517456 - crash [@strchr | nsParseMailMessageState::ParseHeaders() ], formerly [@ nsParseMailMessageState::ParseHeaders()]

Status: RESOLVED FIXED

(MailNews Core :: Backend, defect)

Description

[Ludovic Hirlimann [:Usul]]

0  	mozcrt19.dll  	strchr  	strchr.asm:101
1 	thunderbird.exe 	nsParseMailMessageState::ParseHeaders 	mailnews/local/src/nsParseMailbox.cpp:949
2 	thunderbird.exe 	nsParseMailMessageState::ParseFolderLine 	mailnews/local/src/nsParseMailbox.cpp:677
3 	thunderbird.exe 	nsMsgMailboxParser::HandleLine 	mailnews/local/src/nsParseMailbox.cpp:514
4 	thunderbird.exe 	nsMsgLineBuffer::ConvertAndSendBuffer 	mailnews/base/util/nsMsgLineBuffer.cpp:264
5 	thunderbird.exe 	nsMsgLineBuffer::BufferInput 	mailnews/base/util/nsMsgLineBuffer.cpp:201
6 	thunderbird.exe 	nsMsgMailboxParser::ProcessMailboxInputStream 	mailnews/local/src/nsParseMailbox.cpp:366
7 	thunderbird.exe 	nsMsgMailboxParser::OnDataAvailable 	mailnews/local/src/nsParseMailbox.cpp:115
8 	thunderbird.exe 	nsMailboxProtocol::ReadFolderResponse 	mailnews/local/src/nsMailboxProtocol.cpp:553
9 	thunderbird.exe 	nsMailboxProtocol::ProcessProtocolState 	mailnews/local/src/nsMailboxProtocol.cpp:688
10 	thunderbird.exe 	nsMsgProtocol::OnDataAvailable 	mailnews/base/util/nsMsgProtocol.cpp:359
11 	thunderbird.exe 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
12 	thunderbird.exe 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
13 	xpcom_core.dll 	nsOutputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
14 	xpcom_core.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:521
15 	xpcom_core.dll 	NS_ProcessPendingEvents_P 	objdir-tb/mozilla/xpcom/build/nsThreadUtils.cpp:183
16 	thunderbird.exe 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
17 	thunderbird.exe 	nsAppShell::EventWindowProc 	widget/src/windows/nsAppShell.cpp:91
18 	user32.dll 	InternalCallWinProc 	
19 	user32.dll 	UserCallWinProcCheckWow 	
20 	user32.dll 	DispatchMessageWorker 	
21 	user32.dll 	DispatchMessageW 	
22 	ole32.dll 	CDragOperation::HandleMessages 	
23 	ole32.dll 	DoDragDrop 	
24 	thunderbird.exe 	nsDragService::StartInvokingDragSession 	widget/src/windows/nsDragService.cpp:316
25 	thunderbird.exe 	nsDragService::InvokeDragSession 	widget/src/windows/nsDragService.cpp:263
26 	thunderbird.exe 	nsBaseDragService::InvokeDragSessionWithImage 	widget/src/xpwidgets/nsBaseDragService.cpp:276
27 	thunderbird.exe 	nsEventStateManager::DoDefaultDragStart 	content/events/src/nsEventStateManager.cpp:2501
28 	thunderbird.exe 	nsEventStateManager::GenerateDragGesture 	content/events/src/nsEventStateManager.cpp:2256
29 	thunderbird.exe 	nsEventStateManager::PreHandleEvent 	content/events/src/nsEventStateManager.cpp:997
30 	thunderbird.exe 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6313
31 	thunderbird.exe 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6211
32 	thunderbird.exe 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6071
33 	thunderbird.exe 	nsViewManager::HandleEvent 	view/src/nsViewManager.cpp:1400
34 	thunderbird.exe 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1359
35 	thunderbird.exe 	HandleEvent 	view/src/nsView.cpp:168
36 	thunderbird.exe 	nsWindow::DispatchEvent 	widget/src/windows/nsWindow.cpp:1051
37 	thunderbird.exe 	nsWindow::DispatchWindowEvent 	widget/src/windows/nsWindow.cpp:1071
38 	thunderbird.exe 	nsWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6614
39 	thunderbird.exe 	ChildWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6761
40 	thunderbird.exe 	nsWindow::ProcessMessage 	widget/src/windows/nsWindow.cpp:4618
41 	thunderbird.exe 	nsWindow::WindowProc 	widget/src/windows/nsWindow.cpp:1267
42 	user32.dll 	InternalCallWinProc 	
43 	user32.dll 	UserCallWinProcCheckWow 	
44 	user32.dll 	DispatchMessageWorker 	
45 	user32.dll 	DispatchMessageW 	
46 	thunderbird.exe 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:165
47 	thunderbird.exe 	nsBaseAppShell::DoProcessNextNativeEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:151
48 	thunderbird.exe 	nsBaseAppShell::OnProcessNextEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:278
49 	xpcom_core.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:508
50 	xpcom_core.dll 	NS_ProcessNextEvent_P 	objdir-tb/mozilla/xpcom/build/nsThreadUtils.cpp:227
51 	thunderbird.exe 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
52 	thunderbird.exe 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
53 	thunderbird.exe 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3321
54 	thunderbird.exe 	NS_internal_main 	mail/app/nsMailApp.cpp:103
55 	thunderbird.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
56 	thunderbird.exe 	__tmainCRTStartup 	objdir-tb/mozilla/memory/jemalloc/src/crtexe.c:591
57 	kernel32.dll 	BaseThreadInitThunk 	
58 	ntdll.dll 	__RtlUserThreadStart 	
59 	ntdll.dll 	_RtlUserThreadStart

Comment 1

[Wayne Mery (:wsmwk)]

ludo, is this something you hit during a litmus test?

not a new crash, but quite rare - 0-2 per month on crash-stats. 
bcf1c5b0-37cc-4adb-bd1f-181e52090922 3.0b3
0	mozcrt19.dll	strchr	 strchr.asm:101
1	thunderbird.exe	nsParseMailMessageState::ParseHeaders	mailnews/local/src/nsParseMailbox.cpp:949
2	thunderbird.exe	nsParseMailMessageState::ParseFolderLine	mailnews/local/src/nsParseMailbox.cpp:677
3	thunderbird.exe	nsMsgMailboxParser::HandleLine	mailnews/local/src/nsParseMailbox.cpp:514
4	thunderbird.exe	nsMsgLineBuffer::ConvertAndSendBuffer	mailnews/base/util/nsMsgLineBuffer.cpp:264
5	thunderbird.exe	nsMsgLineBuffer::BufferInput	mailnews/base/util/nsMsgLineBuffer.cpp:201
6	thunderbird.exe	nsMsgMailboxParser::ProcessMailboxInputStream	mailnews/local/src/nsParseMailbox.cpp:366
7	thunderbird.exe	nsMsgMailboxParser::OnDataAvailable	mailnews/local/src/nsParseMailbox.cpp:115
8	thunderbird.exe	nsMailboxProtocol::ReadFolderResponse	mailnews/local/src/nsMailboxProtocol.cpp:553
9	thunderbird.exe	nsMailboxProtocol::ProcessProtocolState	mailnews/local/src/nsMailboxProtocol.cpp:688
10	thunderbird.exe	nsMsgProtocol::OnDataAvailable	mailnews/base/util/nsMsgProtocol.cpp:351
11	thunderbird.exe	nsInputStreamPump::OnStateTransfer	netwerk/base/src/nsInputStreamPump.cpp:508
12	thunderbird.exe	nsInputStreamPump::OnInputStreamReady	netwerk/base/src/nsInputStreamPump.cpp:398
13	xpcom_core.dll	nsInputStreamReadyEvent::Run	xpcom/io/nsStreamUtils.cpp:111 

Oldest ones I find are
bp-20ecdd3e-5722-4e5a-97d1-71b5f2090702 3.0b2
bp-72b1940c-2091-4955-a9df-dc95e2090619 3.0b2

Comment 2

[Ludovic Hirlimann [:Usul]]

(In reply to comment #1)
> ludo, is this something you hit during a litmus test?

No - if so I would have added STRs.

Comment 3

[Wayne Mery (:wsmwk)]

a thunderbird 5 example
bp-6e28a71f-ec61-4f0e-8887-a8c3f2110726
EXCEPTION_ACCESS_VIOLATION_READ
0x10916000
0	mozcrt19.dll	strchr	strchr.asm:101
1	xul.dll	nsParseMailMessageState::ParseHeaders	mailnews/local/src/nsParseMailbox.cpp:950
2	xul.dll	nsParseMailMessageState::ParseFolderLine	mailnews/local/src/nsParseMailbox.cpp:678
3	xul.dll	nsMsgMailboxParser::HandleLine	mailnews/local/src/nsParseMailbox.cpp:513
4	xul.dll	nsMsgLineBuffer::ConvertAndSendBuffer	mailnews/base/util/nsMsgLineBuffer.cpp:265
5	xul.dll	nsMsgLineBuffer::BufferInput	mailnews/base/util/nsMsgLineBuffer.cpp:202
6	xul.dll	nsMsgMailboxParser::ProcessMailboxInputStream	mailnews/local/src/nsParseMailbox.cpp:365
7	xul.dll	nsMsgMailboxParser::OnDataAvailable	mailnews/local/src/nsParseMailbox.cpp:115
8	xul.dll	nsMailboxProtocol::ReadFolderResponse	mailnews/local/src/nsMailboxProtocol.cpp:554
9	xul.dll	nsMailboxProtocol::ProcessProtocolState	mailnews/local/src/nsMailboxProtocol.cpp:689
10	xul.dll	nsMsgProtocol::OnDataAvailable	mailnews/base/util/nsMsgProtocol.cpp:387 



slightly different stack, and line number
nsParseMailMessageState::ParseHeaders()
bp-b6022bd6-513b-4bef-82e5-c67412110725
EXCEPTION_ACCESS_VIOLATION_WRITE
0xd
0	xul.dll	nsParseMailMessageState::ParseHeaders	mailnews/local/src/nsParseMailbox.cpp:1040
1	xul.dll	nsParseMailMessageState::ParseFolderLine	mailnews/local/src/nsParseMailbox.cpp:678
2	xul.dll	nsParseMailMessageState::ParseAFolderLine	mailnews/local/src/nsParseMailbox.cpp:665
3	xul.dll	nsImapMailFolder::ParseAdoptedHeaderLine	mailnews/imap/src/nsImapMailFolder.cpp:3065
4	xul.dll	nsImapMailFolder::ParseMsgHdrs	mailnews/imap/src/nsImapMailFolder.cpp:3018

Comment 4

[Wayne Mery (:wsmwk)]

p.s. frame 1 is same line number

Comment 5

[Wayne Mery (:wsmwk)]

bp-6e28a71f-ec61-4f0e-8887-a8c3f2110726 TB5 has same source line as bp-cf5017a2-d64e-4c58-8325-2b5d42120819 TB14
line 968
966 while (buf < buf_end)
967 {
968 char *colon = PL_strchr (buf, ':'); 

consistent line# for all the strchr | nsParseMailMessageState::ParseHeaders() crashes that I examined

Comment 6

[Hiroyuki Ikezoe (:hiro)]

(In reply to Wayne Mery (:wsmwk) from comment #5)
> bp-6e28a71f-ec61-4f0e-8887-a8c3f2110726 TB5 has same source line as
> bp-cf5017a2-d64e-4c58-8325-2b5d42120819 TB14
> line 968
> 966 while (buf < buf_end)
> 967 {
> 968 char *colon = PL_strchr (buf, ':'); 

Ah, this is really bad since buf is not NULL-terminated. We should use PL_strnchr there.

Comment 7

[Hiroyuki Ikezoe (:hiro)]

Attachment: Fix

Unfortunately I can't write effective test because of jemalloc.

Comment 8

[Mark Banner (:standard8)]

Comment on attachment 653251 [details] [diff] [review]
Fix

Review of attachment 653251 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay in getting to this.

::: mailnews/local/src/nsParseMailbox.cpp
@@ +925,5 @@
>  */
>  int nsParseMailMessageState::ParseHeaders ()
>  {
>    char *buf = m_headers.GetBuffer();
> +  PRUint32 buf_length = m_headers.GetBufferPos();

As a result of recent changes, this should now be uint32_t rather than PRUint32.

Comment 9

[:aceman]

Attachment: fix v2

Updated patch with standard8's nit. As Hiro is not responding just get this landed as it seems finished.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/comm-central/rev/78c6a5c08287