Closed
Bug 1335638
Opened 7 years ago
Closed 7 years ago
Crash in [thunk]:nsIImapMailFolderSink::`vcall''{56, {flat}}'' }'' via `anonymous namespace'::SyncRunnable1
Categories
(MailNews Core :: Networking: IMAP, defect)
Tracking
(thunderbird50 unaffected, thunderbird51 wontfix, thunderbird52+ fixed, thunderbird53 fixed, thunderbird54 fixed)
RESOLVED
FIXED
Thunderbird 54.0
People
(Reporter: wsmwk, Assigned: jorgk-bmo)
References
()
Details
(4 keywords)
Crash Data
Attachments
(2 files, 3 obsolete files)
3.95 KB,
text/plain
|
Details | |
6.59 KB,
patch
|
jorgk-bmo
:
review+
jorgk-bmo
:
approval-comm-aurora+
jorgk-bmo
:
approval-comm-beta+
|
Details | Diff | Splinter Review |
Like bug 1335578, perhaps fallout from an uplifted patch? Note, checking ~10 users who report with an email address, none have crashed in the release prior. So this is a new crash. Also, most only see this signature, but a few also crash with the signature of bug 1335578 [thunk]:mozilla::storage::Connection::`vcall''{100, {flat}}'' }'' (51.0b2 has some crashes ... I did not check for any correlation between those crashes and the other releases) #2 crash for 45.7.0 *** #3 crash for 52.0b1 #8 crash for 51.0b2 the most common comments are viewing, forwarding, deleting email bp-c7d35878-640c-4ad8-a8e5-1d8c62170130 0 xul.dll [thunk]:nsIImapMailFolderSink::`vcall'{56, {flat}}' }' 1 xul.dll `anonymous namespace'::SyncRunnable1<nsIImapServerSink, unsigned __int64>::Run() c:/builds/moz2_slave/tb-rel-c-esr45-w32_bld-0000000/build/mailnews/imap/src/nsSyncRunnableHelpers.cpp:118 2 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:972 3 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:297 4 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:227 5 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156 6 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:257
Reporter | ||
Updated•7 years ago
|
status-thunderbird52:
--- → affected
status-thunderbird_esr45:
--- → affected
tracking-thunderbird52:
--- → ?
tracking-thunderbird_esr45:
--- → ?
Reporter | ||
Updated•7 years ago
|
Reporter | ||
Comment 1•7 years ago
|
||
51.0b1 had only a smallish number of crashes [1]. only a few per day - not sure what to make of that low rate in comparison to 51.0b2. FWIW, earliest is bp-c20d7012-2c89-4d5c-b912-ab8482170113 dated 2017-01-13 which predates the release => some of our testers crashed https://www.mozilla.org/en-US/thunderbird/51.0beta/releasenotes/ [1] https://crash-stats.mozilla.com/signature/?version=51.0b1&signature=%5Bthunk%5D%3AnsIImapMailFolderSink%3A%3A%60vcall%27%27%7B56%2C%20%7Bflat%7D%7D%27%27%20%7D%27%27&date=%3E%3D2016-11-01T21%3A17%3A21.000Z&date=%3C2017-02-01T21%3A17%3A21.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_sort=-date&page=1#reports
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170125094131 Steps to reproduce: Tried to open an inline forwarded email. The forward was made from a Mac version of TB (User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.6.0) and originated from an Outlook client (<meta name="Generator" content="Microsoft Word 14 (filtered medium)>). After deleting the src="imap://...." part of the embedded picture, the message was rendered successfully. My TB client is: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.0 Actual results: TB crashed without displaying anything. Expected results: Render the message.
Something happened between 45.6 and 45.7 because it works on 45.6 but 45.7 does crash.
Assignee | ||
Comment 5•7 years ago
|
||
We made very few changes between 45.6 and 45.7: https://hg.mozilla.org/releases/comm-esr45/pushloghtml?fromchange=2d3f730dbc9a&tochange=5b85a38d67c3 The only one related to IMAP is bug 1328814: https://hg.mozilla.org/releases/comm-esr45/rev/ccb801cd360e I suggested that Kent do some investigation, see bug 1332606 comment #5.
Reporter | ||
Updated•7 years ago
|
Reporter | ||
Comment 6•7 years ago
|
||
(In reply to Razvan from comment #4) > Something happened between 45.6 and 45.7 because it works on 45.6 but 45.7 > does crash. Razvan, please try https://archive.mozilla.org/pub/thunderbird/nightly/2017/02/2017-02-04-03-02-04-comm-central/thunderbird-54.0a1.en-US.win32.installer.exe and post your results, and any crash IDs
Flags: needinfo?(justcsdr)
Unfortunately it still crashes. Crash id: bp-6e4642c3-b3bc-441c-915d-941202170205 (In reply to Wayne Mery (:wsmwk, NI for questions) from comment #6) > (In reply to Razvan from comment #4) > > Something happened between 45.6 and 45.7 because it works on 45.6 but 45.7 > > does crash. > > Razvan, please try > https://archive.mozilla.org/pub/thunderbird/nightly/2017/02/2017-02-04-03-02- > 04-comm-central/thunderbird-54.0a1.en-US.win32.installer.exe and post your > results, and any crash IDs
Comment 8•7 years ago
|
||
Razva, could you try the latest nightly https://archive.mozilla.org/pub/thunderbird/nightly/2017/02/2017-02-04-03-02-04-comm-central/thunderbird-54.0a1.en-US.win32.installer.exe Ideally this will also crash for you, but it will crash in a different place that will give us more idea of the root cause, and hos to prevent it. If it crashes make sure you report the crash ID.
I think that this version is the same as the version suggested in comment #6. In comment #7 is the crash id for that. (bp-6e4642c3-b3bc-441c-915d-941202170205) (In reply to Kent James (:rkent) from comment #8) > Razva, could you try the latest nightly > https://archive.mozilla.org/pub/thunderbird/nightly/2017/02/2017-02-04-03-02- > 04-comm-central/thunderbird-54.0a1.en-US.win32.installer.exe > > Ideally this will also crash for you, but it will crash in a different place > that will give us more idea of the root cause, and hos to prevent it. If it > crashes make sure you report the crash ID.
Assignee | ||
Comment 10•7 years ago
|
||
Razvan, many thanks!! Yes, comment #6 and comment #8 both asked you to use the same version of 2017-02-04 (yesterday). The new crash report is *extremely* helpful. We see a very useful call stack and can now diagnose the problem much better. So thanks again. In nsImapProtocol::SetupSinkProxy() we do this: if (!m_imapMessageSink) { nsCOMPtr<nsIImapMessageSink> aImapMessageSink; (void) m_runningUrl->GetImapMessageSink(getter_AddRefs(aImapMessageSink)); m_imapMessageSink = new ImapMessageSinkProxy(aImapMessageSink); <=== line 641 we now crash when trying to instantiate ImapMessageSinkProxy(nullptr). This does seem to be related to bug 1328814 since there we kick on with life despite not being able to find a now renamed folder. That seems to open up this code path here. Kent is the expert on this.
Comment 11•7 years ago
|
||
Razvan: yeah sorry about that, I did not read Wayne's link very carefully, and somehow I assumed he directed you to the recent esr45 run instead (which tests a different theory of the same problem).
Assignee | ||
Comment 12•7 years ago
|
||
Kent, do you have some tips about how to fix this?
Flags: needinfo?(justcsdr) → needinfo?(rkent)
Comment 13•7 years ago
|
||
Hints or tips? Hmmm ... in spite of your comments about me as the Imap expert, I'm more the last man standing more than an expert. But I could give some hints about how I would approach. The crash report showed a path coming from I believe an embedded imap: or imap-message: protocol in the image of am email. It would be good to know where those come from. I thought we got rid of those in Magnus' patches from our formerly favorite bug. Perhaps this current problem is a transition problem, with old non-data uris lieing around causing issues. In that case, merely preventing the crash and not displaying the embedded content is probably the best approach. Still, an invalid folder reference in a URL should not lead to a crash. The patch to bug 1328814 removed one previous location where invalid folder references threw an error, apparently leading to this current crash. One possible compromise would be to understand how that happens (through the creation presumably of invalid proxy references in the imap protocol), prevent it from happening at that point by throwing errors, that would presumably allow us to continue responsibly. Not displaying an embedded HTML image would be preferable to either crashing or failing in the nature that bug 1328814 was meant to solve. But better still would be to correct the URL in known circumstances such as a folder rename. I doubt if that is worth the work though, particularly as imap protocol references are known to cause all sorts of issues, which is why we are moving to data urls in the first place.
Flags: needinfo?(rkent)
Comment 14•7 years ago
|
||
This is an working example. It must be in an IMAP folder in TB, otherwise it doesn't work (TB doesn't crash if is opened from the local folder of TB or as eml from a PC local folder). More than that, the host/address of the IMAP server must be valid otherwise the TB doesn't crash. I hope this help.
Assignee | ||
Comment 15•7 years ago
|
||
Comment on attachment 8833869 [details] This one crashes TB Razvan, that you so much!! Having an example that reproduces the crash it a big step towards fixing it. As Kent said, this is coming from from an embedded image with an IMAP URL, since imgLoader::LoadImage() is in the call stack. In the message source we see: <img moz-do-not-send="true" id="Picture_x0020_1" src="imap://aaa%40bbb%2Eccc@mail.lthd.com:993/.... Razvan, one question: Does viewing the message with an older version of TB that doesn't crash show any image? I don't think it would since this appears to be an old invalid reference. So not showing anything here would solve the problem.
Attachment #8833869 -
Attachment mime type: application/octet-stream → text/plain
Comment 16•7 years ago
|
||
No, it doesn't. The IMAP folder that the link is pointing to is particular to the user that has forwarded the message and only him can access it, so there is no picture to see for the receiver. The no-picture-found image is displayed on the older versions. I don't know if this is important for this bug, but the IMAP server is Dovecot and is secured with self signed certificate.
Assignee | ||
Comment 17•7 years ago
|
||
This fixes the crash. This is quite a pain, once an invalid IMAP URL is in the system, it's hard to get out. Kent, please tell me what you think. As per comment #10, only checking of aImapMessageSink was necessary. So perhaps the checking is overzealous. I'm also not sure what the various sink (proxies) do. Another option would be to check the URL before calling SetupSinkProxy(). With the patch I get two grumbling elsewhere in the bowels of IMAP: ###!!! ASSERTION: shouldn't get an error loading url: 'false', file c:/mozilla-source/comm-central/mailnews/imap/src/nsImapIncomingServer.cpp, line 455 Well, it can now if the URL is invalid. More interestingly: [4848] ###!!! ASSERTION: shouldn't already have a channel listener: '!m_channelListener', file c:/mozilla-source/comm-central/mailnews/imap/src/nsImapProtocol.cpp, line 790 The other option would be to back out the "folder move/rename" bug and try to solve it some other way. I still think you should be able to clone something invalid, sigh.
Attachment #8833895 -
Flags: feedback?(rkent)
Reporter | ||
Updated•7 years ago
|
Reporter | ||
Comment 18•7 years ago
|
||
jorgk, perhaps this will further inform your investigations... gsmith, who is a prolific crasher with multiple signature - mostly bug 1335578 [thunk]:mozilla::storage::Connection::`vcall''{100, {flat}}'' }'' - has done a lot of testing for me with nightly builds and such. He encounters "Daily has blocked a file from loading into this message" [and no crash] when composing an email with a signature containing a logo image and using https://ftp.mozilla.org/pub/thunderbird/nightly/2016/12/2016-12-10-03-02-04-comm-central/thunderbird-53.0a1.en-US.win32.installer.exe https://ftp.mozilla.org/pub/thunderbird/nightly/2016/12/2016-12-09-03-02-10-comm-central/thunderbird-53.0a1.en-US.win32.installer.exe handles the logo correctly checkins: https://hg.mozilla.org/comm-central/pushloghtml?startdate=2016-12-09+03%3A05%3A00&enddate=2016-12-10+03%3A05%3A00
Assignee | ||
Comment 19•7 years ago
|
||
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #18) > jorgk, perhaps this will further inform your investigations... Wayne, no it doesn't. "Daily has blocked a file from loading into this message". Please refer to bug 1332606 comment #11. This is Magnus' new compose Windows magic of blocking file-based images and others. Let's concentrate on the crash and nothing else.
Assignee | ||
Comment 20•7 years ago
|
||
Kent, please take a look at crash ID https://crash-stats.mozilla.com/report/index/ef6fbbe4-9790-4c4a-8b78-b2e932170206 posted in bug 1335345 comment #11 This comes from nsSyncRunnableHelpers.h:69: ImapServerSinkProxy(nsIImapServerSink* receiver) So this code: res = m_runningUrl->GetImapServerSink(getter_AddRefs(aImapServerSink)); m_imapServerSink = new ImapServerSinkProxy(aImapServerSink); can also create null receivers at nsImapProtocol.cpp:647, so not just like 641 needs extra checking. So perhaps the checking I added isn't overzealous after all.
Assignee | ||
Comment 21•7 years ago
|
||
This takes care of the crashes and tones down some NS_ASSERTS(). The message that used to cause the crash loads, but the status indicator keeps showing "Loading Message..." like it never finishes, somehow an indication of the fact that it tries accessing something without success. Kent, let me know what you think of the new checks. As I said: We've seen crashes due to aImapMessageSink or aImapServerSink being null.
Attachment #8833895 -
Attachment is obsolete: true
Attachment #8833895 -
Flags: feedback?(rkent)
Attachment #8833950 -
Flags: review?(rkent)
Assignee | ||
Comment 22•7 years ago
|
||
Comment on attachment 8833903 [details] gsmith-bug1335578-image-blocked-okafgmbeepcacbgp.png Sorry, this is not useful, I know how the message looks like since I reviewed the bug where this was implemented.
Attachment #8833903 -
Attachment is obsolete: true
Assignee | ||
Comment 26•7 years ago
|
||
Comment on attachment 8833950 [details] [diff] [review] 1335638-IMAP-crash-fix.patch (v2) Review of attachment 8833950 [details] [diff] [review]: ----------------------------------------------------------------- I did some further digging in nsImapUrl::GetImapMailFolderSink() and friends. https://dxr.mozilla.org/comm-central/rev/756fa9e390ab08f995382c9a9dfc6bf4b72421ca/mailnews/imap/src/nsImapUrl.cpp#147 See comments below. ::: mailnews/imap/src/nsImapProtocol.cpp @@ +632,3 @@ > m_imapMailFolderSink = new ImapMailFolderSinkProxy(aImapMailFolderSink); > + } else { > + return NS_ERROR_ILLEGAL_VALUE; Maybe this is overzealous since nsImapUrl::GetImapMailFolderSink() sort of seems to expect a nullptr in m_imapMailFolderSink. @@ +641,5 @@ > (void) m_runningUrl->GetImapMessageSink(getter_AddRefs(aImapMessageSink)); > + if (aImapMessageSink) { > + m_imapMessageSink = new ImapMessageSinkProxy(aImapMessageSink); > + } else { > + return NS_ERROR_ILLEGAL_VALUE; I think this is necessary since we crash later otherwise. @@ +651,5 @@ > + res = m_runningUrl->GetImapServerSink(getter_AddRefs(aImapServerSink)); > + if (aImapServerSink) { > + m_imapServerSink = new ImapServerSinkProxy(aImapServerSink); > + } else { > + return NS_ERROR_ILLEGAL_VALUE; Same here. See comment #20. @@ +660,5 @@ > nsCOMPtr<nsIImapProtocolSink> anImapProxyHelper(do_QueryInterface(NS_ISUPPORTS_CAST(nsIImapProtocolSink*, this), &res)); > + if (anImapProxyHelper) { > + m_imapProtocolSink = new ImapProtocolSinkProxy(anImapProxyHelper); > + } else { > + return NS_ERROR_ILLEGAL_VALUE; This is most likely nonsense since the cast won't fail.
Reporter | ||
Comment 27•7 years ago
|
||
jph who crashes with vcall''{56 in 45.7.0, with nightly build all crash are ImapMessageSinkProxy::ImapMessageSinkProxy bp-58dda482-6b93-4966-a797-9485f2170206
Crash Signature: [@ [thunk]:nsIImapMailFolderSink::`vcall''{56, {flat}}'' }''] → [@ [thunk]:nsIImapMailFolderSink::`vcall''{56, {flat}}'' }'']
[@ ImapMessageSinkProxy::ImapMessageSinkProxy]
Assignee | ||
Comment 28•7 years ago
|
||
We have two crashes here: ImapMessageSinkProxy - bp-58dda482-6b93-4966-a797-9485f2170206 - nsSyncRunnableHelpers.h:89 ImapServerSinkProxy - bp-ef6fbbe4-9790-4c4a-8b78-b2e932170206 - nsSyncRunnableHelpers.h:69 Both are addressed in my patch.
Comment 29•7 years ago
|
||
Comment on attachment 8833950 [details] [diff] [review] 1335638-IMAP-crash-fix.patch (v2) Review of attachment 8833950 [details] [diff] [review]: ----------------------------------------------------------------- r+ with my one comment fixed. These sync proxies look like they will crash if the conditions checked by this bug are violated, so this seems pretty safe. But there are lots of dark corners lurking in this code, and unknown behavior when these failures are flagged. So I would not be too quick to uplift this. ::: mailnews/imap/src/nsImapProtocol.cpp @@ +672,5 @@ > { > nsCOMPtr<nsIInterfaceRequestor> callbacks; > aChannel->GetNotificationCallbacks(getter_AddRefs(callbacks)); > > nsCOMPtr<nsILoadGroup> loadGroup; Later (line 1173) there is another call to SetupSinkProxy in SetupMainThreadProxies() that should also propagate the error.
Attachment #8833950 -
Flags: review?(rkent) → review+
Assignee | ||
Comment 30•7 years ago
|
||
Can you please clarify. Please refer to my comment #26. There I suggested to only return an error on the 2nd and 3rd case since the 1st case is already handled specially and the 4th can't fail.
Assignee | ||
Comment 31•7 years ago
|
||
This is what I discussed with Kent on IRC, although we're not sure how to react to an error returned by SetupSinkProxy()/SetupMainThreadProxies() in ProcessCurrentURL(). Kent said on IRC that if we get it wrong, the session will hang. As an example he mentioned to look at HandleCurrentUrlError().
Attachment #8833950 -
Attachment is obsolete: true
Assignee | ||
Comment 32•7 years ago
|
||
Comment on attachment 8835905 [details] [diff] [review] 1335638-IMAP-crash-fix.patch (v3). Carrying forward Kent's r+ with the issues addressed. I looked into improving error handling further but couldn't come up with anything better. So I'll land this now and get Wayne for find many testers.
Attachment #8835905 -
Flags: review+
Assignee | ||
Comment 33•7 years ago
|
||
https://hg.mozilla.org/comm-central/rev/cb631957f0df8544737186e625f8ea9794e38cb0 This should fix the crashes. Wayne, can you please get test coverage here. I will also uplift this to Aurora so it goes onto the Earlybird Channel and those poor people stop crashing. We need Razvan and Andrea from bug 1335345 comment #9. After two weeks we can uplift to beta if all goes well ;-)
Assignee: nobody → jorgk
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 54.0
Comment 34•7 years ago
|
||
The current Daily still crashes, but I don't know if it is the patched one.
Assignee | ||
Comment 35•7 years ago
|
||
Sure, I landed the patch at 2017-02-10 16:14:06 CET. Please try tomorrow's build, or if you let me know your platform (and x86 or x64) you can use a build when the compile is ready, I can provide the link in two hours. I tested with your sample e-mail, so that won't crash any more.
Assignee | ||
Comment 36•7 years ago
|
||
You can try these builds: Windows x86: https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central-win32/1486739243/ Windows x64: https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central-win64/1486739243/ Linux64: https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central-linux64/1486739243/ Andrea, we know you from bug 1335345 comment #9. Can you check these builds, please.
Flags: needinfo?(fox91fox)
Assignee | ||
Comment 37•7 years ago
|
||
Comment on attachment 8835905 [details] [diff] [review] 1335638-IMAP-crash-fix.patch (v3). [Approval Request Comment] Regression caused by (bug #): Bug 1328814. User impact if declined: Crash!! Testing completed (on c-c, etc.): Manual. Risk to taking this patch (and alternatives if risky): Can't get any worse, or maybe it can ;-)
Attachment #8835905 -
Flags: approval-comm-beta?
Attachment #8835905 -
Flags: approval-comm-aurora?
Comment 38•7 years ago
|
||
(In reply to Jorg K (GMT+1) from comment #36) > You can try these builds: > Windows x86: > https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central- > win32/1486739243/ > Windows x64: > https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central- > win64/1486739243/ > Linux64: > https://archive.mozilla.org/pub/thunderbird/tinderbox-builds/comm-central- > linux64/1486739243/ > > Andrea, we know you from bug 1335345 comment #9. Can you check these builds, > please. Hi Jorg, I've tried Linux64 version and works fine for me.
Flags: needinfo?(fox91fox)
Assignee | ||
Updated•7 years ago
|
Attachment #8835905 -
Flags: approval-comm-aurora? → approval-comm-aurora+
Assignee | ||
Comment 39•7 years ago
|
||
Aurora (TB 53): https://hg.mozilla.org/releases/comm-aurora/rev/67909d34664406b0153179342e35716dae965688
status-thunderbird53:
--- → fixed
status-thunderbird54:
--- → fixed
status-thunderbird_esr45:
affected → ---
tracking-thunderbird_esr45:
? → ---
Comment 40•7 years ago
|
||
Sorry for the late response. From my point of view, the bug was fixed in the Daily.
Assignee | ||
Comment 41•7 years ago
|
||
Comment on attachment 8835905 [details] [diff] [review] 1335638-IMAP-crash-fix.patch (v3). This adds stability to TB, even it we don't land bug 1328814 back on TB 52 beta 3
Attachment #8835905 -
Flags: approval-comm-beta? → approval-comm-beta+
Assignee | ||
Comment 42•7 years ago
|
||
Beta (TB 52): https://hg.mozilla.org/releases/comm-beta/rev/9807cf77ed6948b29c4750a3351b8b2484388a88
Assignee | ||
Comment 43•7 years ago
|
||
Razvan, thank you so much for your help. You contribution was absolutely essential to getting this fixed quickly! We are very grateful. And thank you for being on the Daily release channel and helping us. You know that this can be a bumpy ride sometimes. Currently we have one loss of functionality: Proxies don't work for IMAP. We're working on it.
Comment 44•7 years ago
|
||
I am sorry to here that (that the proxy isn't working) but unfortunately I don't have any experience with any type of proxy internals so I can't help with this problem.
You need to log in
before you can comment on or make changes to this bug.
Description
•