Bug 1238189: crash in UnescapeAndConvert when accessing http://www.w3.org/TR/html5/
Opened 9 years ago
Closed 8 years ago
Status: RESOLVED WORKSFORME
Categories: MailNews Core :: MIME, defect
Version | Tracking | Status |
---|---|---|
seamonkey2.42 | --- | unaffected |
seamonkey2.43 | --- | affected |
People: Reporter: tonymec, Unassigned
Keywords: crash, regression
Whiteboard: [CLOSEME 2016-12-11 WFM]
Crash Data
This bug was filed from the Socorro interface and is
report bp-6acce554-5804-4546-a200-0a76b2160109.
=============================================================
Also:
bp-407d43db-b159-4612-bf75-638e52160109
bp-51c78635-ffbf-47f3-a58d-82fbd2160108
bp-7770b15d-28da-4f35-9cb3-8906d2160108
bp-b45707b9-e4b4-4707-a1c0-840282160108
All these crashes (all at UnescapeAndConvert) happened during restart of a session containing a tab for http://www.w3.org/TR/html5/ — the two most recent just as I clicked that tab. Then I omitted that tab from the session to be restarted and there was no more crash.
According to MXR, the identifier UnescapeAndConvert is a function name used only in the source file mailnews/compose/src/nsSmtpUrl.cpp (and in particular nowhere in mozilla-central) but I had set SeaMonkey to open only the browser and ChatZilla at startup, not MailNews.
The crashing build is:
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 SeaMonkey/2.43a1"
ID:20160108003001 en-US
c-c:625d871a9669ee81da4b6128efc95301dae3f7cb
m-c:d4213241bb796fdfa7a5ad4f1989e97b44474364
There was no crash with the same session in the previous nightly, whose seamonkey-2.43a1.en-US.linux-x86_64.txt had the following contents:
20160107003001
http://hg.mozilla.org/mozilla-central/rev/1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
http://hg.mozilla.org/comm-central/rev/3f5e39b93615
and also none in any earlier build.
Here are the crash details, as seen by Socorro for the most recent of these crashes (the one from which this bug report was generated):
Signature UnescapeAndConvert
UUID 6acce554-5804-4546-a200-0a76b2160109
Date Processed 2016-01-09T00:47:29.395992+00:00
Uptime 749
Last Crash 1435 seconds before submission
Install Age 9552 since version was first installed.
Install Time 2016-01-08 22:05:48
Product SeaMonkey
Version 2.43a1
Build ID 20160108003001
Release Channel nightly
OS Linux
OS Version 0.0.0 Linux 4.1.13-5-default #1 SMP PREEMPT Thu Nov 26 16:35:17 UTC 2015 (49475c3) x86_64
Build Architecture amd64
Build Architecture Info family 6 model 23 stepping 10 | 2
Crash Reason SIGSEGV
Crash Address 0x0
User Comments During crashed session restore. Again as I clicked on the tab for the W3C HTML5 standard. I'll omit it at next restart.
App Notes
OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Q45/Q43 -- 2.1 Mesa 11.0.8 -- texture_from_pixmap
WebGL? libGL.so.1? libGL.so.1+ GL Context? GL Context+ WebGL+
Processor Notes processor_prod-processor-i-69281bad_17121; MozillaProcessorAlgorithm2015; skunk_classifier: reject - not a plugin hang
EMCheckCompatibility False
Winsock LSP
Adapter Vendor ID
Adapter Device ID
Crashing Thread (0)
Frame Module Signature Source
0 libxul.so UnescapeAndConvert /builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:46
1 libxul.so nsMailtoUrl::ParseMailtoUrl(char*) /builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:211
2 libxul.so nsMailtoUrl::ParseUrl() /builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:305
3 libxul.so nsSmtpService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) /builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpService.cpp:315
4 libxul.so nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) netwerk/base/nsIOService.cpp
5 libxul.so NS_NewURI(nsIURI**, nsACString_internal const&, char const*, nsIURI*, nsIIOService*) netwerk/base/nsNetUtil.inl
6 libxul.so NS_NewURI(nsIURI**, nsAString_internal const&, char const*, nsIURI*, nsIIOService*) netwerk/base/nsNetUtil.inl
7 libxul.so nsGenericHTMLElement::GetURIAttr(nsIAtom*, nsIAtom*, nsIURI**) const dom/html/nsGenericHTMLElement.cpp
8 libxul.so nsGenericHTMLElement::GetHrefURIForAnchors() const dom/html/nsGenericHTMLElement.cpp
9 libxul.so mozilla::dom::HTMLAnchorElement::GetHrefURI() const dom/html/HTMLAnchorElement.cpp
10 libxul.so mozilla::dom::Link::GetURI() const dom/base/Link.cpp
11 libxul.so mozilla::dom::Link::LinkState() const dom/base/Link.cpp
12 libxul.so nsIDocument::FlushPendingLinkUpdates() dom/base/nsDocument.cpp
13 libxul.so nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) layout/base/nsCSSFrameConstructor.cpp
14 libxul.so nsCSSFrameConstructor::ResolveStyleContext(nsIFrame*, nsIContent*, nsIContent*, nsFrameConstructorState*) layout/base/nsCSSFrameConstructor.cpp
15 libxul.so nsCSSFrameConstructor::ResolveStyleContext(nsCSSFrameConstructor::InsertionPoint const&, nsIContent*, nsFrameConstructorState*) layout/base/nsCSSFrameConstructor.cpp
16 libxul.so nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) layout/base/nsCSSFrameConstructor.cpp
17 libxul.so nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) layout/base/nsCSSFrameConstructor.cpp
18 libxul.so nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) layout/base/nsCSSFrameConstructor.cpp
19 libxul.so nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) layout/base/nsCSSFrameConstructor.cpp
20 libxul.so nsCSSFrameConstructor::CreateNeededFrames() layout/base/nsCSSFrameConstructor.cpp
21 libxul.so mozilla::RestyleManager::ProcessPendingRestyles() layout/base/RestyleManager.cpp
22 libxul.so PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp
23 libxul.so nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp
24 libxul.so mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp
25 libxul.so mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp
26 libxul.so mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp
27 libxul.so nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() xpcom/glue/nsThreadUtils.h
28 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
29 libxul.so NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/c-cen-t-lnx64/build/mozilla/xpcom/glue/nsThreadUtils.cpp:297
30 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
31 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
32 libxul.so nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
33 libxul.so nsAppStartup::Run() /builds/slave/c-cen-t-lnx64/build/mozilla/toolkit/components/startup/nsAppStartup.cpp:281
34 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
35 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp
36 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp
37 seamonkey do_main /builds/slave/c-cen-t-lnx64-ntly/build/suite/app/nsSuiteApp.cpp:197
38 seamonkey main /builds/slave/c-cen-t-lnx64-ntly/build/suite/app/nsSuiteApp.cpp:330
Ø 39 libc-2.19.so libc-2.19.so@0x21b04
40 seamonkey _init
41 seamonkey seamonkey@0x55cb
42 seamonkey __libc_csu_fini
43 seamonkey seamonkey@0x55cb
44 seamonkey _start
Comment 1•9 years ago (Reporter)
From hg.mozilla.org: list of changesets from the "last known good" excluded to the "first known bad" included (most recent first):
625d871a9669 for bug 1231642
d880f3209683 for bug 1135663 (a=DONTBUILD)
b2008d57aef4 for bug 1230739
601987a78df2 for bug 1237085
c73aed47dd73 for bug 1228438
586f1324ab64 for bug 1233827
b5ed5553699e for bug 1235355
015e0b60011d for bug 1236296
d991c6964795 for bug 1236164
09bf778fb288 for bug 1234619
17f2d83ce40a for bug 623986
I would have done it too for mozilla-central but there are too many. So I'm just extracting here the relevant info from comment #0:
Last known good: 1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
First known bad: d4213241bb796fdfa7a5ad4f1989e97b44474364
Comment hidden (offtopic)
Comment 3•9 years ago (Reporter)
bp-2751cde4-c1db-4508-8da2-ff7992160110
The page can be read in Lynx (2.8.7rel.2, 21 Jun 2010) with no problem. Let's try a few others...
- Firefox... OK
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" (en-US) ID:20160109030208 CSet:0f363ae95dc90d593394ef464aa500804c824962
- Konqueror... OK in Webkit... OK in KHTML... OK in Okular (View Source)
Konqueror 4.14.10
- Opera... OK
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 OPR/32.0.1948.69
Firefox and SeaMonkey from ftp.mozilla.org, Konqueror and Opera from download.opensuse.org
Whiteboard: parity-Firefox
Comment 4•9 years ago
> All these crashes (all at UnescapeAndConvert) happened during restart of a session
> containing a tab for http://www.w3.org/TR/html5/
I think that page has a mailto link
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/dom/html/nsGenericHTMLElement.cpp#l1764
This calls NewURIWithDocumentCharset
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsNetUtil.inl#l126
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsNetUtil.inl#l115
Which passes to NS_NewURI and then to ioService->NewURI()
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsIOService.cpp#l627
Since this is a mailto: uri it gets passed to:
nsSmtpService::NewURI()
> http://hg.mozilla.org/comm-central/annotate/1eb99f6f98f7/mailnews/compose/src/nsSmtpService.cpp#l315
nsMailtoUrl::ParseUrl()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l305
nsMailtoUrl::ParseMailtoUrl()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l211
nsMailtoUrl::ParseMailtoUrl()
UnescapeAndConvert()
mimeConverter->DecodeMimeHeaderToUTF8()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l46
Component: General → MIME
Product: SeaMonkey → MailNews Core
Whiteboard: parity-Firefox
Comment 5•9 years ago
The code for UnescapeAndConvert contains all sorts of interesting edge cases for XPCONNECT. It is likely that some core mozilla code changed something, and that resulted in a failure of one of the edge cases.
Edge cases:
1) Using an out parameter as an input.
2) Using AutoCString
3) In the JS, calling through arguments rather than directly.
Thoughts, jcranmer?
Flags: needinfo?(Pidgeot18)
Comment 6•9 years ago
(In reply to Tony Mechelynck [:tonymec] from comment #0)
> ...
> The crashing build is:
> UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
> SeaMonkey/2.43a1"
> ID:20160108003001 en-US
> c-c:625d871a9669ee81da4b6128efc95301dae3f7cb
> m-c:d4213241bb796fdfa7a5ad4f1989e97b44474364
>
> There was no crash with the same session in the previous nightly, whose
> seamonkey-2.43a1.en-US.linux-x86_64.txt had the following contents:
> 20160107003001
> http://hg.mozilla.org/mozilla-central/rev/
> 1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
> http://hg.mozilla.org/comm-central/rev/3f5e39b93615
>
> and also none in any earlier build.
Your nod to possible regression range might not totally square with crash-stats, which lists these SeaMonkey crashes:
bp-e81ce54a-4f4d-4a4d-80e9-dc08a2151128 2015-11-28 17:53:54
bp cced7942-e446-47b9-81da-79b152151001 2015-10-01 06:48:20
these are the oldest I find.
And no crashes for Thunderbird.
Comment 7•9 years ago
(In reply to Kent James (:rkent) from comment #5)
> The code for UnescapeAndConvert contains all sorts of interesting edge cases
> for XPCONNECT. It is likely that some core mozilla code changed something,
> and that resulted in a failure of one of the edge cases.
>
> Edge cases:
>
> 1) Using an out parameter as an input.
> 2) Using AutoCString
> 3) In the JS, calling through arguments rather than directly.
>
> Thoughts, jcranmer?
The crash is in UnescapeAndConvert, not anything deeper in xpconnect. As a SIGSEGV, the most likely scenario is someone is null, the obvious candidates being mimeConverter or possibly the string. The registers on the crashing thread seem to indicate that this is not the case, though, so my next guess (without being able to catch it in a debugger) is that there's some heap corruption that's overwriting a vtable pointer or vtable entry.
Flags: needinfo?(Pidgeot18)
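Comments 5 and 7 name a null converter, a null string, and an out parameter used as input as possible fault sources. The stand-alone model below is an added example, not the code at nsSmtpUrl.cpp and not from any commenter; it shows a percent-unescape and convert step that fails closed on each of them. All type and function names in it are hypothetical.

```cpp
// Added illustration: a stand-alone model, not mailnews/compose/src/nsSmtpUrl.cpp.
// MimeConverter, PassThroughConverter, PercentUnescape, UnescapeAndConvertChecked: hypothetical.
#include <cctype>
#include <string>

// Stand-in for a service obtained at run time; the lookup can yield null.
struct MimeConverter {
  virtual ~MimeConverter() {}
  virtual bool DecodeHeaderToUTF8(const std::string& in, std::string& out) const = 0;
};

// Constructed converter for the demo: returns the text unchanged.
struct PassThroughConverter : MimeConverter {
  bool DecodeHeaderToUTF8(const std::string& in, std::string& out) const override {
    out = in; return true;
  }
};

static int HexVal(unsigned char c) {
  if (std::isdigit(c)) return c - '0';
  c = static_cast<unsigned char>(std::tolower(c));
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

// Percent-decode a mailto field. Malformed or truncated escapes are copied
// literally, so the loop never reads past the end of the input.
std::string PercentUnescape(const std::string& in) {
  std::string out;
  for (std::string::size_type i = 0; i < in.size(); ++i) {
    int hi = -1, lo = -1;
    if (in[i] == '%' && i + 2 < in.size() &&
        (hi = HexVal(in[i + 1])) >= 0 && (lo = HexVal(in[i + 2])) >= 0) {
      out.push_back(static_cast<char>(hi * 16 + lo));
      i += 2;
    } else {
      out.push_back(in[i]);
    }
  }
  return out;
}

// Fails closed on either null candidate; `out` is written only on success, never read.
bool UnescapeAndConvertChecked(const MimeConverter* conv, const char* escaped, std::string& out) {
  if (!conv || !escaped) return false;
  std::string decoded;
  if (!conv->DecodeHeaderToUTF8(PercentUnescape(escaped), decoded)) return false;
  out = decoded;
  return true;
}
```

A guard of this kind covers only the null cases; it does nothing for the heap-corruption hypothesis raised in comment 7.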
Comment 8•9 years ago
Is this now WFM?
Nothing on crash-stats with your email address after bp-7b2403eb-fb31-4cc4-b0ea-688722160701 - i.e. many months.
Flags: needinfo?(antoine.mechelynck)
Comment 9•9 years ago (Reporter)
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #8)
> Is this now WFM?
> Nothing on crash-stats with your email address after
> bp-7b2403eb-fb31-4cc4-b0ea-688722160701 - i.e. many months.
It's just that at comment #0 "I omitted that tab" from my session and did not restore it afterwards. I'll try. If it crashes again I shall say so and remove the tab again.
Comment 10•9 years ago (Reporter)
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49a1"
ID:20161110003001 en-US
c-c:5cb6c4f805a525ffda697c35221af3612f4cccf3
m-c:336759fad4621dfcd0a3293840edbed67018accd
I've put that URL back into my session and it doesn't seem to crash — or not every time. I propose to close this bug if the crash does not reappear within a month.
Flags: needinfo?(antoine.mechelynck)
Whiteboard: [CLOSEME WFM 2016-12-11]
Updated•8 years ago
Whiteboard: [CLOSEME WFM 2016-12-11] → [CLOSEME 2016-12-11 WFM]
Comment 11•8 years ago (Reporter)
No reply to comment #10 in more than a month, closing.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME