460479 - crash [@ nsMailDatabase::UpdateFolderFlag]

Status: VERIFIED FIXED

(MailNews Core :: Backend, defect)

Description

[Wayne Mery (:wsmwk)]

crash [@ nsMailDatabase::UpdateFolderFlag]

3 total
bp-49a5b357-974a-11dd-8a78-001cc45a2ce4
bp-d138590a-9749-11dd-9798-001a4bd43ef6
bp-d2f23cf3-9747-11dd-ab66-0013211cbf8a
0  	thunderbird.exe  	nsMailDatabase::UpdateFolderFlag  	nsMailDatabase.cpp:373
1 	thunderbird.exe 	nsMailDatabase::SetHdrFlag 	nsMailDatabase.cpp:219
2 	thunderbird.exe 	nsMsgDatabase::SetKeyFlag 	nsMsgDatabase.cpp:2260
3 	thunderbird.exe 	nsMsgDatabase::MarkMarked 	nsMsgDatabase.cpp:2100
4 	thunderbird.exe 	nsMsgHdr::MarkFlagged 	nsMsgHdr.cpp:279
5 	thunderbird.exe 	nsParseNewMailState::ApplyFilterHit 	nsParseMailbox.cpp:1994
6 	thunderbird.exe 	nsMsgFilterList::ApplyFiltersToHdr 	nsMsgFilterList.cpp:360
7 	thunderbird.exe 	nsParseNewMailState::ApplyFilters 	nsParseMailbox.cpp:1830
8 	thunderbird.exe 	nsPop3Sink::IncorporateComplete 	nsPop3Sink.cpp:826
9 	thunderbird.exe 	nsPop3Protocol::HandleLine 	nsPop3Protocol.cpp:3189
10 	thunderbird.exe 	nsPop3Protocol::RetrResponse 	nsPop3Protocol.cpp:2972
11 	thunderbird.exe 	nsPop3Protocol::ProcessProtocolState 	nsPop3Protocol.cpp:3597
12 	thunderbird.exe 	nsMsgProtocol::OnDataAvailable 	nsMsgProtocol.cpp:347
13 	thunderbird.exe 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
14 	thunderbird.exe 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
15 	xpcom_core.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
16 	xpcom_core.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
17 	xpcom_core.dll 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:227
18 	thunderbird.exe 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
19 	thunderbird.exe 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:182
20 	thunderbird.exe 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3265
21 	thunderbird.exe 	NS_internal_main 	nsMailApp.cpp:103
22 	thunderbird.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
23 	thunderbird.exe 	__tmainCRTStartup 	crtexe.c:594
24 	kernel32.dll 	kernel32.dll@0x17066

Comment 1

[Kent James (:rkent)]

Brief analysis: the routine where this occurs looks like

void nsMailDatabase::UpdateFolderFlag(nsIMsgDBHdr *mailHdr, PRBool bSet, 
							  MsgFlags flag, nsIOutputStream **ppFileStream)
{
  ...
  nsCOMPtr <nsISeekableStream> seekableStream;
  nsresult rv;
  if (offset > 0) 
  {
    ...    
  }
  if (!m_folderStream)
    *ppFileStream = fileStream; // This tells the caller that we opened the file, and please to close it.
  else if (!m_ownFolderStream)
    seekableStream->Seek(nsISeekableStream::NS_SEEK_SET, folderStreamPos); <== crash
}

That is, seekableStream is never set if offset <= 0. That might occur is someone did not properly initialize the header. The seekableStream call is not needed in that case, either.

So I'll add a check of that. The check is clearly correct given the structure of the code - though it is not 100% sure this causes the crash.

Comment 2

[Kent James (:rkent)]

Attachment: moved reseek inside of offset > 0 [Checkin: Comment 4]

I moved both repositioning calls inside of offset < 0, since the other call is just restoring the value to what it was before - and it never changed.

Comment 3

[David :Bienvenu]

Comment on attachment 344646 [details] [diff] [review]
moved reseek inside of offset > 0
[Checkin: Comment 4]

makes sense, thx.

Comment 4

[Serge Gautherie (:sgautherie)]

Comment on attachment 344646 [details] [diff] [review]
moved reseek inside of offset > 0
[Checkin: Comment 4]

http://hg.mozilla.org/comm-central/rev/840b9dcfdc83

Comment 5

[Wayne Mery (:wsmwk)]

just noting 
a) this is a topcrash for 3.0a3
b) zero crash reports for trunk after 3.0a3 - so probably want to see 3.0b1 results to say before v.fixed

Comment 6

[Wayne Mery (:wsmwk)]

v.gone from crash stats post 3.0a3