crash [@ nsMsgDBView::RemoveRows]

RESOLVED FIXED in Thunderbird 12.0


MailNews Core
7 years ago
5 years ago


(Reporter: Usul, Assigned: Bienvenu)


({crash, reproducible})

Thunderbird 12.0
crash, reproducible

Thunderbird Tracking Flags

(thunderbird11 fixed)


(Whiteboard: [STR comment 2][ccbr][rare], crash signature)


(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-3d0c18b7-7dac-4c37-b06f-c278e2110127 .
0 		@0xffff0f38 	
1 	XUL 	nsMsgDBView::RemoveRows 	
2 	XUL 	nsMsgDBView::CollapseByIndex 	nsMsgDBView.cpp:4800
3 	XUL 	nsMsgThreadedDBView::OnNewHeader 	nsMsgThreadedDBView.cpp:668
4 	XUL 	nsMsgQuickSearchDBView::AddHdr 	nsMsgQuickSearchDBView.cpp:174
5 	XUL 	nsMsgThreadedDBView::MoveThreadAt 	nsMsgThreadedDBView.cpp:814
6 	XUL 	nsMsgThreadedDBView::OnNewHeader 	nsMsgThreadedDBView.cpp:690
7 	XUL 	nsMsgQuickSearchDBView::AddHdr 	nsMsgQuickSearchDBView.cpp:174
8 	XUL 	nsMsgQuickSearchDBView::OnSearchHit 	nsMsgQuickSearchDBView.cpp:328
9 	XUL 	nsMsgSearchSession::AddSearchHit 	nsMsgSearchSession.cpp:601
10 	XUL 	nsMsgSearchOfflineMail::AddResultElement 	nsMsgLocalSearch.cpp:818
11 	XUL 	nsMsgSearchOfflineMail::Search 	nsMsgLocalSearch.cpp:770
12 	XUL 	nsMsgSearchSession::TimeSliceSerial 	nsMsgSearchSession.cpp:691
13 	XUL 	nsMsgSearchSession::TimerCallback 	nsMsgSearchSession.cpp:655
14 	XUL 	nsTimerImpl::Fire 	nsTimerImpl.cpp:425
15 	XUL 	nsTimerEvent::Run 	nsTimerImpl.cpp:517
16 	XUL 	nsThread::ProcessNextEvent 	nsThread.cpp:633
17 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:200
18 	XUL 	nsBaseAppShell::NativeEventCallback 	nsBaseAppShell.cpp:135
19 	XUL 	nsAppShell::ProcessGeckoEvents
20 	CoreFoundation 	CFRunLoopRunSpecific 	
21 	CoreFoundation 	CFRunLoopRunInMode 	
22 	HIToolbox 	RunCurrentEventLoopInMode 	
23 	HIToolbox 	ReceiveNextEventCommon 	
24 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
25 	AppKit 	_DPSNextEvent 	
26 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
27 	AppKit 	-[NSApplication run] 	
28 	XUL 	nsAppShell::Run
29 	XUL 	nsAppStartup::Run 	nsAppStartup.cpp:218
30 	XUL 	XRE_main 	nsAppRunner.cpp:3775
31 	thunderbird-bin 	main 	nsMailApp.cpp:101
32 	thunderbird-bin 	thunderbird-bin@0xc75

I was switching to the unread filtered view.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0b11pre) Gecko/20110126 Thunderbird/3.3a3pre
Component: General → Backend
Product: Thunderbird → MailNews Core
QA Contact: general → backend
likely dup of bug 572883.

and there is another signature of memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int) | nsMsgDBView::RemoveRows(unsigned int, int)
Crash Signature: [@ nsMsgDBView::RemoveRows]
I was able to reproduce this crash twice in row with the following strs :

1) have a folder with the following settings :
 i)  View -> sort by date, ascending , Threaded
 ii) View -> Messages -> all
 iii)View -> Threads -> Unread
2) hit bug 558303 and select that as he last visible thread in your view
3) click the unread button from the quick filter toolbar
4) crash
Whiteboard: [STR comment 2]
ludo, does this still reproduce for you?
Crash Signature: [@ nsMsgDBView::RemoveRows] → [@ nsMsgDBView::RemoveRows] [@ ]
Duplicate of this bug: 707618
Duplicate of this bug: 714610

Comment 6

6 years ago
Adding signatures from recent bp-a2fcade0-d26b-4b39-a211-6c1b72111205 and bp-61e2adb7-4ca7-4e66-91be-14be82120102 which the dupes were filed for.
Crash Signature: [@ nsMsgDBView::RemoveRows] [@ ] → [@ nsMsgDBView::RemoveRows] [@ ] [@ libsystem_c.dylib@0x27d91] [@ libsystem_c.dylib@0x27d4b]
> Duplicate of this bug: 707618
Not reproducible - what I did was the following :
1) filter my bugmail folder for 'crash'
2) choose unread emails only.

> Duplicate of this bug: 714610
I was able to crash TB twice in a row using these STRs.
1) Open bugmail folder
2) Settings are :
   i) View -> Sort by -> Date, Ascending, Threaded
   ii) View -> Message -> All
   iii)View -> Threads -> Unread
3) Enter a term in the filter bar
4) Select unread
5) Select all
6) press M
7) switch to firefox
8) come back to TB
9) press the x to clear the keyword by which you filter
Keywords: reproducible
is bp-328ad05e-760f-47da-8fee-cf2a02120102 the same crasher?  Seems to be version 8 only, so perhaps not, but too early in morning for me to compare the stacks
memmove | nsTArray_base<nsTArrayDefaultAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int) | nsMsgDBView::RemoveRows(unsigned int, int)
David I have a copy of the mbox and .msf for you to play with ? do you want them ?
Crash Signature: [@ nsMsgDBView::RemoveRows] [@ ] [@ libsystem_c.dylib@0x27d91] [@ libsystem_c.dylib@0x27d4b] → [@ nsMsgDBView::RemoveRows] [@ ] [@ libsystem_c.dylib@0x27d91] [@ libsystem_c.dylib@0x27d4b] [@ libsystem_c.dylib@0x27d80]

Comment 10

6 years ago
Created attachment 585459 [details] [diff] [review]
bullet proof removing of rows

this should fix the crash, but there's something unhealthy going on with those STR's that indicates an underlying issue that I haven't had time to diagnose. I can try to generate a try server build with this patch for you, Ludo.
Assignee: nobody → dbienvenu

Comment 11

6 years ago
try server builds, if successful, here -
(In reply to David :Bienvenu from comment #11)
> try server builds, if successful, here -

This fixed my crashes !!! Thanks David.

Comment 13

6 years ago
Is this Mac OS X only?

Comment 14

6 years ago
no, there's no reason for it to be platform dependent.
OS: Mac OS X → All
Hardware: x86 → All


6 years ago
Attachment #585459 - Flags: review?(mbanner)
Whiteboard: [STR comment 2] → [STR comment 2][ccbr]
Attachment #585459 - Flags: review?(mbanner) → review+
so, signature to check for after this lands in a release build

v8 memmove | nsTArray_base<nsTArrayDefaultAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int) | nsMsgDBView::RemoveRows(unsigned int, int)
v7 memmove | nsTArray_base<nsTArrayInfallibleAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int) | nsMsgDBView::RemoveRows(unsigned int, int)

in contrast to this bug, last bugs to be fixed in this area, almost 2 years ago) were topcrash
Bug 534858 - Crash on repeated collapse/expand of threads with subthreads killed by filter
Bug 524064 - crash [@memmove | nsTArray_base::ShiftData ...
Whiteboard: [STR comment 2][ccbr] → [STR comment 2][ccbr][rare]
Comment on attachment 585459 [details] [diff] [review]
bullet proof removing of rows

I would very love to have this on aurora so I could switch back to using Aurora
Attachment #585459 - Flags: approval-comm-aurora?

Comment 17

6 years ago
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 12.0
Attachment #585459 - Flags: approval-comm-aurora? → approval-comm-aurora+
Checked in:
status-thunderbird11: --- → fixed
Blocks: 568883
Duplicate of this bug: 568883
You need to log in before you can comment on or make changes to this bug.