1627440 - Crash in nsStreamConverter::OnDataAvailable

Status: RESOLVED FIXED

(MailNews Core :: MIME, defect)

Description

[Wayne Mery (:wsmwk)]

Bug #1495793 was fixed in version 60, but examples of the crash signature still exist in 68. Crash rank ~80

bp-94ae9e06-a400-4468-a3a5-d9d200200404 Windows
bp-c73438d0-687e-45cb-b3fc-1d03c0200404 MacOS

Comment 1

[Richard Leger]

Just happened to me bp-8f57a752-9448-434c-b197-57ee50200603 with TB 77.0b3 on Windows 10 (IMAP/SMTP account)
I had noticed the main TB window had disappear but other windows were still available... managed to re-opened the main window via taskbar TB item but shortly after TB crashed by itself entirely... generating crash report above...

Comment 2

[Magnus Melin [:mkmelin]]

Crashes at https://searchfox.org/comm-central/rev/f8b764c571b8503c951ba26a7acc248e211b91d7/mailnews/mime/src/nsStreamConverter.cpp#794

Comment 3

[Magnus Melin [:mkmelin]]

Attachment: bug1627440_ondataavailable_crash.patch

Maybe this could help.

Comment 4

[Ben Campbell]

Comment on attachment 9153730 [details] [diff] [review]
bug1627440_ondataavailable_crash.patch

Review of attachment 9153730 [details] [diff] [review]:
-----------------------------------------------------------------

It looks fine, and worth a go, but my feeling is that this won't help:
It's being called from Javascript, which implies that there's already a reference out there holding aIStream in existance for the duration of this call.
And if it _is_ a refcount problem, creating a new nsCOMPtr<> inside OnDataAvailable() won't help - aIStream may be borked even before OnDataAvailable() is entered.

Comment 5

[Ben Campbell]

Looking at the crash dump, the offending address is 0xe5e5e5f9. Which I think must be the pointer in aIStream, when the crashing line...

aIStream->Read(buf, aLength, &readLen);

... is invoked.

That address is suspiciously similar to the 0xe5e5e5e5 used by jemalloc (I think) to blat over freed memory. So my guess is that some object in another thread is dispatching the call to the main thread, then getting zapped before the main thread picks it up :-(

Comment 6

[Pulsebot]

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/2c583204ea8e
fix Crash in nsStreamConverter::OnDataAvailable. r=benc DONTBUILD

Comment 7

[Magnus Melin [:mkmelin]]

Fingers crossed I guess.

Comment 8

[Wayne Mery (:wsmwk)]

3-4 crashes per week on beta, so if we uplift to beta we should know impact within two weeks

Comment 9

[Magnus Melin [:mkmelin]]

Comment on attachment 9153730 [details] [diff] [review]
bug1627440_ondataavailable_crash.patch

It's a bit doubtful whether it will help. But it wont' make anything any worse.

Comment 10

[Wayne Mery (:wsmwk)]

Comment on attachment 9153730 [details] [diff] [review]
bug1627440_ondataavailable_crash.patch

Approved for beta

Comment 11

[Geoff Lankow (:darktrojan)]

Thunderbird 78.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/8d70324cc50f

Comment 12

[Richard Leger]

FYI, just experienced this bug/crash in 78.0b3... so it does not look like the issue has been fixed...

bp-cbac5572-9e3e-4e1a-9b57-fac980200630

I started TB, while choosing my profile set option to start offline, once opened I clicked on the icon to go online... TB crashed shortly after... with IMAP/SMTP mailbox and one CalDAV calendar enabled...

I let you decide to re-open or not this bug consequently...

Comment 13

[Geoff Lankow (:darktrojan)]

I'm really not the right person to be needinfo'ing about this. Passing it on…

Comment 14

[Wayne Mery (:wsmwk)]

Indeed, the crash continues. bp-464efb9b-296b-4b3c-82c8-a7c460200624 is 78.0b2 which has the patch

Comment 15

[Magnus Melin [:mkmelin]]

Filed bug 1649674 to track it further.