Re: mutt_free_header -> free -> mutt_sort_headers -> segfault

[Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>]

Mh.  I can't reproduce the first thing without efence; looks like I
have to install that.  The second segfault, though, looks like it
should be reproducible without (NULL pointer deference), and I don't
get that one, either.

Can you confirm whether the second problem is reproducible without
efence?  Also, what optimization settings are you using?

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.






On 2003-11-04 17:02:47 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> From: q4xk3j002@xxxxxxxxxxxxxx
> To: mutt-dev@xxxxxxxx
> Date: 4 Nov 2003 17:02:47 -0000
> Subject: Re: mutt_free_header -> free -> mutt_sort_headers -> segfault
> X-Spam-Level: 
> 
> ok, should be easy to reproduce.
> seems like you have to enable thread sorting and
> have  return-path: <>
> 
> $ cd /tmp
> 
> $ muttrc
> set delete=yes
> mailboxes "/tmp/mutttest"
> set sort=threads
> 
> $ maildirmake mutttest
> 
> $ gdb /usr/local/src/mutt/mutt
> (gdb) efe
> (gdb) run -F /tmp/muttrc -f /tmp/mutttest
> 
> ( commands starting with $ executed in another shell )
> 
> $ printf 'return-path: <>\nsubject: barbar\nmessage-id: <001@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [enter] [q] [d] [$]
> 
> $ printf 'return-path: <>\nsubject: barbar\nmessage-id: <002@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [enter] [q] [d] [$]
> 
> $ printf 'return-path: <>\nsubject: barbar\nmessage-id: <003@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [crash'n'burn]
> 
> Sorting mailbox...                                                            
>                  
> (gdb) print *ctx
> $1 = {path = 0x41202ff0 "/tmp/mutttest", fp = 0x0, mtime = 1067963800, 
>   mtime_cur = 1067962089, size = 58, vsize = 0, pattern = 0x0, limit_pattern 
> = 0x0, 
>   hdrs = 0x4129af9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x412a9ff8, 
>   thread_hash = 0x412a1ff8, v2r = 0x4129df9c, hdrmax = 25, msgcount = 1, 
> vcount = 1, 
>   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = 
> -1, data = 0x0, 
>   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 
> 0, quiet = 0, 
>   collapsed = 0, closing = 0}
> (gdb) print *cur
> $2 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 
> 0, 
>   attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 
> 0, 
>   subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, 
> active = 0, 
>   trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 
> 0, 
>   collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0, 
> date_sent = 0, 
>   received = 0, offset = 0, lines = 0, index = 0, msgno = 0, virtual = 0, 
> score = 0, 
>   env = 0x41429fbc, content = 0x4142dfbc, 
>   path = 0x4141afd0 "new/1067963810.8072859724.safari.finland.fbi", tree = 
> 0x0, thread = 0x0, 
>   chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> (gdb) print *cur->env
> $3 = {return_path = 0x41431ff0, from = 0x0, to = 0x0, cc = 0x0, bcc = 0x0, 
> sender = 0x0, 
>   reply_to = 0x0, mail_followup_to = 0x0, subject = 0x4143bff8 "barbar", 
>   real_subj = 0x4143bff8 "barbar", message_id = 0x41437ff0 "<003@invalid>", 
> supersedes = 0x0, 
>   date = 0x0, x_label = 0x0, references = 0x0, in_reply_to = 0x0, userhdrs = 
> 0x0}
> 
> 
> OR another way to crash, with different subjects
> 
> $ printf 'return-path: <>\nsubject: barbar001\nmessage-id: <000@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [enter] [q] [d] [$]
> 
> $ printf 'return-path: <>\nsubject: barbar002\nmessage-id: <001@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [enter] [q] [d] [$]
> 
> $ printf 'return-path: <>\nsubject: barbar003\nmessage-id: <002@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [enter] [q] [d] [$]
> 
> $ printf 'return-path: <>\nsubject: barbar004\nmessage-id: <003@invalid>\n' |
> safecat mutttest/tmp mutttest/new
> 
> [tab] [crash'n'burn]
>  
> 
> ---Mutt: /tmp/mutttest 
> [Msgs:0]---(threads/date)---------------------------------------(all)---
> Sorting mailbox...                                                            
>                  
> Program received signal SIGSEGV, Segmentation fault.
> 0x080b38db in mutt_sort_subthreads (thread=0x0, init=0) at thread.c:597
> 597         if (init || !thread->sort_key)
> (gdb) bt
> #0  0x080b38db in mutt_sort_subthreads (thread=0x0, init=0) at thread.c:597
> #1  0x080b43f9 in mutt_sort_threads (ctx=0x8152f38, init=0) at thread.c:950
> #2  0x080b12e2 in mutt_sort_headers (ctx=0x8152f38, init=0) at sort.c:234
> #3  0x0806319c in update_index (menu=0x8154b10, ctx=0x8152f38, check=1, 
> oldcount=0, 
>     index_hint=0) at curs_main.c:313
> #4  0x080637f7 in mutt_index_menu () at curs_main.c:488
> #5  0x080802c1 in main (argc=5, argv=0xbfffea84) at main.c:907
> #6  0x40213907 in __libc_start_main () from /lib/libc.so.6
> (gdb) frame 3
> #3  0x0806319c in update_index (menu=0x8154b10, ctx=0x8152f38, check=1, 
> oldcount=0, 
>     index_hint=0) at curs_main.c:313
> 313       mutt_sort_headers (Context, (check == M_REOPENED));
> (gdb) print *ctx
> $1 = {path = 0x8154a90 "/tmp/mutttest", fp = 0x0, mtime = 1067964007, 
> mtime_cur = 1067962089, 
>   size = 61, vsize = 0, pattern = 0x0, limit_pattern = 0x0, hdrs = 0x8155c40, 
> tree = 0x0, 
>   id_hash = 0x0, subj_hash = 0x8155b20, thread_hash = 0x8155af0, v2r = 
> 0x8155a88, 
>   hdrmax = 25, msgcount = 1, vcount = 1, tagged = 0, new = 1, unread = 1, 
> deleted = 0, 
>   flagged = 0, msgnotreadyet = -1, data = 0x0, magic = 4, locked = 0, changed 
> = 0, 
>   readonly = 0, dontwrite = 0, append = 0, quiet = 0, collapsed = 0, closing 
> = 0}
> (gdb) 
>