Closed Bug 505971 Opened 15 years ago Closed 15 years ago

crash when using SSPI/Kerberos authetication [@ _CxxThrowException - operator new]

Categories

(MailNews Core :: Security, defect)

All
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 511806

People

(Reporter: shopik, Unassigned)

Details

(Keywords: regression)

Attachments

(2 files)

46.43 KB, application/octet-stream
Details
28.10 KB, application/octet-stream
Details
Configured ldap, with GSSAPI enabled. Startup compose message and to enter "gal" into to field will crash TB
bp-ebf2ea29-2fe9-4367-b7f5-7ca2a2090723
bp-11daccd7-57bd-4155-b802-9ab8d2090723
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Thunderbird/3.0b3
Component: Address Book → LDAP Integration
Product: Thunderbird → MailNews Core
QA Contact: address-book → ldap-integration
for some reason you're running out of memory. find out if you're really low on memory. also be aware that IsLowMemory() only works usefully on -central, not 1.9.1.

Signature	KERNELBASE.dll@0x98f6
UUID	ebf2ea29-2fe9-4367-b7f5-7ca2a2090723
Time 	2009-07-23 04:07:50.337198
Uptime	14
Last Crash	19 seconds before submission
Product	Thunderbird
Version	3.0b3
Build ID	20090715140311
Branch	1.9.1
OS	Windows NT
OS Version	6.1.7100
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 6
Crash Reason	0xe06d7363 / 0x00000001
Crash Address	0x756198f6
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	KERNELBASE.dll 	KERNELBASE.dll@0x98f6 	
1 	mozcrt19.dll 	_CxxThrowException 	throw.cpp:159
2 	mozcrt19.dll 	operator new 	new.cpp:57
3 	xpcom_core.dll 	nsSupportsArray::Create 	xpcom/ds/nsSupportsArray.cpp:212
4 	xpcom_core.dll 	NS_NewISupportsArray 	xpcom/ds/nsSupportsArray.cpp:681
5 	thunderbird.exe 	nsAutoCompleteResults::nsAutoCompleteResults 	xpfe/components/autocomplete/src/nsAutoComplete.cpp:119
6 	thunderbird.exe 	nsAutoCompleteResultsConstructor 	xpfe/components/autocomplete/src/nsAutoComplete.cpp:181
7 	xpcom_core.dll 	nsGenericFactory::CreateInstance 	nsGenericFactory.cpp:80
8 	xpcom_core.dll 	nsComponentManagerImpl::CreateInstanceByContractID 	xpcom/components/nsComponentManager.cpp:1687
9 	xpcom_core.dll 	CallCreateInstance 	nsComponentManagerUtils.cpp:170
10 	xpcom_core.dll 	nsCreateInstanceByContractID::operator 	nsComponentManagerUtils.cpp:210
11 	xpcom_core.dll 	nsCOMPtr_base::assign_from_helper 	nsCOMPtr.cpp:150
12 	thunderbird.exe 	nsCOMPtr<nsIAutoCompleteResults>::operator= 	nsCOMPtr.h:707
13 	thunderbird.exe 	nsLDAPAutoCompleteSession::CreateResultsArray 	mailnews/addrbook/src/nsLDAPAutoCompleteSession.cpp:905
14 	thunderbird.exe 	nsLDAPAutoCompleteSession::DoTask 	mailnews/addrbook/src/nsLDAPAutoCompleteSession.cpp:713
15 	thunderbird.exe 	nsLDAPAutoCompleteSession::OnStartLookup 	mailnews/addrbook/src/nsLDAPAutoCompleteSession.cpp:208
16 	xpcom_core.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
17 	thunderbird.exe 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2295
18 	xpcom_core.dll 	nsStringBuffer::Alloc 	xpcom/string/src/nsSubstring.cpp:204
19 	xpcom_core.dll 	nsAString_internal::SetCapacity 	xpcom/string/src/nsTSubstring.cpp:577
20 	xpcom_core.dll 	nsAString_internal::SetCapacity 	xpcom/string/src/nsTSubstring.cpp:565

Signature	KERNELBASE.dll@0x98f6
UUID	11daccd7-57bd-4155-b802-9ab8d2090723
Time 	2009-07-23 04:07:28.983171
Uptime	535
Last Crash	3447 seconds before submission
Product	Thunderbird
Version	3.0b3
Build ID	20090715140311
Branch	1.9.1
OS	Windows NT
OS Version	6.1.7100
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 6
Crash Reason	0xe06d7363 / 0x00000001
Crash Address	0x756198f6
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	KERNELBASE.dll 	KERNELBASE.dll@0x98f6 	
1 	mozcrt19.dll 	_CxxThrowException 	throw.cpp:159
2 	mozcrt19.dll 	operator new 	new.cpp:57
3 	xpcom_core.dll 	nsVariantConstructor 	xpcom/build/nsXPComInit.cpp:217
4 	xpcom_core.dll 	nsGenericFactory::CreateInstance 	nsGenericFactory.cpp:80
5 	xpcom_core.dll 	nsComponentManagerImpl::CreateInstanceByContractID 	xpcom/components/nsComponentManager.cpp:1687
6 	xpcom_core.dll 	CallCreateInstance 	nsComponentManagerUtils.cpp:170
7 	xpcom_core.dll 	nsCreateInstanceByContractID::operator 	nsComponentManagerUtils.cpp:210
8 	xpcom_core.dll 	nsCOMPtr_base::assign_from_helper 	nsCOMPtr.cpp:150
9 	thunderbird.exe 	nsCOMPtr<nsIWritableVariant>::nsCOMPtr<nsIWritableVariant> 	nsCOMPtr.h:621
10 	thunderbird.exe 	nsAbCardProperty::SetPropertyAsAString 	mailnews/addrbook/src/nsAbCardProperty.cpp:273
11 	thunderbird.exe 	nsAddrDatabase::InitCardFromRow 	mailnews/addrbook/src/nsAddrDatabase.cpp:2411
12 	thunderbird.exe 	nsAddrDatabase::CreateCardFromDeletedCardsTable 	mailnews/addrbook/src/nsAddrDatabase.cpp:2835
13 	thunderbird.exe 	nsAddrDBEnumerator::GetNext 	mailnews/addrbook/src/nsAddrDatabase.cpp:2617
14 	thunderbird.exe 	nsAbDirectoryQuery::queryCards 	mailnews/addrbook/src/nsAbDirectoryQuery.cpp:355
15 	thunderbird.exe 	nsAbDirectoryQuery::query 	mailnews/addrbook/src/nsAbDirectoryQuery.cpp:289
16 	thunderbird.exe 	nsAbDirectoryQuery::DoQuery 	mailnews/addrbook/src/nsAbDirectoryQuery.cpp:265
17 	thunderbird.exe 	nsAbDirectoryQueryProxy::DoQuery 	mailnews/addrbook/src/nsAbDirectoryQueryProxy.h:49
18 	thunderbird.exe 	nsAbMDBDirectory::StartSearch 	mailnews/addrbook/src/nsAbMDBDirectory.cpp:956
19 	thunderbird.exe 	nsAbMDBDirectory::GetChildCards 	mailnews/addrbook/src/nsAbMDBDirectory.cpp:441
20 	xpcom_core.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
21 	xpcom_core.dll 	xptiInterfaceInfo::GetMethodInfo 	xpcom/reflect/xptinfo/src/xptiprivate.h:706
22 	thunderbird.exe 	XPCConvert::NativeInterface2JSObject 	js/src/xpconnect/src/xpcconvert.cpp:1146
Summary: crash when lookup up names with ldap enabled [@KERNELBASE.dll@0x98f6 ] → crash when lookup up names with ldap enabled [@ _CxxThrowException - operator new]
(In reply to comment #1)
> for some reason you're running out of memory. find out if you're really low on
> memory. also be aware that IsLowMemory() only works usefully on -central, not
> 1.9.1.

I doubt about running low on memory, just tried and from what I see there lot available memory. Also from what I see sometimes it just hang compose message window but main window still responsive.
What are you suggesting, try latest trunk?
bp-7a349bbc-65d4-4b36-93d9-bc08c2090723
Here is crash on Windows XP
I can say this problem dates back to march of 2009 (exactly 2009-03-20) with that crash below. I've tested this once after GSSAPI binding for ldap landed.
bp-c9db6b27-117d-410a-9bf4-9f3372090320
I can only crash it with Kerberos (GSSAPI) enabled, but from what I see it crash after binding already complete.
Hardware: x86_64 → All
Ludo, anything else I could do to help resolve this crash?
(In reply to comment #6)
> Ludo, anything else I could do to help resolve this crash?

If you could provide an account to either sid or bienvenu with proper credential they might be able to hook the debugger and figure out what is going on. But maybe we should ask them first if they would be interested in having a look at it before  creating the accounts.
I can get crash even just when starting up TB end selecting account INBOX.
bp-34a57873-ab79-411c-a65a-5640b2090804
bp-ec306b8c-97cd-444b-bd50-832282090804
And these two crashes actually happens when ldap was DISABLED. But strangely now I'm getting trouble to reproduce these.
(In reply to comment #8)
> I can get crash even just when starting up TB end selecting account INBOX.
> bp-34a57873-ab79-411c-a65a-5640b2090804
> bp-ec306b8c-97cd-444b-bd50-832282090804

Well nothing in them shows that ldap is causing the issue. Those are nice crashes btw.
Simon Wilkinson suggest this is address book card creation, see bug 308118#c56. Also if this is important last two crashes produced when I enabled Kerberos for IMAP and select INBOX from such account.
I wonder if there's some sort of memory corruption going on causing new to throw an exception.
This is getting further, looks like this is related to GSSAPI somewhat. Because I've disable LDAP completely and still getting crashes but as I said previously have Kerberos enabled mailbox. Crashes mostly random, but sometimes happens on specific folder.
Summary: crash when lookup up names with ldap enabled [@ _CxxThrowException - operator new] → crash when using GSSAPI/Kerberos authetication [@ _CxxThrowException - operator new]
Here is two crashes, with two both latest trunks
bp-b6fffcc4-e492-41b9-b406-640e42090810
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a2pre) Gecko/20090809 Shredder/3.1a1pre
bp-10ed8004-3e76-4128-ab61-06a042090810
These two clearly show problem with address book (I've used LDAP+GSSAPI authetication)
https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg
use 'thunderbird' instead of 'firefox'
http://windowsitpro.com/article/articleid/22962/heap-corruption-part-2.html

note that i don't usually have to deal w/ heap corruption, so i don't really have better hints, sorry. the article (and some links within it) should be explain enough (at least the author thought so).
Keywords: regression
Which builds of thunderbird you suggest to try debug, 1.9.2 or 1.9.1? It seems I having trouble getting symbols for 1.9.2 (or at least windbg think so)
Attached file windbg stacktrace
Here is stacktrace from windbg. I could test if that problem exist on Linux and if so give stacktrace too.
right, so you got windbg working, that's step 1. step 2 is reading the article that talks about heap corruption and applying it to the windbg you've set up.
Attached file windbg Backtrace
These flags are enabled for process thunderbird.exe - Enable heap tail checking, Enable heap free checking, Enable heap parameter checking, Enable heap validation on call, Disable heap coalesce on free, Enable page heap, and Enable heap tagging check boxes.
Moving to security, its only crash when binding GSSAPI regardless LDAP/IMAP/SMTP
Component: LDAP Integration → Security
QA Contact: ldap-integration → security
(In reply to comment #17)
> right, so you got windbg working, that's step 1. step 2 is reading the article
> that talks about heap corruption and applying it to the windbg you've set up.

Please let me know if anything else I could do to help resolve this issue, hope backtrace good enough.
Nikolay, if you could get me access to a server that supports GSSAPI, (IMAP, LDAP, it doesn't really matter - just some way to reproduce the crash), then I might be able to make progress...
David, I will provide you access to IMAP or LDAP. I can't get yet MIT kerberos working on mine WindowsXP or at least Thunderbird to understand it have ticket. On Linux this works and not produce any crashes yet.
I've got it working network.auth.use-sspi should be false, but surprisingly with MIT Kerberos it very stable and not crashing every 2 minutes. So problem can be reproduced only when using SSPI with machine joined to windows domain.
David, I could create virtual machine joined to test domain for you to access remotely via VNC or RDP.
Summary: crash when using GSSAPI/Kerberos authetication [@ _CxxThrowException - operator new] → crash when using SSPI/Kerberos authetication [@ _CxxThrowException - operator new]
bp-25919eed-1897-4a39-bfe5-9947c2090816 new crash now with MS symbols enabled.
I've just filed bug 511806 which might be related to this bug (or a duplicate).
GSSAPI for IMAP, POP, and SMTP was recently enabled at UC Berkeley, and we've received widespread reports of Thunderbird crashing under Vista or later when joined to AD and SSPI is enabled.  We've yet to receive any reports of issues under XP.
Marking dupe since that bug contain actual patch which fixing crash described here.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.