Closed Bug 484550 Opened 13 years ago Closed 11 years ago

crash [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] - [@ nsFolderCompactState::Release]

Categories

(MailNews Core :: Backend, defect)

x86
Windows Vista
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wsmwk, Unassigned)

References

Details

(Keywords: crash, topcrash-, Whiteboard: fixed by Bug 619358)

Crash Data

3.0b2 topcrash 
crash [@ arena_dalloc_small | arena_dalloc ][@ nsFolderCompactState::`vector deleting destructor']

bp-0ed9f42d-4260-49ed-819a-40cae2090320
0	mozcrt19.dll	arena_dalloc_small	jemalloc.c:4270
1	mozcrt19.dll	arena_dalloc	jemalloc.c:4393
2	mozcrt19.dll	free	jemalloc.c:6219
3	thunderbird.exe	nsFolderCompactState::`vector deleting destructor'	
4	thunderbird.exe	nsFolderCompactState::Release	nsMsgCompose.cpp:3238
5	xpcom_core.dll	nsCOMPtr_base::~nsCOMPtr_base	nsCOMPtr.cpp:81
6	thunderbird.exe	nsMsgDBFolder::AutoCompact	nsMsgDBFolder.cpp:1764
7	thunderbird.exe	nsMsgLocalMailFolder::EndMove	nsLocalMailFolder.cpp:2725
8	thunderbird.exe	nsCopyMessageStreamListener::EndCopy	nsCopyMessageStreamListener.cpp:179
9	thunderbird.exe	nsCopyMessageStreamListener::OnStopRequest	nsCopyMessageStreamListener.cpp:190
10	thunderbird.exe	nsImapCacheStreamListener::OnStopRequest	nsImapProtocol.cpp:8115
11	thunderbird.exe	nsInputStreamPump::OnStateStop	netwerk/base/src/nsInputStreamPump.cpp:576
12	thunderbird.exe	nsInputStreamPump::OnInputStreamReady	netwerk/base/src/nsInputStreamPump.cpp:401
13	xpcom_core.dll	nsInputStreamReadyEvent::Run	xpcom/io/nsStreamUtils.cpp:111
another compact, topcrash in both 3.0b2 and 3.0b3
requesting blocking
Flags: blocking-thunderbird3?
this looks like it could be either heap corruption, or a double free. I suspect this has to do with compacting imap offline stores, from that stack trace.
it's only #30 in 3.0b3 ranking and doesn't appear in top 100 of 3.0b4pre. so topcrash- and removing blocking-thunderbird3?
Flags: blocking-thunderbird3?
Keywords: topcrashtopcrash-
I've start bumping these crashes on 3.1a during getting backtrace for Bug 505971
And this maybe just coincidence and I'm actually hit two different bugs, first was catched by windbg only here is stacktrace
thunderbird!gfxFont::Draw+0x73 
thunderbird!nsFontCache::GetMetricsFor+0xff 
thunderbird!nsThebesDeviceContext::GetMetricsFor+0x45
thunderbird!nsThebesRenderingContext::SetFont+0x28 
thunderbird!nsLayoutUtils::SetFontFromStyle+0x32 
thunderbird!nsTreeBodyFrame::GetItemWithinCellAt+0x3a
thunderbird!nsTreeBodyFrame::GetCellAt+0xc4 
thunderbird!nsTreeBodyFrame::GetCursor+0x2a 
thunderbird!nsEventStateManager::UpdateCursor+0x5a
thunderbird!nsEventStateManager::PreHandleEvent+0x2bc
thunderbird!PresShell::HandleEventInternal+0x17a 
thunderbird!PresShell::HandlePositionedEvent+0xc3 
thunderbird!PresShell::HandleEvent+0x4d2 
thunderbird!nsViewManager::HandleEvent+0x2f 
thunderbird!nsViewManager::DispatchEvent+0x60d 
thunderbird!HandleEvent+0x36
thunderbird!nsWindow::DispatchEvent+0x2d 
thunderbird!nsWindow::DispatchWindowEvent+0x13
thunderbird!nsWindow::DispatchMouseEvent+0x414 
thunderbird!ChildWindow::DispatchMouseEvent+0x5d
in crash-stats' new parlance, this is 
  arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)

ex. bp-aa11fec3-0c4a-4e8c-b3ef-122092091111
Summary: crash [@ arena_dalloc_small | arena_dalloc ][@ nsFolderCompactState::`vector deleting destructor'] → crash [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)]
recent example 
bp-9b3bdfa5-4d3c-415e-9111-3ea432101108 v3.1.6
0	mozcrt19.dll	arena_dalloc_small	objdir-tb/mozilla/memory/jemalloc/crtsrc/jemalloc.c:4104
1	mozcrt19.dll	arena_dalloc	objdir-tb/mozilla/memory/jemalloc/crtsrc/jemalloc.c:4227
2	mozcrt19.dll	free	objdir-tb/mozilla/memory/jemalloc/crtsrc/jemalloc.c:6017
3	thunderbird.exe	nsFolderCompactState::`vector deleting destructor'	
4	thunderbird.exe	nsFolderCompactState::Release	mailnews/compose/src/nsMsgCompose.cpp:3375
5	xpcom_core.dll	nsCOMPtr_base::~nsCOMPtr_base	objdir-tb/mozilla/xpcom/build/nsCOMPtr.cpp:81
6	thunderbird.exe	nsMsgDBFolder::AutoCompact	mailnews/base/util/nsMsgDBFolder.cpp:1848
7	thunderbird.exe	nsMsgLocalMailFolder::EndMove	mailnews/local/src/nsLocalMailFolder.cpp:2871 


xref
- (fixed) Bug 492662 - crash [@ nsFolderCompactState::FinishCompact()] 
- Bug 406851 - When folders get compacted, Thunderbird crashes [@ nsFolderCompactState::EndCopy(nsISupports*, unsigned int)] and index gets corrupted when BitDefender is running
Summary: crash [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] → crash [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] - [@ nsFolderCompactState::Release]
timeless, 
anythoughts on related? or different?

nsCOMPtr_base::~nsCOMPtr_base() | nsFolderCompactState::~nsFolderCompactState()
bp-57b6ca7d-df4d-411c-a6f4-b87e32101202 (jkclifford)
EXCEPTION_ACCESS_VIOLATION_READ
0x8
0	xpcom_core.dll	nsCOMPtr_base::~nsCOMPtr_base	objdir-tb/mozilla/xpcom/build/nsCOMPtr.cpp:81
1	thunderbird.exe	nsFolderCompactState::~nsFolderCompactState	mailnews/base/src/nsMsgFolderCompactor.cpp:97
2	thunderbird.exe	nsFolderCompactState::`vector deleting destructor'	
3	thunderbird.exe	nsFolderCompactState::Release	mailnews/compose/src/nsMsgCompose.cpp:3375
4	xpcom_core.dll	nsCOMPtr_base::~nsCOMPtr_base	objdir-tb/mozilla/xpcom/build/nsCOMPtr.cpp:81
5	thunderbird.exe	nsMsgDBFolder::AutoCompact	mailnews/base/util/nsMsgDBFolder.cpp:1848
6	thunderbird.exe	nsMsgLocalMailFolder::EndMove	mailnews/local/src/nsLocalMailFolder.cpp:2871
7	thunderbird.exe	nsCopyMessageStreamListener::EndCopy	mailnews/base/src/nsCopyMessageStreamListener.cpp:179
8	thunderbird.exe	nsCopyMessageStreamListener::OnStopRequest	mailnews/base/src/nsCopyMessageStreamListener.cpp:190
probably the same, but i wouldn't put money on it
Crash Signature: [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] [@ nsFolderCompactState::Release]
bienvienu, 

This crash has greatly increased numbers for v3.1.10+v3.1.11 [1], and coincidentally NO crashes for v5 [2].  So, perhaps the "gap" of v3.1.10+v3.1.11 for Bug 673904 - crash during compact [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`scalar deleting - is taken up by increase numbers of this bug, but I don't know why. But this would also mean that bug 673904's numbers might be inflated and not totally a result of switching on compact in v5.

[1] https://crash-stats.mozilla.com/report/list?product=Thunderbird&query_search=signature&query_type=contains&query=Compact&reason_type=contains&date=07%2F25%2F2011%2010%3A34%3A38&range_value=6&range_unit=weeks&hang_type=any&process_type=any&do_query=1&admin=1&signature=arena_dalloc_small%20%7C%20arena_dalloc%20%7C%20free%20%7C%20nsFolderCompactState%3A%3A%60vector%20deleting%20destructor%27%27%28unsigned%20int%29

[2] https://crash-stats.mozilla.com/query/query?product=Thunderbird&version=Thunderbird%3A8.0a1&version=Thunderbird%3A7.0a2&version=Thunderbird%3A7.0a1&version=Thunderbird%3A6.0a2&version=Thunderbird%3A6.0&version=Thunderbird%3A5.0b2pre&version=Thunderbird%3A5.0b2&version=Thunderbird%3A5.0b1&version=Thunderbird%3A5.0&range_value=4&range_unit=weeks&date=07%2F25%2F2011+11%3A00%3A03&query_search=signature&query_type=exact&query=arena_dalloc_small+%7C+arena_dalloc+%7C+free+%7C+nsFolderCompactState%3A%3A%60vector+deleting+destructor%27%27%28unsigned+int%29&reason=&build_id=&hang_type=any&do_query=1
Crash Signature: [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] [@ nsFolderCompactState::Release] → [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] [@ nsFolderCompactState::Release]
because this is gone in version 5, perhaps a more plausible interpretation (vs comment 10) is this crash was fixed by  Bug 619358

and also gone in version 5 is nsCOMPtr_base::~nsCOMPtr_base() | nsFolderCompactState::~nsFolderCompactState()
Status: NEW → RESOLVED
Crash Signature: [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] [@ nsFolderCompactState::Release] → [@ arena_dalloc_small | arena_dalloc | free | nsFolderCompactState::`vector deleting destructor''(unsigned int)] [@ nsFolderCompactState::Release] [@ nsCOMPtr_base::~nsCOMPtr_base() | nsFolderCompactState::~nsFolderCompactState() ]
Closed: 11 years ago
Depends on: 619358
Resolution: --- → FIXED
Whiteboard: fixed by Bug 619358
You need to log in before you can comment on or make changes to this bug.