[Mail] crashes in BTwoDimensionalLayout::CompoundLayouter::InvalidateLayout ()

[diver]

Start Mail->Edit->Preferences
Reply preamble-> select "[] - newline" and click Cancel

Thread 1246 caused an exception: Segment violation
Reading symbols from /boot/system/runtime_loader...done.
Loaded symbols for /boot/system/runtime_loader
Reading symbols from /boot/system/lib/libbe.so...done.
Loaded symbols for /boot/system/lib/libbe.so
Reading symbols from /boot/system/lib/libtracker.so...done.
Loaded symbols for /boot/system/lib/libtracker.so
Reading symbols from /boot/system/lib/libstdc++.r4.so...done.
Loaded symbols for /boot/system/lib/libstdc++.r4.so
Reading symbols from /boot/system/lib/liblocale.so...done.
Loaded symbols for /boot/system/lib/liblocale.so
Reading symbols from /boot/system/lib/libmail.so...done.
Loaded symbols for /boot/system/lib/libmail.so
Reading symbols from /boot/system/lib/libtextencoding.so...done.
Loaded symbols for /boot/system/lib/libtextencoding.so
Reading symbols from /boot/system/lib/libroot.so...done.
Loaded symbols for /boot/system/lib/libroot.so
Reading symbols from /boot/system/lib/libtranslation.so...done.
Loaded symbols for /boot/system/lib/libtranslation.so
Reading symbols from /boot/system/lib/libicu-common.so.4.2...done.
Loaded symbols for /boot/system/lib/libicu-common.so.4.2
Reading symbols from /boot/system/lib/libicu-i18n.so.4.2...done.
Loaded symbols for /boot/system/lib/libicu-i18n.so.4.2
Reading symbols from /boot/system/lib/libnetwork.so...done.
Loaded symbols for /boot/system/lib/libnetwork.so
Reading symbols from /boot/system/lib/libicu-data.so.4.2...done.
Loaded symbols for /boot/system/lib/libicu-data.so.4.2
Reading symbols from /boot/system/add-ons/locale/catalogs/plaintext...done.
Loaded symbols for /boot/system/add-ons/locale/catalogs/plaintext
Reading symbols from /boot/system/add-ons/locale/catalogs/zeta...done.
Loaded symbols for /boot/system/add-ons/locale/catalogs/zeta
[tcsetpgrp failed in terminal_inferior: Invalid Argument]
[Switching to team /boot/system/apps/Mail (1234) thread w>Mail preferences (1246)]
0x003f7e1e in BTwoDimensionalLayout::CompoundLayouter::InvalidateLayout ()
   from /boot/system/lib/libbe.so
(gdb) bt
#0  0x003f7e1e in BTwoDimensionalLayout::CompoundLayouter::InvalidateLayout ()
   from /boot/system/lib/libbe.so
#1  0x003f8464 in BTwoDimensionalLayout::VerticalCompoundLayouter::InvalidateLayout () from /boot/system/lib/libbe.so
#2  0x003f8c95 in BTwoDimensionalLayout::LocalLayouter::InvalidateLayout ()
   from /boot/system/lib/libbe.so
#3  0x003f77f0 in BTwoDimensionalLayout::InvalidateLayout ()
   from /boot/system/lib/libbe.so
#4  0x00403e5e in BView::InvalidateLayout () from /boot/system/lib/libbe.so
#5  0x0040250b in BView::_RemoveSelf () from /boot/system/lib/libbe.so
#6  0x00398580 in BLayout::RemoveItem () from /boot/system/lib/libbe.so
#7  0x0039847a in BLayout::RemoveView () from /boot/system/lib/libbe.so
#8  0x00402429 in BView::RemoveSelf () from /boot/system/lib/libbe.so
#9  0x003fadfa in BView::~BView () from /boot/system/lib/libbe.so
#10 0x003922ac in BGroupView::~BGroupView () from /boot/system/lib/libbe.so
#11 0x003fae3f in BView::~BView () from /boot/system/lib/libbe.so
#12 0x004075df in BWindow::~BWindow () from /boot/system/lib/libbe.so
#13 0x0025f386 in TPrefsWindow::~TPrefsWindow ()
#14 0x003479b6 in BLooper::Quit () from /boot/system/lib/libbe.so
#15 0x00407d5e in BWindow::Quit () from /boot/system/lib/libbe.so
#16 0x0025fce4 in TPrefsWindow::MessageReceived ()
#17 0x0034754f in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#18 0x0040aaad in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#19 0x0040ec40 in BWindow::task_looper () from /boot/system/lib/libbe.so
---Type <return> to continue, or q <return> to quit---
#20 0x00348aab in BLooper::_task0_ () from /boot/system/lib/libbe.so
#21 0x008cffe6 in thread_entry () from /boot/system/lib/libroot.so
#22 0x70102fec in ?? ()
(gdb)

Sometimes it crashes with different backtraces.
Tested with hrev35982 in VirtualBox 3.0.12

[bonefish]

The layout API seems innocent in this regard. When running Mail with "LD_PRELOAD=libroot_debug.so" it already crashes when changing the "Reply preamble":

Thread 223 called debugger(): leak check info has invalid size 6647401 for element
size 16, probably memory has been overwritten past allocation size
[...]
[Switching to team /boot/system/apps/Mail (208) thread w>Mail preferences (223)]
0xffff0114 in ?? ()
(gdb) bt
#0  0xffff0114 in ?? ()
#1  0x002253f3 in debugger () from /boot/system/lib/libroot_debug.so
#2  0x00295a2a in panic () from /boot/system/lib/libroot_debug.so
#3  0x0029678b in heap_free () from /boot/system/lib/libroot_debug.so
#4  0x00296dcf in free () from /boot/system/lib/libroot_debug.so
#5  0x004a4326 in BPrivate::_BTextInput_::InsertText ()
   from /boot/system/lib/libbe.so
#6  0x004a79ec in BTextView::_DoInsertText () from /boot/system/lib/libbe.so
#7  0x004ac27e in BTextView::Insert () from /boot/system/lib/libbe.so
#8  0x00349a03 in TPrefsWindow::MessageReceived ()
#9  0x0040f935 in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#10 0x004c713a in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#11 0x004c2a61 in BWindow::task_looper () from /boot/system/lib/libbe.so
#12 0x00411146 in BLooper::_task0_ () from /boot/system/lib/libbe.so
#13 0x00229100 in thread_entry () from /boot/system/lib/libroot_debug.so
#14 0x70102fec in ?? ()

[zooey]

Unable to reproduce in hrev38006 (which fixed a similar bug) - closing.