245233 - MailNews crashes [@ MimeMessage_parse_eof] when quickly viewing messages

Status: VERIFIED FIXED

Description

[Frank Wein [:mcsmurf]]

With a current cvs trunk build Mozilla MailNews crashes when quickly viewing
messages/mails. To reproduce try this:
1st method: Move many mails to your trash folder and try to delete them by
holding the DEL key (MailNews views every message for a very short time).
Mozilla crashes after some mails here.
2nd method: Go to a newsgroup with many unread messages (here the messages were
all text only) and hold the Space key (MailNews views every message for a very
short time). After some posting it crashes.

Stacktrace for 1st method:
MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000) line 554 + 14 bytes
mime_display_stream_complete(_nsMIMESession * 0x062a49d0) line 928
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x04513920,
nsIRequest * 0x066ea93c, nsISupports * 0x0660b250, unsigned int 0x804b0002) line
1055 + 6 bytes
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x066ea938, nsIRequest *
0x066cf650, nsISupports * 0x0660b250, unsigned int 0x804b0002) line 362 + 15 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x00000000,
nsIRequest * 0x066cf650, nsISupports * 0x0660b250, unsigned int 0x804b0002) line 392
nsInputStreamPump::OnStateStop(nsInputStreamPump * const 0x00000000) line 506
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const,
nsIAsyncInputStream *) line 341

Stacktrace for 2nd method:
MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000) line 554 + 14 bytes
mime_display_stream_complete(_nsMIMESession * 0x03405448) line 928
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x032d16d0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line
1055 + 6 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x032d16d0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line 360
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03be4dd0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line
65 + 21 bytes
nsNNTPProtocol::CleanupAfterRunningUrl(nsNNTPProtocol * const 0x00000000) line 5361
nsNNTPProtocol::CloseSocket(nsNNTPProtocol * const 0x00000000) line 5405
nsNNTPProtocol::CloseConnection(nsNNTPProtocol * const 0x025775f6) line 5321
nsNNTPProtocol::ProcessProtocolState(nsNNTPProtocol * const 0x00000000, nsIURI *
0x01b346ae, nsIInputStream * 0x03c16e9c, unsigned int 0x03139aa8, unsigned int
0x00000000) line 5284 + 9 bytes
nsMsgProtocol::OnDataAvailable(nsMsgProtocol * const, nsIRequest *, nsISupports
*, nsIInputStream *, unsigned int, unsigned int) line 325 + 20 bytes

Comment 1

[Frank Wein [:mcsmurf]]

(In reply to comment #0)
> 2nd method: Go to a newsgroup with many unread messages (here the messages were
> all text only) and hold the Space key (MailNews views every message for a very
> short time). After some posting it crashes.

I mean "After some postings/time it crashes." here.

Comment 2

[Frank Wein [:mcsmurf]]

This regressed between 20040506 and 20040601, but i think the date where this
regressed is more towards 20040601 (can't test when this regressed, no bandwidth
to download builds).

Comment 3

[Stephen Donner [:stephend]]

I saw this too, when I entered a newsgroup and immediately pressed the spacebar.
 Build 2004-05-31-08 on Windows XP.

Comment 4

[Lorenzo Colitti]

Hmm, this is probably my fault. :-( I wonder if 

-  if(outer_p && ! msg->hdrs->done_p) {
+  if(outer_p && msg->hdrs && ! msg->hdrs->done_p) {

fixes the problem?

Comment 5

[Lorenzo Colitti]

On the other hand, the traces both end with:

MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000)

Since the function is 

static int MimeMessage_parse_eof (MimeObject *obj, PRBool abort_p)

does this mean that the function was called with a MimeObject pointer of
0x00000001 ???

Comment 6

[Frank Wein [:mcsmurf]]

(In reply to comment #5)
> does this mean that the function was called with a MimeObject pointer of
> 0x00000001 ???

My debugger says so, yes.

Comment 7

[Scott MacGregor]

I backed out the patch that introduced this crash. Hopefully Lorenzo and Frank
can figure out a fix :)

Comment 8

[Lorenzo Colitti]

I can't reproduce this.
I tried both using a trunk CVS build of Thunderbird with attachment 149627 [details] [diff] [review]
applied and a nightly build of mozilla (2004060105) which should have the
offending checkin. This is using Linux.

This is what I did:

1. Start mozilla
2. Copy a few hundred messages from an IMAP inbox into a the Trash folder in
local folders.
3. Select Trash folder
4. Keep the DEL key pressed until all messages deleted

Result: the messages were deleted as expected with no crash.

Comment 9

[Lorenzo Colitti]

Ah, got it (I think):

Program received signal SIGSEGV, Segmentation fault.
0x41af46e2 in MimeMessage_parse_eof (obj=0x8f3f158, abort_p=0) at mimemsg.cpp:554
554       if(outer_p && ! msg->hdrs->done_p) {
Current language:  auto; currently c++
(gdb) bt
#0  0x41af46e2 in MimeMessage_parse_eof (obj=0x8f3f158, abort_p=0) at
mimemsg.cpp:554
#1  0x41b01529 in mime_display_stream_complete (stream=0x8351318) at
mimemoz2.cpp:964
#2  0x41b0ec57 in nsStreamConverter::OnStopRequest (this=0x950d690,
request=0x9519e98, ctxt=0x0,
    status=2152398850) at nsStreamConverter.cpp:1014
#3  0x40d45e02 in nsDocumentOpenInfo::OnStopRequest ()
   from [...]/mozilla/dist/bin/components/libdocshell.so
#4  0x409bad8e in nsStreamListenerTee::OnStopRequest ()
   from [...]/mozilla/dist/bin/components/libnecko.so

[...]

(gdb) p msg->hdrs
$1 = (MimeHeaders *) 0x0

Comment 10

[Lorenzo Colitti]

So I think what is happening here is that the stream is closed because before
the headers have been parsed, probably because the front end is already trying
to display the next message since this one has been deleted.

A null check on msg->hdrs should fix the crash:

-  if(outer_p && ! msg->hdrs->done_p) {
+  if(outer_p && msg->hdrs && ! msg->hdrs->done_p) {

Comment 11

[Stephen Donner [:stephend]]

Verified FIXED with build 2004-06-30-08 on Windows XP.