Crash in nsAString_internal::Last via nsMapiHook::PopulateCompFieldsWithConversion

RESOLVED FIXED in Thunderbird 55.0

Status

Thunderbird
General
--
critical
RESOLVED FIXED
5 months ago
5 months ago

People

(Reporter: wsmwk, Assigned: Jorg K (GMT+2))

Tracking

({crash, topcrash-thunderbird})

54 Branch
Thunderbird 55.0
x86
Windows
crash, topcrash-thunderbird

Thunderbird Tracking Flags

(thunderbird_esr52 fixed, thunderbird53 fixed, thunderbird54 fixed, thunderbird55 fixed)

Details

(crash signature)

Attachments

(1 attachment)

#1 crash for 54.0a2. It started in 54.0a1 with 20170305 [0] daily build (before c-a merge) averaging about 2 per day. Daily crashes stopped with 20170308 build (after c-a merge). [1] (last build crashing is 20170307030216)

54.0a2 crashes start on 20170308 build (day after our merges), and continue today at a rate of about 10 per day [2].  About 1/3 are startup. Various versions of Windows.

So the question is, what landed in comm-central (or mozilla-centra) on or after 2017-03-08 [3] that might need uplifting to auora?  (One might assume that SM is also affected)   (based on dates, I'd expect 53 beta should not be affected)

This bug was filed from the Socorro interface and is 
report bp-e9b93aa4-82c7-4175-8876-1f4fd2170305.   33 seconds uptime. 
=============================================================
 0 	xul.dll	nsAString_internal::Last()	xpcom/string/nsTSubstring.cpp:48
1 	xul.dll	nsMapiHook::PopulateCompFieldsWithConversion(__MIDL___MIDL_itf_msgMapi_0000_0000_0003*, nsIMsgCompFields*)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/mapi/mapihook/src/msgMapiHook.cpp:638
2 	xul.dll	CMapiImp::SendMail(unsigned long, __MIDL___MIDL_itf_msgMapi_0000_0000_0003*, short, __MIDL___MIDL_itf_msgMapi_0000_0000_0002*, short, __MIDL___MIDL_itf_msgMapi_0000_0000_0001*, unsigned long, unsigned long)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/mapi/mapihook/src/msgMapiImp.cpp:220
3 	rpcrt4.dll	Invoke	
4 	rpcrt4.dll	_imp_load__FreeAddrInfoW	
5 	ole32.dll	ole32.dll@0x13e7e5	
6 	ole32.dll	ThreadInvoke	
7 	ole32.dll	CStdPSFactoryBuffer_QueryInterface	
8 	ole32.dll	CCtxComChnl::ContextInvoke(tagRPCOLEMESSAGE*, IRpcStubBuffer*, tagIPIDEntry*, unsigned long*)	
9 	ole32.dll	MTAInvoke(tagRPCOLEMESSAGE*, unsigned long, IRpcStubBuffer*, IInternalChannelBuffer*, tagIPIDEntry*, unsigned long*)	d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx:2097
10 	ole32.dll	STAInvoke(tagRPCOLEMESSAGE*, unsigned long, IRpcStubBuffer*, IInternalChannelBuffer*, void*, tagIPIDEntry*, unsigned long*)	
11 	ole32.dll	HMENU_UserUnmarshal	d:\w7rtm\com\ole32\oleprx32\proxy\transmit.cxx:484
12 	ole32.dll	NdrpCreateNonDelegatedAsyncStub	
13 	ole32.dll	NdrpInitializeStublessVtbl	
14 	ole32.dll	ThreadDispatch(void*)	
15 	ole32.dll	ThreadWndProc(HWND__*, unsigned int, unsigned int, long)	
16 	user32.dll	InternalCallWinProc	
17 	user32.dll	UserCallWinProcCheckWow	
18 	user32.dll	DispatchMessageWorker	
19 	user32.dll	DispatchMessageW	
20 	xul.dll	nsAppShell::ProcessNextNativeEvent(bool)	widget/windows/nsAppShell.cpp:376
21 	xul.dll	nsBaseAppShell::DoProcessNextNativeEvent(bool)	widget/nsBaseAppShell.cpp:138
22 	xul.dll	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)	widget/nsBaseAppShell.cpp:289
23 	xul.dll	nsThread::ProcessNextEvent(bool, bool*)	xpcom/threads/nsThread.cpp:1220
24 	xul.dll	nsThreadPool::~nsThreadPool()	xpcom/threads/nsThreadPool.cpp:62
25 	xul.dll	mozilla::detail::VariantImplementation<unsigned char, 0, int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)>::moveConstruct<mozilla::Variant<int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)> >(void*, mozilla::Variant<int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)>&&)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/objdir-tb/dist/include/mozilla/Variant.h:235 

[0] https://hg.mozilla.org/comm-central/pushloghtml?startdate=2017-03-02+03%3A05%3A00&enddate=2017-03-05+03%3A05%3A00

[1] daily https://crash-stats.mozilla.com/signature/?product=Thunderbird&release_channel=nightly&signature=nsAString_internal%3A%3ALast&date=%3E%3D2017-02-16T09%3A14%3A37.000Z&date=%3C2017-03-16T09%3A14%3A37.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1

[2] auora https://crash-stats.mozilla.com/signature/?product=Thunderbird&release_channel=aurora&signature=nsAString_internal%3A%3ALast&date=%3E%3D2017-02-16T09%3A14%3A37.000Z&date=%3C2017-03-16T09%3A14%3A37.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports

[3] https://hg.mozilla.org/comm-central/pushloghtml?startdate=2017-03-02+03%3A05%3A00&enddate=2017-03-05+03%3A05%3A00
(Reporter)

Updated

5 months ago
Keywords: regression, regressionwindow-wanted
(Assignee)

Comment 1

5 months ago
Crashing code: 
msgMapiHook.cpp:638:
    if (Body.Last() != '\n') <=== 
      Body.AppendLiteral(CRLF);

MOZ_RELEASE_ASSERT(mLength > 0) (|Last()| called on an empty string)

Simple fix.
Did you find the bug which regressed it? Checked but didn't see anything. 

I experienced some crashes in 252 (55) over the last week when I got a notification during message compose but unable to reproduce either and I doubt its this bug.
(Assignee)

Comment 3

5 months ago
Created attachment 8848129 [details] [diff] [review]
1347868-crash-last-empty.patch

Obvious fix.
Assignee: nobody → jorgk
Status: NEW → ASSIGNED
Attachment #8848129 - Flags: review?(rkent)

Comment 4

5 months ago
Comment on attachment 8848129 [details] [diff] [review]
1347868-crash-last-empty.patch

Review of attachment 8848129 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8848129 - Flags: review?(rkent) → review+
(Assignee)

Comment 5

5 months ago
https://hg.mozilla.org/comm-central/rev/424efa8d9bdaf3649a0aae4c613b1bd1cc40d078
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
Keywords: regression, regressionwindow-wanted
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 55.0
(Assignee)

Comment 6

5 months ago
Comment on attachment 8848129 [details] [diff] [review]
1347868-crash-last-empty.patch

Small tweak on to crash on empty bodies.
Attachment #8848129 - Flags: approval-comm-esr52?
Attachment #8848129 - Flags: approval-comm-beta+
Attachment #8848129 - Flags: approval-comm-aurora+
(Assignee)

Comment 7

5 months ago
Oops: Small tweak NOT to crash on empty bodies.
(Assignee)

Comment 8

5 months ago
C-A (TB 54): https://hg.mozilla.org/releases/comm-aurora/rev/0aa8d3fae0349e31482008b9f52e8f93b713fcd2
C-B (TB 53): https://hg.mozilla.org/releases/comm-beta/rev/78647e55b4a2dbe985c1178e6cafcfb93d1a89cf
status-thunderbird53: --- → fixed
status-thunderbird54: --- → fixed
status-thunderbird55: --- → fixed
(Assignee)

Updated

5 months ago
Attachment #8848129 - Flags: approval-comm-esr52? → approval-comm-esr52+
(Assignee)

Comment 9

5 months ago
ESR 52: https://hg.mozilla.org/releases/comm-esr52/rev/061570ec12aa4a5e2b0e30f033a8235f0c72f7fe
status-thunderbird_esr52: --- → fixed

Updated

5 months ago
See Also: → bug 1353988
You need to log in before you can comment on or make changes to this bug.