crash navigating news articles @ nsNNTPProtocol::DisplayArticle
Categories
(MailNews Core :: Networking: NNTP, defect)
Tracking
(thunderbird_esr6068+ fixed, thunderbird68 fixed)
People
(Reporter: wsmwk, Assigned: aceman)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 1 obsolete file)
3.39 KB,
patch
|
jorgk-bmo
:
review+
jorgk-bmo
:
approval-comm-esr60+
|
Details | Diff | Splinter Review |
Comment 1•16 years ago
|
||
Comment 3•15 years ago
|
||
Updated•14 years ago
|
Reporter | ||
Comment 4•13 years ago
|
||
Reporter | ||
Comment 5•12 years ago
|
||
Reporter | ||
Comment 7•6 years ago
•
|
||
Aceman, thainks for all the analysis. So this is an easy win? Are there many callers that need to be changed when fixing nsMsgLineBuffer?
I checked and nothing changed yet in https://dxr.mozilla.org/comm-central/rev/2a29ee0adb310b54a6a2df72034953fed8f2b043/comm/mailnews/base/util/nsMsgLineBuffer.cpp#313
Crashing line is now https://hg.mozilla.org/comm-central/annotate/tip/mailnews/news/src/nsNNTPProtocol.cpp#l2023
Reporter | ||
Comment 8•6 years ago
|
||
bp-fe292625-2221-413f-b9ce-11a3e0190411
bp-065d3e7b-2d1f-4511-b5d0-dc9ed0190405
bp-b8ab70cc-5984-405d-aa05-cf8620190320
FWIW, other news crashes - probably none related
- open bugs https://mzl.la/2JD65Rt
- fixed, dupe and open from past 2 years https://mzl.la/2JD2vqo
I have looked at all the callers of ReadNextLine and it seems to me ALL of them check either rv or !line so for those nothing changes if we change return value of aNumBytesInLine.
Only the single caller in question inside nsNNTPProtocol::DisplayArticle (at https://hg.mozilla.org/comm-central/annotate/tip/mailnews/news/src/nsNNTPProtocol.cpp#l1989) does not check either one, but checks the number of bytes. So this patch changes it to return 0.
Let's see what happens. It seems to me in case of 0 we hit the line:
mDisplayOutputStream->Write(line, line_length, &count);
I don't know what happens when this runs with line==nullptr and line_length==0. But at least we do not access line[0] in the check above.
Maybe we get a crash at this place, but then we know we are fixing the right cause :) When that happens we may need to add proper check for NS_FAILED(rv) or !line, but then I don't know how to return, is it protocol specific logic :) If jcranmer does not help, we will have to guess :)
So, let's try the simple version for now.
Try run: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=4fd248a7a5c857644a746d68a0b9fa027b357c5b
Comment 10•6 years ago
|
||
![]() |
Assignee | |
Comment 11•6 years ago
|
||
OK, I'm fine with going with plan B directly. I'm just not sure about returning NS_OK, but we will see.
Comment 12•6 years ago
|
||
Comment 13•6 years ago
|
||
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/7d83fbb674d6
do not return -1 in a uint32_t argument in nsMsgLineStreamBuffer::ReadNextLine() to prevent an overflow. r=jorgk
Comment 14•6 years ago
|
||
Fingers crossed. This is an uplift candidate.
Updated•6 years ago
|
Reporter | ||
Comment 15•6 years ago
|
||
Note - as can be seen in the graph this has crazy low crash volume, you could almost say subzero :) I'd just let it ride the train.
Updated•6 years ago
|
Comment 16•6 years ago
|
||
TB 60.8 ESR:
https://hg.mozilla.org/releases/comm-esr60/rev/48a03f2b366309f62cc5184f3a18a6960520b526
Grrr, I messed up the rebasing: aNumBytesInLine = -0;
, doesn't matter.
Description
•