Closed Bug 522561 Opened 15 years ago Closed 14 years ago

crash replying to message that has attached eml [@ strlen | nsDateTimeFormatMac::FormatPRExplodedTime(nsILocale*, int, int, PRExplodedTime const*, nsAString_internal&)]

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- .2-fixed
status1.9.1 --- .9-fixed

People

(Reporter: wsmwk, Assigned: timeless)

References

(
URL
)

Details

(4 keywords, Whiteboard: [ccbr])

Crash Data

Attachments

(4 files)

don't try to crash as a fallback
844 bytes, patch
smontagu
: review+
beltzner
: approval1.9.2.2+
beltzner
: approval1.9.1.9+
Details | Diff | Splinter Review
Test Case
1.47 KB, text/plain
Details
Test case e-mail
4.87 KB, message/rfc822
Details
Test code that demonstrates asctime() platform dependent behavior
331 bytes, text/plain
Details 
crash replying to message that has attached eml 
[@ strlen | nsDateTimeFormatMac::FormatPRExplodedTime(nsILocale*, int, int, PRExplodedTime const*, nsAString_internal&)]

very few 3.0b4 crashes

"replying to an email which was attached to another email" sounds like 
1. open email attached to message
2. reply 

but i can't reproduce with plain text attachment

bp-6c238359-8518-42a0-a559-1c4e82091012
replying to an email which was attached to another email (mailman admin message) this is the second time. I was able to fully reproduce it this time.
0	libSystem.B.dylib	strlen	
1	thunderbird-bin	nsDateTimeFormatMac::FormatPRExplodedTime	intl/locale/src/mac/nsDateTimeFormatMac.cpp:299
2	thunderbird-bin	nsDateTimeFormatMac::FormatPRTime	intl/locale/src/mac/nsDateTimeFormatMac.cpp:276
3	thunderbird-bin	nsMsgCompose::SendMsg	mailnews/compose/src/nsMsgCompose.cpp:2277
4	thunderbird-bin	nsMsgCompose::QuoteOriginalMessage	mailnews/compose/src/nsMsgCompose.cpp:2983
5	thunderbird-bin	nsMsgCompose::BuildQuotedMessageAndSignature	mailnews/compose/src/nsMsgCompose.cpp:3933
6	thunderbird-bin	nsMsgCompose::InitEditor	mailnews/compose/src/nsMsgCompose.cpp:1489
7	libxpcom_core.dylib	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
8	thunderbird-bin	XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2454
9	thunderbird-bin	XPC_WN_CallMethod	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1590
10	libmozjs.dylib	js_Invoke	js/src/jsinterp.cpp:1386
11	libmozjs.dylib	js_Interpret	js/src/jsinterp.cpp:5179
12	libmozjs.dylib	js_Invoke	js/src/jsinterp.cpp:1394 

a couple others - perhaps the same person:
* replying to an attached .eml file
* replying to a message which was attached to another (mailmain admin message)
FWIW, I hit a similar crash, consistently, when I hit the "Random Comic" link on any page on http://xkcd.com/ . bp-c5cf3ec5-84a7-4500-8559-907142091202 and also bp-2727608c-d7cf-40c1-a826-880022091202 have details. This is on FF3.5.5, OSX-10.6.2 .
a couple of the FF crashes (only 33 in one month) cite "viewing cookies" like bp-7c270717-048d-4e00-80ee-4f4532091124

all the FF crashes are also Mac-only.  Ditto Seamonkey whose comments all mention managing cookies
Hm, Wayne, I see you added me to the CC; but don't expect me to reproduce a Mac-only crash on my Linux-only system ;-).
I get a consistent crash but only in one profile - not if I make a new profile - even though I disable all extensions and plugins on that profile, going to one specific URL. This is also on a Mac. The crash report referred me to this bug, I think because of the function that the crash happens in looks the same.

Crash signature is bp-bcf6d464-4ac8-40f8-91bf-7a0112100106
URL that causes this is http://www.wnj.com/cross_appeal_revisited_jjb_article/
URL: http://www.wnj.com/cross_appeal_revis...
Whiteboard: [ccbr]
Should product be changed to Core, since this occurs in Firefox as well?  I also triggered this crash at xkcd.
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Component: Composition → Internationalization
Product: MailNews Core → Core
QA Contact: composition → i18n

        Attachment #422105 -
        Flags: review?(smontagu)

    
    

    
  
Comment on attachment 422105 [details] [diff] [review]
don't try to crash as a fallback

Why is this expected to prevent the crash?

    
    

    
  
if asctime returns null, nsDependentCString gets a null pointer which it tries to measure with strlen which doesn't consider null pointers to be valid input.

    
    

    
  
OK, but do we have any reason to believe that that is what is happening here? Other than OOM, why should asctime ever return null?

    
    

    
  
my assumption is that the structure is unhappy such that it insists on returning null. however i can't find the source for asctime (i searched).

anyway, the code is totally unnecessary, and i'd like to let crash-stats prove me right. it fits, as there aren't any other paths that i can see to strlen from this code.

    
    

    
  
I'm not so convinced that the code is totally unnecessary. Can't you do something like

char *defaultString = asctime(tmTime);
if (defaultString)
 ...

    
    

    
  
(In reply to comment #10)
> i'd like to let crash-stats prove
> me right. it fits, as there aren't any other paths that i can see to strlen
> from this code.

We have a couple testcase users. And I've pinged some thunderbird users to see if we can't get a test message or two.

    
    

    
  
121 nsresult nsDateTimeFormatMac::FormatTMTime(nsILocale* locale, 
126 {
127   nsresult res = NS_OK;
134     stringOut.Truncate();
135     return NS_OK;
^ we obviously don't bail here

139   CopyASCIItoUTF16(nsDependentCString(asctime(tmTime)), stringOut);
^ i believe we are here

160   switch (dateFormatSelector) {
174     default:
175       NS_ERROR("Unknown nsDateFormatSelector");
176       res = NS_ERROR_FAILURE;
^ we could do something stupid here, in which case we'll later violate xpcom

182   switch (timeFormatSelector) {
194     default:
195       NS_ERROR("Unknown nsTimeFormatSelector");
196       res = NS_ERROR_FAILURE;
^ we could do something stupid here, in which case we'll later violate xpcom

254   nsAutoTArray<UniChar, 256> stringBuffer;
255   if (stringBuffer.SetLength(stringLen + 1)) {
^ if the string really doesn't fit, then we should just fail
256     CFStringGetCharacters(formattedDate, CFRangeMake(0, stringLen), stringBuffer.Elements());
^ this is where we normally fill in the string
257     stringOut.Assign(stringBuffer.Elements(), stringLen);
^ here we stomp unconditionally (well, unless we ran out of memory trying to reduce the width of the buffer, which shouldn't happen)
258   }

263   return res;
264 }

    
    

    
  

      
      
      
      

        Attached file
          
        Test Case
      

    


  
Thanks for emailing me, Wayne, here's a test case. I removed some of the headers, but kept the user agent intact. I can consistently reproduce the problem with this email:

- right click it in finder, open with Thunderbird
- in the email showing up, double-click the forwarded email in the attachment
- in this email, finally click on reply to sender.

After a few seconds, Thunderbird crashes.

    
    

    
  

      
      
      
      

        Attached file
          
        Test case e-mail
      

    


  
Test case (see file):

1. Send yourself an HTML formatted mail.
1a. Wait till you receive it back in your inbox.

2. Send yourself another mail but now with the above mail as received as attachment.
2a. Wait till you receive it back in your inbox (this is the .eml file I attached).

3. Open the mail.
3a. Open the attachment message in the mail.
3b. In the message window that now opens, click on reply and Thunderbird crashes.

This is on a Mac with OS X 10.6.2 and Thunderbird 3.0.1

Hope this makes it reproducible at your end too.

Thanks,
    Hayo Baan

    
    

    
  
(In reply to comment #15)
> 1. Send yourself an HTML formatted mail.

FWIW, HTML format doesn't seem to play a role in this bug.

    
    

    
  
I can't reproduce the crash with the STR in comment 14. However, it's interesting to note that the reply opens:

On 7/22/28164 11:59 AM, Frederic Wenzel wrote:

    
    

    
  
I'm on to something here: dynamic.xkcd.com/comic/random sets a cookie with "Max-Age=604800000000; http://www.meh.es/" (which also appears in crash-data comments) sets a cookie with "expires=Fri, 31-Dec-9999 23:59:59 GMT"

So I'm guessing that we have two bugs here:

1) Forwarding an attached message as in the STR is corrupting the date somehow
2) OS X 10.6 (which is where all the crashes seem to be happening) crashes when formatting dates in the remote future. 

Question arising from this: are any of the people who haven't been able to reproduce the crash on 10.6? If not, what is the system locale of those who can reproduce and those who can't?

    
    

    
  
You are on to something with the cookie. I started up with the empty profile that did not crash on the URL I mentioned in comment #4 and tried to look for a cookie from the wnj.com domain. I used Preferences, Privacy, delete selected cookies, then I entered wnj.com in the search box. That resulted in a new example of this crash, same date related routine:
 crash report bp-3cd9b206-1161-4bf8-898c-e05e32100128

I exported the cookies, and sure enough it has a too large time stamp field:

www.wnj.com     FALSE   /       FALSE   253402300801    Localization    TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True

How do I answer your question about system locale? I'm set for New Zealand and display dates in dd/mm/yyyy format, if that's what you're looking for.

    
    

    
  
I can reproduce the crash using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1 on comment #14 testcase.
Keywords: testcase

    
    

    
  


  
I compiled and ran the attached file (asctimetest.c) on my Mac OS 10.6.2 system that demonstrates the bug and on a linux machine. Test this using

gcc -o asctimetest asctimetest.c
./asctimetest

On the Mac it output "atime was NULL"
On the linux box it output "atime was Sat Jan 30 06:35:46 21899"

This shows that a very large year in the tm struct passed to asctime() will return NULL on Mac OS X and not on linux, answering the questions posed in comment #9 and comment #10

    
    

    
  
Comment on attachment 422105 [details] [diff] [review]
don't try to crash as a fallback

Looks like my questions have been answered

        Attachment #422105 -
        Flags: review?(smontagu) → review+

    
    

    
  
(In reply to comment #22)
> (From update of attachment 422105 [details] [diff] [review])
> Looks like my questions have been answered

Does this needs sr ?

    
    

    
  
FYI, the xkcd.com "random comic" link sets a cookie with a remarkably large
max-age:

 Set-Cookie: seen_comics="[219]";Max-Age=604800000000;Path=/;Version="1"

On my linux box, testing that in python with:

 time.asctime(time.localtime(time.time()+604800000000))

reports that as being in the year 21175. On my OS-X box (which crashes on
that xkcd page), I get a segfault, so it looks like python is experiencing
the same error as javascript.

    
    

    
  
thanks. the confirmation from python helps.

I think this is the key point (from my OS X 10.5 man page for 'asctime', if the one you have for 10.6 is more specific, please do provide the relevant excerpt):

     The ctime() function adjusts the time value for the current time zone, in
     the same manner as localtime().  It returns a pointer to a 26-character
     string of the form:

           Thu Nov 24 18:22:48 1986\n\0

     All of the fields have constant width.

     The ctime_r() function provides the same functionality as ctime(), except
     that the caller must provide the output buffer buf (which must be at
     least 26 characters long) to store the result.  The localtime_r() and
     gmtime_r() functions provide the same functionality as localtime() and
     gmtime(), respectively, except the caller must provide the output buffer
     result.

     The asctime() function converts the broken-out time in the structure tm
     (pointed at by *timeptr) to the form shown in the example above.

a five digit year violates the fixed width string. My guess is that Apple is enforcing this. Of late, the CRT vendors have been adding validation and fatal asserts for things like this, so it doesn't really shock me.

    
    

    
  
The 10.6 man page says the same thing. (it'd be nice if they'd update it to mention the NULL return, but the date on this page is from 1999, so I'm not holding my breath). Oh, and I should have mentioned that my python test was done on a 10.6 box, but I expect that 10.5 behaved the same way.

    
    

    
  
Landed on mozilla-central: http://hg.mozilla.org/mozilla-central/rev/b713e3aa3955
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 422105 [details] [diff] [review]
don't try to crash as a fallback

#30 crash for 3.0.1, and so after some baking it seems this should be driven in to thunderbird 3.1, and 3.0 if possible.  one line patch seems minor

        Attachment #422105 -
        Flags: approval1.9.2.1?

    
    

    
  
I spun off the issue with the corrupt date in the reply to an attached email into bug 544359

    
  

        Attachment #422105 -
        Flags: approval1.9.1.9?

    
    

    
  
Comment on attachment 422105 [details] [diff] [review]
don't try to crash as a fallback

a=beltzner for 1.9.2.2 and 1.9.1.9

        Attachment #422105 -
        Flags: approval1.9.2.2?

        Attachment #422105 -
        Flags: approval1.9.2.2+

        Attachment #422105 -
        Flags: approval1.9.1.9?

        Attachment #422105 -
        Flags: approval1.9.1.9+

    
    

    
  
Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100322 Shredder/3.0.5pre.

The attached e-mail still crashes in 1.9.2 though with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2pre) Gecko/20100322 Lanikai/3.1b2pre so this isn't fixed there.

          status1.9.2:
          .2-fixed → ---
Keywords: verified1.9.1

    
    

    
  
http://hg.mozilla.org/releases/mozilla-1.9.2/log?rev=5d8e5cbfb206 this landed roughly march 4

COMM192_20100302_RELBRANCH branched 2 days earlier.

          status1.9.2:
          --- → .2-fixed

    
    

    
  
Standard8 made a build for me with the fix and I've verified that it fixes the issue on 1.9.2.
Keywords: verified1.9.2
Crash Signature: [@ strlen | nsDateTimeFormatMac::FormatPRExplodedTime(nsILocale*, int, int, PRExplodedTime const*, nsAString_internal&)]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: