Closed Bug 1571808 Opened 5 years ago Closed 4 years ago

Crash in [@ arena_t::DallocSmall | je_free | nsIMAPGenericParser::ResetLexAnalyzer] via nsIMAPBodypart (corrupt or overwritten memory)

Categories

(MailNews Core :: Networking: IMAP, defect)

x86
Windows 10
defect
Not set
critical

Tracking

(thunderbird_esr68- affected, thunderbird75 wontfix, thunderbird76 wontfix, thunderbird77 unaffected)

RESOLVED WORKSFORME

People

(Reporter: wsmwk, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

First appears 68.0b<something>

This bug is for crash report bp-8309ceae-08a5-4c5e-8ffe-a6db50190710.

Top 10 frames of crashing thread:

0 mozglue.dll arena_t::DallocSmall memory/build/mozjemalloc.cpp:3257
1 mozglue.dll je_free memory/build/malloc_decls.h:41
2 xul.dll nsIMAPGenericParser::ResetLexAnalyzer comm/mailnews/imap/src/nsIMAPGenericParser.cpp:30
3 xul.dll nsImapServerResponseParser::ParseIMAPServerResponse comm/mailnews/imap/src/nsImapServerResponseParser.cpp:176
4 xul.dll nsImapProtocol::ParseIMAPandCheckForNewMail comm/mailnews/imap/src/nsImapProtocol.cpp:1905
5 xul.dll nsImapProtocol::FetchMessage comm/mailnews/imap/src/nsImapProtocol.cpp:3585
6 xul.dll nsImapProtocol::FetchTryChunking comm/mailnews/imap/src/nsImapProtocol.cpp:3631
7 xul.dll nsIMAPBodypart::GeneratePart comm/mailnews/imap/src/nsIMAPBodyShell.cpp:413
8 xul.dll nsIMAPBodypartLeaf::Generate comm/mailnews/imap/src/nsIMAPBodyShell.cpp:529
9 xul.dll nsIMAPBodypartMultipart::Generate comm/mailnews/imap/src/nsIMAPBodyShell.cpp:894

Version: unspecified → 68

Doesn't look good: nsIMAPGenericParser.cpp:30 is

void nsIMAPGenericParser::ResetLexAnalyzer() {
30  PR_FREEIF(fCurrentLine);
    PR_FREEIF(fStartOfLineOfTokens);

So "free if" will check for null. If it crashes in the free, that means that the memory is corrupt, has been overwritten or some such :-(

Blocks: tb68found
See Also: → 1581390
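
The point made in the comment above, that a null check says nothing about whether a non-null pointer is still valid, as an added example (not part of the bug report and not Thunderbird code). `FREEIF` is a stand-in shaped like `PR_FREEIF`; the slot allocator and the second pointer `alias` are hypothetical, and the example shows one class of cause, not a diagnosis of this crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy slot allocator (constructed for this example). It uses static storage,
 * so a stale pointer can be examined without undefined behaviour. */
#define SLOTS 4
#define SLOT_SIZE 64
static char pool[SLOTS][SLOT_SIZE];
static int live[SLOTS];
static int invalid_frees;   /* frees of a pointer that was not live */

static void *t_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

/* A production allocator is not required to detect this case: freeing a
 * stale pointer is undefined behaviour and may crash inside the allocator. */
static void t_free(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)pool[i] && live[i]) { live[i] = 0; return; }
    invalid_frees++;
}

/* Stand-in with the same shape as PR_FREEIF: null check, free, null out. */
#define FREEIF(p) do { if (p) { t_free(p); (p) = NULL; } } while (0)

/* Returns the number of invalid frees that the null check let through. */
int run_demo(void) {
    invalid_frees = 0;
    char *line = t_alloc();       /* plays the role of fCurrentLine */
    if (!line) return -1;
    strcpy(line, "* 1 FETCH (constructed sample line)");
    char *alias = line;           /* hypothetical second owner of the buffer */

    FREEIF(line);                 /* valid free; line becomes NULL */
    FREEIF(line);                 /* no-op: the null check works here */
    FREEIF(alias);                /* non-NULL but stale: reaches t_free */
    return invalid_frees;
}

int main(void) {
    printf("invalid frees past the null check: %d\n", run_demo());
    return 0;
}
```
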

signatures with lower crash rates

  • arena_t::DallocSmall | arena_dalloc | Allocator<T>::free | nsIMAPGenericParser::ResetLexAnalyzer (beta)
  • je_free | nsIMAPGenericParser::ResetLexAnalyzer
  • arena_t::DallocSmall | arena_dalloc | nsIMAPGenericParser::ResetLexAnalyzer
Crash Signature: [@ arena_t::DallocSmall | je_free | nsIMAPGenericParser::ResetLexAnalyzer] → [@ arena_t::DallocSmall | je_free | nsIMAPGenericParser::ResetLexAnalyzer] [@ t::DallocSmall | arena_dalloc | Allocator<T>::free | nsIMAPGenericParser::ResetLexAnalyzer] [@ je_free | nsIMAPGenericParser::ResetLexAnalyzer] [@ arena_t::DallocSmall | aren…
Summary: Crash in [@ arena_t::DallocSmall | je_free | nsIMAPGenericParser::ResetLexAnalyzer] → Crash in [@ arena_t::DallocSmall | je_free | nsIMAPGenericParser::ResetLexAnalyzer] via nsIMAPBodypart (corrupt or overwritten memory)

Not seen in version 77 nor so far in 78. Though still happening in 68.*
bug 1581390 - nsIMAPGenericParser::ResetLexAnalyzer has similar characteristics

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME