Closed Bug 156967 Opened 23 years ago Closed 23 years ago

using stand-alone msg window can cause memory corruption

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: Bienvenu, Assigned: Bienvenu)

Details

(Keywords: fixedOEM)

Attachments

(2 files)

proposed fix
1.27 KB, patch
naving
: review+
sspitzer
: superreview+
asa
: approval+
Details | Diff | Splinter Review
patch version 1.00
2.00 KB, patch
Details | Diff | Splinter Review
The trunk only performance ehancement to clone msg views when opening stand-alone msg windows instead of creating a new view has exposed bugs in our array cloning code. In particular, the clone code was not setting the m_nMaxSize of the new array correctly, so that the array thought it had more space than it did (the clone code was allocating space for the actual number of entries the src array had, but setting the allocated size to the allocated size of the src array, which is usually larger). This results in memory corruption when adding elements to the cloned array. I'll attach a patch in a sec.
Attached patch proposed fixSplinter Review
Navin, can I get a review? thx. There were two possible ways of fixing this - I could have changed the allocation size for the new array to the allocated size of the old array, but that would mean we could allocated more memory than needed, so I chose the attached fix.
Comment on attachment 90990 [details] [diff] [review] proposed fix ok, makes sense, r=naving we could grow as needed.
Attachment #90990 - Flags: review+
right, we will grow as needed.
cc antonio.xu@sun.com. the fix for #109557 caused this bug.
Comment on attachment 90990 [details] [diff] [review] proposed fix sr=sspitzer
Attachment #90990 - Flags: superreview+
QA Contact: gayatri → stephend
Comment on attachment 90990 [details] [diff] [review] proposed fix a=asa (on behalf of drivers) for checkin to the 1.1 trunk.
Attachment #90990 - Flags: approval+
fix checked into trunk.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
David, I've since updated my tree (doh!), but before you fixed this, did you see an Array Bounds Read in Purify, or was it some other error?
My tree is up-to-date: C:\moz_src\mozilla\mailnews\base\util>cvs up cvs server: Updating . cvs server: Updating macbuild However, I see something that should be related, or a straight spinoff... [E] FMM: Freeing mismatched memory in delete(void *) {1 occurrence} Address 0x0a013ec8 points into a malloc'd block in heap 0x02720000 Location of free attempt delete(void *) [MSVCRT.DLL] nsUint8Array::SetSize(int,int) [nsUint8Array.cpp:115] memset(&pNewData[m_nSize], 0, (nNewSize-m_nSize) * sizeof(PRUint8)); => delete[] (PRUint8*)m_pData; m_pData = pNewData; m_nSize = nNewSize; m_nMaxSize = nNewMax; nsUint8Array::InsertAt(int,BYTE,int) [nsUint8Array.cpp:172] if (nIndex >= m_nSize) { // adding after the end of the array => SetSize(nIndex + nCount); // grow so nIndex is valid } else { nsMsgDBView::AddHdr(nsIMsgDBHdr *) [nsMsgDBView.cpp:3742] nsMsgThreadedDBView::OnNewHeader(UINT,UINT,int) [nsMsgThreadedDBView.cpp:574] nsMsgDBView::OnKeyAdded(UINT,UINT,int,nsIDBChangeListener *) [nsMsgDBView.cpp:4019] nsMsgDatabase::NotifyKeyAddedAll(UINT,UINT,int,nsIDBChangeListener *) [nsMsgDatabase.cpp:538] nsMsgDatabase::AddNewHdrToDB(nsIMsgDBHdr *,int) [nsMsgDatabase.cpp:2747] nsImapMailFolder::NormalEndHeaderParseStream(nsIImapProtocol *) [nsImapMailFolder.cpp:2610] XPTC_InvokeByIndex [xptcinvoke.cpp:105] Allocation location malloc [MSVCRT.DLL] PR_Malloc [prmem.c:470] nsUint8Array::CopyArray(nsUint8Array&) [nsUint8Array.cpp:148] nsMsgDBView::CopyDBView(nsMsgDBView *,nsIMessenger *,nsIMsgWindow *,nsIMsgDBViewCommandUpdater *) [nsMsgDBView.cpp:5216] nsMsgThreadedDBView::CloneDBView(nsIMessenger *,nsIMsgWindow *,nsIMsgDBViewCommandUpdater *,nsIMsgDBView * *) [nsMsgThreadedDBView.cpp:884] XPTC_InvokeByIndex [xptcinvoke.cpp:105] XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative) [xpcwrappednative.cpp:1994] XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *) [xpcwrappednativejsops.cpp:1266] js_Invoke [jsinterp.c:788] js_Interpret [jsinterp.c:2743] js_Invoke [jsinterp.c:805] js_InternalInvoke [jsinterp.c:880] JS_CallFunctionValue [jsapi.c:3428] nsJSContext::CallEventHandler(void *,void *,UINT,void *,int *,int) [nsJSEnvironment.cpp:1042] nsJSEventListener::HandleEvent(nsIDOMEvent *) [nsJSEventListener.cpp:182] nsEventListenerManager::HandleEventSubType(nsListenerStruct *,nsIDOMEvent *,nsIDOMEventTarget *,UINT,UINT) [nsEventListenerManager.cpp:1221] nsEventListenerManager::HandleEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,nsIDOMEventTarget *,UINT,nsEventStatus *) [nsEventListenerManager.cpp:1901] GlobalWindowImpl::HandleDOMEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsGlobalWindow.cpp:762] DocumentViewerImpl::LoadComplete(UINT) [nsDocumentViewer.cpp:1532] nsDocShell::EndPageLoad(nsIWebProgress *,nsIChannel *,UINT) [nsDocShell.cpp:4110]
I use pr_malloc and pr_free replace new and delete in nsUInt8Array.cpp. I think it can resolve Stephen's problem. I think we should use pr_malloc instead of new. If you think we should use "new", we should change some code in CopyArray() like this void nsUint8Array::CopyArray(nsUint8Array &aSrcArray) { - PR_FREEIF(m_pData); + if (m_pData) + delete[] (PRUint8*)m_pData; m_nSize = aSrcArray.m_nSize; m_nMaxSize = aSrcArray.m_nSize; - m_pData = (PRUint8*)PR_Malloc(m_nSize * sizeof(PRUint8)); + m_pData = (PRUint8*) new PRUint8[m_nSize * sizeof(PRUint8)]; if (m_pData) memcpy(m_pData, aSrcArray.m_pData, m_nSize * sizeof(PRUint8)); }
Stephen, that's unrelated and harmless. What you'd see in purify is array bounds write, i.e., writing past the end of the array for this bug.
Verified FIXED, David's right, an FMM is less critical than an ABR. I'll file a new bug, no need to continue the new problem here.
Status: RESOLVED → VERIFIED
I've filed bug 157184. Antonio, please carry your patch to that bug and continue discussion there. Thanks!
Whiteboard: branchOEM
Whiteboard: branchOEM → branchOEM+
Antonio: According to bonsai, you have already checked this into the OEM branch, correct? Marked it as fixedOEM. Please correct it if it is not right.
Whiteboard: branchOEM+ → fixedOEM
Sorry for my careless, I have checked the patch into oem branch. Thanks Margaret
Keywords: fixedOEM
Whiteboard: fixedOEM
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: