1649674 - Crash in nsStreamConverter::OnDataAvailable (78+ edition) - imap thread and freed memory

Status: RESOLVED WORKSFORME

(MailNews Core :: Networking: IMAP, defect)

Description

+++ This bug was initially created as a clone of Bug #1627440 +++

Bug 1627440 (79.0a1, 78.0b2) didn't seem to totally fix the crash. There are still crashes such as bp-cbac5572-9e3e-4e1a-9b57-fac980200630.
@ https://hg.mozilla.org/comm-central/annotate/2c583204ea8e29cddc780c7686fae5275a8e9201/mailnews/mime/src/nsStreamConverter.cpp#l788 [ And Richard Leger continues to crash per bug 1627440 comment 12.]

Which make little sense. The problem could be like Ben writes in bug 1627440 comment 5:

Looking at the crash dump, the offending address is 0xe5e5e5f9. Which I think must be the pointer in aIStream, when the crashing line...

aIStream->Read(buf, aLength, &readLen);

... is invoked.

That address is suspiciously similar to the 0xe5e5e5e5 used by jemalloc (I think) to blat over freed memory. So my guess is that some object in another thread is dispatching the call to the main thread, then getting zapped before the main thread picks it up :-(

Comment 1

[Richard Leger]

Just encountered this crash in TB 82.0b2 while typing in the mail quick search field to run a quick search...

bp-1374061c-b8c4-4086-8b81-8ff8d0201028

If that can be of help...

Comment 2

[Magnus Melin [:mkmelin]]

So now crash at https://searchfox.org/comm-central/rev/aa6ec7ca8813e82b76168e76f6cd706ed226bdcd/mailnews/mime/src/nsStreamConverter.cpp#787 - no idea what that would imply.

Comment 3

[Richard Leger]

FYI just encounter this crash in TB 78.7.1 Build ID 20210203182138
bp-dd819804-31c5-45b6-a9e2-b28310210209

I was either selecting messages in Inbox so IMAP message would be loading in preview or editing text in the message compose window body field...
When I was selecting messages, they would not load at first... or take a long time to load for some reason... with TB interface becoming less reactive...

Comment 4

[Wayne Mery (:wsmwk)]

(In reply to Richard Leger from comment #3)

FYI just encounter this crash in TB 78.7.1 Build ID 20210203182138
bp-dd819804-31c5-45b6-a9e2-b28310210209

I was either selecting messages in Inbox so IMAP message would be loading in preview or editing text in the message compose window body field...
When I was selecting messages, they would not load at first... or take a long time to load for some reason... with TB interface becoming less reactive...

Richard, still able to reproduce?

Comment 5

[Richard Leger]

After using TB 78.11.0 (64-bit) for a couple of days I have not seen the crash yet... but I don't recall how often it happens... so it could be just luck... so far...

Comment 6

[Wayne Mery (:wsmwk)]

Thanks Richard.

Do you have many message filters?

Comment 7

[Richard Leger]

(In reply to Wayne Mery (:wsmwk) from comment #6)

Do you have many message filters?

Few of them to tag messages...

Comment 8

[Wayne Mery (:wsmwk)]

You use beta, not daily build, correct?

Comment 9

[Richard Leger]

(In reply to Wayne Mery (:wsmwk) from comment #8)

You use beta, not daily build, correct?

Yes I restarted using TB beta few days ago... as I was till a month back where I started using 91.x ESR since about 24 Aug to test it... now back on beta channel...

Comment 10

[Wayne Mery (:wsmwk)]

There are still some version 91 crashes, like bp-b3ed4191-506a-45c8-8018-0a7530211030 with crash address 0xe5e5e5e9. Most of the v91 crashes are address 0xe5e5e5e9 or 0xffffffffffffffff

Comment 11

[Magnus Melin [:mkmelin]]

No idea.

Comment 12

[Geoff Lankow (:darktrojan)]

This may be unrelated or it may help: I was looking into using the streaming messages through the converter for something yesterday, and I noticed that for every onDataAvailable call the count value was 0, when surely it should climb with each call. Haven't figured out why yet.

Comment 13

[Wayne Mery (:wsmwk)]

(In reply to Richard Leger from comment #9)

(In reply to Wayne Mery (:wsmwk) from comment #8)

You use beta, not daily build, correct?

Yes I restarted using TB beta few days ago... as I was till a month back where I started using 91.x ESR since about 24 Aug to test it... now back on beta channel...

Richard, How is it now?

Comment 14

[Wayne Mery (:wsmwk)]

(In reply to Geoff Lankow (:darktrojan) [out for Christmas 🎄 back early Jan] from comment #12)

This may be unrelated or it may help: I was looking into using the streaming messages through the converter for something yesterday, and I noticed that for every onDataAvailable call the count value was 0, when surely it should climb with each call. Haven't figured out why yet.

Interesting is beta 94 had a massive jump in crashes around the time of your comment on 2021-11-01, as seen below. But it appears the spike ended with 95.0b1 (build2) released on Nov 3, 3pm at rate unknown (but I'd guess around 50), which increased to rate 100 on Nov 5 - fortunately crash-stats had not yet stopped accepting reports until end of day Nov 9 / beta 95 was definitely still sending crash reports.

But is it really fixed, and if not why did this signature go away?? Because I don't see any obvious related October checkins in https://hg.mozilla.org/comm-central/log/tip/mailnews/mime/src/nsStreamConverter.cpp

ver count -- installations
92.0 2 2.2% 2
93.0 2 2.2% 2
94.0 80 86.0% 80
95.0 1 1.1% 1

buildid 20211007214915 94.0b2 (corrected)
buildid 20211014184052 94.0b3 (corrected)
buildid 20211103010303 95.0b1 build2 bp-6828984f-009a-45fd-910e-f85da0211105

Comment 15

[Wayne Mery (:wsmwk)]

last couple weeks of version 95 checkins https://hg.mozilla.org/comm-central/pushloghtml?startdate=2021-10-20+01%3A01%3A33&enddate=2021-11-01+10%3A01%3A33. Could one of the coverity checkins helped, or Bug 1738160 - Crash in [@ nsMsgLocalMailFolder::CopyData] ?

Comment 16

[Wayne Mery (:wsmwk)]

version numbers for buildids are incorrect in Comment 14
buildid 20211007214915 94.0b2
buildid 20211014184052 94.0b3

which means
a) there were no crash reports in 94.0b4 and 94.0b5, and it makes sense there were no crashes of significance in 95 beta.
b) an uplift in 94.0b4 fixed the crash spike ?

Comment 17

[Magnus Melin [:mkmelin]]

For 94, this was probably bug 1738160.

Comment 18

[Richard Leger]

(In reply to Wayne Mery (:wsmwk) from comment #13)

(In reply to Richard Leger from comment #9)

(In reply to Wayne Mery (:wsmwk) from comment #8)

You use beta, not daily build, correct?

Yes I restarted using TB beta few days ago... as I was till a month back where I started using 91.x ESR since about 24 Aug to test it... now back on beta channel...

Richard, How is it now?

Not seen recently... in Beta nor in ESR...

Those are my most recent crash reports fyi some still related to IMAP but not directly to this bug:
bp-e474fa4d-eea0-4a90-a3d6-2f99e1211223 23/12/2021, 19:03
bp-153ff11b-1179-4151-8607-eeacc0211105 05/11/2021, 11:02
bp-4c49f26a-881c-4c63-b7bd-a2d0f0211104 04/11/2021, 15:11
bp-fadc5f63-4982-4620-8b18-544430210809 09/08/2021, 09:36
bp-28a933fe-327d-41d3-af42-4c3020210729 29/07/2021, 20:43

Comment 19

[Richard Leger]

Just encountered in TB 91.11.0 on Windows 10 while browsing email in a sub-folder IMAP account... no cache... online mode...
bp-e117fd27-6502-4f3e-8db5-9d1830220711

Could be linked to high latency on the Internet connection that I currently encounter... email are slow to load in preview and when selecting some of them TB crashes...

Ping statistics for 62.3.75.133:
Packets: Sent = 18, Received = 18, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 85ms, Maximum = 336ms, Average = 189ms

Comment 20

[Wayne Mery (:wsmwk)]

(In reply to Richard Leger from comment #19)

Just encountered in TB 91.11.0 on Windows 10 while browsing email in a sub-folder IMAP account... no cache... online mode...
bp-e117fd27-6502-4f3e-8db5-9d1830220711

0 xul.dll nsStreamConverter::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long long, unsigned int) mailnews/mime/src/nsStreamConverter.cpp:779
1 xul.dll `anonymous namespace'::SyncRunnable4<nsIStreamListener, nsIRequest*, nsIInputStream*, unsigned long long, unsigned int>::Run() mailnews/imap/src/nsSyncRunnableHelpers.cpp:184
2 xul.dll mozilla::RunnableTask::Run() xpcom/threads/TaskController.cpp:502
3 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:805
4 xul.dll mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:641

Version 91 crashes are strong through 91.13.0. However, there are no version 102 crashes. So this crash is either gone, or morphed to some other signature. So it will be interesting to see what crashes you have with version 102 or newer versions.

Comment 21

[Richard Leger]

Those are my most recent crashes... none related to 105.x branch...

bp-40d4ebab-443b-441e-b651-2a4ff0220711 11/07/2022, 17:39
Thunderbird 103.0b2 Crash Report [@ nsImapServerResponseParser::ProcessOkCommand ]

Frame 	Module 	Signature 	Source 	Trust
0 	xul.dll 	nsImapServerResponseParser::ProcessOkCommand(char const*) 	mailnews/imap/src/nsImapServerResponseParser.cpp:422 	context
1 	xul.dll 	nsImapServerResponseParser::ParseIMAPServerResponse(char const*, bool, char*) 	mailnews/imap/src/nsImapServerResponseParser.cpp:270 	cfi
2 	xul.dll 	nsImapProtocol::FetchMessage(nsTString<char> const&, <unnamed-tag>, char const*, unsigned int, unsigned int, char*) 	mailnews/imap/src/nsImapProtocol.cpp:3813 	cfi
3 	xul.dll 	nsImapProtocol::FetchTryChunking(nsTString<char> const&, <unnamed-tag>, bool, char*, unsigned int, bool) 	mailnews/imap/src/nsImapProtocol.cpp:3872 	cfi
4 	xul.dll 	nsIMAPBodypart::GeneratePart(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:360 	cfi
5 	xul.dll 	nsIMAPBodypartLeaf::Generate(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:470 	cfi
6 	xul.dll 	nsIMAPBodypartMultipart::Generate(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:834 	cfi
7 	xul.dll 	nsIMAPBodypartMultipart::Generate(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:834 	cfi
8 	xul.dll 	nsIMAPBodypartMultipart::Generate(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:834 	cfi
9 	xul.dll 	nsIMAPBodypartMessage::Generate(nsImapBodyShell*, nsImapProtocol*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:707 	cfi
10 	xul.dll 	nsImapBodyShell::Generate(nsImapProtocol*, char*) 	mailnews/imap/src/nsImapBodyShell.cpp:204 	cfi

bp-e117fd27-6502-4f3e-8db5-9d1830220711 11/07/2022, 17:31
Thunderbird 91.11.0 Crash Report [@ nsStreamConverter::OnDataAvailable ]

Frame 	Module 	Signature 	Source 	Trust
0 	xul.dll 	nsStreamConverter::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long long, unsigned int) 	mailnews/mime/src/nsStreamConverter.cpp:779 	context
1 	xul.dll 	`anonymous namespace'::SyncRunnable4<nsIStreamListener, nsIRequest*, nsIInputStream*, unsigned long long, unsigned int>::Run() 	mailnews/imap/src/nsSyncRunnableHelpers.cpp:184 	cfi
2 	xul.dll 	mozilla::RunnableTask::Run() 	xpcom/threads/TaskController.cpp:502 	cfi
3 	xul.dll 	mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) 	xpcom/threads/TaskController.cpp:805 	cfi
4 	xul.dll 	mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) 	xpcom/threads/TaskController.cpp:641 	cfi
5 	xul.dll 	mozilla::TaskController::ProcessPendingMTTask(bool) 	xpcom/threads/TaskController.cpp:425 	cfi
6 	xul.dll 	mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:7'>::Run() 	xpcom/threads/nsThreadUtils.h:532 	cfi
7 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1152 	cfi
8 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/threads/nsThreadUtils.cpp:466 	cfi
9 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:85 	cfi
10 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:324 	cfi

bp-2916ff34-4676-426b-9ab9-be9220220711 11/07/2022, 17:30
Thunderbird 91.11.0 Crash Report [@ MOZ_Z_inflate_table ]

Frame 	Module 	Signature 	Source 	Trust
0 	xul.dll 	MOZ_Z_inflate_table(<unnamed-tag>, unsigned short*, unsigned int, code**, unsigned int*, unsigned short*) 	modules/zlib/src/inftrees.c:236 	context
1 	xul.dll 	MOZ_Z_inflate(z_stream_s*, int) 	modules/zlib/src/inflate.c:1023 	cfi
2 	xul.dll 	nsMsgCompressIStream::Read(char*, unsigned int, unsigned int*) 	mailnews/base/src/nsMsgCompressIStream.cpp:159 	cfi
3 	xul.dll 	nsMsgLineStreamBuffer::ReadNextLine(nsIInputStream*, unsigned int&, bool&, nsresult*, bool) 	mailnews/base/src/nsMsgLineBuffer.cpp:275 	cfi
4 	xul.dll 	nsImapProtocol::CreateNewLineFromSocket() 	mailnews/imap/src/nsImapProtocol.cpp:4865 	cfi
5 	xul.dll 	nsImapServerResponseParser::GetNextLineForParser(char**) 	mailnews/imap/src/nsImapServerResponseParser.cpp:84 	cfi
6 	xul.dll 	nsImapGenericParser::AdvanceToNextToken() 	mailnews/imap/src/nsImapGenericParser.cpp:95 	cfi
7 	xul.dll 	nsImapServerResponseParser::ParseIMAPServerResponse(char const*, bool, char*) 	mailnews/imap/src/nsImapServerResponseParser.cpp:185 	cfi
8 	xul.dll 	nsImapProtocol::FetchMessage(nsTString<char> const&, <unnamed-tag>, char const*, unsigned int, unsigned int, char*) 	mailnews/imap/src/nsImapProtocol.cpp:3742 	cfi
9 	xul.dll 	nsImapProtocol::FetchTryChunking(nsTString<char> const&, <unnamed-tag>, bool, char*, unsigned int, bool) 	mailnews/imap/src/nsImapProtocol.cpp:3792 	cfi
10 	xul.dll 	nsIMAPBodypart::GeneratePart(nsImapBodyShell*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:409 	cfi

bp-a4b7ce53-23e0-40df-84be-16ab90220707 07/07/2022, 17:15
Thunderbird 91.11.0 Crash Report [@ RtlEnterCriticalSection | PR_EnterMonitor | nsImapProtocol::GetPseudoInterrupted ]

Frame 	Module 	Signature 	Source 	Trust
0 	ntdll.dll 	RtlEnterCriticalSection 		context
1 	nss3.dll 	PR_EnterMonitor(PRMonitor*) 	nsprpub/pr/src/threads/prmon.c:139 	cfi
2 	xul.dll 	nsImapProtocol::GetPseudoInterrupted() 	mailnews/imap/src/nsImapProtocol.cpp:4752 	cfi
3 	xul.dll 	nsImapBodyShell::Generate(char*) 	mailnews/imap/src/nsImapBodyShell.cpp:197 	cfi
4 	xul.dll 	nsImapServerResponseParser::ProcessOkCommand(char const*) 	mailnews/imap/src/nsImapServerResponseParser.cpp:406 	cfi
5 	xul.dll 	nsImapServerResponseParser::ParseIMAPServerResponse(char const*, bool, char*) 	mailnews/imap/src/nsImapServerResponseParser.cpp:264 	cfi
6 	xul.dll 	nsImapProtocol::FetchMessage(nsTString<char> const&, <unnamed-tag>, char const*, unsigned int, unsigned int, char*) 	mailnews/imap/src/nsImapProtocol.cpp:3742 	cfi
7 	xul.dll 	nsImapProtocol::FetchTryChunking(nsTString<char> const&, <unnamed-tag>, bool, char*, unsigned int, bool) 	mailnews/imap/src/nsImapProtocol.cpp:3792 	cfi
8 	xul.dll 	nsIMAPBodypart::GeneratePart(nsImapBodyShell*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:409 	cfi
9 	xul.dll 	nsIMAPBodypartLeaf::Generate(nsImapBodyShell*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:528 	cfi
10 	xul.dll 	nsIMAPBodypartMultipart::Generate(nsImapBodyShell*, bool, bool) 	mailnews/imap/src/nsImapBodyShell.cpp:889 	cfi

Comment 22

[Wayne Mery (:wsmwk)]

Signature doesn't exist in version 102