Forwarding message crashes Mozilla

RESOLVED WORKSFORME

Status

MailNews Core
Composition
--
critical
RESOLVED WORKSFORME
16 years ago
9 years ago

People

(Reporter: Bill Sheppard, Assigned: Jean-Francois Ducarroz)

Tracking

({crash, stackwanted})

Trunk
x86
Windows 98
crash, stackwanted

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(5 attachments)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.7) Gecko/20011221
BuildID:    2001122106

I received a message which had been repeatedly forwarded, apparently munging a
fair amount of the MIME encoding.  I forwarded this message as an attachment to
another account and deleted the original.  Now upon attempting to forward the
copy saved in my Sent mail folder (which should have the original message
encapsulated as an attachment) Mozilla crashes with an invalid page fault in
module MSVCRT.DLL at 0177:7800b9c8.

I've attached the stack trace and the problem message.

Reproducible: Always
Steps to Reproduce:
1. Select offending message in selection pane
2. Click on "Forward" toolbar button


Actual Results:  Mozilla crashes

Expected Results:  Composition window opens
(Reporter)

Comment 1

16 years ago
Created attachment 66538 [details]
Stack trace from crash
(Reporter)

Comment 2

16 years ago
Created attachment 66539 [details]
Message which causes crash
Reporter: 
Can you please use a talkback enabled build ?
After talkback submitted the crash run mozilla/components/talkback.exe manually 
to get the Talkback ID# and add this TB ID# in this bug.

And can you right click on that message and save it as Mail File (*.eml) and 
attach it here ?
Keywords: crash

Updated

16 years ago
QA Contact: nbaca → sheelar

Comment 4

16 years ago
reassign and change the component
Assignee: mscott → ducarroz
Component: Networking - SMTP → Composition

Comment 5

16 years ago
Reporter,
The build you are using is old. Can you try this on a newer build?
(Reporter)

Comment 6

16 years ago
OK, looks like this works fine on 2002020406 (0.98).  Thanks!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 7

16 years ago
Sorry, spoke too soon.  Forwarding the original message (which is now in the 
trash folder) works, but forwarding the copy I forwarded (from the sent folder) 
crashes on build 2002020406.  Talkback ID is #TB2546617Y, reported 2/5/02 at 
12:55PM.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Keywords: stackwanted
Please try this with a trunk build


MSVCRT.DLL + 0xb9c8 (0x7800b9c8)
MSVCRT.DLL + 0xb30c (0x7800b30c)
PR_Free [../../../../pr/src/malloc/prmem.c, line 436]
mime_free_attachments
[d:\builds\seamonkey\mozilla\mailnews\mime\src\mimedrft.cpp, line 498]
mime_parse_stream_complete
[d:\builds\seamonkey\mozilla\mailnews\mime\src\mimedrft.cpp, line 1573] 

Comment 9

16 years ago
Isn't this a dupe of #122196
Bill, I can't crash with build 2002-02-27-03 on Windows 2000 with your test
message (forwarding, replying).  Is this fixed for you, too?

Comment 11

16 years ago
Created attachment 85261 [details]
Another message causing the crash

An eml file containing the message that caused a crash repeatedly.

Comment 12

16 years ago
Crash when forwarding message - repeatable for me.

Unhandled exception in mozilla.exe (MSGBSUTIL.DLL): 0xC0000005: Access Violation

Occurs repeatably when I select a particular message in my IMAP Inbox and
hit the Forward button. Crash occurrs as soon as Forward button released.
Only ever seen with one particular message.

Here is the mozilla build info:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3)
Gecko/20020523
BuildID:    2002052306

OS is Win2K Server + SP2

Here is the stack trace:

MSGBSUTL! 60f34439()
MIME! 607395b7()
MIME! 60738ec6()
MIME! 60732ca9()
MSGIMAP! 6087db4d()
NECKO! 6096d927()
XPCOM! 6116d41f()
SETUPAPI! 778b0c24

Here is the register info:

 EAX = 0012FA34 EBX = 00000000 ECX = 00000000 EDX = 80000000 ESI = 030548F0 EDI 
= 00000000
 EIP = 60F34439 ESP = 0012F82C EBP = 0012FA14 EFL = 00000206
 MM0 = BAD088FC00000000 MM1 = BFE89B63000000E1 MM2 = BFEA2CE7BAD0877C MM3 = 
BAD086B800000000
 MM4 = 0000000000000000 MM5 = 0000000000000000 MM6 = 0000000000000000 MM7 = 
FA00000000000000
 XMM0 = 0012FDF00012FD40000000180000001B XMM1 = 7FFDE0000012FFB000000000BAD08DD8
 XMM2 = BAD0891C81176554BAD086480012FDC8 XMM3 = 7FFDE6CC00000000804147538045FD60
 XMM4 = 824E77DCA0000373BAD0892C00000000 XMM5 = 00000084000007AAA005408C00000001
 XMM6 = 00525D700000000000000018A0380E68 XMM7 = 00000000006C01EA0000000000000084
 CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 
PL=0 ZR=0 AC=0 PE=1 CY=0
 XMM00 = +3.78351E-044 XMM01 = +3.36312E-044 XMM02 = +1.74389E-039 XMM03 = 
+1.74413E-039
 XMM10 = -1.59114E-003 XMM11 = +0.00000E+000 XMM12 = +1.74476E-039 XMM13 = 
+1.#QNANE+000
 XMM20 = +1.74408E-039 XMM21 = -1.59092E-003 XMM22 = -2.78070E-038 XMM23 = -
1.59100E-003
 XMM30 = -6.42754E-039 XMM31 = -5.99489E-039 XMM32 = +0.00000E+000 XMM33 = 
+1.#QNANE+000
 XMM40 = +0.00000E+000 XMM41 = -1.59100E-003 XMM42 = -1.08432E-019 XMM43 = -
1.51689E-037
 XMM50 = +1.40130E-045 XMM51 = -1.12869E-019 XMM52 = +2.74935E-042 XMM53 = 
+1.84971E-043
 XMM60 = -1.55902E-019 XMM61 = +3.36312E-044 XMM62 = +0.00000E+000 XMM63 = 
+7.56403E-039
 XMM70 = +1.84971E-043 XMM71 = +0.00000E+000 XMM72 = +9.91892E-039 XMM73 = 
+0.00000E+000 MXCSR = 00001F80
 ST0 = +2.11281009475938174e+0719 ST1 = +0.00000000000000000e+0000 ST2 = -
1.89865406387901985e+0176
 ST3 = +5.87511559076009300e+3771 ST4 = +0.00000000000000000e+0000 ST5 = 
+0.00000000000000000e+0000
 ST6 = +0.00000000000000000e+0000 ST7 = +5.00000000000000000e+0002
 CTRL = 027F STAT = 4020 TAGS = FFFF EIP = 78001E27
 CS = 001B DS = 0023 EDO = 0012F434

Updated

16 years ago
QA Contact: sheelar → meehansqa

Comment 13

16 years ago
Reporter: I can't reproduce this with build 2002-06-03-08 using your test
message on Windows 2000. Can you test and see if this still happens for you?
(Reporter)

Comment 14

16 years ago
Works fine for me now.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago16 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 15

16 years ago
Oops - my message works OK, but others who have reported crashing messages
should probably test their's as well.  Incidentally, this worksforme on 1.0RC3.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

Comment 16

16 years ago
Terry, can you test this in your scenario?

Comment 17

16 years ago
Hit Forward button to forward a selected message. (RC3 on Win2K)

Read access violation.

Stack trace:

MSGBSUTL! 60f34439()
MIME! 607395b7()
MIME! 60738ec6()
MIME! 60732ca9()
MSGIMAP! 6087db4d()
NECKO! 6096d927()
XPCOM! 6116d41f()
SETUPAPI! 778b0c

Registers:

EAX = 0012FA34 EBX = 00000000 ECX = 00000000 EDX = 80000000 ESI = 044EB7E0 EDI =
00000000
 EIP = 60F34439 ESP = 0012F82C EBP = 0012FA14 EFL = 00200206
 MM0 = 00000001000000AF MM1 = BAF29614819034C8 MM2 = BAF2991C80469FD3 MM3 =
814C508CBAF29644
 MM4 = 0000000000000000 MM5 = 0000000000000000 MM6 = 0000000000000000 MM7 =
FA00000000000000
 XMM0 = 0012FDF00012FD40000000180000001B XMM1 = 7FFDE0000012FFB000000000BAF29DD8
 XMM2 = BAF2991C814C5054BAF296480012FDC8 XMM3 = 7FFDE6CC00000000804147538045FD60
 XMM4 = 8191AE3CA0000373BAF2992C00000000 XMM5 = 0000008400000358A005408C00000001
 XMM6 = 0045A8E8819034C818F48FF5A038C770 XMM7 = 00000000005001940000000000000084
 CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 PL=0
ZR=0 AC=0 PE=1 CY=0
 XMM00 = +3.78351E-044 XMM01 = +3.36312E-044 XMM02 = +1.74389E-039 XMM03 =
+1.74413E-039
 XMM10 = -1.85102E-003 XMM11 = +0.00000E+000 XMM12 = +1.74476E-039 XMM13 =
+1.#QNANE+000
 XMM20 = +1.74408E-039 XMM21 = -1.85079E-003 XMM22 = -3.75265E-038 XMM23 =
-1.85088E-003
 XMM30 = -6.42754E-039 XMM31 = -5.99489E-039 XMM32 = +0.00000E+000 XMM33 =
+1.#QNANE+000
 XMM40 = +0.00000E+000 XMM41 = -1.85088E-003 XMM42 = -1.08432E-019 XMM43 =
-5.35146E-038
 XMM50 = +1.40130E-045 XMM51 = -1.12869E-019 XMM52 = +1.19951E-042 XMM53 =
+1.84971E-043
 XMM60 = -1.56514E-019 XMM61 = +6.32179E-024 XMM62 = -5.29730E-038 XMM63 =
+6.39724E-039
 XMM70 = +1.84971E-043 XMM71 = +0.00000E+000 XMM72 = +7.34741E-039 XMM73 =
+0.00000E+000 MXCSR = 00001F80
 ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000 ST2 =
+0.00000000000000000e+0000
 ST3 = +9.06221337680116653e+1242 ST4 = +0.00000000000000000e+0000 ST5 =
+0.00000000000000000e+0000
 ST6 = +0.00000000000000000e+0000 ST7 = +5.00000000000000000e+0002
 CTRL = 027F STAT = 4023 TAGS = FFFF EIP = 78001E27
 CS = 001B DS = 0023 EDO = 0012F434

Memory:

60F34405   pop         ebx
60F34406   leave
60F34407   ret
60F34408   push        ebp
60F34409   mov         ebp,esp
60F3440B   sub         esp,1DCh
60F34411   push        ebx
60F34412   push        esi
60F34413   mov         esi,dword ptr [ebp+0Ch]
60F34416   xor         ebx,ebx
60F34418   cmp         esi,ebx
60F3441A   push        edi
60F3441B   jne         60F34427
60F3441D   mov         eax,80004003h
60F34422   jmp         60F34603
60F34427   cmp         byte ptr [esi],bl
60F34429   jne         60F34436
60F3442B   mov         ecx,dword ptr [ebp+10h]
60F3442E   push        ebx
60F3442F   mov         eax,dword ptr [ecx]
60F34431   call        dword ptr [eax+24h]
60F34434   jmp         60F34475
60F34436   mov         edi,dword ptr [ebp+8]
60F34439   cmp         byte ptr [edi],bl
60F3443B   je          60F3445F
60F3443D   push        edi
60F3443E   push        60F48EF8h
60F34443   call        60F361A2
60F34448   pop         ecx
60F34449   test        eax,eax
60F3444B   pop         ecx
60F3444C   je          60F3445F
60F3444E   push        edi
60F3444F   push        60F48EECh
60F34454   call        60F361A2
60F34459   pop         ecx
60F3445A   test        eax,eax
60F3445C   pop         ecx
60F3445D   jne         60F3447C
60F3445F   push        esi
60F34460   call        dword ptr ds:[60F3722Ch]

Current instruction pointer at 60F34439.
This is the second time I've seen this. It appears to be specific to
the message being forwarded. It is repeatable.

Comment 18

16 years ago
Created attachment 86396 [details]
Message that caused crash mentioned in comment above

Comment 19

16 years ago
Just downloaded nightly build from 05Jun2002 and tested.
Both of my test cases still crash repeatably on this build.
Crash is at same address for both test cases.

Mozilla 1.0.0+
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0+) Gecko/20020605

The instruction at "0x61104276" referenced the memory at "0x00000000". The
memory could not be "read".

PC at 61104276   cmp         byte ptr [edi],bl

Stack:

MSGBSUTL! 61104276()
MIME! 60cb9847()
MIME! 60cb9164()
MIME! 60cb2c5b()
MSGIMAP! 60d2d732()
NECKO! 602ed682()
XPCOM! 60ead5b0()
XPCOM! 60ea2f5a()
SETUPAPI! 778b0c24()

Registers:

EAX = 0012FA2C EBX = 00000000 ECX = 00000000 EDX = 80000000 ESI = 033C4FF8 EDI =
00000000
 EIP = 61104276 ESP = 0012F824 EBP = 0012FA0C EFL = 00200206
 MM0 = 80414C0B80415CF6 MM1 = 0000000000000000 MM2 = A0000B2FBB5F6614 MM3 =
0000000000000000
 MM4 = 0000000000000000 MM5 = 0000000000000000 MM6 = 0000000000000000 MM7 =
FA00000000000000
 XMM0 = 0012FDEC0012FD3C000000180000001B XMM1 = 7FFDE0000012FFB000000000BB5F6DD8
 XMM2 = BB5F691C812EB3D4BB5F66480012FDC4 XMM3 = 7FFDE6CC00000000804147538045FD60
 XMM4 = 8191AE3CA0000373BB5F692C00000000 XMM5 = 00000084000002EAA005408C00000001
 XMM6 = 004EB550E58AEB04E58AEAFCA03EC2E8 XMM7 = 000000000037017E0000000000000084
 CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 PL=0
ZR=0 AC=0 PE=1 CY=0
 XMM00 = +3.78351E-044 XMM01 = +3.36312E-044 XMM02 = +1.74388E-039 XMM03 =
+1.74413E-039
 XMM10 = -3.40926E-003 XMM11 = +0.00000E+000 XMM12 = +1.74476E-039 XMM13 =
+1.#QNANE+000
 XMM20 = +1.74407E-039 XMM21 = -3.40881E-003 XMM22 = -3.20878E-038 XMM23 =
-3.40897E-003
 XMM30 = -6.42754E-039 XMM31 = -5.99489E-039 XMM32 = +0.00000E+000 XMM33 =
+1.#QNANE+000
 XMM40 = +0.00000E+000 XMM41 = -3.40898E-003 XMM42 = -1.08432E-019 XMM43 =
-5.35146E-038
 XMM50 = +1.40130E-045 XMM51 = -1.12869E-019 XMM52 = +1.04537E-042 XMM53 =
+1.84971E-043
 XMM60 = -1.61581E-019 XMM61 = -8.20027E+022 XMM62 = -8.20027E+022 XMM63 =
+7.22821E-039
 XMM70 = +1.84971E-043 XMM71 = +0.00000E+000 XMM72 = +5.05149E-039 XMM73 =
+0.00000E+000 MXCSR = 00001F80
 ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000 ST2 =
+0.00000000000000000e+0000
 ST3 = +0.00000000000000000e+0000 ST4 = +0.00000000000000000e+0000 ST5 =
+0.00000000000000000e+0000
 ST6 = +0.00000000000000000e+0000 ST7 = +5.00000000000000000e+0002
 CTRL = 027F STAT = 4020 TAGS = FFFF EIP = 78001E27
 CS = 001B DS = 0023 EDO = 0012F428

Instruction context:

61104243   leave
61104244   ret
61104245   push        ebp
61104246   mov         ebp,esp
61104248   sub         esp,1DCh
6110424E   push        ebx
6110424F   push        esi
61104250   mov         esi,dword ptr [ebp+0Ch]
61104253   xor         ebx,ebx
61104255   cmp         esi,ebx
61104257   push        edi
61104258   jne         61104264
6110425A   mov         eax,80004003h
6110425F   jmp         61104440
61104264   cmp         byte ptr [esi],bl
61104266   jne         61104273
61104268   mov         ecx,dword ptr [ebp+10h]
6110426B   push        ebx
6110426C   mov         eax,dword ptr [ecx]
6110426E   call        dword ptr [eax+24h]
61104271   jmp         611042B2
61104273   mov         edi,dword ptr [ebp+8]
61104276   cmp         byte ptr [edi],bl
61104278   je          6110429C
6110427A   push        edi
6110427B   push        61118F88h
61104280   call        611061BA
61104285   pop         ecx
61104286   test        eax,eax
61104288   pop         ecx
61104289   je          6110429C
6110428B   push        edi
6110428C   push        61118F7Ch
61104291   call        611061BA
61104296   pop         ecx
61104297   test        eax,eax
61104299   pop         ecx
6110429A   jne         611042B9
6110429C   push        esi
6110429D   call        dword ptr ds:[6110722Ch]
611042A3   test        eax,eax
611042A5   pop         ecx
611042A6   je          611042B9
611042A8   mov         ecx,dword ptr [ebp+10h]
611042AB   push        esi
611042AC   call        dword ptr ds:[61107178h]
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 20

16 years ago
using yesterday nigtly build, I am not anle to reproduce the crash. Can somebody
give me the exact steps te recreate the problem. Also, let me know if you do a
forward inline or forward as attachment. Thanks

Comment 21

16 years ago
Created attachment 86888 [details]
MozBugMessages mailbox files for Local Folders account

Comment 22

16 years ago
Using Mozilla 1.0 release, confirmed that on Win2k, the bug occurs
only when forwarding inline, not when forwarding attached.

I will attach a zip file containing 2 files. These files constitute
a "Local Folders" mailbox named "MozBugMessages". To test, you start
mail, create an empty Local Folder called MozBugMessages and then
exit Mozilla. Next, replace the files MozBugMessages and MozBugMessages.msf
in your Local Folders directory with the files from the zip
attached to this bug. Restart Mozilla. You should be able to
open the MozBugMessages folder in the Local Folders
account, select the one message, and then hit Forward. On my system, if
Forwarding is set to Inline, an access violation will occur. Always.

Comment 23

16 years ago
I am seeing a similar crash. However, the exact steps for my crash are a 
little bit different:

To reproduce:

1. Click on any message in IMAP
2. View Message Source for message (Ctrl-U)
3. Close Message Source window
4. Quickly, hit forward toolbar button.
5. Result is a crash

Errors filed as Talkback # TB147185Y, TB146914H and #TB146873E, reported 
6/8/2002.

Comment 24

16 years ago
BTW, that crash is on RC3

Comment 25

14 years ago
unable to reproduce with attached message. tested windows Mozilla 1.7 beta.
Status: NEW → RESOLVED
Last Resolved: 16 years ago14 years ago
Resolution: --- → WORKSFORME
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.