Closed Bug 214176 Opened 22 years ago Closed 22 years ago

Crash Opening Mail/News Component

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jay, Assigned: brendan)

References

Details

(Keywords: crash, fixed1.4.1)

Attachments

(2 files)

Stack from a crash on Solaris
3.70 KB, text/plain
Details
fix for the jsscope.c overlarge allocation bug
3.94 KB, patch
brendan
: review+
asa
: approval1.4.1+
Details | Diff | Splinter Review
Win98SE Build 2003072804 1.5b Trunk Opening mail/news causes crash in KERNEL32.DLL 100% reproducible
talkback ID=TB22263310Z
Summary: Crash Opening Mail/News Component → Crash Opening Mail/News Component
I get a hang here on Solaris with today's CVS build when opening the Mail/News component. Rebuilding with Debug on and will provide a stack asap.
Win98SE PC Stack Trace http://www.ufaq.org/mailnewscrash.txt
Here's a nicer UNIX stack. Looks like some sort of memory freeing that's perhaps not allocated (or double free ?) Note, jsscope.c was checked in by brendan onthe 26th so some possibility to be the cause of this.
shouldn't jsscope.c:339 be nbytes = newsize * sizeof(JSScopeProperty *);
I recompiled with my recommended fix and it seems to be working now. Brendan can you confirm/deny the fix pls.
The stack indicates heap corruption, not the bug Mitch found (thanks!) where the new table is over-large. I'm fixing the newsize computation bug Mitch found, but I wonder if there isn't still an impurity somewhere (not clear where) that various malloc callers will still trip over. /be
Lost all my email settings mailboxes, and browser bookmarks. Talkback IDs TB22269547E, TB22269532H. Marking DATALOSS and elevating to Blocker
Severity: critical → blocker
Keywords: dataloss
I take that back. Inadvertently changed profile when restarting, panicked and thought I'd lost all my settings. No dataloss, but DOES crash 100% of the time. I'll leave the blocker.
Keywords: dataloss
But again, this fix seems to me only to hide the impurity, if it makes the crash go away. Without this fix, scope tables that grow or shrink are oversized by a factor of seven. It seems as though that changes the layout of memory enough to cause (or to make more likely) the crash. /be
Comment on attachment 128731 [details] [diff] [review] fix for the jsscope.c overlarge allocation bug This is a non-minimal change. I wondered why I wasn't using the SCOPE_TABLE_SIZE macro, and noticed it wasn't used anywhere. I renamed it and used it to scale consistently throughout. /be
Attachment #128731 - Flags: review?(Mitch)
The followup change to jsscript.c for bug 208030, now backed out in its essential part, may be the cause of this impurity being exposed. Or it may have been the cause of the impurity, period. If someone can retest with an up to date js/src/jsscript.c and verify that the bug here can't be reproduced, with or without my patch attachment 128731 [details] [diff] [review], then I would like to close this bug as a dup of 208030. But I'd like to get the patch in -- Mitch found a real footprint bloat bug, due to a stupid almost-typo (the sizeof(JSScopeProperty) rather than sizeof(JSScopeProperty *) dates from an old version of the jsscope.c code that didn't have a property tree in which to share JSScopeProperty structs, pointed at by many scope hash table entries). /be
Assignee: sspitzer → brendan
Keywords: crash
Brendan, looks fine to me. I can't retest till tomorrow (since i'm at home) on Solaris, but seems to do the right thing by using the macro.
Checked in. I think the crash was a dup of 208030, but I'm just going to close this, since it did turn up a different bug and capture a reviewed patch. /be
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Proposing for 1.4.1. /be
Flags: blocking1.4.x?
Comment on attachment 128731 [details] [diff] [review] fix for the jsscope.c overlarge allocation bug This patch applies with some hunk offset slop to 1.4.1. I have an exact patch created via cvs up -j that I'll check in, if it is approved. /be
Attachment #128731 - Flags: review?(Mitch)
Attachment #128731 - Flags: review+
Attachment #128731 - Flags: approval1.4.x?
Comment on attachment 128731 [details] [diff] [review] fix for the jsscope.c overlarge allocation bug a=asa (on behalf of drivers) for checkin to the 1.4 branch.
Attachment #128731 - Flags: approval1.4.x? → approval1.4.x+
Fixed on the 1.4 branch. /be
Keywords: fixed1.4.1
Flags: blocking1.4.x?
Blocks: 224532
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: