crash after saving all attachments [@ nsMessenger::SaveAllAttachments]

RESOLVED FIXED

Status

MailNews Core
Backend
--
critical
RESOLVED FIXED
12 years ago
9 years ago

People

(Reporter: Jakub Kalas, Assigned: Bienvenu)

Tracking

(4 keywords)

Trunk
x86
All
crash, fixed1.8.0.2, fixed1.8.1, verified1.8.1.3

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [qa:verified-tb-1802], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: version 1.5 (20051201)

Delete all attachments from an email and then try to "save all" attachments. Thunderbird crashes.

Reproducible: Always
(Reporter)

Updated

12 years ago
Version: unspecified → 1.5

Comment 1

12 years ago
Confirmed on branch and trunk. 

Talkback ids, e.g. TB3882732M, TB3882641X
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows XP → Linux

Comment 2

12 years ago
you lost a digit from your incident ids, please try not to do that :(
  
Incident ID: 13882641
Stack Signature	nsMessenger::SaveAllAttachments() 7c0f1f4f
Product ID	Thunderbird2
Build ID	2006010905
Trigger Time	2006-01-12 13:55:45.0
Platform	LinuxIntel
Operating System	Linux 2.6.12-10-386
Module	thunderbird-bin + (0075b157)
URL visited	
User Comments	delete all attachments, then save all. bug 323131
Since Last Crash	5 sec
Total Uptime	5 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.	/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/mailnews/base/src/nsMessenger.cpp, line 655
Stack Trace 	
nsMessenger::SaveAllAttachments()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/mailnews/base/src/nsMessenger.cpp, line 655]
nsMessenger::SaveAllAttachments()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/mailnews/base/src/nsMessenger.cpp, line 906]
XPTC_InvokeByIndex()
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 3091]
XPC_WN_CallMethod()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/jsinterp.c, line 3522]
js_Invoke()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/js/src/jsapi.c, line 4158]
nsJSContext::CallEventHandler()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1413]
nsJSEventListener::HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 185]
nsEventListenerManager::HandleEventSubType()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 848]
nsEventListenerManager::HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1784]
nsXULElement::HandleDOMEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2153]
PresShell::HandleDOMEventWithTarget()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/layout/base/nsPresShell.cpp, line 6469]
nsMenuFrame::Execute()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/layout/xul/base/src/nsMenuFrame.cpp, line 848]
nsMenuFrame::HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/layout/xul/base/src/nsMenuFrame.cpp, line 454]
PresShell::HandleEventInternal()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/layout/base/nsPresShell.cpp, line 69]
PresShell::HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/layout/base/nsPresShell.cpp, line 6209]
nsViewManager::HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/view/src/nsViewManager.cpp, line 848]
nsViewManager::DispatchEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/view/src/nsViewManager.cpp, line 2254]
HandleEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/view/src/nsView.cpp, line 251]
nsCommonWidget::DispatchEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/widget/src/gtk2/nsCommonWidget.cpp, line 219]
nsWindow::OnButtonReleaseEvent()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 1601]
button_release_event_cb()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 3737]
libgtk-x11-2.0.so.0 + 0x12002c (0xb7bb402c)
libgobject-2.0.so.0 + 0x93a8 (0xb79713a8)
libgobject-2.0.so.0 + 0x17b13 (0xb797fb13)
libgobject-2.0.so.0 + 0x18ec3 (0xb7980ec3)
libgobject-2.0.so.0 + 0x194c3 (0xb79814c3)
libgtk-x11-2.0.so.0 + 0x20216f (0xb7c9616f)
libgtk-x11-2.0.so.0 + 0x11e767 (0xb7bb2767)
libgtk-x11-2.0.so.0 + 0x11eba0 (0xb7bb2ba0)
libgdk-x11-2.0.so.0 + 0x3fb2d (0xb7a56b2d)
libglib-2.0.so.0 + 0x244ee (0xb79084ee)
libglib-2.0.so.0 + 0x274f6 (0xb790b4f6)
libglib-2.0.so.0 + 0x277e3 (0xb790b7e3)
libgtk-x11-2.0.so.0 + 0x11de65 (0xb7bb1e65)
nsAppShell::Run()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp, line 141]
nsAppStartup::Run()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
XRE_main()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 848]
main()  [/builds/tinderbox/Tb-Mozilla1.8/Linux_2.4.18-14_Depend/mozilla/mail/app/nsMailApp.cpp, line 63]
libc.so.6 + 0x14ea2 (0xb745cea2)

There are all sorts of bugs in the relevant code, but i can't spot the one that actually caused you crash.


this needs to be result checked:
filePicker->Init(mWindow,
GetString(NS_LITERAL_STRING("SaveAllAttachments")),
nsIFilePicker::modeGetFolder);

this needs to be oom checked:
saveState = new nsSaveAllAttachmentsState(count,
contentTypeArray,
urlArray,
displayNameArray,
messageUriArray, 
(const char*) dirName, detaching);

this and following leak saveState:
rv = ConvertAndSanitizeFileName(displayNameArray[0], nsnull, getter_Copies(unescapedName));
if (NS_FAILED(rv))
goto done;

this should be result checked:
fileSpec->SetFromFileSpec(aFileSpec);

most likely these lines crashed:
 970 rv = ConvertAndSanitizeFileName(displayNameArray[0], nsnull, getter_Copies(unescapedName));

 979 rv = SaveAttachment(fileSpec, urlArray[0], messageUriArray[0], 
 980                     contentTypeArray[0], (void *)saveState);

since they aren't checking count and just presume the array has a length
Assignee: mscott → nobody
Component: Mail Window Front End → MailNews: Backend
Product: Thunderbird → Core
Summary: crash after saving all attachments → crash after saving all attachments [@ nsMessenger::SaveAllAttachments]
Version: 1.5 → Trunk

Comment 3

12 years ago
Created attachment 208364 [details] [diff] [review]
improve one function in a bad file
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #208364 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #208364 - Flags: review?(neil.parkwaycc.co.uk)

Comment 4

12 years ago
Comment on attachment 208364 [details] [diff] [review]
improve one function in a bad file

>     nsresult rv = NS_ERROR_OUT_OF_MEMORY;
>     nsCOMPtr<nsIFilePicker> filePicker =
>         do_CreateInstance("@mozilla.org/filepicker;1", &rv);
Hardly having been set a good example above, but isn't this a useless init?
>+    nsSaveAllAttachmentsState *saveState = nsnull;
>     saveState = new nsSaveAllAttachmentsState(count,
>                                               contentTypeArray,
>                                               urlArray,
>                                               displayNameArray,
>                                               messageUriArray, 
>-                                              (const char*) dirName, detaching);
>+                                              dirName.get(), detaching);
Attachment #208364 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #208364 - Flags: superreview+
Attachment #208364 - Flags: review?(neil.parkwaycc.co.uk)

Comment 5

12 years ago
*** Bug 323427 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 6

12 years ago
Created attachment 208609 [details] [diff] [review]
the actual fix.

I believe this should fix the crash.
Assignee: timeless → bienvenu
Attachment #208609 - Flags: superreview?(mscott)

Comment 7

12 years ago
It would be great to make the status of detached a lot more obvious, then maybe people wouldn't be trying as much to save/delete a detached file (a very similar situation to this one).  Of course, I am sure that suggestion has been seen in many other places.

Like at:
https://bugzilla.mozilla.org/show_bug.cgi?id=292385

Updated

12 years ago
OS: Linux → All

Updated

12 years ago
Attachment #208609 - Flags: superreview?(mscott) → superreview+
(Assignee)

Comment 8

12 years ago
fixed on trunk, will want for 1.8.1 and perhaps 1.8.0.2
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Attachment #208609 - Flags: approval1.8.1?
Attachment #208609 - Flags: approval1.8.0.2?

Updated

12 years ago
Attachment #208609 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Updated

12 years ago
Keywords: fixed1.8

Comment 9

12 years ago
i think you meant 1.8.1 here adjusting the fixed keyword.
Keywords: fixed1.8 → fixed1.8.1
(Assignee)

Comment 10

12 years ago
yup, I'd better go look at some other bugs I added that keyword to :-(

Comment 11

12 years ago
Comment on attachment 208609 [details] [diff] [review]
the actual fix.

low risk crash fix, approving.
Attachment #208609 - Flags: approval1.8.0.2? → approval1.8.0.2+

Updated

12 years ago
Keywords: fixed1.8.0.2
verified fixed Windows Thunderbird 20060308
Whiteboard: [qa:verified-tb-1802]
verified fixed on 1.8.1.3 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.0 ID:2007032620 - no crash on steps to reproduce - adding verify keyword
Keywords: verified1.8.1.3
Product: Core → MailNews Core
Crash Signature: [@ nsMessenger::SaveAllAttachments]
You need to log in before you can comment on or make changes to this bug.