Closed Bug 1163132 Opened 5 years ago Closed 4 years ago

crash in nsMsgFilterAfterTheFact::ContinueExecutionPrompt()

Categories

(Thunderbird :: Filters, defect, critical)

38 Branch
x86
Windows NT
defect
Not set
critical

Tracking

(thunderbird38 fixed, thunderbird39 fixed, thunderbird40 fixed, thunderbird41 fixed)

RESOLVED FIXED
Thunderbird 41.0
Tracking Status
thunderbird38 --- fixed
thunderbird39 --- fixed
thunderbird40 --- fixed
thunderbird41 --- fixed

People

(Reporter: rkent, Assigned: rkent)

References

Details

(Keywords: crash, regression, topcrash-thunderbird, Whiteboard: [regression:TB37])

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-be07b0a6-87c6-44dd-9e9a-e467b2150502.
=============================================================
Somehow the filter executor is getting destroyed prematurely. The stacks seem messed up after a certain point.

This patch is really a simple, no-risk experiment. I don't have better ideas. Still a top crasher.
Assignee: nobody → rkent
Status: NEW → ASSIGNED
Attachment #8603533 - Flags: review?(neil)
Comment on attachment 8603533 [details] [diff] [review]
Hold onto reference in parent to ApplyFilters

Given line 336 I can't see how this makes any difference, but you're welcome to try.
Attachment #8603533 - Flags: review?(neil) → review+
indeed #3 crash for 38.0b4. And, I do not see any crashes before version 37 beta.

The majority of crashes may be the person with this crash bp-bb602fbe-ee18-4ab3-ac72-340672150330.  He has many lterAfterTheFact::ApplyFilter(bool*) / bug 797710 crashes such as bp-b623460d-8c6f-4148-bf80-acd702150224.  I'll check to see if he is using maildir.
See Also: → 797710
First 37.0a1 is 29-Nov-2014. So the regression could be one of these

831c95685e21 2015-03-25 15:23 -0700	ISHIKAWA, Chiaki - Bug 1146100: save a to-be-freed value for later use, r=rkent

b50441dcdf0d 2015-02-23 01:49 +0100	ISHIKAWA, Chiaki - Bug 854172 - Add a missing check of the return value of MoveIncorporatedMessage, and the failure to log such failure. r=rkent IGNORE IDL

5967bba9d130 2015-01-01 10:25 -0800	R Kent James - Bug 1116561 - filter after the fact should return an error if any filter failed, r=neil, a=rkent

79d319474891 2014-12-30 21:53 +0000	Neil Rashbrook - Bug 11039 Filter sent messages r=rkent a=starred CLOSED TREE

7bc453bb4cdd 2014-12-20 08:48 -0800	R Kent James - Bug 695671 - Only 1 message filter seems to execute when I hit "Run Filters on Folder", r=neil, a=rkent
Does this happen only under Windows?
(In reply to ISHIKAWA, Chiaki from comment #5)
> Does this happen only under Windows?

so far, yes only windows.  But the crash count to date is much, much too low to say that other OS are not impacted. N.B. bug 797710 is all OS.

What are you thinking?
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #6)
> (In reply to ISHIKAWA, Chiaki from comment #5)
> > Does this happen only under Windows?
> 
> so far, yes only windows.  But the crash count to date is much, much too low
> to say that other OS are not impacted. N.B. bug 797710 is all OS.
> 
> What are you thinking?

Maybe a low-level machine-dependent library may have some funny interactions, etc.
But I am sort of a fishing trip on this one. I have no clear idea.
At least, from the static reading of the code for linux part, it is hard to see
where the double-free, etc. can happen.

I will keep an eye on this while I work on the POP3/IMAP code, though.

TIA
http://hg.mozilla.org/comm-central/rev/2e392e51238e

(keep open, this is an experiment)
Target Milestone: --- → Thunderbird 41.0
Attachment #8603533 - Flags: approval-comm-beta?
Attachment #8603533 - Flags: approval-comm-aurora?
Comment on attachment 8603533 [details] [diff] [review]
Hold onto reference in parent to ApplyFilters

http://hg.mozilla.org/releases/comm-aurora/rev/c66ae8a4029e
Attachment #8603533 - Flags: approval-comm-aurora? → approval-comm-aurora+
Comment on attachment 8603533 [details] [diff] [review]
Hold onto reference in parent to ApplyFilters

TB 38: http://hg.mozilla.org/releases/comm-beta/rev/ce7bee323287
TB 39: http://hg.mozilla.org/releases/comm-beta/rev/127e1f37bc11
Attachment #8603533 - Flags: approval-comm-beta? → approval-comm-beta+
Keywords: leave-open
bug 1186392 has an example crash of version 38.
If you think it is the same issue I'll dupe it to this bug
Flags: needinfo?(rkent)
Yes the crash in bug 1186392 has the same pattern as this, namely that the main object is being deleted from some unknown source. Si I would say that we failed to fix this bug, and re-opening and duping might be the best path.
Flags: needinfo?(rkent)
Crash Signature: [@ nsMsgFilterAfterTheFact::ContinueExecutionPrompt()] → [@ nsMsgFilterAfterTheFact::ContinueExecutionPrompt()] [@ nsMsgFilterAfterTheFact::ContinueExecutionPrompt]
Duplicate of this bug: 1186392
The signature is gone in version 38.3.0 [1], so I believe this and bug 1153820 are pretty much fixed by bug 797710. (and perhaps the patch here helped?)

Although a topcrash for trunk and 37beta, this never evolved into a topcrash for version 38 - far from it, only a few crashes per week for 38.1.0, and 38.2.0.

(Only one filter crash in top 300 for 38.3.0. Rank #300 @ nsMsgFilterAfterTheFact::ApplyFilter, only 24 crashes in one week, bug 537017)

[1] https://crash-stats.mozilla.com/search/?signature=~nsMsgFilterAfterTheFact%3A%3AContinueExecutionPrompt&product=Thunderbird&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [regression:TB37]
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in before you can comment on or make changes to this bug.