Closed
Bug 230251
Opened 21 years ago
Closed 21 years ago
crash sorting large folder by subject
Categories
(MailNews Core :: Backend, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Bienvenu, Assigned: Bienvenu)
Details
(Keywords: crash)
Attachments
(1 file)
1.04 KB,
patch
|
neil
:
review+
mscott
:
superreview+
|
Details | Diff | Splinter Review |
I suspect this was caused by the sort optimization Neil made (or exposed by it, at least). Purify reports the following: [E] ABW: Array bounds write in memcpy {1 occurrence} Writing 203 bytes to 0x16b6b430 (43 bytes at 0x16b6b4d0 illegal) Address 0x16b6b430 is 16 bytes into a 176 byte block at 0x16b6b420 Address 0x16b6b430 points to a malloc'd block in heap 0x02440000 Thread ID: 0x860 Error location memcpy [memcpy.asm:109] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3496] info->folder = curFolder; } => memcpy(info->key, keyValue, actualFieldLen); //In order to align memory for systems that require it, such as HP-UX //calculate the correct value to pad the actualFieldLen value const PRUint32 align = sizeof(IdKey) - sizeof(IdDWord) - 1; nsMsgThreadedDBView::Sort(int,int) [nsMsgThreadedDBView.cpp:346] [E] ABW: Array bounds write in memcpy {1 occurrence} Writing 203 bytes to 0x16b6b430 (43 bytes at 0x16b6b4d0 illegal) Address 0x16b6b430 is 16 bytes into a 176 byte block at 0x16b6b420 Address 0x16b6b430 points to a malloc'd block in heap 0x02440000 Thread ID: 0x860 Error location memcpy [memcpy.asm:109] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3496] info->folder = curFolder; } => memcpy(info->key, keyValue, actualFieldLen); //In order to align memory for systems that require it, such as HP-UX //calculate the correct value to pad the actualFieldLen value const PRUint32 align = sizeof(IdKey) - sizeof(IdDWord) - 1; nsMsgThreadedDBView::Sort(int,int) [nsMsgThreadedDBView.cpp:346] Allocation location malloc [dbgheap.c:129] PR_Malloc [prmem.c:474] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3470] if ((PRUint32)(pTemp - pBase) + (keyOffset + actualFieldLen) >= allocSize) { maxSize = (keyOffset + maxLen) * (arraySize - numSoFar); allocSize = PR_MIN(maxBlockSize, maxSize); => pTemp = (char *) PR_Malloc(allocSize); NS_ASSERTION(pTemp, "out of memory, can't sort"); if (!pTemp) {
Assignee | ||
Comment 1•21 years ago
|
||
note this happens on my bug notification folder, which has 2000 messages, most with long subjects. Sorting this folder by sender, or other folders by subject, doesn't cause a crash.
Severity: normal → critical
Keywords: crash
Comment 2•21 years ago
|
||
Could it be that this folder has one too many messages to sort in a single block, so it allocates a new block for the last subject, but uses the default allocation size, whereas the subject is actually longer than that? I think that the old code could have suffered from the problem as well, you were just lucky that the boundaries were different in your case, here's the old code: maxSize = (PRUint32)(maxLen + sizeof(EntryInfo) + 1) * (PRUint32)(arraySize - numSoFar); maxBlockSize = (PRUint32) 0xf000L; allocSize = PR_MIN(maxBlockSize, maxSize); and for comparison the new code: maxSize = (keyOffset + maxLen) * (arraySize - numSoFar); allocSize = PR_MIN(maxBlockSize, maxSize); keyOffset is my equivalent of sizeof(EntryInfo) - I could restore the + 1 if you thought it would help, but I think the real fix is to calculate the max size based on the maximum of the default size and the current item's size, i.e. maxSize = (keyOffset + PR_MAX(actualFieldLen, maxLen)) * (arraySize - numSoFar); This guarantees that you allocate enough memory when numSoFar == 1.
Assignee | ||
Comment 3•21 years ago
|
||
Neil, yes, that's what's going on, and the fix is to calculate the max size correctly. I think the reason this isn't usually a problem is because collation keys usually are shorter than our default max len for subject strings.
Assignee | ||
Comment 4•21 years ago
|
||
make sure alloc'd block is big enough for the current field. Subsequent fields will be handled by the existing overflow check.
Comment 5•21 years ago
|
||
Comment on attachment 138518 [details] [diff] [review] proposed fix Yeah, that's a better idea.
Attachment #138518 -
Flags: review+
Updated•21 years ago
|
Attachment #138518 -
Flags: superreview+
Assignee | ||
Comment 6•21 years ago
|
||
fixed
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•20 years ago
|
Product: MailNews → Core
Updated•16 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•