2007164 - Crash in [@ nsMsgSearchOfflineMail::Search]

Status: RESOLVED FIXED

(Thunderbird :: Search, defect)

Description

[Magnus Melin [:mkmelin]]

Crash report: https://crash-stats.mozilla.org/report/index/72745a17-deb1-48e6-8a19-29a290251219

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  nsMsgSearchOfflineMail::Search(bool*)  mailnews/search/src/nsMsgLocalSearch.cpp:630
1  xul.dll  nsMsgSearchSession::TimeSliceSerial(bool*)  mailnews/search/src/nsMsgSearchSession.cpp:541
2  xul.dll  nsMsgSearchSession::TimeSlice(bool*)  mailnews/search/src/nsMsgSearchSession.cpp:507
2  xul.dll  nsMsgSearchSession::TimerCallback(nsITimer*, void*)  mailnews/search/src/nsMsgSearchSession.cpp:416
3  xul.dll  nsMsgSearchSession::StartTimer()  mailnews/search/src/nsMsgSearchSession.cpp:436
3  xul.dll  nsMsgSearchSession::SearchWOUrls()  mailnews/search/src/nsMsgSearchSession.cpp:442
3  xul.dll  nsMsgSearchSession::DoNextSearch()  mailnews/search/src/nsMsgSearchSession.cpp:372
4  xul.dll  nsMsgSearchSession::BeginSearching()  mailnews/search/src/nsMsgSearchSession.cpp:358
4  xul.dll  nsMsgSearchSession::Search(nsIMsgWindow*)  mailnews/search/src/nsMsgSearchSession.cpp:226
5  xul.dll  nsMsgPurgeService::SearchFolderToPurge(nsIMsgFolder*, int)  mailnews/base/src/nsMsgPurgeService.cpp:410

Seems likely caused/exposed by bug 1976655
#1 top crash for 147.0b3 currently.

Comment 1

[Yury]

Bug 1992248 comment 104?

Comment 2

[Hartmut Welpmann [:welpy-cw]]

Here's a breakdown of how the crash presumably happened:

1. The background purge service, which runs for the first time five minutes after Thunderbird starts, attempts to access a local folder with a missing or corrupt summary file.

2. nsMsgSearchOfflineMail::Search() calls OpenSummaryFile(), which invokes ParseFolder() to rebuild the database.

3. If ParseFolder() fails immediately (e.g., due to file I/O errors), it triggers a completion notification (OnStopRunningUrl()) synchronously before returning to the caller.

4. This notification reaches the search session, which triggers skipSearch(). The session releases its strong reference to the search adapter. As the sole owner, the session’s release causes the adapter to be destroyed immediately, and its memory is poisoned with 0xE5 by the allocator.

5. The stack unwinds back to the Search() method, which is still active. The code proceeds to a virtual function call (GetSearchCharset()).

6. The CPU attempts to read the vtable pointer from the poisoned memory (0xE5E5...). This leads to an invalid memory access and an immediate crash.

All crash reports so far are from Windows or Mac OS installations, so there may be a connection to all file handles being used up.

Comment 3

[Hartmut Welpmann [:welpy-cw]]

Attachment: Bug 2007164 - Harden local search against Use-After-Free and timer leaks. r=#thunderbird-back-end-reviewers

This patch fixes a crash in nsMsgSearchOfflineMail::Search by addressing
asynchronous re-entrancy hazards and resource management:

• Modified nsMsgLocalMailFolder::ParseFolder to dispatch failure
  notifications asynchronously. This prevents synchronous callbacks from
  destroying the search adapter while its Search method is still on the
  stack.

• Added a RefPtr "Kung Fu Death Grip" to nsMsgSearchOfflineMail::Search to
  additionally ensure object stability during its execution slice.

• Refactored nsMsgSearchSession to reuse its background timer instance,
  preventing leaks and orphaned callbacks during search transitions.

Comment 4

[Pulsebot]

Pushed by toby@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/5044ea90d103
Harden local search against Use-After-Free and timer leaks. r=tobyp