Closed Bug 453956 Opened 16 years ago Closed 15 years ago

crash [@ free()] -- free(): invalid next size (fast)

Categories

(Thunderbird :: General, defect)

Product:
Thunderbird
Component:
General
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: wharms, Unassigned)

Details

(Keywords: crash, Whiteboard: closeme 2009-10-22)

Crash Data

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.1) Gecko/2008070400 SUSE/3.0.1-0.1 Firefox/3.0.1
Build Identifier: Thunderbird 2.0.0.12

I am using  Thunderbird 2.0.0.12 from Opensuse. It crashes at random so i stated collecting back traces. I noticed some  "free(): invalid next size (fast)"
(reported as Opensuse: Bug 422717). You may interested to investigate that also. 
I have not installed any plug-ins therefore i am pretty sure that is a internal thunderbird problem.

Reproducible: Always

Steps to Reproduce:
1. Start thunderbird
2. Connect to IMAP
3. Keep it running for some days (sometimes is crashes faster)
Actual Results:  
Crash with back trace


Again this bug is reported already to opensuse. I did not get any feedback for now but i think this type of bug points to a larger problem that should be investigated. A got other errors the same way also.e.g.:

*** glibc detected *** /usr/lib/thunderbird/thunderbird-bin: munmap_chunk(): inv
alid pointer: 0x0afe34c8 ***

(also reported to opensuse)
Questions:

1. Does it still crash with 2.0.0.*? With Trunk builds? (Obtainable from http://ftp.mozilla.org/pub/mozilla.org/thunderbird/)
2. Can you use Talkback or crashreporter to get IDs? They provide more reliable symbols.
Severity: major → critical
Keywords: crash
Version: unspecified → 2.0
I have installed Version 2.0.0.16 (20080707) from 
http://ftp.mozilla.org/pub/mozilla.org/

i noticed that i could not use the link in the document direcly ("Couldn't load XPCOM",no clue why).
I will keep it running to night
talkback seem to be installed. i have no clue how i can activate it 2.0.0.12

it may be noteworthy that the last crash broke the trace also.
The bug is still present in 2.0.16, please note that the dump stopped in between. 



/opt/thunderbird-2.0.16/thunderbird 
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkTreeView::odd-row-color' of type `GdkColor' from rc file value "((GString*) 0x9c61140)" of type `GString'
Couldn't load XPCOM.
*** glibc detected *** /opt/thunderbird-2.0.16/thunderbird-bin: free(): invalid next size (fast): 0x0a8d5568 ***
======= Backtrace: =========
/lib/libc.so.6[0xb73f0fc4]
/lib/libc.so.6(cfree+0x9c)[0xb73f295c]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN14nsStringBuffer7ReleaseEv+0x38)[0xb80047e8]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN12nsCSubstring8FinalizeEv+0x48)[0xb8005f28]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN19nsACString_internalD2Ev+0x37)[0xb800c2c7]
/opt/thunderbird-2.0.16/thunderbird-bin[0x88da2bd]
/opt/thunderbird-2.0.16/thunderbird-bin[0x89a680e]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN13nsCOMPtr_base18assign_with_AddRefEP11nsISupports+0x2c)[0xb7f9c44c]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN12nsPipeEventsD1Ev+0x3c)[0xb7fc6c7c]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN6nsPipe18AdvanceWriteCursorEj+0xb3)[0xb7fc6a13]
/opt/thunderbird-2.0.16/libxpcom_core.so[0xb7fc7d47]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN16nsStreamCopierOB6DoCopyEPjS0_+0x51)[0xb7fc9581]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN15nsAStreamCopier7ProcessEv+0x53)[0xb7fc9713]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN15nsAStreamCopier23HandleContinuationEventEP7PLEvent+0x25)[0xb7fc9225]
/opt/thunderbird-2.0.16/libxpcom_core.so(PL_HandleEvent+0x27)[0xb7fe5837]
/opt/thunderbird-2.0.16/thunderbird-bin[0x8171789]
/opt/thunderbird-2.0.16/thunderbird-bin[0x8171e13]
/opt/thunderbird-2.0.16/libxpcom_core.so(_ZN8nsThread4MainEPv+0x3b)[0xb7fe8c4b]
/opt/thunderbird-2.0.16/libnspr4.so[0xb7f468f1]
/lib/libpthread.so.0[0xb7ef1175]
/lib/libc.so.6(clone+0x5e)[0xb7452dce]
======= Memory map: ========
08048000-08d0e000 r-xp 00000000 08:13 39498      /opt/thunderbird-2.0.16/thunderbird-bin
08d0e000-08d27000 rwxp 00cc5000 08:13 39498      /opt/thunderbird-2.0.16/thunderbird-bin
08d27000-0b21d000 rwxp 08d27000 00:00 0          [heap]
aabe8000-aabe9000 ---p aabe8000 00:00 0 
aabe9000-ab3e9000 rwxp aabe9000 00:00 0 
ab3e9000-ab3ea000 ---p ab3e9000 00:00 0 
ab3ea000-abbea000 rwxp ab3ea000 00:00 0 
abbea000-abbeb000 ---p abbea000 00:00 0 
abbeb000-ac3eb000 rwxp abbeb000 00:00 0 
ac3eb000-ac3ec000 ---p ac3eb000 00:00 0 
ac3ec000-acbec000 rwxp ac3ec000 00:00 0 
acbec000-acbed000 ---p acbec000 00:00 0 
acbed000-ad3ed000 rwxp acbed000 00:00 0 
ad3ed000-ad3ee000 ---p ad3ed000 00:00 0 
ad3ee000-adbee000 rwxp ad3ee000 00:00 0 
adbee000-adbef000 r-xp 00000000 08:12 297909     /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
adbef000-adbf0000 r-xp 00000000 08:12 297909     /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
adbf0000-adbf1000 rwxp 00001000 08:12 297909     /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so
adbf1000-adbf2000 r-xs 00000000 08:13 39747      /opt/gnome/share/mime/mime.cache
adbf2000-adc04000 r-xs 00000000 08:12 37045      /usr/share/mime/mime.cache
adc04000-adc2e000 r-xp 00000000 08:12 20725      /usr/share/fonts/truetype/albwb.ttf
adc2e000-adc31000 r-xp 00000000 08:12 103790     /usr/share/locale-bundle/de/LC_MESSAGES/atk10.mo
adc31000-adc41000 r-xp 00000000 08:13 29214      /opt/gnome/share/icons/hicolor/icon-theme.cache
adc41000-ae6c5000 r-xp 00000000 08:13 31081      /opt/kde3/share/icons/hicolor/icon-theme.cache
ae6c5000-aefac000 r-xp 00000000 08:12 126398     /usr/share/icons/hicolor/icon-theme.cache
aefac000-b00b6000 r-xp 00000000 08:13 29473      /opt/kde3/share/icons/crystalsvg/icon-theme.cache
b00b6000-b07ba000 r-xp 00000000 08:12 314106     /usr/share/icons/gnome/icon-theme.cache
b07ba000-b0fbc000 rwxp b07ba000 00:00 0 
b10e9000-b1108000 r-xp 00000000 08:12 254772     /usr/share/fonts/Type1/courb.pfa
b1108000-b1127000 r-xp 00000000 08:12 254770     /usr/share/fonts/Type1/cour.pfa
b1127000-b1135000 r-xp 00000000 08:13 8726       /lib/libbz2.so.1.0.5
b1135000-b1136000 r-xp 0000d000 08:13 8726       /lib/libbz2.so.1.0.5
b1136000-b1137000 rwxp 0000e000 08:13 8726       /lib/libbz2.so.1.0.5
b1137000-b116a000 r-xp 00000000 08:12 23957      /usr/lib/libcroco-0.6.so.3.0.1
b116a000-b116b000 r-xp 00032000 08:12 23957      /usr/lib/libcroco-0.6.so.3.0.1
b116b000-b116d000 rwxp 00033000 08:12 23957      /usr/lib/libcroco-0.6.so.3.0.1
b116d000-b119d000 r-xp 00000000 08:12 72264      /usr
also the munmap_chunk() is present in 2.0.16
i will open a new bug for that beast.
*** glibc detected *** /opt/thunderbird-2.0.16/thunderbird-bin: munmap_chunk(): invalid pointer: 0x09e118f8 ***
The stacks don't have symbols, thus are unlikely to be useful. Please follow the steps in:

https://developer.mozilla.org/en/Debugging_Mozilla_with_gdb#How_do_I_get_useful_stack_traces_inside_system_libraries.3f

then reproduce the crash and get the stack with symbols.
Looking at the backtrace it seems that I've got the same problem.
I'm using your precompiled binary version 2.0.0.22 (20090605) installed to /home/boris/thunderbird on CentOS (RHEL) 5.3.
The bug happened when I was running the Remove Duplicate Messages (Alternate) 0.3.2 Add-on on my whole IMAP account. I'm using cyrus-imapd.
I don't use thunderbird on a regular basis, but IIRC the bug didn't happen with older 2.0 releases.

*** glibc detected *** ./thunderbird/thunderbird-bin: free(): invalid next size (fast): 0xb0846518 ***
======= Backtrace: =========
/lib/libc.so.6[0xfe10f1]
/lib/libc.so.6(cfree+0x90)[0xfe4bc0]
./thunderbird/libxpcom_core.so(_ZN14nsStringBuffer7ReleaseEv+0x38)[0x43ba98]
./thunderbird/libxpcom_core.so(_ZN12nsCSubstring8FinalizeEv+0x48)[0x43d1d8]
./thunderbird/libxpcom_core.so(_ZN19nsACString_internalD2Ev+0x37)[0x443577]
./thunderbird/thunderbird-bin[0x88dd46d]
./thunderbird/thunderbird-bin[0x89a99de]
./thunderbird/libxpcom_core.so(_ZN13nsCOMPtr_base18assign_with_AddRefEP11nsISupports+0x2c)[0x3d350c]
./thunderbird/libxpcom_core.so(_ZN8nsThread4MainEPv+0x44)[0x41fea4]
./thunderbird/libnspr4.so[0xab78f1]
/lib/libpthread.so.0[0x62449b]
/lib/libc.so.6(clone+0x5e)[0x104942e]
======= Memory map: ========
00110000-00111000 rwxp 00110000 00:00 0 
00111000-0019b000 r-xp 00000000 fd:03 66183      /usr/lib/libgdk-x11-2.0.so.0.1000.4
0019b000-0019e000 rwxp 0008a000 fd:03 66183      /usr/lib/libgdk-x11-2.0.so.0.1000.4
0019e000-0019f000 rwxp 0019e000 00:00 0 
0019f000-001a5000 r-xp 00000000 fd:03 65202      /usr/lib/libpangoxft-1.0.so.0.1400.9
001a5000-001a6000 rwxp 00005000 fd:03 65202      /usr/lib/libpangoxft-1.0.so.0.1400.9
001a6000-00243000 r-xp 00000000 fd:00 69658      /lib/libglib-2.0.so.0.1200.3
00243000-00244000 rwxp 0009c000 fd:00 69658      /lib/libglib-2.0.so.0.1200.3
00244000-00245000 rwxp 00244000 00:00 0 
00245000-0026d000 r-xp 00000000 fd:01 116595     /home/boris/thunderbird/libssl3.so
0026d000-0026f000 rwxp 00028000 fd:01 116595     /home/boris/thunderbird/libssl3.so
0026f000-00298000 r-xp 00000000 fd:01 116573     /home/boris/thunderbird/libldap50.so
00298000-00299000 rwxp 00029000 fd:01 116573     /home/boris/thunderbird/libldap50.so
00299000-0029d000 rwxp 00299000 00:00 0 
0029d000-0029f000 r-xp 00000000 fd:03 65110      /usr/lib/libXau.so.6.0.0
0029f000-002a0000 rwxp 00001000 fd:03 65110      /usr/lib/libXau.so.6.0.0
002a0000-002a4000 rwxp 002a0000 00:00 0 
002a4000-002a5000 r-xp 00000000 fd:03 65027      /usr/lib/gconv/ISO8859-1.so
002a5000-002a7000 rwxp 00000000 fd:03 65027      /usr/lib/gconv/ISO8859-1.so
002a7000-002b2000 r-xp 00000000 fd:01 116457     /home/boris/thunderbird/components/libmyspell.so
002b2000-002b3000 rwxp 0000b000 fd:01 116457     /home/boris/thunderbird/components/libmyspell.so
002b3000-002b5000 r-xp 00000000 fd:00 71693      /lib/libcom_err.so.2.1
002b5000-002b6000 rwxp 00001000 fd:00 71693      /lib/libcom_err.so.2.1
002b6000-002b8000 r-xp 00000000 fd:03 66594      /usr/lib/libscim-x11utils-1.0.so.8.1.0
002b8000-002b9000 rwxp 00001000 fd:03 66594      /usr/lib/libscim-x11utils-1.0.so.8.1.0
002b9000-002ba000 rwxp 002b9000 00:00 0 
002ba000-002bb000 r-xp 002ba000 00:00 0          [vdso]
002bb000-002c7000 r-xp 00000000 fd:03 974665     /usr/lib/gtk-2.0/2.10.0/engines/libbluecurve.so
002c7000-002c8000 rwxp 0000c000 fd:03 974665     /usr/lib/gtk-2.0/2.10.0/engines/libbluecurve.so
002c8000-002cd000 r-xp 00000000 fd:01 116541     /home/boris/thunderbird/extensions/talkback@mozilla.org/components/libqfaservices.so
002cd000-002ce000 rwxp 00004000 fd:01 116541     /home/boris/thunderbird/extensions/talkback@mozilla.org/components/libqfaservices.so
002ce000-002d4000 r-xp 00000000 fd:03 1007117    /usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
002d4000-002d5000 rwxp 00005000 fd:03 1007117    /usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
002d5000-002da000 r-xs 00000000 fd:04 164208     /var/cache/fontconfig/beeeeb3dfe132a8a0633a017c99ce0c0-x86.cache-2
002da000-002db000 rwxp 002da000 00:00 0 
002db000-0032d000 r-xp 00000000 fd:01 116593     /home/boris/thunderbird/libsoftokn3.so
0032d000-00331000 rwxp 00052000 fd:01 116593     /home/boris/thunderbird/libsoftokn3.so
00331000-0035e000 r-xp 00000000 fd:03 65974      /usr/lib/libpangoft2-1.0.so.0.1400.9
0035e000-0035f000 rwxp 0002c000 fd:03 65974      /usr/lib/libpangoft2-1.0.so.0.1400.9
0035f000-00374000 r-xp 00000000 fd:03 66115      /usr/lib/libgnome-2.so.0.1600.0
00374000-00375000 rwxp 00014000 fd:03 66115      /usr/lib/libgnome-2.so.0.1600.0
00375000-00380000 r-xp 00000000 fd:03 69161      /usr/lib/libavahi-common.so.3.4.3
00380000-00381000 rwxp 0000a000 fd:03 69161      /usr/lib/libavahi-common.so.3.4.3
00381000-00382000 rwxp 00381000 00:00 0 
00382000-00389000 r-xs 00000000 fd:03 66233      /usr/lib/gconv/gconv-modules.cache
00389000-00391000 r-xp 00000000 fd:03 65900      /usr/lib/libkrb5support.so.0.1
00391000-00392000 rwxp 00007000 fd:03 65900      /usr/lib/libkrb5support.so.0.1
00392000-00394000 r-xs 00000000 fd:04 164126     /var/cache/fontconfig/e3ead4b767b8819993a6fa3ae306afa9-x86.cache-2
00394000-00395000 rwxp 00394000 00:00 0 
00395000-0044f000 r-xp 00000000 fd:01 116599     /home/boris/thunderbir
(In reply to comment #6)
> The bug happened when I was running the Remove Duplicate Messages (Alternate)
> 0.3.2 Add-on on my whole IMAP account. I'm using cyrus-imapd.

Does it occur in Thunderbird safe-mode? i.e. on a fresh profile.
Wolfgang any idea what might be going on here ?
Actually I have no idea. That's why I haven't commented on the downstream bug. I ran out of ideas how to debug it w/o being able to reproduce it.
My guess it that this is a low memory problem.

Since the first post my computer died and i have a new one (64bit/6GB Ram) and
the problem did not show up so far.
Boris, do you still hit this? Walter is unable to provide additional information.
Whiteboard: closeme 2009-10-22
RESO INCO due to lack of response to last question. If you feel this change was made in error, please respond to this bug with your reasons why.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Summary: free(): invalid next size (fast) → crash [@ free()] -- free(): invalid next size (fast)
Crash Signature: [@ free()]
You need to log in before you can comment on or make changes to this bug.