # 0x7fffebf07720 <__func__.11>
   0x00007fffebed7fdf <+255>:   lea    0x2d415(%rip),%rdi        # 0x7fffebf053fb
   0x00007fffebed7fe6 <+262>:   pop    %r12
   0x00007fffebed7fe8 <+264>:   pop    %r13
   0x00007fffebed7fea <+266>:   jmp    0x7fffebecbec0 <g_return_if_fail_warning at plt>
End of assembler dump.




https://sources.debian.org/src/evolution-data-server/3.38.3-1/src/camel/providers/imapx/camel-imapx-folder.c/#L1371
https://gitlab.gnome.org/GNOME/evolution-data-server/-/blob/master/src/camel/providers/imapx/camel-imapx-folder.c#L1364

https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/312
https://bugzilla.redhat.com/show_bug.cgi?id=1914917
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985353

More information about the pkg-gnome-maintainers mailing list