Crash in nsAString_internal::Last via nsMapiHook::PopulateCompFieldsWithConversion

RESOLVED FIXED in Thunderbird 55.0


3 years ago
2 years ago


(Reporter: wsmwk, Assigned: jorgk)


({crash, topcrash-thunderbird})

54 Branch
Thunderbird 55.0

Thunderbird Tracking Flags

(thunderbird_esr52 fixed, thunderbird53 fixed, thunderbird54 fixed, thunderbird55 fixed)


(crash signature)


(1 attachment)

#1 crash for 54.0a2. It started in 54.0a1 with 20170305 [0] daily build (before c-a merge) averaging about 2 per day. Daily crashes stopped with 20170308 build (after c-a merge). [1] (last build crashing is 20170307030216)

54.0a2 crashes start on 20170308 build (day after our merges), and continue today at a rate of about 10 per day [2].  About 1/3 are startup. Various versions of Windows.

So the question is, what landed in comm-central (or mozilla-central) on or after 2017-03-08 [3] that might need uplifting to aurora? (One might assume that SM is also affected) (based on dates, I'd expect 53 beta should not be affected)

This bug was filed from the Socorro interface and is report bp-e9b93aa4-82c7-4175-8876-1f4fd2170305. 33 seconds uptime.
 0 	xul.dll	nsAString_internal::Last()	xpcom/string/nsTSubstring.cpp:48
1 	xul.dll	nsMapiHook::PopulateCompFieldsWithConversion(__MIDL___MIDL_itf_msgMapi_0000_0000_0003*, nsIMsgCompFields*)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/mapi/mapihook/src/msgMapiHook.cpp:638
2 	xul.dll	CMapiImp::SendMail(unsigned long, __MIDL___MIDL_itf_msgMapi_0000_0000_0003*, short, __MIDL___MIDL_itf_msgMapi_0000_0000_0002*, short, __MIDL___MIDL_itf_msgMapi_0000_0000_0001*, unsigned long, unsigned long)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/mailnews/mapi/mapihook/src/msgMapiImp.cpp:220
3 	rpcrt4.dll	Invoke	
4 	rpcrt4.dll	_imp_load__FreeAddrInfoW	
5 	ole32.dll	ole32.dll@0x13e7e5	
6 	ole32.dll	ThreadInvoke	
7 	ole32.dll	CStdPSFactoryBuffer_QueryInterface	
8 	ole32.dll	CCtxComChnl::ContextInvoke(tagRPCOLEMESSAGE*, IRpcStubBuffer*, tagIPIDEntry*, unsigned long*)	
9 	ole32.dll	MTAInvoke(tagRPCOLEMESSAGE*, unsigned long, IRpcStubBuffer*, IInternalChannelBuffer*, tagIPIDEntry*, unsigned long*)	d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx:2097
10 	ole32.dll	STAInvoke(tagRPCOLEMESSAGE*, unsigned long, IRpcStubBuffer*, IInternalChannelBuffer*, void*, tagIPIDEntry*, unsigned long*)	
11 	ole32.dll	HMENU_UserUnmarshal	d:\w7rtm\com\ole32\oleprx32\proxy\transmit.cxx:484
12 	ole32.dll	NdrpCreateNonDelegatedAsyncStub	
13 	ole32.dll	NdrpInitializeStublessVtbl	
14 	ole32.dll	ThreadDispatch(void*)	
15 	ole32.dll	ThreadWndProc(HWND__*, unsigned int, unsigned int, long)	
16 	user32.dll	InternalCallWinProc	
17 	user32.dll	UserCallWinProcCheckWow	
18 	user32.dll	DispatchMessageWorker	
19 	user32.dll	DispatchMessageW	
20 	xul.dll	nsAppShell::ProcessNextNativeEvent(bool)	widget/windows/nsAppShell.cpp:376
21 	xul.dll	nsBaseAppShell::DoProcessNextNativeEvent(bool)	widget/nsBaseAppShell.cpp:138
22 	xul.dll	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)	widget/nsBaseAppShell.cpp:289
23 	xul.dll	nsThread::ProcessNextEvent(bool, bool*)	xpcom/threads/nsThread.cpp:1220
24 	xul.dll	nsThreadPool::~nsThreadPool()	xpcom/threads/nsThreadPool.cpp:62
25 	xul.dll	mozilla::detail::VariantImplementation<unsigned char, 0, int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)>::moveConstruct<mozilla::Variant<int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)> >(void*, mozilla::Variant<int const, char const*, void (*)(nsITimer*, bool, void*, char*, unsigned int)>&&)	C:/builds/moz2_slave/tb-c-cen-w32-ntly-000000000000/build/objdir-tb/dist/include/mozilla/Variant.h:235 


[1] daily

[2] aurora

Crashing code: 
    if (Body.Last() != '\n') <=== 

MOZ_RELEASE_ASSERT(mLength > 0) (|Last()| called on an empty string)

Simple fix.
Did you find the bug which regressed it? Checked but didn't see anything. 

I experienced some crashes in 252 (55) over the last week when I got a notification during message compose, but was unable to reproduce either, and I doubt it's this bug.
Obvious fix.
Assignee: nobody → jorgk
Attachment #8848129 - Flags: review?(rkent)
Comment on attachment 8848129 [details] [diff] [review]

Review of attachment 8848129 [details] [diff] [review]:

Attachment #8848129 - Flags: review?(rkent) → review+
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 55.0
Comment on attachment 8848129 [details] [diff] [review]

Small tweak on to crash on empty bodies.
Attachment #8848129 - Flags: approval-comm-esr52?
Attachment #8848129 - Flags: approval-comm-beta+
Attachment #8848129 - Flags: approval-comm-aurora+
Oops: Small tweak NOT to crash on empty bodies.
Attachment #8848129 - Flags: approval-comm-esr52? → approval-comm-esr52+
See Also: → 1353988
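Added example, not part of this bug's comments or of attachment 8848129: the unguarded check quoted above next to a guarded form. `MiniString`, `kLineBreak` and the function names are hypothetical stand-ins for the Mozilla string class and the MAPI hook code, and leaving an empty body unchanged is this example's assumption, not something taken from the patch.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for the Mozilla string class. Last() enforces the
// precondition quoted in the report (mLength > 0). The real
// MOZ_RELEASE_ASSERT aborts the process; throwing keeps it testable here.
class MiniString {
 public:
  explicit MiniString(std::string s) : mData(std::move(s)) {}
  bool IsEmpty() const { return mData.empty(); }
  char Last() const {
    if (mData.empty()) throw std::logic_error("Last() called on an empty string");
    return mData.back();
  }
  void Append(const char* s) { mData += s; }
  const std::string& Str() const { return mData; }
 private:
  std::string mData;
};

static const char kLineBreak[] = "\r\n";  // constructed value for the example

// Shape of the crashing line: the body arrives from the MAPI caller and
// its length is never checked before Last() is called.
void TerminateBodyUnguarded(MiniString& body) {
  if (body.Last() != '\n') body.Append(kLineBreak);
}

// Guarded form: test emptiness first so Last() only sees non-empty input.
void TerminateBodyGuarded(MiniString& body) {
  if (!body.IsEmpty() && body.Last() != '\n') body.Append(kLineBreak);
}

// Returns true when fn trips the empty-string precondition on this input.
template <typename Fn>
bool TripsPrecondition(Fn fn, const std::string& input) {
  MiniString body(input);
  try { fn(body); } catch (const std::logic_error&) { return true; }
  return false;
}

// Runs the guarded form and returns the resulting body text.
std::string Guarded(const std::string& input) {
  MiniString body(input);
  TerminateBodyGuarded(body);
  return body.Str();
}

int main() {
  std::cout << "unguarded, empty body trips assert: "
            << TripsPrecondition(TerminateBodyUnguarded, "") << "\n";
  std::cout << "guarded, empty body trips assert: "
            << TripsPrecondition(TerminateBodyGuarded, "") << "\n";
}
```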