Crash in nsStreamConverter::OnDataAvailable
Categories
(MailNews Core :: MIME, defect)
Tracking
(thunderbird78+ fixed)
People
(Reporter: wsmwk, Assigned: mkmelin)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
2.22 KB,
patch
|
benc
:
review+
wsmwk
:
approval-comm-beta+
|
Details | Diff | Splinter Review |
Bug #1495793 was fixed in version 60, but examples of the crash signature still exist in 68. Crash rank ~80
bp-94ae9e06-a400-4468-a3a5-d9d200200404 Windows
bp-c73438d0-687e-45cb-b3fc-1d03c0200404 MacOS
Comment 1•4 years ago
|
||
Just happened to me bp-8f57a752-9448-434c-b197-57ee50200603 with TB 77.0b3 on Windows 10 (IMAP/SMTP account)
I had noticed the main TB window had disappear but other windows were still available... managed to re-opened the main window via taskbar TB item but shortly after TB crashed by itself entirely... generating crash report above...
Assignee | ||
Comment 2•4 years ago
|
||
Assignee | ||
Comment 3•4 years ago
|
||
Maybe this could help.
Comment 4•4 years ago
|
||
Comment on attachment 9153730 [details] [diff] [review] bug1627440_ondataavailable_crash.patch Review of attachment 9153730 [details] [diff] [review]: ----------------------------------------------------------------- It looks fine, and worth a go, but my feeling is that this won't help: It's being called from Javascript, which implies that there's already a reference out there holding aIStream in existance for the duration of this call. And if it _is_ a refcount problem, creating a new nsCOMPtr<> inside OnDataAvailable() won't help - aIStream may be borked even before OnDataAvailable() is entered.
Comment 5•4 years ago
|
||
Looking at the crash dump, the offending address is 0xe5e5e5f9
. Which I think must be the pointer in aIStream
, when the crashing line...
aIStream->Read(buf, aLength, &readLen);
... is invoked.
That address is suspiciously similar to the 0xe5e5e5e5
used by jemalloc (I think) to blat over freed memory. So my guess is that some object in another thread is dispatching the call to the main thread, then getting zapped before the main thread picks it up :-(
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/2c583204ea8e
fix Crash in nsStreamConverter::OnDataAvailable. r=benc DONTBUILD
Reporter | ||
Comment 8•4 years ago
|
||
3-4 crashes per week on beta, so if we uplift to beta we should know impact within two weeks
Assignee | ||
Comment 9•4 years ago
|
||
Comment on attachment 9153730 [details] [diff] [review] bug1627440_ondataavailable_crash.patch It's a bit doubtful whether it will help. But it wont' make anything any worse.
Reporter | ||
Comment 10•4 years ago
|
||
Comment on attachment 9153730 [details] [diff] [review] bug1627440_ondataavailable_crash.patch Approved for beta
Assignee | ||
Updated•4 years ago
|
Comment 11•4 years ago
|
||
bugherder uplift |
Thunderbird 78.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/8d70324cc50f
Updated•4 years ago
|
Comment 12•4 years ago
|
||
FYI, just experienced this bug/crash in 78.0b3... so it does not look like the issue has been fixed...
bp-cbac5572-9e3e-4e1a-9b57-fac980200630
I started TB, while choosing my profile set option to start offline, once opened I clicked on the icon to go online... TB crashed shortly after... with IMAP/SMTP mailbox and one CalDAV calendar enabled...
I let you decide to re-open or not this bug consequently...
Comment 13•4 years ago
|
||
I'm really not the right person to be needinfo'ing about this. Passing it on…
Reporter | ||
Comment 14•4 years ago
|
||
Indeed, the crash continues. bp-464efb9b-296b-4b3c-82c8-a7c460200624 is 78.0b2 which has the patch
Assignee | ||
Comment 15•4 years ago
|
||
Filed bug 1649674 to track it further.
Reporter | ||
Updated•3 years ago
|
Description
•