Bug 707078 - js crash when receiving a message (JSCompartment, js::gc::ScanShape)
Status: VERIFIED FIXED
Keywords: crash, testcase, topcrash
Product: MailNews Core
Classification: Components
Component: Filters
Version: 8
Platform: All All
Priority/Severity: -- critical
Target Milestone: Thunderbird 17.0
Assigned To: Hiroyuki Ikezoe (:hiro)
Duplicates: 701194
Depends on: 701194
Reported: 2011-12-01 23:04 PST by verymuch.happyman
Modified: 2014-03-12 19:17 PDT
Flags: ryanvm: in-testsuite+


Attachments
crash_info.zip (41.75 KB, application/octet-stream) - 2011-12-01 23:04 PST, verymuch.happyman
Test message (2.54 KB, application/octet-stream) - 2011-12-04 19:08 PST, verymuch.happyman
Fix (1.05 KB, patch) - 2012-07-19 16:37 PDT, Hiroyuki Ikezoe (:hiro) - standard8: review+
Test (148.98 KB, patch) - 2012-07-20 00:13 PDT, Hiroyuki Ikezoe (:hiro) - mconley: review+

Description verymuch.happyman 2011-12-01 23:04:50 PST
Created attachment 578504 [details]
crash_info.zip

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

do nothing


Actual results:

Thunderbird crashes when receiving a specific message for which the filter is configured. Message, filter and crash info are included in the attached file.
Comment 1 verymuch.happyman 2011-12-01 23:07:50 PST
Without the message filter, everything is all right.
Comment 2 :aceman 2011-12-02 03:40:50 PST
Please post also your crash ID.
Instructions for Thunderbird at https://support.mozillamessaging.com/en-US/kb/Mozilla-Crash-Reporter#w_viewing-crash-reports
Comment 3 :aceman 2011-12-02 03:43:11 PST
Ah, sorry, is db29fda7-22c6-41e4-bf02-6b624c0086be the crash ID? Could you click on it to submit it?
Comment 4 :aceman 2011-12-02 03:48:26 PST
Does it crash every time you run the filter on that message, even with a manual run?
Comment 5 :aceman 2011-12-02 03:50:37 PST
I had to change the filter name as it came up empty when loaded in TB. Also I do not have imap, so I set the action to Move to some POP3 folder. Also I tested it on TB11, Win XP. It didn't crash on manual run for me.
Comment 6 verymuch.happyman 2011-12-04 19:08:26 PST
Created attachment 578971 [details]
Test message
Comment 7 verymuch.happyman 2011-12-04 19:20:09 PST
Test message (attached) from folder Inbox/Notify: mark unread, drag and drop it to INBOX, click to folder Inbox/Notify and exception:
https://crash-stats.mozilla.com/report/index/bp-9816d424-67da-4a09-b9ff-a15902111204
Manual run filter not working.

While receiving these messages, also such exceptions arose:
https://crash-stats.mozilla.com/report/index/bp-c628ecb9-7edc-4751-8f6c-d880a2111204
https://crash-stats.mozilla.com/report/index/bp-279cbcb4-2327-4e8d-b455-b12072111204
https://crash-stats.mozilla.com/report/index/bp-84b61339-419f-4b1d-86b7-ba5b72111204
Comment 8 WADA 2011-12-04 20:22:17 PST
(In reply to verymuch.happyman from comment #6)
> Test message

Last part of message header([CRLF]=0x0D0A)
> To: LyukshinRA@krw.rzd,[CRLF]
>     biakus@krw.rzd,[CRLF]
>     [CRLF]
> [CRLF]
Malformed To: header. (1) Ends with ",    ", (2) Incorrect space only line in message header.
Other characteristics. (3) The incorrect space only line is folded line of a message header and is last folded line of the header, (4) The space-only/last-folded line is placed at end of message headers(just before separator of headers and mail payload).

(2)/(3)/(4) are very similar to the mail which produces bug 701194.
> Subject: =?iso-8859-1?B?UmVjaG51bmcgQW535Gx0aW4=?=[CRLF]
> [HTAB][CRLF]
> [CRLF]
([CRLF]=0x0D0A, [HTAB]=0x09)
According to bug 706813 comment #4, it's not a buffer write overflow, but most likely simply reading uninitialized memory. So the phenomenon depends on uninitialized memory and a crash may happen.

Setting dependency to bug 701194 for ease of tracking.
Comment 9 Wayne Mery (:wsmwk, NI for questions) 2012-03-06 17:55:50 PST
gc::ScanShape is #40 crash for version 10

assuming these from comment 7 are related:
[@ JSCompartment::sweep(JSContext*, unsigned int)]
[@ JSCompartment::purge(JSContext*)]

but less sure about 
XPCNativeInterface::GetIID()
Comment 10 Hiroyuki Ikezoe (:hiro) 2012-07-19 16:37:18 PDT
Created attachment 644066 [details] [diff] [review]
Fix

The buffer of nsByteArray is not initialized with 0, so null checking is not useful there.
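As an added illustration (not code from the bug's patch or from Thunderbird), a length-bounded scan of folded header fields that flags the whitespace-only continuation line WADA describes in comment 8 and, per comment 10, never relies on a terminating NUL being present in the buffer. The two sample messages are constructed, not the attached test message.

```c
#include <stddef.h>

/* Constructed samples. kMalformed mirrors the tail described in comment 8: a
 * whitespace-only folded line directly before the blank header/body separator. */
static const char kMalformed[] =
    "To: a@example.invalid,\r\n"
    "    b@example.invalid,\r\n"
    "    \r\n"
    "\r\n"
    "body\r\n";
static const char kClean[] =
    "To: a@example.invalid,\r\n"
    "    b@example.invalid\r\n"
    "\r\n"
    "body\r\n";

static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/* Walk one header field plus its folded continuation lines. Every access is
 * bounded by len: no terminating NUL is assumed, because a buffer that is not
 * zero-initialised may not contain one. Returns the offset of the next field
 * (len if the field runs off the end) and flags whitespace-only folds. */
static size_t scan_field(const char *buf, size_t len, size_t pos, int *wsp_fold)
{
    while (pos < len) {
        size_t eol = pos;
        while (eol < len && buf[eol] != '\n') eol++;
        if (eol >= len) return len;                    /* no line end: truncated */
        size_t next = eol + 1;
        if (next >= len || !is_wsp(buf[next])) return next;   /* not a fold */
        size_t p = next;
        while (p < len && is_wsp(buf[p])) p++;
        if (p < len && (buf[p] == '\r' || buf[p] == '\n')) *wsp_fold = 1;
        pos = next;
    }
    return len;
}

/* Returns 1 if some field ends in a whitespace-only folded line, 0 if the
 * headers are clean, -1 if the blank separator never appears within len. */
int check_headers(const char *buf, size_t len)
{
    int wsp_fold = 0;
    size_t pos = 0;
    while (pos < len) {
        if (buf[pos] == '\r' || buf[pos] == '\n') return wsp_fold;  /* separator */
        pos = scan_field(buf, len, pos, &wsp_fold);
    }
    return -1;
}
```

Passing a shortened length (a truncated buffer) yields -1 instead of a read past the end, which is the failure mode the null check in the original code could not prevent.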
Comment 11 Hiroyuki Ikezoe (:hiro) 2012-07-20 00:13:10 PDT
Created attachment 644202 [details] [diff] [review]
Test

This test includes the message in comment 6 and bug 701194 comment 0.
Comment 12 Mike Conley (:mconley) - (needinfo me!) 2012-08-03 12:10:31 PDT
Comment on attachment 644202 [details] [diff] [review]
Test

Review of attachment 644202 [details] [diff] [review]:
-----------------------------------------------------------------

By inspection, this looks good to me. Thanks!
Comment 14 Hiroyuki Ikezoe (:hiro) 2012-08-22 03:00:56 PDT
*** Bug 701194 has been marked as a duplicate of this bug. ***
Comment 15 Wayne Mery (:wsmwk, NI for questions) 2013-03-02 22:10:12 PST
I am trying to determine what issues still exist associated with this signature and whether the original testcase is solved in the field - because there are still many crashes in version 17 [1]. I suspect most or all are caused by other factors not related to this bug. Is there a relevant part of the stack for this bug that we can put in a bug comment to use for comparison to crashes in version 17?

verymuch, is your problem solved in version 17?

[1] https://crash-stats.mozilla.com/query/query?product=Thunderbird&version=ALL%3AALL&date=&range_value=4&range_unit=weeks&query_search=signature&query_type=exact&build_id=&process_type=all&do_query=1&query=js%3A%3Agc%3A%3AScanShape
Comment 16 Wayne Mery (:wsmwk, NI for questions) 2014-03-12 19:17:04 PDT
verymuch indicates no longer crashing.
And nothing on crash-stats for current versions.
