Crashes during autocomplete when entering group alias from mac's or Windows contacts. @ mozilla::SegmentedVector<T>::PopLastN @ nsArrayBase::QueryElementAt
Categories
(Thunderbird :: Message Compose Window, defect, P1)
Tracking
(thunderbird_esr91+ fixed, thunderbird94+ fixed)
People
(Reporter: bgrinstein, Assigned: KaiE)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, reproducible)
Crash Data
Attachments
(4 files)
|
38.72 KB,
application/vnd.oasis.opendocument.text
|
Details | |
|
3.80 KB,
text/plain
|
Details | |
|
4.43 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
rjl
:
approval-comm-beta+
wsmwk
:
approval-comm-esr91+
|
Details | Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.2.0
Steps to reproduce:
Entered the name of a "Group" that was defined in Mac OS X Contacts. After typing a few letters into the "To" field a short list of possible completions showed up and I selected the desired one, a Groups defined in contacts. Then hit entered and Thunderbird immediately crashed and the crash report window opened up. This is 100% reproducible
Actual results:
Crashed
Expected results:
?? I should have been able to enter text in Subject and in the body of the email
|
||
Comment 1•3 years ago
|
||
Perhaps related to bug 1718862 comment 3.
What is your crash ID from Help > More troubleshooting information?
|
Reporter | |
Comment 2•3 years ago
•
|
||
(In reply to Wayne Mery (:wsmwk) from comment #1)
Perhaps related to bug 1718862 comment 3.
What is your crash ID from Help > More troubleshooting information?
Any of these (I think they were all caused by the same, as I was first stubborn and then just wanted to insure it was reproducible)
ID: bp-a7b4976a-55f1-409e-ba71-5524c0211013 91.2.0
ID: bp-cbc4eb48-a1e6-4d01-8d51-bc9330211013 91.2.0
ID: bp-41e1098c-fd7d-49fb-aa97-4bc5b0211013 91.2.0
ID: bp-cca5cea6-010a-48c5-8bcb-93bc60211013 91.2.0
ID: bp-a7b4976a-55f1-409e-ba71-5524c0211013 91.2.0
|
|
||
Comment 3•3 years ago
|
||
All four crashes (the last one is a duplicate of the first) are @ mozilla::SegmentedVector<T>::PopLastN.
The last three all have uptime of only 20 seconds. Are you really getting into compose and providing an alias in the compose field for those crashes?
bp-a7b4976a-55f1-409e-ba71-5524c0211013
0 XUL mozilla::SegmentedVector<nsCOMPtr<nsISupports>, (unsigned long)4096, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) mfbt/SegmentedVector.h:262
1 XUL mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) dom/bindings/BindingUtils.h:2753
2 XUL mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) xpcom/base/CycleCollectedJSRuntime.cpp:1648
3 XUL mozilla::IncrementalFinalizeRunnable::Run() xpcom/base/CycleCollectedJSRuntime.cpp:1685
4 XUL IdleRunnableWrapper::Run() xpcom/threads/nsThreadUtils.cpp:310
5 XUL mozilla::RunnableTask::Run() xpcom/threads/TaskController.cpp:502
6 XUL mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:805
|
|
Reporter | |
Comment 4•3 years ago
|
||
(In reply to Wayne Mery (:wsmwk) from comment #3)
All four crashes (the last one is a duplicate of the first) are @ mozilla::SegmentedVector<T>::PopLastN.
The last three all have uptime of only 20 seconds. Are you really getting into compose and providing an alias in the compose field for those crashes?
bp-a7b4976a-55f1-409e-ba71-5524c0211013
0 XUL mozilla::SegmentedVector<nsCOMPtr<nsISupports>, (unsigned long)4096, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) mfbt/SegmentedVector.h:262
1 XUL mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) dom/bindings/BindingUtils.h:2753
2 XUL mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) xpcom/base/CycleCollectedJSRuntime.cpp:1648
3 XUL mozilla::IncrementalFinalizeRunnable::Run() xpcom/base/CycleCollectedJSRuntime.cpp:1685
4 XUL IdleRunnableWrapper::Run() xpcom/threads/nsThreadUtils.cpp:310
5 XUL mozilla::RunnableTask::Run() xpcom/threads/TaskController.cpp:502
6 XUL mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:805
Yes. I had the crash report dialogue restart Thunderbird and I immediately hit compose, entered the address (the group name) and it crashed. Then I repeated this a few times, as stated. BTW I just tried it with a new group, just to check that it was not somethiung specifically wrong about that Group. It crashed again
|
||
Comment 5•3 years ago
|
||
I don't have any further input, and no mac to reproduce either.
|
|
Reporter | |
Comment 6•3 years ago
|
||
Maybe I should add, this is a macbook pro with the M1 chip running Big Sur (OS X 11.6)
|
|
||
Comment 7•3 years ago
|
||
This is easily reproduced. I'm on Macbook pro 2016 running 11.6, Thunderbird 94.0b2. But I get a variety of crash signatures:
- ChildFinder::NoteXPCOMChild bp-d8842f33-3f31-4e9d-8a2c-6a6900211014
- mozilla::SegmentedVector<T>::PopLastN bp-e5d4a0a8-a28e-4519-8916-11ef10211014
- XPCConvert::JSObject2NativeInterface bp-e4a3832e-1e0b-4fa5-9cbc-64bf30211014
Did this work for you when using version 78?
|
||
Comment 8•3 years ago
|
||
Although this signature is in cycle collector or gc, if we have the reproduce step, I guess that something thunderbird's XPCOM object will be released/destroyed in non-main thread.
|
|
Reporter | |
Comment 9•3 years ago
|
||
(In reply to Wayne Mery (:wsmwk) from comment #7)
This is easily reproduced. I'm on Macbook pro 2016 running 11.6, Thunderbird 94.0b2. But I get a variety of crash signatures:
- ChildFinder::NoteXPCOMChild bp-d8842f33-3f31-4e9d-8a2c-6a6900211014
- mozilla::SegmentedVector<T>::PopLastN bp-e5d4a0a8-a28e-4519-8916-11ef10211014
- XPCConvert::JSObject2NativeInterface bp-e4a3832e-1e0b-4fa5-9cbc-64bf30211014
Did this work for you when using version 78?
Crashes only started when I updated to v 91, it worked without a problem previous to that update
While the bug was changed to crashes when "autocomplete", I just checked that it still crashes even when I input the complete group name by hand
|
|
||
Comment 10•3 years ago
|
||
I installed 93.0b5 - address lookup for Mac contacts doesn't happen at all. So it's not possible to say whether 93 would crash.
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 13•3 years ago
|
||
I can reproduce using a local esr91 build. I have the full stack. It's crashing while trying to delete elements. The crash suggests that some of the assertions isn't true, but the assertion checks are no-ops in the optimized build.
I will do a local debug build, hopefully this will allow me to find the first time an assertion check fails.
|
||
Comment 14•3 years ago
|
||
|
|
||
Comment 15•3 years ago
|
||
This is the stack of the first crash when running a debug build.
|
|
Assignee | |
Comment 16•3 years ago
|
||
I'm guessing we have a pointer to an object from the OS (probably a pointer to an OS address book object), and it's being incorrectly deleted.
|
|
Assignee | |
Comment 17•3 years ago
|
||
Does the stack help you to understand what might be wrong?
|
|
Assignee | |
Comment 18•3 years ago
|
||
Magnus, I suggest to re-review the past year's patches that touched the implementation for mac OS address books. Maybe that code incorrectly copies a system handle to two different places, causing it to deleted twice.
|
|
||
Comment 19•3 years ago
|
||
There's many such patches though... I guess https://hg.mozilla.org/comm-central/log/tip/mailnews/addrbook/src/nsAbOSXDirectory.mm and related files.
|
|
||
Comment 20•3 years ago
|
||
(In reply to Kai Engert (:KaiE:) from comment #17)
Does the stack help you to understand what might be wrong?
We should use listDir.forget(aResult) instead.
|
|
Assignee | |
Comment 21•3 years ago
|
||
(In reply to Makoto Kato [:m_kato] from comment #20)
I guess https://searchfox.org/comm-central/rev/0e154d21c2179c0f4cad51fa61bbab20f494dbc2/mailnews/addrbook/src/nsAbDirProperty.cpp#371.
We should uselistDir.forget(aResult)instead.
Thank you very much! With that change, I can no longer reproduce the crash!
|
|
Assignee | |
Comment 22•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Comment 23•3 years ago
|
||
Sharp eyes! Many thanks m_kato!
|
||
Updated•3 years ago
|
|
||
Comment 24•3 years ago
|
||
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/aa53cab20da1
Fix pointer ownership to prevent crash when entering group alias in mac address book. r=mkmelin
|
|
Assignee | |
Comment 25•3 years ago
|
||
Comment on attachment 9247774 [details]
Bug 1735508 - Fix pointer ownership to prevent crash when entering group alias in mac address book. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): 1712601
User impact if declined: crash
Testing completed (on c-c, etc.): manual
Risk to taking this patch (and alternatives if risky): very low, obvious fix to avoid duplicate pointer delete
|
||
Comment 26•3 years ago
|
||
Comment on attachment 9247774 [details]
Bug 1735508 - Fix pointer ownership to prevent crash when entering group alias in mac address book. r=mkmelin
[Triage Comment]
Crash fix for 94 beta.
|
|
||
Comment 27•3 years ago
|
||
| bugherder uplift | ||
Thunderbird 94.0b5:
https://hg.mozilla.org/releases/comm-beta/rev/9ed35867789f
|
|
||
Comment 28•3 years ago
|
||
Comment on attachment 9247774 [details]
Bug 1735508 - Fix pointer ownership to prevent crash when entering group alias in mac address book. r=mkmelin
[Triage Comment]
approved for esr91
It hasn't yet shipped in beta, but the patch is simple, and only impacts Mac AB - i.e. it can't get get much worse for Mac.
|
|
||
Comment 29•3 years ago
|
||
We probably want to file another bug report for @ mozilla::SegmentedVector<T>::PopLastN which has reporters using Windows
|
|
||
Comment 30•3 years ago
|
||
| bugherder uplift | ||
Thunderbird 91.3.0:
https://hg.mozilla.org/releases/comm-esr91/rev/51fb6cee4bb1
|
|
||
Comment 31•3 years ago
|
||
(In reply to Wayne Mery (:wsmwk) from comment #29)
We probably want to file another bug report for @ mozilla::SegmentedVector<T>::PopLastN which has reporters using Windows
If user uses Outlook's address book integration, I guess that same issue may occur on Windows too.
|
||
Updated•3 years ago
|
|
||
Comment 32•3 years ago
|
||
I tried to reproduce this issue in TB 91 on my iMac running macOS 10.14.6.
TB didn't crash when I entered the first letters of a list name in my Mac "Contacts" and let autocomplete do its work. TB did not crash when I hit the Tab key to navigate to the text field of the compose window. So I saved the message as a draft in the Drafts folder.
When I edit the saved draft message TB crashes.
Crash IDs
7d278f2f-2e77-40da-a049-e2f5e0211028
1b5f2575-32fe-454c-bbe1-495b30211028
|
|
||
Comment 33•3 years ago
•
|
||
bp-7d278f2f-2e77-40da-a049-e2f5e0211028 -> @ nsArrayBase::QueryElementAt 91.2.1 Mac
bp-1b5f2575-32fe-454c-bbe1-495b30211028 ->@ ChildFinder::NoteXPCOMChild 91.2.1 Mac
|
|
||
Comment 35•3 years ago
|
||
We will have to check the results at backtrace to see if the crash rate reduces
|
|
||
Updated•3 years ago
|
|
||
Comment 36•3 years ago
|
||
Ha, as much as I run a mac, (though not mad on MS stuff either), I do not have contacts in the Mac AB, never use Safri, mail, or any MAc app, much. Bout only app is Finder
I will need to set up contcts and test if still a concern
|
|
||
Comment 37•3 years ago
|
||
(In reply to Magnus Melin [:mkmelin] from comment #33)
bp-7d278f2f-2e77-40da-a049-e2f5e0211028 -> @ nsArrayBase::QueryElementAt
bp-1b5f2575-32fe-454c-bbe1-495b30211028 ->@ ChildFinder::NoteXPCOMChild
Build id is old (20211020014537), try newer build when newer is released.
|
|
Reporter | |
Comment 39•2 years ago
|
||
Hi Wayne.
Yes, no more crashes, the bug seems to have been fixed.
Thx
Description
•