Crash in [@ arena_run_reg_dalloc | arena_t::DallocSmall | arena_dalloc | nsImapProtocol::DeleteSubFolders] emptying Trash folder with mark as deleted
Categories
(MailNews Core :: Networking: IMAP, defect, P2)
Tracking
(thunderbird_esr115 fixed, thunderbird118+ verified, thunderbird119 affected)
People
(Reporter: wsmwk, Assigned: mkmelin)
References
(Regression)
Details
(Keywords: crash, regression, topcrash, Whiteboard: [TM: 115.2.3, blocking bug 1848264])
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
wsmwk
:
approval-comm-esr115+
|
Details | Review |
#1 crash for beta
First Crash report 118.0a1 buildid 20230816102333: https://crash-stats.mozilla.org/report/index/dda87b00-0a28-47fa-8b06-1c3af0230902
MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(diff == regind * size)
Top 10 frames of crashing thread:
0 mozglue.dll arena_run_reg_dalloc memory/build/mozjemalloc.cpp:2570
0 mozglue.dll arena_t::DallocSmall memory/build/mozjemalloc.cpp:3713
1 mozglue.dll arena_dalloc memory/build/mozjemalloc.cpp:3809
2 xul.dll nsImapProtocol::DeleteSubFolders mailnews/imap/src/nsImapProtocol.cpp:6953
3 xul.dll nsImapProtocol::ProcessSelectedStateURL mailnews/imap/src/nsImapProtocol.cpp:3077
4 xul.dll nsImapProtocol::ProcessCurrentURL mailnews/imap/src/nsImapProtocol.cpp:2004
5 xul.dll nsImapProtocol::ImapThreadMainLoop mailnews/imap/src/nsImapProtocol.cpp:1546
6 xul.dll nsImapProtocol::RunImapThreadMainLoop mailnews/imap/src/nsImapProtocol.cpp:1150
7 xul.dll nsImapProtocolMainLoopRunnable::Run mailnews/imap/src/nsImapProtocol.cpp:467
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1193
|
||
Comment 1•2 years ago
|
||
Very easy to duplicate: Create an imap folder A with subfolder B, CC and DD. Not sure it matters what they are called. Then delete folder A. Crash.
This may have something to do with bug 1848264 since it touched code in this area. (Lots of allocating and freeing going on here when deleting subfolders.)
|
|
||
Comment 2•2 years ago
•
|
||
Actually, crash on delete of top level parent folder only occurs if your delete model is "just mark deleted". If using move to trash, you don't see the crash until you empty the deleted folder tree from trash.
|
Reporter | |
Comment 3•2 years ago
|
||
(In reply to gene smith from comment #1)
This may have something to do with bug 1848264 since it touched code in this area. (Lots of allocating and freeing going on here when deleting subfolders.)
Indeed It fits the time frame
|
|
Reporter | |
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
It's crashing since we're freeing the memory of an nsCString which went away. https://searchfox.org/comm-central/rev/8dd2eb58861612e3afa78e00e8f5b10ab4591e40/mailnews/imap/src/nsImapProtocol.cpp#6940,6943,6953
But, I think thing we need to get rid of a bit more old string handling, which is causing the trouble to begin with.
|
|
Reporter | |
Comment 5•2 years ago
|
||
Another signature, less common - arena_run_reg_dalloc | arena_t::DallocSmall | arena_dalloc | BaseAllocator::free | Allocator<T>::free | nsImapProtocol::DeleteSubFolders bp-a302c400-977e-4def-8276-0228e0230904
|
|
Assignee | |
Comment 6•2 years ago
|
||
Minimal fix.
|
|
Assignee | |
Updated•2 years ago
|
Pushed by benc@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/894d89f64450
Fix crash in nsImapProtocol::DeleteSubFolders. r=gds
|
|
Reporter | |
Comment 8•2 years ago
|
||
|
|
Reporter | |
Comment 10•2 years ago
|
||
Comment on attachment 9351474 [details]
Bug 1851293 - Fix crash in nsImapProtocol::DeleteSubFolders. r=gds
[Triage Comment]
|
|
Reporter | |
Comment 11•2 years ago
|
||
Comment on attachment 9351474 [details]
Bug 1851293 - Fix crash in nsImapProtocol::DeleteSubFolders. r=gds
[Triage Comment]
Approved for beta
|
|
Reporter | |
Updated•2 years ago
|
|
||
Comment 12•2 years ago
|
||
| bugherder uplift | ||
Thunderbird 118.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/8e6ec8f43b65
|
|
Reporter | |
Comment 13•2 years ago
|
||
Magnus, the crash is gone in 118.0b3. Thanks
https://crash-stats.mozilla.org/signature/?product=Thunderbird&version=118.0b&signature=arena_run_reg_dalloc%20%7C%20arena_t%3A%3ADallocSmall%20%7C%20arena_dalloc%20%7C%20nsImapProtocol%3A%3ADeleteSubFolders&date=%3E%3D2023-09-06T00%3A00%3A00.000Z&date=%3C2023-09-13T23%3A59%3A00.000Z#summary
So we need to take this with bug 1848264 to 115, correct?
|
|
Assignee | |
Comment 14•2 years ago
|
||
Comment on attachment 9351474 [details]
Bug 1851293 - Fix crash in nsImapProtocol::DeleteSubFolders. r=gds
[Approval Request Comment]
Needed for bug 1848264
|
|
Assignee | |
Updated•2 years ago
|
|
|
Reporter | |
Comment 15•2 years ago
|
||
Comment on attachment 9351474 [details]
Bug 1851293 - Fix crash in nsImapProtocol::DeleteSubFolders. r=gds
[Triage Comment]
Approved for esr115
|
|
||
Comment 16•2 years ago
|
||
| bugherder uplift | ||
Thunderbird 115.2.3:
https://hg.mozilla.org/releases/comm-esr115/rev/7799f88543a0
|
|
Reporter | |
Updated•2 years ago
|
|
|
Reporter | |
Comment 17•2 years ago
|
||
Fixed missed flag
Description
•