MailNews crashes [@ MimeMessage_parse_eof] when quickly viewing messages

VERIFIED FIXED

Status

MailNews Core
MIME
--
critical
VERIFIED FIXED
14 years ago
10 years ago

People

(Reporter: mcsmurf, Assigned: (not reading, please use seth@sspitzer.org instead))

Tracking

({crash, regression})

Trunk
x86
Windows 2000
crash, regression

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

14 years ago
With a current cvs trunk build Mozilla MailNews crashes when quickly viewing
messages/mails. To reproduce try this:
1st method: Move many mails to your trash folder and try to delete them by
holding the DEL key (MailNews views every message for a very short time).
Mozilla crashes after some mails here.
2nd method: Go to a newsgroup with many unread messages (here the messages were
all text only) and hold the Space key (MailNews views every message for a very
short time). After some posting it crashes.

Stacktrace for 1st method:
MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000) line 554 + 14 bytes
mime_display_stream_complete(_nsMIMESession * 0x062a49d0) line 928
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x04513920,
nsIRequest * 0x066ea93c, nsISupports * 0x0660b250, unsigned int 0x804b0002) line
1055 + 6 bytes
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x066ea938, nsIRequest *
0x066cf650, nsISupports * 0x0660b250, unsigned int 0x804b0002) line 362 + 15 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x00000000,
nsIRequest * 0x066cf650, nsISupports * 0x0660b250, unsigned int 0x804b0002) line 392
nsInputStreamPump::OnStateStop(nsInputStreamPump * const 0x00000000) line 506
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const,
nsIAsyncInputStream *) line 341

Stacktrace for 2nd method:
MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000) line 554 + 14 bytes
mime_display_stream_complete(_nsMIMESession * 0x03405448) line 928
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x032d16d0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line
1055 + 6 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x032d16d0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line 360
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03be4dd0,
nsIRequest * 0x03308250, nsISupports * 0x03c16e98, unsigned int 0x00000000) line
65 + 21 bytes
nsNNTPProtocol::CleanupAfterRunningUrl(nsNNTPProtocol * const 0x00000000) line 5361
nsNNTPProtocol::CloseSocket(nsNNTPProtocol * const 0x00000000) line 5405
nsNNTPProtocol::CloseConnection(nsNNTPProtocol * const 0x025775f6) line 5321
nsNNTPProtocol::ProcessProtocolState(nsNNTPProtocol * const 0x00000000, nsIURI *
0x01b346ae, nsIInputStream * 0x03c16e9c, unsigned int 0x03139aa8, unsigned int
0x00000000) line 5284 + 9 bytes
nsMsgProtocol::OnDataAvailable(nsMsgProtocol * const, nsIRequest *, nsISupports
*, nsIInputStream *, unsigned int, unsigned int) line 325 + 20 bytes
(Reporter)

Comment 1

14 years ago
(In reply to comment #0)
> 2nd method: Go to a newsgroup with many unread messages (here the messages were
> all text only) and hold the Space key (MailNews views every message for a very
> short time). After some posting it crashes.

I mean "After some postings/time it crashes." here.
(Reporter)

Comment 2

14 years ago
This regressed between 20040506 and 20040601, but I think the date where this
regressed is more towards 20040601 (can't test when this regressed, no bandwidth
to download builds).
I saw this too, when I entered a newsgroup and immediately pressed the spacebar.
Build 2004-05-31-08 on Windows XP.
Keywords: crash
Summary: MailNews crashes when quickly viewing messages → MailNews crashes [@ MimeMessage_parse_eof] when quickly viewing messages

Updated

14 years ago
Depends on: 244722

Comment 4

14 years ago
Hmm, this is probably my fault. :-( I wonder if 

-  if(outer_p && ! msg->hdrs->done_p) {
+  if(outer_p && msg->hdrs && ! msg->hdrs->done_p) {

fixes the problem?

Comment 5

14 years ago
On the other hand, the traces both end with:

MimeMessage_parse_eof(MimeObject * 0x00000001, int 0x00000000)

Since the function is 

static int MimeMessage_parse_eof (MimeObject *obj, PRBool abort_p)

does this mean that the function was called with a MimeObject pointer of
0x00000001 ???
(Reporter)

Comment 6

14 years ago
(In reply to comment #5)
> does this mean that the function was called with a MimeObject pointer of
> 0x00000001 ???

My debugger says so, yes.

Comment 7

14 years ago
I backed out the patch that introduced this crash. Hopefully Lorenzo and Frank
can figure out a fix :)
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Comment 8

14 years ago
I can't reproduce this.
I tried both using a trunk CVS build of Thunderbird with attachment 149627
applied and a nightly build of mozilla (2004060105) which should have the
offending checkin. This is using Linux.

This is what I did:

1. Start mozilla
2. Copy a few hundred messages from an IMAP inbox into the Trash folder in
local folders.
3. Select Trash folder
4. Keep the DEL key pressed until all messages are deleted

Result: the messages were deleted as expected with no crash.

Comment 9

14 years ago
Ah, got it (I think):

Program received signal SIGSEGV, Segmentation fault.
0x41af46e2 in MimeMessage_parse_eof (obj=0x8f3f158, abort_p=0) at mimemsg.cpp:554
554       if(outer_p && ! msg->hdrs->done_p) {
Current language:  auto; currently c++
(gdb) bt
#0  0x41af46e2 in MimeMessage_parse_eof (obj=0x8f3f158, abort_p=0) at
mimemsg.cpp:554
#1  0x41b01529 in mime_display_stream_complete (stream=0x8351318) at
mimemoz2.cpp:964
#2  0x41b0ec57 in nsStreamConverter::OnStopRequest (this=0x950d690,
request=0x9519e98, ctxt=0x0,
    status=2152398850) at nsStreamConverter.cpp:1014
#3  0x40d45e02 in nsDocumentOpenInfo::OnStopRequest ()
   from [...]/mozilla/dist/bin/components/libdocshell.so
#4  0x409bad8e in nsStreamListenerTee::OnStopRequest ()
   from [...]/mozilla/dist/bin/components/libnecko.so

[...]

(gdb) p msg->hdrs
$1 = (MimeHeaders *) 0x0

Comment 10

14 years ago
So I think what is happening here is that the stream is closed before
the headers have been parsed, probably because the front end is already trying
to display the next message since this one has been deleted.

A null check on msg->hdrs should fix the crash:

-  if(outer_p && ! msg->hdrs->done_p) {
+  if(outer_p && msg->hdrs && ! msg->hdrs->done_p) {
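
Review bot: The msg->hdrs test added on the + line guards only this one dereference, so it is worth checking whether anything later in MimeMessage_parse_eof also reads msg->hdrs and needs the same guard or an early exit. A short comment above the condition noting that hdrs can still be null when the stream is stopped before any header has been parsed (the state gdb prints in comment 9) would keep the check from being dropped later as redundant.
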
Verified FIXED with build 2004-06-30-08 on Windows XP.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Crash Signature: [@ MimeMessage_parse_eof]
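
The failure mode diagnosed in comments 9 and 10, as an added example that is not part of this bug thread or of Mozilla's code: an end-of-stream handler that has to tolerate running before any header line was parsed. The `Headers` and `Message` types, the lazy allocation in `message_parse_line`, and the status codes are simplified assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the parser state; not Mozilla's types. */
typedef struct { int done_p; } Headers;
typedef struct { Headers *hdrs; } Message;

enum { EOF_OK = 0, EOF_NO_HEADERS = 1, EOF_HEADERS_INCOMPLETE = 2 };

/* Assumption: header state is allocated lazily, on the first line parsed. */
static int message_parse_line(Message *msg, const char *line) {
    if (!msg->hdrs) {
        msg->hdrs = calloc(1, sizeof *msg->hdrs);
        if (!msg->hdrs) return -1;
    }
    if (line[0] == '\0' || line[0] == '\r' || line[0] == '\n')
        msg->hdrs->done_p = 1;            /* blank line ends the header block */
    return 0;
}

/* EOF handler: may run before any line arrived (stream stopped early). */
static int message_parse_eof(Message *msg, int outer_p) {
    int status = EOF_OK;
    if (outer_p && !msg->hdrs)
        status = EOF_NO_HEADERS;          /* guard: hdrs was never created */
    else if (outer_p && !msg->hdrs->done_p)
        status = EOF_HEADERS_INCOMPLETE;  /* stream ended inside the headers */
    free(msg->hdrs);                      /* free(NULL) is a no-op */
    msg->hdrs = NULL;
    return status;
}

/* Drive one message: feed n lines, then signal end of stream. */
static int run_message(const char *const *lines, size_t n) {
    Message msg = {0};
    for (size_t i = 0; i < n; i++)
        if (message_parse_line(&msg, lines[i]) != 0) return -1;
    return message_parse_eof(&msg, 1);
}

int main(void) {
    /* Constructed sample input: one header line, no terminating blank line. */
    const char *const partial[] = { "Subject: test\n" };
    return run_message(NULL, 0) == EOF_NO_HEADERS &&
           run_message(partial, 1) == EOF_HEADERS_INCOMPLETE ? 0 : 1;
}
```
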