Closed Bug 593007 Opened 11 years ago Closed 11 years ago

Stack overflow on corrupted newsgroup Crash [@ arena_malloc_small ] looping through nsMsgQuickSearchDBView::ListIdsInThreadOrder

Categories: MailNews Core :: Database, defect
Platform: x86, All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: thunderbird3.1 .7-fixed
People: Reporter: bugzilla, Assigned: Bienvenu
Keywords: crash
Whiteboard: [gs][has WIP test]
Attachments: 3 files

The original bug wasn't cloneable, so creating it manually.

There are still a lot of crashes with that signature. Can't say the exact number, since not all crashes with signature arena_malloc_small are related to nsMsgQuickSearchDBView::ListIdsInThreadOrder.

Looking at last week's crashstats, affected versions are SeaMonkey 2.0.6, Thunderbird 3.0.4, 3.0.6, 3.0.7, 3.1.1 and 3.1.2. There are no reported crashes for trunk builds or any pre version.
Would be nice to figure out some STRs.
Severity: normal → critical
Thx to Günter, I have a .msf file and news.mozilla.org.rc file that enable me to recreate the crash.
Assignee: nobody → bienvenu
Attached patch: proposed fix
This fixes the crash. I'm going to try to do a bit more digging into what exactly is wrong with the threading info in the .msf file, and how it might have gotten that way.
This should fix one (the?) cause of the corruption - adding a hdr that already exists to a thread confuses the threading structure. We should never do that. One reproducible way of doing this is to repair a newsgroup folder, and get multiple downloads going on the newsgroup.
Comment on attachment 485771 [details] [diff] [review]
proposed fix

This basically extends the previous sanity check to include skipped levels. I'm going to try to write a unit test for this, but creating a horked db is probably going to prove challenging.
Attachment #485771 - Flags: review?(neil)
(In reply to comment #5)
> Comment on attachment 485771 [details] [diff] [review]
> proposed fix
> 
> This basically extends the previous sanity check to include skipped levels. I'm
> going to try to write a unit test for this, but creating a horked db is
> probably going to prove challenging.

Can't you reuse the one you analyzed?
It's 3MB, a few orders of magnitude bigger than the minimal test case.
Comment on attachment 485895 [details] [diff] [review]
fix one cause of corruption

We shouldn't allow adding a header that already exists...
Attachment #485895 - Flags: review?(neil)
Attachment #485771 - Flags: review?(neil) → review+
Attachment #485895 - Flags: review?(neil) → review+
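The two defenses discussed in the comments above (refusing to add a header that is already in a thread, and not trusting the stored threading links while listing ids), sketched as an added example that is not either attached patch and not Thunderbird code. `Thread`, `AddChild`, `MakeCorruptThread` and this standalone `ListIdsInThreadOrder` are hypothetical stand-ins, and the listing uses an iterative walk with a seen-set rather than the level sanity check the patch extends.

```cpp
#include <cstdint>
#include <unordered_map>
#include <unordered_set>
#include <vector>

using MsgKey = std::uint32_t;
// Toy thread model (hypothetical names; not the mailnews database classes).
struct Thread {
    MsgKey root;
    std::unordered_map<MsgKey, std::vector<MsgKey>> children;  // parent -> replies
    std::unordered_set<MsgKey> members;                        // keys already threaded
    explicit Thread(MsgKey r) : root(r) { members.insert(r); }
    // Refuse a header whose parent is unknown or whose key is already threaded.
    bool AddChild(MsgKey parent, MsgKey key) {
        if (!members.count(parent) || !members.insert(key).second) return false;
        children[parent].push_back(key);
        return true;
    }
};

// Iterative pre-order listing; returns false if any key is reached twice.
bool ListIdsInThreadOrder(const Thread& t, std::vector<MsgKey>& out) {
    std::unordered_set<MsgKey> seen;
    std::vector<MsgKey> pending{t.root};
    bool consistent = true;
    while (!pending.empty()) {
        MsgKey key = pending.back(); pending.pop_back();
        if (!seen.insert(key).second) { consistent = false; continue; }
        out.push_back(key);
        auto it = t.children.find(key);
        if (it == t.children.end()) continue;
        for (auto r = it->second.rbegin(); r != it->second.rend(); ++r)
            pending.push_back(*r);  // reversed so replies list in stored order
    }
    return consistent;
}

// Constructed corrupt thread: 1 -> 2 -> 3 plus a bad link 3 -> 1 written directly.
Thread MakeCorruptThread() {
    Thread t(1);
    t.AddChild(1, 2); t.AddChild(2, 3);
    t.children[3].push_back(1);  // bypasses AddChild, as a damaged file would
    return t;
}

int main() {  // exit status 0 means the corruption was detected
    std::vector<MsgKey> ids;
    return ListIdsInThreadOrder(MakeCorruptThread(), ids) ? 1 : 0;
}
```

Because the walk keeps its pending work on the heap and visits each key at most once, a cyclic link ends the listing with a `false` result instead of recursing until the stack is exhausted.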
Attached patch: wip on unit test
Saving what I had so far for the unit test. I haven't been able to reproduce the exact structure of the thread that was causing the crash fixed in the view code, however.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attachment #485771 - Flags: approval-thunderbird3.1.7?
Attachment #485895 - Flags: approval-thunderbird3.1.7?
Flags: in-testsuite?
Duplicate of this bug: 573129
Attachment #485771 - Flags: approval-thunderbird3.1.7? → approval-thunderbird3.1.7+
Attachment #485895 - Flags: approval-thunderbird3.1.7? → approval-thunderbird3.1.7+
Duplicate of this bug: 272483
Crash Signature: [@ arena_malloc_small ]
Flags: in-testsuite?
Flags: in-testsuite-
Whiteboard: [gs] → [gs][has WIP test]