Bug 707078 - js crash when receiving a message (JSCompartment, js::gc::ScanShape)
Keywords: crash, testcase, topcrash
Product: MailNews Core
Classification: Components
Component: Filters
Version: 8
Platform: All All
Importance: -- critical
Target Milestone: Thunderbird 17.0
Assigned To: Hiroyuki Ikezoe (:hiro)
Duplicates: 701194
Depends on: 701194
Reported: 2011-12-01 23:04 PST by verymuch.happyman
Modified: 2014-03-12 19:17 PDT
Flags: ryanvm: in-testsuite+

Attachments
Attachment 578504 (41.75 KB, application/octet-stream), 2011-12-01 23:04 PST, verymuch.happyman, no flags
Test message, attachment 578971 (2.54 KB, application/octet-stream), 2011-12-04 19:08 PST, verymuch.happyman, no flags
Fix, attachment 644066 (1.05 KB, patch), 2012-07-19 16:37 PDT, Hiroyuki Ikezoe (:hiro), standard8: review+
Test, attachment 644202 (148.98 KB, patch), 2012-07-20 00:13 PDT, Hiroyuki Ikezoe (:hiro), mconley: review+

Description  verymuch.happyman  2011-12-01 23:04:50 PST
Created attachment 578504

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

do nothing

Actual results:

Thunderbird crashes when receiving a specific message for which the filter is configured. Message, filter and crash info are included in the attached file.
Comment 1  verymuch.happyman  2011-12-01 23:07:50 PST
Without the message filter it is all right.
Comment 2  :aceman  2011-12-02 03:40:50 PST
Please post also your crash ID.
Instructions for Thunderbird at
Comment 3  :aceman  2011-12-02 03:43:11 PST
Ah, sorry, is db29fda7-22c6-41e4-bf02-6b624c0086be the crash ID? Could you click on it to submit it?
Comment 4  :aceman  2011-12-02 03:48:26 PST
Does it crash every time you run the filter on that message, even with a manual run?
Comment 5  :aceman  2011-12-02 03:50:37 PST
I had to change the filter name as it came up empty when loaded in TB. Also I do not have imap, so I set the action to Move to some POP3 folder. Also I tested it on TB11, Win XP. It didn't crash on manual run for me.
Comment 6  verymuch.happyman  2011-12-04 19:08:26 PST
Created attachment 578971
Test message
Comment 7  verymuch.happyman  2011-12-04 19:20:09 PST
Test message (attached) from folder Inbox/Notify: mark it unread, drag and drop it to INBOX, click on folder Inbox/Notify, and exception:
Manual filter run not working.

While receiving these messages, such exceptions also arose:
Comment 8  WADA:World Anti-bad-Duping Agency  2011-12-04 20:22:17 PST
(In reply to verymuch.happyman from comment #6)
> Test message

Last part of message header([CRLF]=0x0D0A)
> To: LyukshinRA@krw.rzd,[CRLF]
>     biakus@krw.rzd,[CRLF]
>     [CRLF]
> [CRLF]
Malformed To: header. (1) Ends with ",    " (comma followed by spaces), (2) incorrect space-only line in message header.
Other characteristics: (3) the incorrect space-only line is a folded line of a message header and is the last folded line of that header; (4) the space-only last folded line is placed at the end of the message headers (just before the separator between headers and mail payload).

(2)/(3)/(4) are very similar to the mail that produces bug 701194.
> Subject: =?iso-8859-1?B?UmVjaG51bmcgQW535Gx0aW4=?=[CRLF]
> [CRLF]
([CRLF]=0x0D0A, [HTAB]=0x09)
According to bug 706813 comment #4, it's not a buffer write overflow, but most likely simply reading uninitialized memory. So the phenomenon depends on uninitialized memory and a crash may happen.

Setting dependency to bug 701194 for ease of tracking.
Comment 9  Wayne Mery (:wsmwk, NI for questions)  2012-03-06 17:55:50 PST
gc::ScanShape is the #40 crash for version 10

assuming these from comment 7 are related:
[@ JSCompartment::sweep(JSContext*, unsigned int)]
[@ JSCompartment::purge(JSContext*)]

but less sure about 
Comment 10  Hiroyuki Ikezoe (:hiro)  2012-07-19 16:37:18 PDT
Created attachment 644066
Fix

The buffer of nsByteArray is not initialized with 0, so null-checking it is not useful there.
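Comment 8 describes the malformed input (a whitespace-only folded line as the last line of the header block) and comment 10 the root cause (a buffer that is not zero-filled, so a check for a terminating NUL reads whatever happens to be there). The following added example is not Thunderbird's code and not the patch in attachment 644066; it shows header unfolding driven by an explicit length instead of a terminator: it walks the header lines, joins folded continuation lines, ignores whitespace-only folds, and stops at the blank separator line or at the end of the buffer, never reading past `len`. The message bytes are constructed here to mirror the To: header quoted in comment 8, the 0xFF padding around them stands in for uninitialized memory, and `unfold_header`, `line_at`, `append_trimmed`, `demo_to_header` and `kMsg` are names chosen for this example, not identifiers from the Thunderbird sources.

```c
/* Added example, not Thunderbird code: length-bounded header unfolding.
 * Every read is checked against the caller-supplied length; nothing here
 * relies on a NUL terminator or on any byte past the end of the buffer. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* RFC 5322 folding whitespace: SP or HTAB. */
static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/* Line starting at buf[pos]: *n gets its length without the CRLF/LF;
 * the return value is the offset of the next line (len if this was the last). */
static size_t line_at(const char *buf, size_t len, size_t pos, size_t *n)
{
    size_t i = pos;
    while (i < len && buf[i] != '\n') i++;
    *n = i - pos;
    if (*n > 0 && buf[i - 1] == '\r') (*n)--;
    return i < len ? i + 1 : len;
}

/* Append line[s..e), trimmed of folding whitespace, to out; a span that is
 * whitespace only (the trailing fold from comment 8) appends nothing. */
static void append_trimmed(const char *line, size_t s, size_t e,
                           char *out, size_t outsz, size_t *o)
{
    while (s < e && is_wsp(line[s])) s++;
    while (e > s && is_wsp(line[e - 1])) e--;
    if (s == e) return;
    if (*o > 0 && *o < outsz - 1) out[(*o)++] = ' ';   /* one space per fold */
    while (s < e && *o < outsz - 1) out[(*o)++] = line[s++];
}

/* Copy the unfolded value of header `name` (no colon, case-insensitive) from
 * the message in buf[0..len) into out, NUL-terminated, at most outsz-1 bytes.
 * Stops at the blank line ending the headers, at the next field, or at len.
 * Returns the value length, or -1 if the field is absent or outsz == 0. */
int unfold_header(const char *buf, size_t len, const char *name,
                  char *out, size_t outsz)
{
    if (outsz == 0) return -1;
    size_t nlen = strlen(name), pos = 0, o = 0;
    int found = 0;

    while (pos < len) {
        size_t n, next = line_at(buf, len, pos, &n);
        const char *line = buf + pos;
        if (n == 0) break;                          /* blank line: end of headers */
        if (found) {
            if (!is_wsp(line[0])) break;            /* next field: done */
            append_trimmed(line, 0, n, out, outsz, &o);
        } else if (n > nlen && line[nlen] == ':' &&
                   strncasecmp(line, name, nlen) == 0) {
            found = 1;
            append_trimmed(line, nlen + 1, n, out, outsz, &o);
        }
        pos = next;
    }
    out[o] = '\0';
    return found ? (int)o : -1;
}

/* Constructed message mirroring the bytes quoted in comment 8: the To: field
 * ends with a comma, then a whitespace-only folded line, then the blank line
 * that ends the header block. */
static const char kMsg[] =
    "To: LyukshinRA@krw.rzd,\r\n"
    "    biakus@krw.rzd,\r\n"
    "    \r\n"
    "\r\n"
    "body\r\n";

/* Parse kMsg out of a heap buffer that is deliberately not NUL-terminated and
 * whose tail is filled with 0xFF, standing in for the non-zeroed buffer of
 * comment 10. Returns unfold_header's result for the To: field. */
int demo_to_header(char *out, size_t outsz)
{
    size_t mlen = sizeof kMsg - 1;
    char *raw = malloc(mlen + 64);
    if (!raw) return -1;
    memset(raw, 0xFF, mlen + 64);          /* no NUL anywhere after the data */
    memcpy(raw, kMsg, mlen);
    int r = unfold_header(raw, mlen, "To", out, outsz);
    free(raw);
    return r;
}

int main(void)
{
    char to[256];
    int r = demo_to_header(to, sizeof to);
    printf("To (%d bytes): \"%s\"\n", r, to);
    return r < 0;
}
```

The demo yields the 35-byte value `LyukshinRA@krw.rzd, biakus@krw.rzd,`: the trailing comma survives because unfolding is not address parsing, and the space-only fold contributes nothing. The same loop also copes with a header block that ends in the middle of a fold with no separator at all, since the end condition is `pos < len` rather than a terminator, which is the alternative to the NUL check that comment 10 says is not useful on a buffer that was never zeroed.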
Comment 11  Hiroyuki Ikezoe (:hiro)  2012-07-20 00:13:10 PDT
Created attachment 644202
Test
This test includes the message in comment 6 and bug 701194 comment 0.
Comment 12  Mike Conley (:mconley)  2012-08-03 12:10:31 PDT
Comment on attachment 644202 (Test)

Review of attachment 644202:

By inspection, this looks good to me. Thanks!
Comment 14  Hiroyuki Ikezoe (:hiro)  2012-08-22 03:00:56 PDT
*** Bug 701194 has been marked as a duplicate of this bug. ***
Comment 15  Wayne Mery (:wsmwk, NI for questions)  2013-03-02 22:10:12 PST
I am trying to determine what issues still exist associated with this signature and whether the original testcase is solved in the field, because there are still many crashes in version 17 [1]. I suspect most or all are caused by other factors not related to this bug. Is there a relevant part of the stack for this bug that we can put in a bug comment to use for comparison to crashes in version 17?

verymuch, is your problem solved in version 17?

Comment 16  Wayne Mery (:wsmwk, NI for questions)  2014-03-12 19:17:04 PDT
verymuch indicates it is no longer crashing.
And nothing on crash-stats for current versions.
