Closed Bug 230251 Opened 21 years ago Closed 21 years ago

crash sorting large folder by subject

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: Bienvenu, Assigned: Bienvenu)

Details

(Keywords: crash)

Attachments

(1 file)

proposed fix
1.04 KB, patch
neil
: review+
mscott
: superreview+
Details | Diff | Splinter Review
I suspect this was caused by the sort optimization Neil made (or exposed by it, at least). Purify reports the following: [E] ABW: Array bounds write in memcpy {1 occurrence} Writing 203 bytes to 0x16b6b430 (43 bytes at 0x16b6b4d0 illegal) Address 0x16b6b430 is 16 bytes into a 176 byte block at 0x16b6b420 Address 0x16b6b430 points to a malloc'd block in heap 0x02440000 Thread ID: 0x860 Error location memcpy [memcpy.asm:109] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3496] info->folder = curFolder; } => memcpy(info->key, keyValue, actualFieldLen); //In order to align memory for systems that require it, such as HP-UX //calculate the correct value to pad the actualFieldLen value const PRUint32 align = sizeof(IdKey) - sizeof(IdDWord) - 1; nsMsgThreadedDBView::Sort(int,int) [nsMsgThreadedDBView.cpp:346] [E] ABW: Array bounds write in memcpy {1 occurrence} Writing 203 bytes to 0x16b6b430 (43 bytes at 0x16b6b4d0 illegal) Address 0x16b6b430 is 16 bytes into a 176 byte block at 0x16b6b420 Address 0x16b6b430 points to a malloc'd block in heap 0x02440000 Thread ID: 0x860 Error location memcpy [memcpy.asm:109] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3496] info->folder = curFolder; } => memcpy(info->key, keyValue, actualFieldLen); //In order to align memory for systems that require it, such as HP-UX //calculate the correct value to pad the actualFieldLen value const PRUint32 align = sizeof(IdKey) - sizeof(IdDWord) - 1; nsMsgThreadedDBView::Sort(int,int) [nsMsgThreadedDBView.cpp:346] Allocation location malloc [dbgheap.c:129] PR_Malloc [prmem.c:474] nsMsgDBView::Sort(int,int) [nsMsgDBView.cpp:3470] if ((PRUint32)(pTemp - pBase) + (keyOffset + actualFieldLen) >= allocSize) { maxSize = (keyOffset + maxLen) * (arraySize - numSoFar); allocSize = PR_MIN(maxBlockSize, maxSize); => pTemp = (char *) PR_Malloc(allocSize); NS_ASSERTION(pTemp, "out of memory, can't sort"); if (!pTemp) {
note this happens on my bug notification folder, which has 2000 messages, most with long subjects. Sorting this folder by sender, or other folders by subject, doesn't cause a crash.
Severity: normal → critical
Keywords: crash
Could it be that this folder has one too many messages to sort in a single block, so it allocates a new block for the last subject, but uses the default allocation size, whereas the subject is actually longer than that? I think that the old code could have suffered from the problem as well, you were just lucky that the boundaries were different in your case, here's the old code: maxSize = (PRUint32)(maxLen + sizeof(EntryInfo) + 1) * (PRUint32)(arraySize - numSoFar); maxBlockSize = (PRUint32) 0xf000L; allocSize = PR_MIN(maxBlockSize, maxSize); and for comparison the new code: maxSize = (keyOffset + maxLen) * (arraySize - numSoFar); allocSize = PR_MIN(maxBlockSize, maxSize); keyOffset is my equivalent of sizeof(EntryInfo) - I could restore the + 1 if you thought it would help, but I think the real fix is to calculate the max size based on the maximum of the default size and the current item's size, i.e. maxSize = (keyOffset + PR_MAX(actualFieldLen, maxLen)) * (arraySize - numSoFar); This guarantees that you allocate enough memory when numSoFar == 1.
Neil, yes, that's what's going on, and the fix is to calculate the max size correctly. I think the reason this isn't usually a problem is because collation keys usually are shorter than our default max len for subject strings.
Attached patch proposed fixSplinter Review
make sure alloc'd block is big enough for the current field. Subsequent fields will be handled by the existing overflow check.
Comment on attachment 138518 [details] [diff] [review] proposed fix Yeah, that's a better idea.
Attachment #138518 - Flags: review+
Attachment #138518 - Flags: superreview+
fixed
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: