Closed Bug 49115 Opened 24 years ago Closed 23 years ago

Crashed when selecting attach message in news [@ MSVCRT.dll + 0x1000 - CNavDTD::DidBuildModel]

Categories

(MailNews Core :: Networking: NNTP, defect, P1)

Product:
MailNews Core
Component:
Networking: NNTP
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: huang, Assigned: talkback)

References

Details

(Keywords: crash, regression, topcrash, Whiteboard: [nsbeta3+][dogfood-][PDTP1])

Crash Data

Attachments

(6 files)

Attached the attached gif file which I had crash for this bug
2.01 KB, image/gif
Details
My test gif file
135.78 KB, image/gif
Details
Parser patch
1.41 KB, patch
Details | Diff | Splinter Review
Sink patch
8.16 KB, patch
Details | Diff | Splinter Review
Gfx patch
647 bytes, patch
Details | Diff | Splinter Review
A safer patch [ KungFu! ]
777 bytes, patch
Details | Diff | Splinter Review 
Used 08-15-08-M18 commercial build

Crashed when trying to posting an attached message in news

1) Created a NEW news account
2) Tried to post an attachement in the news/newsgroup 
(ex: news.mozilla.org/netscape.test)
3) Actual Results: Crash is occurring when post an attchment in news
 Expected results: Should allow to post the attach message in the news/newsgroup 
successfully without crash. (problem can be reproduced every time)

Talkback ID 15812635:
Stack Trace

MSVCRT.dll + 0x1000 (0x78001000) 
MSVCRT.dll + 0x1452 (0x78001452) 
CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, 
line 638] 
nsParser::DidBuildModel 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1394] 
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, 
line 1914] 
nsParser::OnStopRequest 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 2361] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsStreamConverter::OnStopRequest 
[d:\builds\seamonkey\mozilla\mailnews\mime\src\nsStreamConverter.cpp, line 981] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsNNTPProtocol::CleanupAfterRunningUrl 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 5018] 
nsNNTPProtocol::ProcessProtocolState 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 4996]
Adding keywords: crash, regression nsbeta3
Keywords: crash, nsbeta3, regression
Assignee: ducarroz → mscott
Component: Composition → Networking - News
OS: Windows NT → All
QA Contact: lchiang → huang
Hardware: PC → All
Summary: Crashed when trying to posting an attached message in news → Crashed when trying to posting/reading an attached message in news
This is occurring to Mac platforms as well. Changing the platforms to all.
Also, if I am just reading an attached posted messages, it will get the crash as 
well. I am changing the component to networking news and reassign to mscott.
Change the QA contact to me. Adding "reading" in the summary
Karen your bug topic is a bit confusing.
Do you crash on SEND or when you read the message?

Your subject says both. If it is both, we need two separate bugs. Thanks...
I got the crash when I posting the attached file in news, but afterwords, it 
crash again when I try to read that attached file in news. should I still log 
another bug?
OK. Restore this bug the way it was. I probably will log another bug for reading 
attached news message problem. So is this bug still yours? Please reassign to 
other developer if I was wrong.
Summary: Crashed when trying to posting/reading an attached message in news → Crashed when trying to posting an attached message in news
karen - take a look at the stack traces (ie. talkback) see if the traces are the 
same.  Probably different.  For reading crash, you should narrow down to see if 
it's with any news msg with an attachment or if it occurs with mail msg with 
attachments, etc, in a separate report.  Thanks.  
It seems that the talk back report is the same -- I don't think that I need to 
log another bug.

Here is the talkback report (ID: 15810413) for just selecting the posted 
attachment messages in news:

CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, 
line 638] 
nsParser::DidBuildModel 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1394] 
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, 
line 1914] 
nsParser::OnStopRequest 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 2361] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsStreamConverter::OnStopRequest 
[d:\builds\seamonkey\mozilla\mailnews\mime\src\nsStreamConverter.cpp, line 981] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsNNTPProtocol::CleanupAfterRunningUrl 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 5018] 
nsNNTPProtocol::ProcessProtocolState 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 4996] 

By using the same build for new profile, problem is not occurring on mail 
acount.
you mean you don't crash when you post a new profile but you do crash when you
post with an old profile?
No. Alll these crashes are from the new profile. 
I didn't try on migrated profile -- it seems it will crash right away for 
today's migrated profiles (that crash is for profile migration problem). 
This is specific for New Profile and news crash problem.
Then what do you mean by "with new profile, problem is not occurring with mail
account"? Is there a certain profile where you don't crash or something?
No. I mean by using the same attached file, it crash whn trying to post on News.
But no problem when trying to send from Mail.
Problem is still occurring on today's build 08-16-09/10-M18 commercial build for 
all the platforms. I even get the crash everytime when selecting the posted 
attach message. Nominating for dogfood since it impact our daily use for just 
reading the news w/attachment messages.
Keywords: dogfood
Target Milestone: --- → M18
+ per mail triage.
Karen - what happens if you use 4.x to post news w/other attachments and then 
try to view those messages in Seamonkey?
Keywords: mail5
Priority: P3 → P2
Whiteboard: [nsbeta3+]
Yes. By using today's 08-18-08-M18 commercial build:
Crash is still occurring even I use 4.x to post news w/other attachments and 
then try to view those messages in Seamonkey.
this worked fine for me - I attached a text file to a news message, posted it,
and was able to read it fine. What kind of file were you trying to attach, Karen?
By using today's 08-21-08-M18 commercial build, 
I am still seeing this crash for just selecting an attached news message.
It seems there is random crash for just selecting news messages. It can be 
occurring on any attached messages (please see the talkback ID 16088860 & 
16088982 which I just got today), but I will attach the gif file here soon when 
I reported this problem.
But like I said, there was random crash for selecting the news messages, I 
didn't get crash for above attached gif file for today, but I got crashed from 
other news messages. It used to be easy to get the crash right away, but for 
today's build, it seems that after you select over than  7 or 8 news messages, 
you will get the crash.....
Adding topcrash keyword.  This crash [@ MSVCRT.dll + 0x1000] is in the latest 
talkback crash list.  Here are a few entries for this specific crash:

 MSVCRT.dll + 0x1000 (0x78001000) bd408264
         line 
        Build: 2000081508 CrashDate: 2000-08-15 UptimeMinutes: 138  Total: 138 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crashed when trying to post attached article in news
        Stacktrace: 
http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=15809646

    MSVCRT.dll + 0x1000 (0x78001000) bd408264
         line 
        Build: 2000081508 CrashDate: 2000-08-15 UptimeMinutes: 3  Total: 141 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crashed when trying to send attach file in news
        Stacktrace: 
http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=15810115

    MSVCRT.dll + 0x1000 (0x78001000) bd408264
         line 
        Build: 2000081508 CrashDate: 2000-08-15 UptimeMinutes: 1  Total: 143 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crashed when selecting the post news messages
        Stacktrace: 
http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=15810413

    MSVCRT.dll + 0x1000 (0x78001000) bd408264
         line 
        Build: 2000081508 CrashDate: 2000-08-15 UptimeMinutes: 2  Total: 167 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crashed when posting a attached file in news again
        Stacktrace: 
http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=15812635

    MSVCRT.dll + 0x1000 (0x78001000) bd408264
         line 
        Build: 2000081508 CrashDate: 2000-08-15 UptimeMinutes: 5  Total: 174 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crashe again for reading attached from news
        Stacktrace: 
http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=15816440
Keywords: topcrash
Summary: Crashed when trying to posting an attached message in news → Crashed when trying to posting an attached message in news [@ MSVCRT.dll + 0x1000]
MSVCRT.dll crashes in talkback with offsets 0x139a, 0x1398, 0x10ad have the same 
stack trace as offset 0x1000.
Is there any crash for posting a message with an attachment anymore, or is it
just for reading a news message with an attachment? If the latter, maybe we
should change the summary.
Putting on [dogfood-] radar.
Whiteboard: [nsbeta3+] → [nsbeta3+][dogfood-]
It seems that it's more easier to hit this problem by using the NEW news 
profile.
After I sent that attached messages (see above attached gif file) and selecting 
that attached message will crash again, so it seems for sending/posting an 
attached messages is OK, but if tried to select/view that attached message, 
crash is occurring..... 
Updating the summary since crash is occurring when just selecting/reading a 
attched news message.
Summary: Crashed when trying to posting an attached message in news [@ MSVCRT.dll + 0x1000] → Crashed when selecting attach message in news [@ MSVCRT.dll + 0x1000]
Adding myself to cc: list.

I see this problem everytime I try to view an attach gif image or inline image. 
 As Karen described, I crash everytime I try to display the news messages.

I was testing with today commercial seamonkey on win32, macos, and linux.
I posted my messages using communicator 4.74.  The message displays ok in 4.74. 

The crash occurs only under news.  Seamonkey can display the inline or attach 
gif ok under seamonkey mail.
Attached image My test gif file 

    
    

    
  
do you crash viewing the messages I just posted today to mcom.test with attached
gifs? Because I don't, though the images aren't displayed; I just see them in
the attachment menu.

    
    

    
  
Sorry for not being specific.  I generally crash loading the 2nd message.  The 
first message loads (no image displayed).  When I select another message with an 
attached gif, I crash.

    
    

    
  
Hmm I don't see this using a build from today. I'm viewing some of the old posts 
Peter made to the public tests newsgroup. I can click on the first message with 
an attached gif and it shows up in the attachment menu. I can click on a second 
message with an attached gif and I get the same behavior.

No crash....

WFM?

    
    

    
  
This appears to have gotten fixed along the way somewhere.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

    
    

    
  
Reopening this bug since problem is still occurring on today's 08-30-08-M18 
commercial build:

Talkback ID 16568116
Stack Trace

ntdll.dll + 0x43c8 (0x77f643c8) 
ntdll.dll + 0x4dfd (0x77f64dfd) 
MSVCRT.dll + 0x1488 (0x78001488) 
CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, 
line 638] 
nsParser::DidBuildModel 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1394] 
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, 
line 1909] 
nsParser::OnStopRequest 
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 2356] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsStreamConverter::OnStopRequest 
[d:\builds\seamonkey\mozilla\mailnews\mime\src\nsStreamConverter.cpp, line 984] 
nsDocumentOpenInfo::OnStopRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 269] 
nsNNTPProtocol::CleanupAfterRunningUrl 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 5021] 
nsNNTPProtocol::ProcessProtocolState 
[d:\builds\seamonkey\mozilla\mailnews\news\src\nsNNTPProtocol.cpp, line 4999] 
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Seth said he'd help take a look at this. 
Assignee: mscott → sspitzer
Status: REOPENED → NEW

    
    

    
  
accepting.  looking at this now.
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+][dogfood-] → [nsbeta3+][dogfood-] looking at this now (9-5-00)

    
    

    
  
adding harishd to the cc list.

I'm consistently able to reproduce this crash.  here's a better stack trace:

harish, notice how nsParser::~nsParser() ends up calling nsParser::~nsParser() 
again.


operator delete(void * 0x02d94048) line 47 + 3 bytes
CParserContext::~CParserContext() line 118 + 21 bytes
CParserContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsParser::~nsParser() line 275 + 31 bytes
nsParser::`vector deleting destructor'(unsigned int 1) + 84 bytes
nsParser::Release(nsParser * const 0x03360900) line 280 + 154 bytes
HTMLContentSink::~HTMLContentSink() line 2168 + 27 bytes
HTMLContentSink::`scalar deleting destructor'(unsigned int 1) + 15 bytes
HTMLContentSink::Release(HTMLContentSink * const 0x0339ceb0) line 2223 + 157 
bytes
CNavDTD::~CNavDTD() line 260 + 27 bytes
CNavDTD::`vector deleting destructor'(unsigned int 1) + 84 bytes
CNavDTD::Release(CNavDTD * const 0x03cd0940) line 132 + 154 bytes
CParserContext::~CParserContext() line 120 + 36 bytes
CParserContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsParser::~nsParser() line 275 + 31 bytes
nsParser::`vector deleting destructor'(unsigned int 1) + 84 bytes
nsParser::Release(nsParser * const 0x03360900) line 280 + 154 bytes
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x0339ceb0, int 0) line 
2392 + 27 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x03cd0940, unsigned int 0, int 1, 
nsIParser * 0x03360900, nsIContentSink * 0x0339ceb0) line 632 + 14 bytes
nsParser::DidBuildModel(unsigned int 0) line 1389 + 60 bytes
nsParser::ResumeParse(int 1, int 1) line 1909
nsParser::OnStopRequest(nsParser * const 0x03360908, nsIChannel * 0x041794ec, 
nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) 
line 2348 + 19 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03361b50, 
nsIChannel * 0x041794ec, nsISupports * 0x00000000, unsigned int 0, const 
unsigned short * 0x00000000) line 269
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x03361a40, 
nsIChannel * 0x041794ec, nsISupports * 0x00000000, unsigned int 0, const 
unsigned short * 0x00000000) line 984
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03367060, 
nsIChannel * 0x041794ec, nsISupports * 0x00000000, unsigned int 0, const 
unsigned short * 0x00000000) line 269
nsNNTPProtocol::CleanupAfterRunningUrl() line 5052 + 70 bytes
nsNNTPProtocol::ProcessProtocolState(nsIURI * 0x04179bf4, nsIInputStream * 
0x045c3960, unsigned int 12705, unsigned int 945) line 5012 + 11 bytes
nsMsgProtocol::OnDataAvailable(nsMsgProtocol * const 0x041794e8, nsIChannel * 
0x0417f604, nsISupports * 0x04179bf0, nsIInputStream * 0x045c3960, unsigned int 
12705, unsigned int 945) line 192 + 32 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x03c82e40) 
line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03c83bd0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x03c83bd0) line 589 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00b49620) line 526 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x132f017a, unsigned int 49424, unsigned int 0, 
long 11834912) line 1059 + 9 bytes
USER32! 77e71820()
00b49620()
 

    
    

    
  
harish is working on rewriting the parser / content sink / dtd code to use weak 
references.

we hope that should fix this problem.  re-assigning to him.

thanks harish.  when you check in your fix for #37434, I'll update and see it 
fixes this crash.

let me know if you need help in reproducing this crash.
Assignee: sspitzer → harishd
Status: ASSIGNED → NEW
Depends on: 37434

    
  
Keywords: mailtrack

    
    

    
  
*** Bug 51612 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 51612 has been marked as a duplicate of this bug. ***

    
    

    
  
harish, see bug #51612 for detailed instructions on how to reproduce this crash.

    
    

    
  
PDT agrees P2
Whiteboard: [nsbeta3+][dogfood-] looking at this now (9-5-00) → [nsbeta3+][dogfood-][PDTP2] looking at this now (9-5-00)

    
    

    
  
clearing my old status whiteboard comment.  harishd is looking at this, not me.
Whiteboard: [nsbeta3+][dogfood-][PDTP2] looking at this now (9-5-00) → [nsbeta3+][dogfood-][PDTP2]

    
    

    
  
Increasing priority to P1.
Status: NEW → ASSIGNED
Priority: P2 → P1

    
    

    
  
harish, rpotts's fix for #37434 did not fix this.


    
    

    
  
Thanx Seth, I'll go with the weak ref. then.

    
    

    
  
PDT agrees P1 based on Harish's explanation that this is a widespread crash.
Whiteboard: [nsbeta3+][dogfood-][PDTP2] → [nsbeta3+][dogfood-][PDTP1]

    
  
Summary: Crashed when selecting attach message in news [@ MSVCRT.dll + 0x1000] → Crashed when selecting attach message in news [@ MSVCRT.dll + 0x1000 - CNavDTD::DidBuildModel]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Parser patchSplinter Review
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Sink patchSplinter Review
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Gfx patchSplinter Review
      

    


  

    
    

    
  
Should apply all three patches ( Parser,Sink,Gfx ).

    
    

    
  
Looks like creating a weak parser, though the right thing to do, could 
potentially break some scripts ( per Vidur )! Therefore, the easiest fix would 
be to apply a KungFuDeathGrip ( safer solution ), on the parser, in sink's 
DidBuildModel(). 

But, the best thing to do ( post release ), is to find out who screwed up 
refcounting on the parser.

BTW, I was not able to reproduce the crash with the new tree ( Sept 17th ). 
However, I do crash in nsImageNetContextAsync.cpp ( line: 377 ) due to a null 
uri. 

Adding Pam to the CC list to provide input on why the uri is null and if it can 
be null why isn't the pointer conditioned.

    
    

    
  


  

    
    

    
  
Seth, I have checked in the KungFu (!) patch. Could you please verify if we
still crash....cause I wan't able to reproduce the crash ( not the URI
crash..though ).


    
    

    
  
would not hold pr3 for this


    
    

    
  
harish:
problem you encountered in nsImageNetContextAsync.cpp is interesting.
If uri == NULL, you should have gotten err failure. And you didn't.
The uri stuff isn't in my area, though it affects me. I'll flag it.
-p

    
    

    
  
I don't see the crash anymore.

but most times the image in 
news://news.mozilla.org/3999C01C.4040004%40netscape.com doesn't load.

see bug #53258 for details.

    
  
Status: ASSIGNED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → WORKSFORME

    
    

    
  
Based on Seth's comment and my comment marking bug WFM.


    
    

    
  
Should this be marked fixed or worksforme? I get the impression from Seth that
it's fixed, and if it was marked fixed, it wouldn't show up in the top talkback
crashers that we can't reproduce.


    
    

    
  
Verified on WinNT 09-29-09-MN6
Verified on Linux 09-29-09-MN6
Verified on Mac 09-29-11-MN6
No crashes anymore when selecting attach message in news. 
Marking as verified.
Status: RESOLVED → VERIFIED

    
    

    
  
Moving all the Works For Me bugs to talkback user account for future reference.

Assignee: harishd → talkback
Status: VERIFIED → NEW

    
    

    
  
We are gathering all the Resolved and WFM bugs which are happened to be topcrash 
bugs and assigning it to talkback. I am marking all of them as RESOLVED WFM.
Status: NEW → RESOLVED
Closed: 24 years ago23 years ago

    
    

    
  
>I get the impression from Seth that
>it's fixed, and if it was marked fixed, it wouldn't show up in the top talkback
>crashers that we can't reproduce.

Reopening this bug in order to marking as fixed from "worksforme"...
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

    
    

    
  
marking as fixed, so it wouldn't show up in the top talkback
crashers that we can't reproduce.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED

    
    

    
  
I did verify again on all the platforms:

Verified on WinNT 05-25-09-trunk build
Verified on Linux 05-25-08-trunk build
verified on Mac 05-25-08-trunk build

No crashes anymore when posting an attached message in news. 
Marking as verified.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Crash Signature: [@ MSVCRT.dll + 0x1000 - CNavDTD::DidBuildModel]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: