Last Comment Bug 524064 - crash [@memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int)] - [@ nsMsgDBView::RemoveRows]
: crash [@memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsign...
[no l10n impact][ccbr]
: crash, fixed-seamonkey2.0.1, topcrash
Product: MailNews Core
Classification: Components
Component: Backend (show other bugs)
: 1.9.1 Branch
: x86 Windows XP
-- critical (vote)
: Thunderbird 3.0rc1
Assigned To: David :Bienvenu
Depends on:
  Show dependency treegraph
Reported: 2009-10-23 00:42 PDT by Ludovic Hirlimann [:Usul]
Modified: 2011-06-13 10:01 PDT (History)
4 users (show)
mozilla: blocking‑thunderbird3+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

proposed fix (1.17 KB, patch)
2009-10-23 15:56 PDT, David :Bienvenu
standard8: review+
standard8: superreview+
Details | Diff | Splinter Review

Description User image Ludovic Hirlimann [:Usul] 2009-10-23 00:42:52 PDT
STR from bug
1. start TB in safe-mode;
2. go to view "All Folders"
3. create a saved search (I create a saved search base on my TBbugzilla with
fiter condition <subject> <contains> <bug>: all 2019 mails are selected);
4. sort saved search group by sort (date descending) and fill "bug." (without
quotes) on globalsearch when is applied "search all messages" and don't raise
5. change filter on globalsearch to "Subject or From" (zero results);
6. in message pane click on "+\-" icon (one or two time): crash!
Comment 1 User image Wayne Mery (:wsmwk, NI for questions) 2009-10-23 08:25:50 PDT
memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int)

#13 in 3.0b4 [1] and #18 for 3.0pre. Hopefully blocking is justified by an easy fix, given we have good STR thanks to Aureliano. But given the 3.0pre crash rate we may not know for ~6 days from patch landing whether this significantly affects crash profile.

Optimistically marking topcrash, but I  haven't examined the stacks of [1] ... there may be multiple stacks/causes of this top of stack [2].  (most of our crashes mention deleting or clicking on messages, not manipulating filters, threads, etc)

from bug 518128, bp-044bb85b-072f-47ff-aa2d-b8df92091022
0	mozcrt19.dll	memmove	 MEMCPY.ASM:188
1	xpcom_core.dll	nsTArray_base::ShiftData	objdir-tb/mozilla/xpcom/build/nsTArray.cpp:173
2	thunderbird.exe	nsMsgDBView::RemoveRows	mailnews/base/src/nsMsgDBView.cpp:5193
3	thunderbird.exe	nsMsgDBView::CollapseByIndex	mailnews/base/src/nsMsgDBView.cpp:4768
4	thunderbird.exe	nsMsgDBView::ToggleExpansion	mailnews/base/src/nsMsgDBView.cpp:4598
5	thunderbird.exe	nsMsgDBView::ToggleOpenState	mailnews/base/src/nsMsgDBView.cpp:1934
6	xpcom_core.dll	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 


[2] xref [INVALID] Bug 519771 -  Crash [@memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int) ]
Comment 2 User image David :Bienvenu 2009-10-23 09:04:00 PDT
taking, I can reproduce this.
Comment 3 User image David :Bienvenu 2009-10-23 09:30:38 PDT
The steps are a little simpler:

1. create a saved search (I create a saved search base on my TBbugzilla with
fiter condition <subject> <contains> <bug>: all 2019 mails are selected);
2. sort saved search group by sort (date descending)
3. Do a "Subject or From" search on "bug." (which shouldn't get hits)
4. in message pane click on "+\-" icon (one or two time): crash!

After 3, we end up with the groups looking expanded in the sense that the triangle is open, but there aren't any rows displayed. And the counts on the group are completely wrong, as if we haven't cleared out the group correctly.
Comment 4 User image David :Bienvenu 2009-10-23 13:46:32 PDT
OK, the issue removing cached hits on saved searches that are no longer matches doesn't update the groups correctly - we call RemoveByIndex, but that doesn't update the groups correctly. We need to do something more like OnHdrDeleted, which has all the smarts for updating the groups.
Comment 5 User image David :Bienvenu 2009-10-23 15:56:19 PDT
Created attachment 408134 [details] [diff] [review]
proposed fix

this fixes it for me, and mirrors what we're doing in the cross-folder view case. There are things going wrong upstream in the sense that the quick search on the saved search is getting initialized with the saved search results, when it really shouldn't be, and that's why we have to clear out all the stale hits. But the stale hit clearing out code needs to go through the OnHdrDeleted path.
Comment 6 User image David :Bienvenu 2009-10-23 15:57:35 PDT
I'll try to come up with an xpcshell or mozmill test for this.
Comment 7 User image Mark Banner (:standard8) 2009-10-26 12:56:42 PDT
Comment on attachment 408134 [details] [diff] [review]
proposed fix

I've not been able to reproduce the crash with or without this (except for one with a cross folder search that I told bienvenu about earlier).

However the changes look fine, r/sr=Standard8
Comment 8 User image David :Bienvenu 2009-10-26 15:16:39 PDT
fixed on 3.0 branch and trunk.
Comment 9 User image [:Aureliano Buendía] 2009-10-27 06:42:50 PDT
Reading today pushlog it seems that the fix is landed, but I can reproduce this crash (with different STR) using today nyghtly build.
Comment 11 User image Ludovic Hirlimann [:Usul] 2009-10-27 06:46:42 PDT
What are the new STRs ?
Comment 12 User image [:Aureliano Buendía] 2009-10-27 06:55:00 PDT

1. TB safe-mode and view "All Folder";
2. select a folder (e.g. I select my bugzilla folder on Local Folders);
3. on context menu of this folder select "Search";
4. fill one criteria (in my case I create a new "custom headers" X-Bugzilla-Status and set is as RESOLVED);
5. click on search button on search window;
6. on results section click to "select column to display" and add "Thread";
7. on result section click on Thread column for sort by Thread: TB crash.
Comment 13 User image Mark Banner (:standard8) 2009-10-27 07:12:44 PDT
Whilst it ends up crashing in the same place, it is a different bug because its different STR and a different stack leading up to the crash.
Comment 14 User image Ludovic Hirlimann [:Usul] 2009-10-27 07:13:42 PDT
/me opens a new bug

Note You need to log in before you can comment on or make changes to this bug.