Re: mutt_free_header -> free -> mutt_sort_headers -> segfault
ok, should be easy to reproduce.
seems like you have to enable thread sorting and
have return-path: <>
$ cd /tmp
$ muttrc
set delete=yes
mailboxes "/tmp/mutttest"
set sort=threads
$ maildirmake mutttest
$ gdb /usr/local/src/mutt/mutt
(gdb) efe
(gdb) run -F /tmp/muttrc -f /tmp/mutttest
( commands starting with $ executed in another shell )
$ printf 'return-path: <>\nsubject: barbar\nmessage-id: <001@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [enter] [q] [d] [$]
$ printf 'return-path: <>\nsubject: barbar\nmessage-id: <002@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [enter] [q] [d] [$]
$ printf 'return-path: <>\nsubject: barbar\nmessage-id: <003@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [crash'n'burn]
Sorting mailbox...
(gdb) print *ctx
$1 = {path = 0x41202ff0 "/tmp/mutttest", fp = 0x0, mtime = 1067963800,
  mtime_cur = 1067962089, size = 58, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
  hdrs = 0x4129af9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x412a9ff8,
  thread_hash = 0x412a1ff8, v2r = 0x4129df9c, hdrmax = 25, msgcount = 1, vcount = 1,
  tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
  magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
  collapsed = 0, closing = 0}
(gdb) print *cur
$2 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 0,
  attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0,
  subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, active = 0,
  trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 0,
  collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0, date_sent = 0,
  received = 0, offset = 0, lines = 0, index = 0, msgno = 0, virtual = 0, score = 0,
  env = 0x41429fbc, content = 0x4142dfbc,
  path = 0x4141afd0 "new/1067963810.8072859724.safari.finland.fbi", tree = 0x0, thread = 0x0,
  chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
(gdb) print *cur->env
$3 = {return_path = 0x41431ff0, from = 0x0, to = 0x0, cc = 0x0, bcc = 0x0, sender = 0x0,
  reply_to = 0x0, mail_followup_to = 0x0, subject = 0x4143bff8 "barbar",
  real_subj = 0x4143bff8 "barbar", message_id = 0x41437ff0 "<003@invalid>", supersedes = 0x0,
  date = 0x0, x_label = 0x0, references = 0x0, in_reply_to = 0x0, userhdrs = 0x0}
OR another way to crash, with different subjects
$ printf 'return-path: <>\nsubject: barbar001\nmessage-id: <000@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [enter] [q] [d] [$]
$ printf 'return-path: <>\nsubject: barbar002\nmessage-id: <001@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [enter] [q] [d] [$]
$ printf 'return-path: <>\nsubject: barbar003\nmessage-id: <002@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [enter] [q] [d] [$]
$ printf 'return-path: <>\nsubject: barbar004\nmessage-id: <003@invalid>\n' |
safecat mutttest/tmp mutttest/new
[tab] [crash'n'burn]
---Mutt: /tmp/mutttest [Msgs:0]---(threads/date)---------------------------------------(all)---
Sorting mailbox...
Program received signal SIGSEGV, Segmentation fault.
0x080b38db in mutt_sort_subthreads (thread=0x0, init=0) at thread.c:597
597 if (init || !thread->sort_key)
(gdb) bt
#0 0x080b38db in mutt_sort_subthreads (thread=0x0, init=0) at thread.c:597
#1 0x080b43f9 in mutt_sort_threads (ctx=0x8152f38, init=0) at thread.c:950
#2 0x080b12e2 in mutt_sort_headers (ctx=0x8152f38, init=0) at sort.c:234
#3 0x0806319c in update_index (menu=0x8154b10, ctx=0x8152f38, check=1, oldcount=0, index_hint=0) at curs_main.c:313
#4 0x080637f7 in mutt_index_menu () at curs_main.c:488
#5 0x080802c1 in main (argc=5, argv=0xbfffea84) at main.c:907
#6 0x40213907 in __libc_start_main () from /lib/libc.so.6
(gdb) frame 3
#3 0x0806319c in update_index (menu=0x8154b10, ctx=0x8152f38, check=1, oldcount=0, index_hint=0) at curs_main.c:313
313 mutt_sort_headers (Context, (check == M_REOPENED));
(gdb) print *ctx
$1 = {path = 0x8154a90 "/tmp/mutttest", fp = 0x0, mtime = 1067964007, mtime_cur = 1067962089,
  size = 61, vsize = 0, pattern = 0x0, limit_pattern = 0x0, hdrs = 0x8155c40, tree = 0x0,
  id_hash = 0x0, subj_hash = 0x8155b20, thread_hash = 0x8155af0, v2r = 0x8155a88,
  hdrmax = 25, msgcount = 1, vcount = 1, tagged = 0, new = 1, unread = 1, deleted = 0,
  flagged = 0, msgnotreadyet = -1, data = 0x0, magic = 4, locked = 0, changed = 0,
  readonly = 0, dontwrite = 0, append = 0, quiet = 0, collapsed = 0, closing = 0}
(gdb)