Closed Bug 235355 Opened 20 years ago Closed 20 years ago

hangs/crashes after choosing Server Settings in Mail&Newsgroup Account Settings, click o.k.

Categories

(Core :: XPCOM, defect, P1)

x86
Windows 2000
defect

Tracking

RESOLVED FIXED
mozilla1.7beta

People

(Reporter: tobias, Assigned: darin.moz)

Details

(Keywords: crash)

Attachments

(1 file)

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7a) Gecko/20040223

In the left pane of "Mail&Newsgroup Account Settings", select each
"Server Settings" entry one after another without making any changes, then leave
the dialog by clicking "O.K.", and Mozilla crashes.
While crashing, Mozilla uses a lot of memory. The saved username and password for
newsgroup accounts are deleted after the crash.

Reproducible: Always
Steps to Reproduce:
1. In Mail-News go to "Edit" "Mail&Newsgroup Account Settings"
2. Select "Server Settings" for each of the accounts, one after another, without
changing anything
3. Leave "Mail&Newsgroup Account Settings" with the O.K. button

Actual Results:  
Mozilla crashes. 

Expected Results:  
Close the Dialogue. 

This bug was first reported by Hartmut Figge in d.c.s.m.nb
<4037BA94.20804@hfigge.myfqdn.de> under Debian GNU-Linux, thanks to him. I have
successfully tried to reproduce this crash under w2k.

Adding Part of the DrWatson Crash Stack-Back-Trace:

Funktion: nsSubstring::Replace
        1004ab69 55               push    ebp
        1004ab6a 8bcb             mov     ecx,ebx
        1004ab6c e8fffaffff       call    EmptyCString+0x250 (1004a670)
        1004ab71 85ff             test    edi,edi
        1004ab73 7617             jbe     nsComponentManager::EnumerateContractIDs+0xbec (1005368c)
        1004ab75 8b4304           mov     eax,[ebx+0x4]         ds:00bb7ae6=????????
        1004ab78 8d0c3f           lea     ecx,[edi+edi]         ds:2f857558=????????
        1004ab7b 8bd1             mov     edx,ecx
        1004ab7d 8d3c68           lea     edi,[eax+ebp*2]       ds:0fbfffee=????????
        1004ab80 c1e902           shr     ecx,0x2
FEHLER ->1004ab83 f3a5            rep  movsd ds:0012dcb0=006f0074 es:2f857558=????????
        1004ab85 8bca             mov     ecx,edx
        1004ab87 83e103           and     ecx,0x3
        1004ab8a f3a4             rep     movsb         ds:0012dcb0=74 es:2f857558=??
        1004ab8c 5f               pop     edi
        1004ab8d 5e               pop     esi
        1004ab8e 5d               pop     ebp
        1004ab8f 5b               pop     ebx
        1004ab90 81c498000000     add     esp,0x98
        1004ab96 c21000           ret     0x10
        1004ab99 8bbc24b8000000   mov     edi,[esp+0xb8]        ss:0012db9c=00000006
        1004aba0 83ffff           cmp     edi,0xff
*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0FBFFFEE 00000000 00000000 00000000 00000000 00000000 !nsSubstring::Replace
memcpy(unsigned char * 0x2f8c66b6, unsigned char * 0x0012bd58, unsigned long
0x00000042) line 242
nsCharTraits<unsigned short>::copy(unsigned short * 0x2f8c66b6, const unsigned
short * 0x0012bd58, unsigned int 0x00000021) line 150 + 19 bytes
nsSubstring::Replace(unsigned int 0x0fbfffeb, unsigned int 0x00000000, const
unsigned short * 0x0012bd58, unsigned int 0x00000021) line 408 + 29 bytes
nsSubstring::Replace(unsigned int 0x0fbfffeb, unsigned int 0x00000000, const
nsSubstring & {...}) line 230 + 41 bytes
nsString::ReplaceSubstring(const nsString & {...}, const nsString & {...}) line 392
nsMsgIncomingServer::OnUserOrHostNameChanged(nsMsgIncomingServer * const
0x054eb618, const char * 0x00000000, const char * 0x05bf49e0) line 1280
nsNntpIncomingServer::OnUserOrHostNameChanged(nsNntpIncomingServer * const
0x054eb618, const char * 0x00000000, const char * 0x05bf49e0) line 2005 + 18 bytes
nsMsgIncomingServer::SetRealUsername(nsMsgIncomingServer * const 0x054eb618,
const char * 0x05bf49e0) line 1363 + 25 bytes
XPTC_InvokeByIndex(nsISupports * 0x054eb618, unsigned int 0x00000011, unsigned
int 0x00000001, nsXPTCVariant * 0x0012c150) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_SETTER) line 2022 + 43 bytes
XPCWrappedNative::SetAttribute(XPCCallContext & {...}) line 1887 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x0570dbd8, JSObject * 0x05b94f08, unsigned int
0x00000001, long * 0x05b78e74, long * 0x0012c434) line 1311 + 12 bytes
js_Invoke(JSContext * 0x0570dbd8, unsigned int 0x00000001, unsigned int
0x00000002) line 941 + 23 bytes
js_InternalInvoke(JSContext * 0x0570dbd8, JSObject * 0x05b94f08, long
0x05b95560, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012cd6c,
long * 0x0012cd6c) line 1035 + 20 bytes
js_InternalGetOrSet(JSContext * 0x0570dbd8, JSObject * 0x05b94f08, long
0x054eea00, long 0x05b95560, int 0x00000008, unsigned int 0x00000001, long *
0x0012cd6c, long * 0x0012cd6c) line 1078 + 31 bytes
js_SetProperty(JSContext * 0x0570dbd8, JSObject * 0x05b94f08, long 0x054eea00,
long * 0x0012cd6c) line 2836 + 53 bytes
js_Interpret(JSContext * 0x0570dbd8, long * 0x0012cf0c) line 2816 + 2014 bytes
js_Invoke(JSContext * 0x0570dbd8, unsigned int 0x00000002, unsigned int
0x00000002) line 958 + 13 bytes
js_InternalInvoke(JSContext * 0x0570dbd8, JSObject * 0x05464fe0, long
0x059edb48, unsigned int 0x00000000, unsigned int 0x00000002, long * 0x05a218f0,
long * 0x0012d0a4) line 1035 + 20 bytes
JS_CallFunctionValue(JSContext * 0x0570dbd8, JSObject * 0x05464fe0, long
0x059edb48, unsigned int 0x00000002, long * 0x05a218f0, long * 0x0012d0a4) line
3592 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x05464fe0, JSObject * 0x059edb48,
unsigned int 0x00000002, long * 0x05a218f0, long * 0x0012d0a4) line 1267 + 33 bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x05a21878) line 5145 + 81 bytes
GlobalWindowImpl::TimerCallback(nsITimer * 0x05a21980, void * 0x05a21878) line 5508
nsTimerImpl::Fire() line 382 + 17 bytes
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x00f3cbb0) line 616
nsAppShell::GetNativeEvent(nsAppShell * const 0x056cc088, int & 0x00000001, void
* & 0x02230180 msg) line 197
nsXULWindow::ShowModal(nsXULWindow * const 0x0548a388) line 362 + 31 bytes
nsWebShellWindow::ShowModal(nsWebShellWindow * const 0x0548a388) line 1106
nsContentTreeOwner::ShowAsModal(nsContentTreeOwner * const 0x0522f5dc) line 449
nsWindowWatcher::OpenWindowJS(nsWindowWatcher * const 0x010d544c, nsIDOMWindow *
0x04efed24, const char * 0x056b1ba8, const char * 0x0012d7f0, const char *
0x0012d848, int 0x00000001, unsigned int 0x00000001, long * 0x055c7708,
nsIDOMWindow * * 0x0012d8a0) line 784
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x04efed20, const
nsAString & {...}, const nsAString & {...}, const nsAString & {...}, int
0x00000001, long * 0x055c76fc, unsigned int 0x00000004, nsISupports *
0x00000000, nsIDOMWindow * * 0x0012dc5c) line 4770 + 140 bytes
GlobalWindowImpl::OpenDialog(GlobalWindowImpl * const 0x04efed28, nsIDOMWindow *
* 0x0012dc5c) line 3461 + 59 bytes
XPTC_InvokeByIndex(nsISupports * 0x04efed28, unsigned int 0x00000010, unsigned
int 0x00000001, nsXPTCVariant * 0x0012dc5c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2022 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x04f804e0, JSObject * 0x04e543c8, unsigned int
0x00000004, long * 0x055c76fc, long * 0x0012df2c) line 1287 + 14 bytes
js_Invoke(JSContext * 0x04f804e0, unsigned int 0x00000004, unsigned int
0x00000000) line 941 + 23 bytes
js_Interpret(JSContext * 0x04f804e0, long * 0x0012e860) line 2962 + 15 bytes
js_Invoke(JSContext * 0x04f804e0, unsigned int 0x00000001, unsigned int
0x00000002) line 958 + 13 bytes
js_InternalInvoke(JSContext * 0x04f804e0, JSObject * 0x04e530d8, long
0x05464d20, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012eadc,
long * 0x0012ead8) line 1035 + 20 bytes
JS_CallFunctionValue(JSContext * 0x04f804e0, JSObject * 0x04e530d8, long
0x05464d20, unsigned int 0x00000001, long * 0x0012eadc, long * 0x0012ead8) line
3592 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x04e530d8, JSObject * 0x05464d20,
unsigned int 0x00000001, long * 0x0012eadc, long * 0x0012ead8) line 1267 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x05255498, nsIDOMEvent
* 0x052ef648) line 174 + 52 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x05257ca8,
nsIDOMEvent * 0x052ef648, nsIDOMEventTarget * 0x052ef5f8, unsigned int
0x00000008, unsigned int 0x00000007) line 1434 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x05255440,
nsIPresContext * 0x04efd760, nsEvent * 0x0012f2b8, nsIDOMEvent * * 0x0012f194,
nsIDOMEventTarget * 0x052ef5f8, unsigned int 0x00000007, nsEventStatus *
0x0012f308) line 1527 + 56 bytes
nsXULElement::HandleDOMEvent(nsIPresContext * 0x04efd760, nsEvent * 0x0012f2b8,
nsIDOMEvent * * 0x0012f194, unsigned int 0x00000007, nsEventStatus * 0x0012f308)
line 2881
PresShell::HandleDOMEventWithTarget(PresShell * const 0x04fa1a40, nsIContent *
0x05252298, nsEvent * 0x0012f2b8, nsEventStatus * 0x0012f308) line 6169
nsMenuFrame::Execute(nsGUIEvent * 0x0012f77c) line 1648
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x055d11a8, nsIPresContext *
0x04efd760, nsGUIEvent * 0x0012f77c, nsEventStatus * 0x0012f570) line 447
PresShell::HandleEventInternal(nsEvent * 0x0012f77c, nsIView * 0x054fe5e8,
unsigned int 0x00000001, nsEventStatus * 0x0012f570) line 6133 + 33 bytes
PresShell::HandleEvent(PresShell * const 0x04fa1a5c, nsIView * 0x054fe5e8,
nsGUIEvent * 0x0012f77c, nsEventStatus * 0x0012f570, int 0x00000000, int &
0x00000001) line 5981 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x05734ee8, nsGUIEvent * 0x0012f77c, int
0x00000000) line 2301
nsViewManager::DispatchEvent(nsViewManager * const 0x04fa1148, nsGUIEvent *
0x0012f77c, nsEventStatus * 0x0012f668) line 2039 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f77c) line 79
nsWindow::DispatchEvent(nsWindow * const 0x05734fa4, nsGUIEvent * 0x0012f77c,
nsEventStatus & nsEventStatus_eIgnore) line 1064 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f77c) line 1085
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000,
nsPoint * 0x00000000) line 5207 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int
0x00000000, nsPoint * 0x00000000) line 5462
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long
0x0104003b, long * 0x0012fc28) line 4001 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x005103b4, unsigned int 0x00000202, unsigned int
0x00000000, long 0x0104003b) line 1346 + 27 bytes
USER32! 77e2a2d0()
USER32! 77e045e5()
USER32! 77e0a816()
nsAppShellService::Run(nsAppShellService * const 0x010d6478) line 484
main1(int 0x00000002, char * * 0x00263f88, nsISupports * 0x00ed3c90) line 1291 +
32 bytes
main(int 0x00000002, char * * 0x00263f88) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e987e7()
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
this looks like a result of my string branch landing...

-> me

this probably results from a missing null-check somewhere.  investigating...
Assignee: sspitzer → darin
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.7beta
here's a somewhat simplified testcase:

    const char *oldName = nsnull;
    const char *newName = "user";
    nsString acctName = NS_LITERAL_STRING("forums.foo.com");
    nsAutoString newAcctName, oldVal, newVal;
    oldVal.AssignWithConversion(oldName);
    newVal.AssignWithConversion(newName);
    newAcctName.Assign(acctName);
    newAcctName.ReplaceSubstring(oldVal, newVal);

the ReplaceSubstring call never finishes.  it just loops forever.  i didn't
observe any crash.
Summary: crash after choosing Server Settings in Mail&Newsgroup Account Settings, click o.k. → hangs/crashes after choosing Server Settings in Mail&Newsgroup Account Settings, click o.k.
-> strings
Component: Account Manager → String
Product: MailNews → Browser
Attached patch: v1 patch
patch + testcase
Comment on attachment 142195
v1 patch

i checked with the old nsString2.cpp code, and saw that indeed it would return
early if ReplaceSubstring was called with aTarget equal to the empty string.

it also would return early if aNewValue was empty, but that makes little
sense to me.  what if you wanted to replace a certain substring with an empty
value?  that should be supported.  this makes that happen.

i also corrected the adjustment of the iteration variable |i| in the
algorithm's loop.  i think it is correct for it to resume replacing after the
end of the last replaced substring.  previously what it was doing was pretty
bogus.
Attachment #142195 - Flags: superreview?(dbaron)
Attachment #142195 - Flags: review?(dbaron)
Attachment #142195 - Flags: superreview?(dbaron) → superreview+
Attachment #142195 - Flags: review?(dbaron) → review+
fixed on trunk
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Component: String → XPCOM
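
The failure mode and the fix described in the comments above, as an added example that is neither the attached patch nor Mozilla's code. It assumes std::u16string as a stand-in for nsString; the function names and the max_steps cap are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for nsString (assumption made for this example).
using Str = std::u16string;

// Replace-all with no empty-target guard. An empty target matches at every
// offset, so each pass inserts `value` and the loop never runs out of matches.
// `max_steps` is a demo-only cap so the runaway growth can be observed.
std::size_t replace_all_unguarded(Str& s, const Str& target, const Str& value,
                                  std::size_t max_steps) {
    std::size_t i = 0, steps = 0;
    while (steps < max_steps) {
        std::size_t pos = s.find(target, i);
        if (pos == Str::npos) break;
        s.replace(pos, target.size(), value);
        i = pos + value.size();
        ++steps;
    }
    return steps;  // equal to max_steps means the loop did not terminate on its own
}

// Hardened form following the behaviour the patch comment describes:
//  - return early when the target is empty,
//  - allow an empty replacement value (substring deletion),
//  - resume searching after the end of the text just inserted.
std::size_t replace_all(Str& s, const Str& target, const Str& value) {
    if (target.empty()) return 0;
    std::size_t i = 0, count = 0;
    while ((i = s.find(target, i)) != Str::npos) {
        s.replace(i, target.size(), value);
        i += value.size();  // never rescan the replacement itself
        ++count;
    }
    return count;
}

int main() {
    // Constructed input mirroring the simplified testcase: a null old name
    // becomes an empty target string.
    Str acct = u"forums.foo.com";
    std::size_t n = replace_all_unguarded(acct, u"", u"user", 1000);
    std::printf("unguarded: %zu steps, length now %zu\n", n, acct.size());

    Str safe = u"forums.foo.com";
    std::printf("guarded: %zu replacements\n", replace_all(safe, u"", u"user"));
    return 0;
}
```
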