Closed
Bug 81682
Opened 23 years ago
Closed 23 years ago
crash when opening multipart html attachment to mail message [@ nsMultiMixedConv::FindToken]
Categories
(MailNews Core :: Composition, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
mozilla0.9.2
People
(Reporter: blizzard, Assigned: dougt)
Details
(Keywords: crash, topcrash, Whiteboard: [PDT+] ETA 06/25)
Crash Data
Build is on May 18, 2001: When I attach a bugzilla query request to a mail message and then try to open that message from in mozilla with the attachment the browser crashes. Steps to reproduce: Make a bugzilla query. Open a mail message. Using the url icon in the url bar, drag it to the attachments area of the message. Send the message to yourself. When you get the message note the attachment. Try to open the attachment and you will crash. Here's the stack trace: #0 0x405478e1 in __libc_nanosleep () from /lib/i686/libc.so.6 #1 0x40547761 in __sleep (seconds=300) at ../sysdeps/unix/sysv/linux/sleep.c:85 #2 0x080507df in ah_crap_handler (signum=11) at nsSigHandlers.cpp:114 #3 0x401cf935 in pthread_sighandler (signo=11, ctx= {gs = 7, __gsh = 0, fs = 0, __fsh = 0, es = 43, __esh = 0, ds = 43, __dsh = 0, edi = 140452696, esi = 144875080, ebp = 3221221632, esp = 3221221560, ebx = 1083051828, edx = 140452696, ecx = 0, eax = 3221221576, trapno = 14, err = 4, eip = 1082804823, cs = 35, __csh = 0, eflags = 66054, esp_at_signal = 3221221560, ss = 43, __ssh = 0, fpstate = 0xbfffee38, oldmask = 2147483648, cr2 = 0}) at signals.c:97 #4 <signal handler called> #5 0x408a4a57 in nsMultiMixedConv::FindToken (this=0x85f2358, aCursor=0x8a29e48 "\n--thisrandomstring\nContent-type: text/html\n\n<html><head><title>Bugzilla is pondering your query</title>\n<style type=\"text/css\">\n .psb { margin-top: 20%; text-align: center; }\n</style></head><body>"..., aLen=20609) at nsMultiMixedConv.cpp:536 #6 0x408a3b40 in nsMultiMixedConv::OnDataAvailable (this=0x85f2358, request=0x85beee8, context=0x8691454, inStr=0x87d295c, sourceOffset=0, count=20608) at nsMultiMixedConv.cpp:202 #7 0x40e990af in nsDocumentOpenInfo::OnDataAvailable (this=0x88bb160, request=0x85beee8, aCtxt=0x8691454, inStr=0x87d295c, sourceOffset=0, count=20608) at nsURILoader.cpp:237 #8 0x41130f9e in nsMimeBaseEmitter::Complete (this=0x8692370) at ../../../../dist/include/nsCOMPtr.h:642 #9 0x40ff8a53 in nsStreamConverter::OnStopRequest (this=0x8691b30, request=0x85beee8, ctxt=0x0, status=0) at ../../../dist/include/nsCOMPtr.h:648 #10 0x41b08b68 in nsImapCacheStreamListener::OnStopRequest (this=0x88e1218, request=0x8692018, aCtxt=0x0, aStatus=0) at ../../../dist/include/nsCOMPtr.h:649 #11 0x4089d359 in nsStorageTransport::nsReadRequest::Process (this=0x8692010) at ../../../dist/include/nsCOMPtr.h:649 #12 0x4089d710 in nsStorageTransport::nsReadRequest::OnDataAvailable ( this=0x8692010, aRequest=0x8692018, aContext=0x0, aInput=0x8692020, aOffset=16384, aCount=5722) at nsStorageTransport.cpp:613 #13 0x400d72f2 in XPTC_InvokeByIndex (that=0x869201c, methodIndex=5, paramCount=5, params=0x8691688) at xptcinvoke_unixish_x86.cpp:138 #14 0x400c79fb in EventHandler (self=0x88be8d8) at ../../../dist/include/nsProxyEvent.h:132 #15 0x400c2d4f in PL_HandleEvent (self=0x88be8d8) at plevent.c:588 #16 0x400c2c5d in PL_ProcessPendingEvents (self=0x80ba148) at plevent.c:518 #17 0x400c3dbf in nsEventQueueImpl::ProcessPendingEvents (this=0x80ba320) at nsEventQueue.cpp:374 #18 0x40771a76 in event_processor_callback (data=0x80ba320, source=5, condition=GDK_INPUT_READ) at nsAppShell.cpp:168 #19 0x407717c5 in our_gdk_io_invoke (source=0x40d1aca8, condition=G_IO_IN, data=0x40d1ab58) at nsAppShell.cpp:61 #20 0x4035cfae in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0 #21 0x4035e783 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0 #22 0x4035ed49 in g_main_iterate () from /usr/lib/libglib-1.2.so.0 #23 0x4035eefc in g_main_run () from /usr/lib/libglib-1.2.so.0 #24 0x402738f3 in gtk_main () from /usr/lib/libgtk-1.2.so.0 #25 0x40771fa6 in nsAppShell::Run (this=0x80eab50) at nsAppShell.cpp:360 #26 0x40747e3a in nsAppShellService::Run (this=0x80e46d8) at ../../../dist/include/nsCOMPtr.h:649 #27 0x0804fa27 in main1 (argc=1, argv=0xbffff82c, nativeApp=0x0) at ../../dist/include/nsCOMPtr.h:649 #28 0x080502c3 in main (argc=1, argv=0xbffff82c) at nsAppRunner.cpp:1391 #29 0x404a9177 in __libc_start_main (main=0x8050178 <main>, argc=1, ubp_av=0xbffff82c, init=0x804be74 <_init>, fini=0x805210c <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff81c) at ../sysdeps/generic/libc-start.c:129 The bit of offending code seems to be nsMultiMixedConv::FindToken() in netwerk/streamconv/converters/nsMultiMixedConv.cpp. The token variable ends up being NULL and we try to dereference it.
Reporter | ||
Updated•23 years ago
|
Whiteboard: want for mozilla 0.9.1
Comment 2•23 years ago
|
||
cc'ing ducarroz and varada
Comment 3•23 years ago
|
||
Looks like we have several problem here: 1) When I send the buzilla query from 4.x, evrything is fine but when it's sent from 6.x, the attachment looks like: --thisrandomstring Content-type: text/html <html><head><title>Bugzilla is pondering your query</title> <style type="text/css"> .psb { margin-top: 20%; text-align: center; } </style></head><body> <h1 class="psb">Please stand by ...</h1></body></html> --thisrandomstring Content-type: text/html Content-disposition: inline; filename=bugzilla_bug_list.html Set-Cookie: LASTORDER=bugs.priority%2C%20bugs.bug_id ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT Set-Cookie: BUGLIST=80113:81306:81720:22486:28348:76323:79622:71865:74649 <HTML><HEAD> <TITLE>Bug List</TITLE> ... --thisrandomstring We should not have those pseudo two parts in the attachment data, I don't have any clue how that appends 2) The browser code should not crash when viewing the attachment. If I save the attachment to the disk and then open it in the browser, I don't crash!
Reporter | ||
Comment 4•23 years ago
|
||
It looks like 4.x will attach the second part of a multipart response instead of the entire response. I've set up bug 81751 to track that issue which is seperate from this which should also be fixed.
Reporter | ||
Comment 5•23 years ago
|
||
I'll bet that the multi mixed converter is getting confused by the fact that there are tags in the mail message as well as the attachment.
Comment 6•23 years ago
|
||
how is this one coming. we really need it for 0.9.1...
We are crashing because mToken is not being set to a valid value in nsMultiMixedConv::OnStartRequest(..) We are not receiving a boundary=thisrandomstring in the Content-Type. We should be getting Content-Type: multipart/x-mixed-replace;boundary=thisrandomstring instead we only get Content-Type: multipart/x-mixed-replace; so mToken is not being set to the boundary value.
This part of the source from the mail attachment. Content-Type: multipart/mixed; boundary="------------000903060705000804050204" This is a multi-part message in MIME format. --------------000903060705000804050204 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit --------------000903060705000804050204 Content-Type: multipart/x-mixed-replace; name="buglist.cgi" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="buglist.cgi" --thisrandomstring Content-type: text/html
Comment 10•23 years ago
|
||
Ooooh This is a great find Neeti! I think I know whats going on here... Darin's recent changes broke multi-line parsing of headers and that is what is going on here. cc'ing darin since he has a fix for it already.
Comment 11•23 years ago
|
||
looks like a dupe of 81008 *** This bug has been marked as a duplicate of 81008 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Comment 12•23 years ago
|
||
Yes, this is similar to bug 81008, but is this actually fed into the code to be changed by the patch to 81008? I haven't investigated in detail, but I have the patch in my tree and can still reproduce the crash. Furthermore, even if the boundary value gets lost we should not crash. Reopening.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 13•23 years ago
|
||
Code in nsHttpTransaction.cpp seems not to be touched by reproducing this crash (or fails the log right before a crash (I have "sync" enabled)?).
Comment 14•23 years ago
|
||
Darin: In nsHttpResponseHead::ParseContentType(..), we get type as multipart/x-mixed-replace;boundary=thisrandomstring. When we check if the content-type has additional fields, since we currently only check for charset field only, we are stripping away the boundary value in the content type, setting it to multipart/x-mixed-replace; In this case we also need to check for boundary= .
Comment 15•23 years ago
|
||
the code that looks for the boundary= should call GetResponseHeader("content-type") instead of GetContentType(). multipart/x-mixed-replace is a content-type; multipart/x-mixed-replace;boundary=blahblahblah is not.
Comment 16•23 years ago
|
||
related to the parser changes darin's working on for bug 81008
Assignee: neeti → darin
Status: REOPENED → NEW
Comment 17•23 years ago
|
||
actually, the channel (data source) in question is not HTTP... it is IMAP. -> mailnews
Assignee: darin → mscott
Component: Networking → Networking - IMAP
Product: Browser → MailNews
QA Contact: benc → huang
Comment 18•23 years ago
|
||
Hey Darin, I'm pretty confused about this bug. Imap isn't involved at all. The multi-mixed converter is the guy trying to parse out the boundary tag. That's in networking not in mailnews. The multi mixed converter does indeed call GetResponseHeader("content-type"): rv = httpChannel->GetResponseHeader("content-type", getter_Copies(delimiter)); when it wants to extract the boundary information from it. I don't think we are getting the boundary string back here. And that's what leads to the crash.
Comment 19•23 years ago
|
||
ignore my comments. I see, the multi mixed converter asks the imap channel for the content type and we know nothing about parsing boundary headers so we always give back just a content type when you call GetContentType. Hmm this is going to be pretty hard to fix I think.
Comment 20•23 years ago
|
||
updating status whiteboard. We might try to get in 81751 which will prevent the case that we know causes the crash but not the crash.
Whiteboard: want for mozilla 0.9.1 → want for mozilla 0.9.1,eta = unknown
Comment 21•23 years ago
|
||
Adding topcrash keyword and [@ nsMultiMixedConv::FindToken] to summary. This is a topcrasher according to the latest Talkback data for the Trunk. Here is the latest stack trace: Incident ID 31068424 nsMultiMixedConv::FindToken [d:\builds\seamonkey\mozilla\netwerk\streamconv\converters\nsMultiMixedConv.cpp, line 598] nsMultiMixedConv::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\streamconv\converters\nsMultiMixedConv.cpp, line 161] nsDocumentOpenInfo::OnDataAvailable [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 238] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2091] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 183] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072] KERNEL32.DLL + 0x248f7 (0xbff848f7) 0x00688b5e 0x00058f64 And some user comments: (31068424) URL: bugzilla.mozilla.org (31068424) Comments: searching bugzilla for the term "bookmarks" (31063889) Comments: Trying to display pdf document (30954884) URL: http://westwaybc.camarades.com/ (30945611) Comments: I tried to open an attachement in Mozilla mail client. It had a named bugxyz.cgi (30906640) Comments: click on buglist attachment (30874370) URL: news://news.mcom.com/netscape.public.mozilla.mail-news (30867062) Comments: Trying to open a pdf file (30862432) URL: www.google.com (30862432) Comments: Clicked on a PDF from a Google link. Walked away while Acrobat was loading up and came back a few minutes later and the Dr. Watson was showing and this feedback agent.
Keywords: topcrash
Summary: crash when opening multipart html attachment to mail message → crash when opening multipart html attachment to mail message [@ nsMultiMixedConv::FindToken]
Comment 22•23 years ago
|
||
We're going to try to fix 81751 instead. Moving off 0.9.1 radar.
Target Milestone: mozilla0.9.1 → mozilla0.9.2
Comment 23•23 years ago
|
||
multipart html attachment -> esther
Component: Networking - IMAP → Composition
QA Contact: huang → esther
Comment 24•23 years ago
|
||
I want to move this out of 0.9.2 but wanted to get some feedback first. If we fix 81751 (which has a fix and therefore should make 0.9.2), then we should prevent the case that we know causes this crash and therefore make this not a top crash or even a likely crash through mail. Given that and the fact that it looks hard to fix, I don't think this is as high of a priority or severity that it is without the fix in 87151. Any other opinions?
Comment 25•23 years ago
|
||
When I read the 3 user's comment above, 1 crash when opening a mail attachment, 2 while surfing the web. That's not a lot of data to make accurate analysis but looks like fixing mail will solve only some of the cases.
Comment 26•23 years ago
|
||
adding PDT+, though with ducarroz's fix I'm not sure if remaining crashers can happen through mail anymore.
Whiteboard: want for mozilla 0.9.1,eta = unknown → [PDT+]want for mozilla 0.9.1,eta = unknown
Updated•23 years ago
|
Priority: -- → P2
Comment 27•23 years ago
|
||
I'm going to re-assign this crasher over to necko. Here's why: 1) We already have a bug tracking the issue that causes mailnews to get into this crash. jean-Francois has the fix for that 2) many of the talkback reports with this stack trace are seeing this crash just by browsing web pages. So clearly there are code paths on the http side wich are leading to the crash in nsMultiMixedConv::FindToken as well. see the comments about crashing while searching bugzilla for examples.
Assignee: mscott → darin
Comment 28•23 years ago
|
||
removed the stale PDT+ status whiteboard comment.
Whiteboard: [PDT+]want for mozilla 0.9.1,eta = unknown
Comment 29•23 years ago
|
||
*** Bug 85891 has been marked as a duplicate of this bug. ***
Updated•23 years ago
|
Keywords: nsenterprise
Comment 30•23 years ago
|
||
Gagan, since you added PDT+ back to this today is there a patch available already? Please add your eta to the status whiteboard.
Whiteboard: [PDT+] → [PDT+] need eta
Comment 31•23 years ago
|
||
investigating... i don't expect it to be too difficult to make the multipart stream converter more robust. seems like some well placed null checks should do the trick.
Assignee | ||
Updated•23 years ago
|
Status: NEW → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 33•23 years ago
|
||
Well, the crash is gone after changes that I just checked in, but I don't see the first segment of the multipart (the once that says "Please Wait" or whatever). I think that this is good enough for 0.9.2 (unless you can find a site that send multipart attachments where the first part is important). I filed another bug (87190) about the first part of the multipart not viewable.
Comment 34•23 years ago
|
||
Using build 2001-07-02 on windows and 2001-06-29 on mac and linux this is fixed per orginal scenario. I don't crash opening a bugzilla query attachment. Bug query was attached using the 6.1 build. Verified
Status: RESOLVED → VERIFIED
Updated•20 years ago
|
Product: MailNews → Core
Updated•16 years ago
|
Product: Core → MailNews Core
Updated•13 years ago
|
Crash Signature: [@ nsMultiMixedConv::FindToken]
You need to log in
before you can comment on or make changes to this bug.
Description
•