Closed Bug 593007 Opened 15 years ago Closed 15 years ago

Stack overflow on corrupted newsgroup Crash [@ arena_malloc_small ] looping through nsMsgQuickSearchDBView::ListIdsInThreadOrder

Categories

(MailNews Core :: Database, defect)

Product:
MailNews Core
Component:
Database
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(thunderbird3.1 .7-fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
thunderbird3.1 --- .7-fixed

People

(Reporter: bugzilla, Assigned: Bienvenu)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [gs][has WIP test])

Crash Data

Attachments

(3 files)

proposed fix
5.14 KB, patch
neil
: review+
standard8
: approval-thunderbird3.1.7+
Details | Diff | Splinter Review
fix one cause of corruption
1.06 KB, patch
neil
: review+
standard8
: approval-thunderbird3.1.7+
Details | Diff | Splinter Review
wip on unit test
5.12 KB, patch
Details | Diff | Splinter Review
The original bug wasn't cloneable, so creating it manually. There are still a lot of crashes with that signature. Can't say the exact number, since not all crashes with signature arena_malloc_small are related to nsMsgQuickSearchDBView::ListIdsInThreadOrder. Looking at last weeks crashstats affected versions are SeaMonkey 2.0.6, Thunderbird 3.0.4, 3.0.6, 3.0.7, 3.1.1 and 3.1.2. There are no reported crashes for trunk builds or any pre version.
Would be nice to figure out some STRS.
Severity: normal → critical
Thx to Günter, I have a .msf file and news.mozilla.org.rc file that enable me to recreate the crash.
Assignee: nobody → bienvenu
Attached patch proposed fixSplinter Review
This fixes the crash. I'm going to try to do a bit more digging into what exactly is wrong with the threading info in the .msf file, and how it might have gotten that way.
This should fix one (the?) cause of the corruption - adding a hdr that already exists to a thread confuses the threading structure. We should never do that. One reproducible way of doing this is to repair a newsgroup folder, and get multiple downloads going on the newsgroup.
Comment on attachment 485771 [details] [diff] [review] proposed fix This basically extends the previous sanity check to include skipped levels. I'm going to try to write a unit test for this, but creating a horked db is probably going to prove challenging.
Attachment #485771 - Flags: review?(neil)
(In reply to comment #5) > Comment on attachment 485771 [details] [diff] [review] > proposed fix > > This basically extends the previous sanity check to include skipped levels. I'm > going to try to write a unit test for this, but creating a horked db is > probably going to prove challenging. Can't you reuse the one you analyzed ?
It's 3MB, a few orders of magnitude bigger than the minimal test case.
Comment on attachment 485895 [details] [diff] [review] fix one cause of corruption We shouldn't allow adding a header that already exists...
Attachment #485895 - Flags: review?(neil)
Attachment #485771 - Flags: review?(neil) → review+
Attachment #485895 - Flags: review?(neil) → review+
Attached patch wip on unit testSplinter Review
saving what I had so far for the unit test. I haven't been able to reproduce the exact structure of the thread that was causing the crash fixed in the view code, however.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Attachment #485771 - Flags: approval-thunderbird3.1.7?
Attachment #485895 - Flags: approval-thunderbird3.1.7?
Flags: in-testsuite?
Attachment #485771 - Flags: approval-thunderbird3.1.7? → approval-thunderbird3.1.7+
Attachment #485895 - Flags: approval-thunderbird3.1.7? → approval-thunderbird3.1.7+
Crash Signature: [@ arena_malloc_small ]
Flags: in-testsuite?
Flags: in-testsuite-
Whiteboard: [gs] → [gs][has WIP test]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: