412268 - Mailnews topcrashes [@ nsUInt32Array::GetAt]

Status: RESOLVED FIXED

(MailNews Core :: Backend, defect)

Description

[Mark Banner (:standard8)]

We're seeing lots of crashes around nsUInt32Array, starting with the 2008010500 builds.

The stacks point to nsMsgDBView.cpp changes which could be either bug 250811 or bug 410369:

0 nsUInt32Array::GetAt(unsigned int) d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\mailnews\base\util\nsuint32array.cpp:158  
1 nsMsgDBView::NonDummyMsgSelected(unsigned int*, int) d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\mailnews\base\src\nsmsgdbview.cpp:6107  
2 nsMsgDBView::SelectionChanged() d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\mailnews\base\src\nsmsgdbview.cpp:1025  
3 NS_InvokeByIndex_P d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101  
4 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp:2344  
5 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp:1480 

I don't know about reproducing the failure, I think crash-stats is showing a clear regression here though.

Comment 1

[neil@parkwaycc.co.uk]

dwitte warned me about it, and at the time I couldn't see how, but I think the tree gets into a state where it thinks there's a selection when there isn't.
I therefore allocate space for the selection, but never set it :-(

Comment 2

[neil@parkwaycc.co.uk]

Attachment: Proposed patch

Comment 3

[David :Bienvenu]

Comment on attachment 296948 [details] [diff] [review]
Proposed patch

Maybe add a comment so someone doesn't optimize the bug fix away :-)

Comment 5

[Mark Banner (:standard8)]

Comment on attachment 296948 [details] [diff] [review]
Proposed patch

r=me assuming you add the comment that David suggested.

Comment 6

[neil@parkwaycc.co.uk]

Fix checked in. Let's see if this wallpapers the crash as suspected.

Comment 7

[Robert Roessler]

As a user responsible for a number of these in the crash reports db, I have a few observations / comments:

1) I first saw this by accidentally selecting the Junk folder shortly after it had been emptied to Trash - boom

2) After seeing a number of crashes with this signature (which subsequently did NOT require that the Junk folder be empty), I tried an old [NS 4.x] trick - I removed the Junk.msf file and let it it get rebuilt... problem solved for a while, then back again (also fixable by removing the bogus .msf).

3) I installed the nightly which should contain this proposed fix (2008011501), and notice a possibly related side-effect: after bringing my XP box back from Standby, a batch of new messages was downloaded, including about 50 of them which got marked as Junk but left in the Inbox.  After deleting them manually, I noticed that the "unread" count was now about 50 too low... so is it possible that the "unread" count was in effect pre-decremented to account for these unread Junk messages getting removed, even though they in fact weren't?

Comment 8

[neil@parkwaycc.co.uk]

OK, so we think this is fixed, but if anyone with a debug does hit the assertion, I want STR ;-)

Comment 9

[Bob Clary [:bc] (inactive)]

Ok, this _isn't_ fixed. I'll do a debug build and try to catch a stack.

Comment 10

[Mark Banner (:standard8)]

(In reply to comment #9)
> Ok, this _isn't_ fixed. I'll do a debug build and try to catch a stack.

Actually, you want bug 415601. The stacks in this new instance are caused by the changes in a different bug and they've got a different stack.