Closed Bug 707078 Opened 13 years ago Closed 12 years ago

js crash when receiving a message (JSCompartment, js::gc::ScanShape)

Categories

(MailNews Core :: Filters, defect)

Product:
MailNews Core
Component:
Filters
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
Thunderbird 17.0

People

(Reporter: verymuch.happyman, Assigned: hiro)

References

Details

(Keywords: crash, testcase, topcrash)

Crash Data

Attachments

(4 files)

crash_info.zip
41.75 KB, application/octet-stream
Details
Test message
2.54 KB, application/octet-stream
Details
Fix
1.05 KB, patch
standard8
: review+
Details | Diff | Splinter Review
Test
148.98 KB, patch
mconley
: review+
Details | Diff | Splinter Review
Attached file crash_info.zip 
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

do nothing


Actual results:

Crash Thunderbird application when receiving a specific message to which the filter is configured. Message, filter and crash info included to file.
Severity: normal → critical
Keywords: crash
Without message filter all right.
Attachment #578504 - Attachment mime type: text/plain → application/octet-stream
Please post also your crash ID.
Instructions for Thunderbird at https://support.mozillamessaging.com/en-US/kb/Mozilla-Crash-Reporter#w_viewing-crash-reports
Ah, sorry, is db29fda7-22c6-41e4-bf02-6b624c0086be the crash ID? Could you click on it to submit it?
Does it crash everytime you run the filter on that message, even with manual run?
I had to change the filter name as it came up empty when loaded in TB. Also I do not have imap, so I set the action to Move to some POP3 folder. Also I tested it on TB11, Win XP. It didn't crash on manual run for me.
Component: General → Filters
Keywords: stackwanted
Product: Thunderbird → MailNews Core
QA Contact: general → filters
Attached file Test message 

    
    

    
  
Test message (attached) from folder Inbox/Notify mark unread, drug and drop it to INBOX, click to folder Inbox/Notify and exception:
https://crash-stats.mozilla.com/report/index/bp-9816d424-67da-4a09-b9ff-a15902111204
Manual run filter not working.

While receiving these messages, also such exceptions arose:
https://crash-stats.mozilla.com/report/index/bp-c628ecb9-7edc-4751-8f6c-d880a2111204
https://crash-stats.mozilla.com/report/index/bp-279cbcb4-2327-4e8d-b455-b12072111204
https://crash-stats.mozilla.com/report/index/bp-84b61339-419f-4b1d-86b7-ba5b72111204

    
    

    
  
(In reply to verymuch.happyman from comment #6)
> Test message

Last part of message header([CRLF]=0x0D0A)
> To: LyukshinRA@krw.rzd,[CRLF]
>     biakus@krw.rzd,[CRLF]
>     [CRLF]
> [CRLF]
Malformed To: header. (1) Ends with ",    ", (2) Incorrect space only line in message header.
Other characteristics. (3) The incorrect space only line is folded line of a message header and is last folded line of the header, (4) The space-only/last-folded line is placed at end of message headers(just before separator of headers and mail payload).

(2)/(3)/(4) is very similar to mail which produces bug 701194.
> Subject: =?iso-8859-1?B?UmVjaG51bmcgQW535Gx0aW4=?=[CRLF]
> [HTAB][CRLF]
> [CRLF]
([CRLF]=0x0D0A, [HTAB]=0x09)
According to bug 706813 comment #4, it's not a buffer write overflow, but most likely simply reading uninitialized memory. So phenomenon depends on uninitialized memory and crash may happen.

Setting dependency to bug 701194 for ease of tracking.
Depends on: 701194

    
  
Crash Signature: [@ js::gc::ScanShape ]

    
    

    
  
gc::ScanShape is #40 crash for version 10

assuming these from comment 7 are related:
[@ JSCompartment::sweep(JSContext*, unsigned int)]
[@ JSCompartment::purge(JSContext*)]

but less sure about 
XPCNativeInterface::GetIID()
Status: UNCONFIRMED → NEW
Crash Signature: [@ js::gc::ScanShape ] → [@ js::gc::ScanShape ]
[@ JSCompartment::sweep(JSContext*, unsigned int)]
[@ JSCompartment::purge(JSContext*)]
Ever confirmed: true
Keywords: stackwantedtopcrash

    
  
Summary: Crash when receiving a message → js crash when receiving a message (JSCompartment, js::gc::ScanShape)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        FixSplinter Review
      

    


  
The buffer of nsByteArray is not initialized with 0, so null checking it not useful there.

        Attachment #644066 -
        Flags: review?(mbanner)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        TestSplinter Review
      

    


  
This test includes the message in comment 6 and bug 701194 comment 0.
Assignee: nobody → hiikezoe
Status: NEW → ASSIGNED

        Attachment #644202 -
        Flags: review?(mconley)

    
  
OS: Windows XP → All
Hardware: x86 → All

        Attachment #644066 -
        Flags: review?(mbanner) → review+

    
    

    
  
Comment on attachment 644202 [details] [diff] [review]
Test

Review of attachment 644202 [details] [diff] [review]:
-----------------------------------------------------------------

By inspection, this looks good to me. Thanks!

        Attachment #644202 -
        Flags: review?(mconley) → review+

    
  
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/comm-central/rev/1c833d465ab7
https://hg.mozilla.org/comm-central/rev/cc9bb408f84e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 17.0

    
    

    
  
I am trying to determine what issues still exist associated with this signature and whether the original testcase is solved in the field - because there are still many crashes in version 17 [1].  I suspect most or all are caused by other factors not related to this bug  Is there a relevant part of the stack for this bug that we can put in a bug comment to use for comparison to crashes in version 17?

verymuch, is your problem solved in version 17?

[1] https://crash-stats.mozilla.com/query/query?product=Thunderbird&version=ALL%3AALL&date=&range_value=4&range_unit=weeks&query_search=signature&query_type=exact&build_id=&process_type=all&do_query=1&query=js%3A%3Agc%3A%3AScanShape
Keywords: testcase

    
    

    
  
verymuch indicates no longer crashing.
And nothing on crash-stats for current versions
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: