
GpgOL: Crash when switching from calendar back to mailview
Closed, Resolved · Public

Description

Reported by a customer; for at least one user it is 100% reproducible with standard Addins enabled. I was able to live view the crashes, but I can't reproduce it on our current Outlook test versions, and the state is complicated to say the least.

Outlook 16.0.0.10404 with GpgOL 2.5.9

The problem appears to be that the mail is deconstructed _within_ the get_mail_from_control call. That leads to the crash in the end, since we end up with a dangling pointer to a non-existing Mail object, and when we then go to inquire the signature state of it, we crash. The underlying reason is that the MailItem in question is unloaded within the get_mail_from_control call, which might be an indication of a double release somewhere earlier in the code.

  • We are destructing the Mailobject. But after the destruction there is still a reference to:

    13:43:31/8076/DBG_MEM/0000012257acb990:_MailItem : 1

^ This is still from get_mail_from_control

But the Mail was destroyed:

13:43:31/8076/DBG_MEM/Mail : 0

13:43:31/8076/DBG_OOM/mail.cpp:~Mail: releasing mailitem
13:43:31/8076/DBG_MEM/mail.cpp:~Mail:233: Object: 0000012257ac86f0 released ref: 0 
13:43:31/8076/DBG_OOM/mail.cpp:~Mail: destroyed: 00000122614a1ea0 uuid: 8982732c-0423-4f67-9a2f-7bdc131a4e44
13:43:31/8076/DBG_OOM/mail.cpp:~Mail: nulling shared pointer
13:43:31/8076/TRACE/parsecontroller.cpp:~ParseController:150 enter
13:43:31/8076/parsecontroller.cpp:~ParseController
13:43:31/8076/TRACE/mimedataprovider.cpp:~MimeDataProvider:722 enter
13:43:31/8076/mimedataprovider.cpp:~MimeDataProvider
13:43:31/8076/mimedataprovider.cpp: rfc822 event Close
13:43:31/8076/TRACE/mimedataprovider.cpp:~MimeDataProvider:741: return
13:43:31/8076/attachment.cpp:~Attachment
13:43:31/8076/TRACE/mimedataprovider.cpp:~MimeDataProvider:722 enter
13:43:31/8076/mimedataprovider.cpp:~MimeDataProvider
13:43:31/8076/mimedataprovider.cpp: rfc822 event Close
13:43:31/8076/TRACE/mimedataprovider.cpp:~MimeDataProvider:741: return
13:43:31/8076/TRACE/parsecontroller.cpp:~ParseController:155: return
13:43:31/8076/TRACE/mail.cpp:releaseCurrentItem:4837 enter
13:43:31/8076/TRACE/mail.cpp:releaseCurrentItem:4840: return
13:43:31/8076/TRACE/mail.cpp:~Mail:259: lock 000000006b27e340 unlock.
13:43:31/8076/DBG_OOM/mail.cpp:~Mail: returning
13:43:31/8076/TRACE/mail.cpp:~Mail:262: return
13:43:31/8076/DBG_OOM/mailitem-events.cpp:Invoke: deletion done
13:43:31/8076/DBG_MEM/------------------------------MEMORY DUMP----------------------------------
13:43:31/8076/DBG_MEM/-- C++ Objects --
13:43:31/8076/DBG_MEM/ParseController	: 0
13:43:31/8076/DBG_MEM/Attachment	: 0
13:43:31/8076/DBG_MEM/MimeDataProvider	: 0
13:43:31/8076/DBG_MEM/Mail	: 0
13:43:31/8076/DBG_MEM/-- C++ End --
13:43:31/8076/DBG_MEM/-- OL Objects --
13:43:31/8076/DBG_MEM/0000012257acb990:_MailItem	: 1
13:43:31/8076/DBG_MEM/00000122614f7520:ansi_charset_to_utf8	: 1
13:43:31/8076/DBG_MEM/000001225c14dc48:install_ApplicationEvents_sink	: 1
13:43:31/8076/DBG_MEM/0000012261488860:install_ExplorersEvents_sink	: 1
13:43:31/8076/DBG_MEM/000001225bcc8780:_Application	: 2
13:43:31/8076/DBG_MEM/000001225c2b1ca0:_Explorer	: 1
13:43:31/8076/DBG_MEM/00000122614393e0:install_ApplicationEvents_sink	: 1
13:43:31/8076/DBG_MEM/000001225c2b1020:_Explorers	: 1
13:43:31/8076/DBG_MEM/0000012261439440:install_ExplorerEvents_sink	: 1
13:43:31/8076/DBG_MEM/000001225c14d858:install_ExplorerEvents_sink	: 1
13:43:31/8076/DBG_MEM/000001225c2234c0:Picture	: 1
13:43:31/8076/DBG_MEM/000001225c058f60:MAPIFolder	: 1
13:43:31/8076/DBG_MEM/000001225be52608:install_FolderEvents_sink	: 1
13:43:31/8076/DBG_MEM/00000122614a12a0:install_FolderEvents_sink	: 1
13:43:31/8076/DBG_MEM/000001225c14da18:install_ExplorersEvents_sink	: 1
13:43:31/8076/DBG_MEM/-- OL End --
13:43:31/8076/DBG_MEM/-- Allocated Addresses --
13:43:31/8076/DBG_MEM/windowmessages.cpp:do_in_ui_thread_async:616: 000001226146f2b0
13:43:31/8076/DBG_MEM/windowmessages.cpp:do_in_ui_thread_async:616: 00000122614aed90
13:43:31/8076/DBG_MEM/w32-gettext.cpp:load_domain:1378: 000001226145ad10
13:43:31/8076/DBG_MEM/w32-gettext.cpp:load_domain:1410: 00000122519b7470
13:43:31/8076/DBG_MEM/w32-gettext.cpp:load_domain:1345: 0000012261470a40
13:43:31/8076/DBG_MEM/-- Allocated Addresses End --
13:43:31/8076/DBG_MEM/------------------------------MEMORY END ----------------------------------
13:43:31/8076/TRACE/mailitem-events.cpp:Invoke:910: return
13:43:31/8076/DBG_MEM/ribbon-callbacks.cpp:get_mail_from_control:561: Object: 0000012257acb990 released ref: 0 
13:43:31/8076/TRACE/mail.cpp:getCryptoSummary:3494 enter
13:43:31/8076/TRACE/mail.cpp:get_signature_level:3851 enter

Event Timeline

aheinecke created this task.

The issue was obvious but I looked at the wrong place. I looked for a ref counting error but the issue was that the control only returned a temporary pointer that had exactly one reference.

So:
13:43:31/8076/DBG_MEM/ribbon-callbacks.cpp:get_mail_from_control:561: Object: 0000012257acb990 released ref: 0

^ means that it triggered the destruction of the Mail object above.

13:43:31/8076/TRACE/mail.cpp:getCryptoSummary:3494 enter
13:43:31/8076/TRACE/mail.cpp:get_signature_level:3851 enter

^ Then it still jumps into mail code. But this is now released memory, causing the crash.

Since this is hard / impossible to test for, but the fix was obvious, I am closing this directly. The fix for this is in GpgOL 2.5.12.
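
The sequence in the log above, as an added example that is not GpgOL code and not the fix that shipped in 2.5.12: a constructed C++ model in which a COM-style item is handed out with exactly one reference, its last `Release()` destroys the associated `Mail` wrapper, and the caller still holds the raw `Mail` pointer. The names `MailItem`, `g_live`, `is_live` and both `signature_level_*` functions are hypothetical; a live-object registry stands in for the dereference so the stale pointer is detected rather than read.

```cpp
#include <cstdio>
#include <set>

// Constructed model, not GpgOL code: registry of Mail wrappers still alive.
static std::set<const void *> g_live;

struct Mail {
    int sig_level = 2;                 // constructed sample value
    Mail()  { g_live.insert(this); }
    ~Mail() { g_live.erase(this); }
};

// COM-style item: the control hands out a temporary with one reference.
struct MailItem {
    int refs = 1;
    Mail *wrapper;
    explicit MailItem(Mail *m) : wrapper(m) {}
    void Release() {
        if (--refs == 0) {             // last reference: unload destroys the wrapper
            delete wrapper;
            delete this;
        }
    }
};

static bool is_live(const Mail *m) { return g_live.count(m) != 0; }

// Ordering seen in the log: release the temporary, then go into mail code.
// Returns -1 at the point where the real code would read freed memory.
int signature_level_release_first() {
    Mail *mail = new Mail;
    MailItem *item = new MailItem(mail);
    item->Release();                   // refs 1 -> 0, ~Mail runs inside this call
    return is_live(mail) ? mail->sig_level : -1;
}

// One safe ordering (an assumption, not the project's patch): finish with
// the Mail while the reference is still held, release afterwards.
int signature_level_release_last() {
    Mail *mail = new Mail;
    MailItem *item = new MailItem(mail);
    int level = is_live(mail) ? mail->sig_level : -1;
    item->Release();
    return level;
}

int main() {
    std::printf("release first: %d\n", signature_level_release_first());
    std::printf("release last:  %d\n", signature_level_release_last());
}
```
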