Build ID: 2002-03-12-08, Linux RedHat 7.2
Summary: Crash in [ @ nsNntpCacheStreamListener::OnStartRequest] closing
Steps to Reproduce:
DISCLAIMER: Not very reproducable, and the server was being extremely slow when
I was doing this, so bear with me.
1. Double-click on multiple news postings.
2. Before they come up entirely, close their windows.
Window should close.
Crash in nsNntpCacheStreamListener::OnStartRequest
Here's the full stack, but it's not particularly useful.
libgdk-1.2.so.0 + 0x1710f (0x4036910f)
libglib-1.2.so.0 + 0x10055 (0x40398055)
libglib-1.2.so.0 + 0x10659 (0x40398659)
libglib-1.2.so.0 + 0x107e8 (0x403987e8)
libgtk-1.2.so.0 + 0x9127b (0x402b427b)
netscape-bin + 0x84a9 (0x080504a9)
netscape-bin + 0x8cf7 (0x08050cf7)
libc.so.6 + 0x1c306 (0x404f5306)
Are there other crashes in talkback, with the same stack? Any other data?
It was from a Windows XP user, but they didn't place their email or steps to
reproduce in the stack
2002031805 MozillaTrunk Windows NT 5.1 build 2600 2002-03-21 04:13:42
Okay, people are still seeing this. I'm seeing crashes in Talkback stacks as
recent as 8/26/2002.
EAX: 00000000 EBX: 60012450 ECX: 00000000 EDX: 0012fd08
ESI: 03f418e0 EDI: 00000000 ESP: 0012fcec EBP: 0012fd0c
EIP: 60c4fe2a cf PF af ZF sf of IF df nt RF vm IOPL: 0
CS: 001b DS: 0023 SS: 0023 ES: 0023 FS: 0038 GS: 0000
Code Around the PC:
60c4fe2a 8b08 mov ecx,[eax]
60c4fe2c ff5124 call dword ptr [ecx+0x24]
60c4fe2f 8b45fc mov eax,[ebp-0x4]
60c4fe32 3bc7 cmp eax,edi
60c4fe34 740a jz 60c4fe40
60c4fe36 8b08 mov ecx,[eax]
60c4fe38 57 push edi
60c4fe39 ff7508 push dword ptr [ebp+0x8]
60c4fe3c 50 push eax
60c4fe3d ff5144 call dword ptr [ecx+0x44]
60c4fe40 ff7510 push dword ptr [ebp+0x10]
60c4fe43 8b760c mov esi,[esi+0xc]
60c4fe46 ff7508 push dword ptr [ebp+0x8]
60c4fe49 8b491c mov ecx,[ecx+0x1c]
The crash occurs at line 721:
Looks like mChannelToUse is null.
NOTE: The assembler is not exactly identical to what I have on my system, but
I'm pretty certain this is the crash.
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity. Only changing open bugs to
minimize unnecessary spam. Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.
not very many crashes, and mostly by one user. marking topcrash-
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c line 659]
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c line 594]
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsEventQueue.cpp line 391]
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp line 194]
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp line 75]
libglib-1.2.so.0 + 0xee00 (0x40289e00)
libglib-1.2.so.0 + 0x104c8 (0x4028b4c8)
libglib-1.2.so.0 + 0x10ad3 (0x4028bad3)
libglib-1.2.so.0 + 0x10c6c (0x4028bc6c)
libgtk-1.2.so.0 + 0x8d7f7 (0x401ac7f7)
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp line 336]
libc.so.6 + 0x15a51 (0x403a3a51)
This crash is still around, but not in huge numbers for any particular release:
I see a lot of these in current talkback queries.
Also see Bug 281212, it contains steps how to reproduce this bug (or at least
one variant of a nsNntpCacheStreamListener::OnStartRequest crasher).
low on the 220.127.116.11 list, currently #88 in talkcback
TB34590930 doing... "Absolutely nothing. Computer was locked and thunderbird was inactive (open on a newsgroup page). This install was only upgraded to 18.104.22.168 in the last hour. Thunderbird has never crashed before on this machine.
nsNntpCacheStreamListener::OnStartRequest [mozilla/mailnews/news/src/nsNNTPProtocol.cpp, line 659]
nsInputStreamPump::OnStateStart [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 442]
nsOutputStreamReadyEvent::EventHandler [mozilla/xpcom/io/nsStreamUtils.cpp, line 121]
interesting... TB34298317 "going offline and reading news posts"
one more: TB34397104
This is now #3 crash for windows trunk 3.0b1 http://crash-stats.mozilla.com/report/list?product=Thunderbird&version=Thunderbird%3A3.0b1&version=Thunderbird%3A3.0b1pre&platform=windows&query_search=signature&query_type=contains&query=&date=&range_value=2&range_unit=weeks&do_query=1&signature=nsNntpCacheStreamListener%3A%3AOnStartRequest%28nsIRequest*%2C%20nsISupports*%29
one example bp-a52b67e7-8784-4a96-8299-e2be92081210 "closing thunderbird and it crashed"
seems possible this has to do with the changes to the way nntp does connection caching... bug 66150 - I'll look for this crash. I haven't seen it myself
bp-1bd8d97c-8241-4d71-b14e-7479a2081224 has a comment "when connecting a news group, I click the "go offline" button, then it crashes
I crashed with bp-410922bb-93a2-46e7-b702-ba5972090102.
That's on mChannelToUse->GetLoadGroup(getter_AddRefs(loadGroup));
Should we just null check mChannelToUse?
http://crash-stats.mozilla.com/report/index/d792ecfb-2348-4333-922f-6733a2090306 "Checking the failing^Hmailing list for news.php.net which frequently times out."
Would be nice to fix this for TB3. This is topcrash #20 for TB3.0b2
#13 crash in 3.0b3pre
I crashed twice in that method in the last 30 minutes reading news on news.mozilla.org (using "N" goto next unread message)
and a while ago the same:
*** Bug 506257 has been marked as a duplicate of this bug. ***
bp-b7963bd8-3726-42cc-95f2-29c922090722 has a user comment:
"i guess i was traversing thru a newsgroup with large number of headers > 500 very quickly with 'T' for marking thread as reading and moving to next thread. mail was open in 2nd tab."
Bug 506257 states it's reproduceable by "switching through the news pressing Space for about 10-20 seconds" and provides those crash IDs on SeaMonkey 2.0 Beta 1:
Currently that signature is #13 topcrasher for Thunderbird 3.0 Beta 3:
Here's a Mac stack, so it's happening on all platforms: bp-dd29e64d-f474-4f4c-a7c3-b10592090723
SeaMonkey 2.0 Beta 1 shows it as #10 topcrasher right now: http://crash-stats.mozilla.com/topcrasher/byversion/SeaMonkey/2.0b1
I was the one with the space key on a xp system using an external news server.
I tried to reproduce it with my local hamster, a local news server.
SM did not crash but was busy for about one minute (netbook),
Hamster is set to allow 100 NNTP connections (instead of 4) per user due to errors i recieved due to this Bug ... recursion sucks...
Is there some testing that can be done?
Created attachment 390596 [details] [diff] [review]
I hit this crash once, and these two checks should fix the crash I saw...
Comment on attachment 390596 [details] [diff] [review]
nsNntpCacheStreamListener::OnStartRequest(nsIRequest *request, nsISupports * aCtxt)
Why does it only go wrong in OnStartRequest?
How are we getting to OnStartRequest before we're initialised?
I'm not sure what's happening, actually. It's hard to reproduce this crash, so it's hard to debug it.
Yesterday i tried and found SM crashing by pressing space once again (no, this time it was curiosity that killed the ...seamonkey).
This time i took a lokal nntp-server, i had around 92 open connections from SM to to my NNTP-server, SM was busy for a minute and crshed.
Im sorry i can't convice my neighbours to do some testing by now...
It might be useful if SM could forget about the headers i've clicked when i decided for the last header to read the message...
btw. i read news in online mode, having the header loaded.
So every time a header is clicked, the 'load message' command gets to a cache, right? Might it be useful to reduce this cache to a number of 1 so only one maessage is loaded?
The only programs i ever wrote,were Sinclair BASIC and PASCAL in school, and C looks very mystic to me, sorry. But i'll try to do a little more testing from time to time, lot of headache, lot of time...
(In reply to comment #27)
> It might be useful if SM could forget about the headers i've clicked when i
> decided for the last header to read the message...
> btw. i read news in online mode, having the header loaded.
> So every time a header is clicked, the 'load message' command gets to a cache,
> right? Might it be useful to reduce this cache to a number of 1 so only one
> maessage is loaded?
That would be a result as bug 424148 (which may be a duplicate of an older bug), which is simply a result of us failing to cancel the message loads in the URI. We do have a memory cache (in addition to the offline cache, of course), but the existence or lack thereof isn't causing the problem you specifically are seeing (we'd still load the message anyways).
pinging for review
update crash sig for crash-stats to nsNntpCacheStreamListener::OnStartRequest(nsIRequest*, nsISupports*)
First crash for b4 had this signature :-)
yes, for some reason, I'm not getting traction on the null check fix review requests...
(In reply to comment #32)
> yes, for some reason, I'm not getting traction on the null check fix review
I asked on IRC about why the checks were only in OnStartRequest and not in OnStopRequest as well and never really got an answer on that... Unfortunately, it seems that the one hour of missing logs corresponds to the hour I asked the question :-( .
#14 crash for 3.0b4
bsmedberg is affected occasionally, eg http://crash-stats.mozilla.com/report/index/b3708bfc-6d0e-4b80-9165-09b992090924
I can add a check to OnStopRequest, though I never hit a case where mChannelToUse was null there...I got your question and Neil's confused. I don't know the answer to Neil's question.
Created attachment 407795 [details] [diff] [review]
check for null channel in both start and stop request
Comment on attachment 407795 [details] [diff] [review]
check for null channel in both start and stop request
sr=me if you add in plenty of assertions to remind us that the underlying cause of this bug has not been fixed.
Created attachment 408464 [details] [diff] [review]
fix for landing
this is what I'll check in - adds some assertions.
fixed on trunk and branch
OK, SM2.0.1 doesn't crash anymore when i switch fast through the news BUT after going fast through the news, SM won't display any message instead of crashing. When this happens 'download chosen message' (in german 'gewählte Nachrichten abrufen') doesn't do so.