1136498 - crash in nsMsgSearchDBView::OnHdrDeleted deleting message in gloda search results. m_threadsTable is freed nsIMsgThread

Status: RESOLVED WORKSFORME

(MailNews Core :: Backend, defect)

Description

[Wayne Mery (:wsmwk)]

I crashed bp-5fe3496f-347e-4684-a569-9f9502150224.
" just deleted the last message in a two message conversation"

 0 		@0x12c6d414	
1 	xul.dll	nsMsgSearchDBView::OnHdrDeleted(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/base/src/nsMsgSearchDBView.cpp:228
2 	xul.dll	nsMsgDatabase::NotifyHdrDeletedAll(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/db/msgdb/src/nsMsgDatabase.cpp:929
3 	xul.dll	nsMsgDatabase::DeleteHeader(nsIMsgDBHdr*, nsIDBChangeListener*, bool, bool)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/db/msgdb/src/nsMsgDatabase.cpp:2031
4 	xul.dll	nsMsgDatabase::DeleteMessages(unsigned int, unsigned int*, nsIDBChangeListener*)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/db/msgdb/src/nsMsgDatabase.cpp:1975
5 	xul.dll	nsImapMailFolder::CopyMessagesOffline(nsIMsgFolder*, nsIArray*, bool, nsIMsgWindow*, nsIMsgCopyServiceListener*)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/imap/src/nsImapMailFolder.cpp:7430
6 	xul.dll	nsImapMailFolder::CopyMessages(nsIMsgFolder*, nsIArray*, bool, nsIMsgWindow*, nsIMsgCopyServiceListener*, bool, bool)	c:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/imap/src/nsImapMailFolder.cpp:7597 



This user has several signature which are no doubt related

bp-28811a65-b455-4918-bbfa-916c22150224	
nsMsgXFViewThread::RemoveChildHdr(nsIMsgDBHdr*, nsIDBChangeAnnouncer*)   

bp-94760e0d-7337-4048-a0b1-e4ddb2150224	
nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsMsgBodyHandler::nsMsgBodyHandler(nsIMsgSearchScopeTerm*, unsigned int, nsIMsgDBHdr*, nsIMsgDatabase*)   

bp-41bf67a9-bcf9-4962-8cda-bd6cc2150220	
@0x0 | nsMsgSearchDBView::OnHdrDeleted(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)   

bp-3669d1ef-bd56-4f57-a1e9-266b92150224	 	nsMsgSearchDBView::OnHdrDeleted(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)
" I click a message as JUNK and the program closes. "

http://hg.mozilla.org/releases/comm-esr31/annotate/431088bed817/mailnews/db/msgdb/src/nsMsgDatabase.cpp#l911
hg@0 	906 NS_IMETHODIMP nsMsgDatabase::NotifyHdrDeletedAll(nsIMsgDBHdr *aHdrDeleted,
hg@0 	907                                      nsMsgKey aParentKey,
ehsan@13324 908                                  int32_t aFlags,
hg@0 	909                                      nsIDBChangeListener *aInstigator)
hg@0 	910 {
hg@0 	911  NOTIFY_LISTENERS(OnHdrDeleted, (aHdrDeleted, aParentKey, aFlags, aInstigator));

http://hg.mozilla.org/releases/comm-esr31/annotate/431088bed817/mailnews/base/src/nsMsgSearchDBView.cpp#l228
bienvenu@774 223   nsCOMPtr<nsIMsgThread> thread;
bienvenu@774 224   GetXFThreadFromMsgHdr(aHdrDeleted, getter_AddRefs(thread));
bienvenu@774 225   if (thread)
bienvenu@774 226   {
bienvenu@774 227      nsMsgXFViewThread *viewThread = static_cast<nsMsgXFViewThread*>(thread.get());
mconley@13187 228     viewThread->RemoveChildHdr(aHdrDeleted, nullptr);

Comment 1

[Wayne Mery (:wsmwk)]

I just crashed bp-5079f917-c4de-45ac-a521-618382150803

 nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsMsgBodyHandler::nsMsgBodyHandler(nsIMsgSearchScopeTerm*, unsigned int, nsIMsgDBHdr*, nsIMsgDatabase*)

Comment 2

[Wayne Mery (:wsmwk)]

Mac signature appears to be [@ <name omitted> | nsMsgBodyHandler::nsMsgBodyHandler ]  bp-d2646e3c-e9f6-4d59-a1e6-349bf2170226

 0 	XUL	<name omitted>	xpcom/glue/nsCOMPtr.cpp:50
1 	XUL	nsMsgBodyHandler::nsMsgBodyHandler(nsIMsgSearchScopeTerm*, unsigned int, nsIMsgDBHdr*, nsIMsgDatabase*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/objdir-tb/x86_64/dist/include/nsCOMPtr.h:578
2 	XUL	nsMsgSearchTerm::MatchBody(nsIMsgSearchScopeTerm*, unsigned long long, unsigned int, char const*, nsIMsgDBHdr*, nsIMsgDatabase*, bool*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgSearchTerm.cpp:934
3 	XUL	nsMsgSearchOfflineMail::ProcessSearchTerm(nsIMsgDBHdr*, nsIMsgSearchTerm*, char const*, nsIMsgSearchScopeTerm*, nsIMsgDatabase*, char const*, unsigned int, bool, bool*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgLocalSearch.cpp:497
4 	XUL	nsMsgSearchBoolExpression::OfflineEvaluate(nsIMsgDBHdr*, char const*, nsIMsgSearchScopeTerm*, nsIMsgDatabase*, char const*, unsigned int, bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgLocalSearch.cpp:139
5 	XUL	nsMsgSearchBoolExpression::OfflineEvaluate(nsIMsgDBHdr*, char const*, nsIMsgSearchScopeTerm*, nsIMsgDatabase*, char const*, unsigned int, bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgLocalSearch.cpp:160
6 	XUL	nsMsgSearchBoolExpression::OfflineEvaluate(nsIMsgDBHdr*, char const*, nsIMsgSearchScopeTerm*, nsIMsgDatabase*, char const*, unsigned int, bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgLocalSearch.cpp:160
7 	XUL	<name omitted>	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgLocalSearch.cpp:686
8 	XUL	nsMsgSearchSession::MatchHdr(nsIMsgDBHdr*, nsIMsgDatabase*, bool*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/search/src/nsMsgSearchSession.cpp:668
9 	XUL	nsMsgXFVirtualFolderDBView::OnNewHeader(nsIMsgDBHdr*, unsigned int, bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/src/nsMsgXFVirtualFolderDBView.cpp:123
10 	XUL	nsMsgDatabase::NotifyHdrAddedAll(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/db/msgdb/src/nsMsgDatabase.cpp:921
11 	XUL	nsMsgDatabase::AddNewHdrToDB(nsIMsgDBHdr*, bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/db/msgdb/src/nsMsgDatabase.cpp:3547
12 	XUL	nsMsgLocalMailFolder::EndCopy(bool)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/local/src/nsLocalMailFolder.cpp:2472
13 	XUL	nsMsgLocalMailFolder::CopyFileMessage(nsIFile*, nsIMsgDBHdr*, bool, unsigned int, nsACString_internal const&, nsIMsgWindow*, nsIMsgCopyServiceListener*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/local/src/nsLocalMailFolder.cpp:1946
14 	XUL	nsMsgCopyService::DoNextCopy()	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/src/nsMsgCopyService.cpp:353
15 	XUL	nsMsgCopyService::CopyFileMessage(nsIFile*, nsIMsgFolder*, nsIMsgDBHdr*, bool, unsigned int, nsACString_internal const&, nsIMsgCopyServiceListener*, nsIMsgWindow*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/src/nsMsgCopyService.cpp:646
16 	XUL	nsMsgCopy::DoCopy(nsIFile*, nsIMsgFolder*, nsIMsgDBHdr*, bool, nsIMsgWindow*, nsIMsgSend*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgCopy.cpp:274
17 	XUL	nsMsgCopy::StartCopyOperation(nsIMsgIdentity*, nsIFile*, int, nsIMsgSend*, char const*, nsIMsgDBHdr*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgCopy.cpp:225
18 	XUL	nsMsgComposeAndSend::StartMessageCopyOperation(nsIFile*, int, nsCString const&)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:4698
19 	XUL	nsMsgComposeAndSend::MimeDoFCC(nsIFile*, int, char const*, char const*, char const*)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:4667
20 	XUL	nsMsgComposeAndSend::DoFcc()	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:3659
21 	XUL	nsMsgComposeAndSend::DeliverAsMailExit(nsIURI*, nsresult)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:3593
22 	XUL	nsMsgComposeAndSend::SendDeliveryCallback(nsIURI*, bool, nsresult)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:3181
23 	XUL	MsgDeliveryListener::OnStopRunningUrl(nsIURI*, nsresult)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsMsgSend.cpp:249
24 	XUL	nsMsgMailNewsUrl::SetUrlState(bool, nsresult)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/util/nsMsgMailNewsUrl.cpp:97
25 	XUL	nsSmtpProtocol::ProcessProtocolState(nsIURI*, nsIInputStream*, unsigned long long, unsigned int)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/compose/src/nsSmtpProtocol.cpp:2057
26 	XUL	nsMsgProtocol::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long long, unsigned int)	/builds/slave/tb-rel-c-esr45-m64_bld-0000000/build/mailnews/base/util/nsMsgProtocol.cpp:293

Comment 3

[Wayne Mery (:wsmwk)]

I crashed deleting a message bp-b95ce729-805e-4625-854e-33dc10170910.
I was in a list of gloda results (not a cross folder saved search)

Comment 4

[Wayne Mery (:wsmwk)]

(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #3)
> I crashed deleting a message bp-b95ce729-805e-4625-854e-33dc10170910.
> I was in a list of gloda results (not a cross folder saved search)

FWIW user crashes always when "open email as list" bp-3c457cc4-f3a9-44ea-b195-e4b520170912 with InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsMsgSearchDBView::AddHdrFromFolder] - Thunderbird 52.3.0

Comment 5

[Wayne Mery (:wsmwk)]

combined signatures ranks in top 80 for 60.3.1.

In bug 646168 comment 17 you wrote "crash may be that nsMsgSearchDBView (m_view) is already destroyed or invalid.  I don't know root cause."

What issue is seen in the crash for this bug?
Some recent examples:

* bp-86f8a992-8a19-418f-97c6-b59b80181118  "moving files to another folder" (local folder involved)
 0 		@0xffffffff	
1 	xul.dll	nsMsgSearchDBView::OnHdrDeleted(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)	comm/mailnews/base/src/nsMsgSearchDBView.cpp:230
2 	xul.dll	nsMsgDatabase::NotifyHdrDeletedAll(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*)	comm/mailnews/db/msgdb/src/nsMsgDatabase.cpp:902
3 	xul.dll	nsMsgDatabase::DeleteHeader(nsIMsgDBHdr*, nsIDBChangeListener*, bool, bool)	comm/mailnews/db/msgdb/src/nsMsgDatabase.cpp:1996
4 	xul.dll	nsMsgLocalMailFolder::DeleteMessages(nsIArray*, nsIMsgWindow*, bool, bool, nsIMsgCopyServiceListener*, bool)	comm/mailnews/local/src/nsLocalMailFolder.cpp:1226
5 	xul.dll	nsMsgLocalMailFolder::EndMove(bool)	comm/mailnews/local/src/nsLocalMailFolder.cpp:2658
6 	xul.dll	nsCopyMessageStreamListener::EndCopy(nsISupports*, nsresult)	comm/mailnews/base/src/nsCopyMessageStreamListener.cpp:134 

* bp-88953f1f-6365-4aae-be7f-80b060181104  highlighting items to be deleted (selecting) (imap folder involved)

Comment 6

[Makoto Kato [:m_kato]]

both is same issue,but I don't know root cause. m_threadsTable is freed nsIMsgThread... But why?

Comment 7

[Wayne Mery (:wsmwk)]

bp-d28d71a2-f7a7-4da3-ac8d-f457f0190915 @ xul.dll | nsMsgSearchDBView::OnHdrDeleted

Comment 8

[Wayne Mery (:wsmwk)]

perhaps as a result of something in https://mzl.la/2NiWuDP ?

Comment 9

[Wayne Mery (:wsmwk)]

None of these signatures exist in version 91.2.1.
So it is strange this graph shows no decrease trend https://crash-stats.mozilla.org/signature/?signature=nsCOMPtr_base%3A%3Aassign_with_AddRef%20%7C%20nsMsgBodyHandler%3A%3AnsMsgBodyHandler&date=%3E%3D2021-04-30T17%3A46%3A00.000Z&date=%3C2021-10-31T17%3A46%3A00.000Z#graphs

That said, I haven't crashed in a long time from deleting messages in global search results.
I'm not 100% convinced the underlying problem is gone. But I don't have an alternative bug/signature, so let's call it WFM