Startup crash - PR_Free in ProcessBodyAsAttachment

RESOLVED FIXED in Thunderbird 17.0


MailNews Core
5 years ago


(Reporter: mconley, Assigned: hiro)


({crash, regression})


Thunderbird Tracking Flags

(thunderbird15+ fixed, thunderbird16 fixed)


([startupcrash], crash signature)


(1 attachment)

On my latest build of comm-central, after startup, I have about 5 seconds before I crash, with the following backtrace:

#0  0xb78a9424 in __kernel_vsyscall ()
#1  0xb767a8b6 in nanosleep () from /lib/i386-linux-gnu/
#2  0xb767a6af in sleep () from /lib/i386-linux-gnu/
#3  0xb387239f in ah_crap_handler (signum=6) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsSigHandlers.cpp:121
#4  0xb3877f4e in nsProfileLock::FatalSignalHandler (signo=6, info=0xbfd6363c, context=0xbfd636bc) at /media/Projects/mozilla/objdir-thunderbird-patches/mozilla/toolkit/profile/nsProfileLock.cpp:227
#5  <signal handler called>
#6  0xb78a9424 in __kernel_vsyscall ()
#7  0xb75f61ef in raise () from /lib/i386-linux-gnu/
#8  0xb75f9835 in abort () from /lib/i386-linux-gnu/
#9  0x080579fc in arena_run_reg_dalloc (run=0xa4113000, bin=0xb74995ec, ptr=0xa4116ef4, size=272) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:3288
#10 0x0805c2bd in arena_dalloc_small (arena=0xb7499040, chunk=0xa4100000, ptr=0xa4116ef4, mapelm=0xa4100118) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:4486
#11 0x0805cb5d in arena_dalloc (ptr=0xa4116ef4, offset=93940) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:4614
#12 0x0805ffc5 in free (ptr=0xa4116ef4) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:6541
#13 0xb72d4505 in PR_Free () from /usr/lib/i386-linux-gnu/
#14 0xb5199368 in ProcessBodyAsAttachment (obj=0xac1a5f00, data=0xbfd63e94) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:213
#15 0xb519aaa6 in MimeGetAttachmentList (tobj=0xa80a1c90, aMessageURL=0x98ffed30 "imap://", 
    data=0xbfd63e94) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:611
#16 0xb519bd55 in mime_display_stream_complete (stream=0xa6f5c960) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:1027
#17 0xb51a80e7 in nsStreamConverter::OnStopRequest (this=0xa48f9e20, request=0x991a2d60, ctxt=0xac005144, status=0) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/nsStreamConverter.cpp:1090
#18 0xb507a4a7 in nsImapCacheStreamListener::OnStopRequest (this=0xa6f5c7e0, request=0xae3deac0, aCtxt=0xac005144, aStatus=0) at /media/Projects/mozilla/thunderbird/mailnews/imap/src/nsImapProtocol.cpp:8627
#19 0xb38b7c54 in nsInputStreamPump::OnStateStop (this=0xae3deac0) at /media/Projects/mozilla/thunderbird/mozilla/netwerk/base/src/nsInputStreamPump.cpp:583
#20 0xb38b748f in nsInputStreamPump::OnInputStreamReady (this=0xae3deac0, stream=0xa6bd595c) at /media/Projects/mozilla/thunderbird/mozilla/netwerk/base/src/nsInputStreamPump.cpp:405
#21 0xb541d562 in nsInputStreamReadyEvent::Run (this=0xa6f5c9a0) at /media/Projects/mozilla/thunderbird/mozilla/xpcom/io/nsStreamUtils.cpp:114
#22 0xb543e4f1 in nsThread::ProcessNextEvent (this=0xb734ef20, mayWait=false, result=0xbfd640df) at /media/Projects/mozilla/thunderbird/mozilla/xpcom/threads/nsThread.cpp:656
#23 0xb53d6b72 in NS_ProcessNextEvent_P (thread=0xb734ef20, mayWait=false) at /media/Projects/mozilla/objdir-thunderbird-patches/mozilla/xpcom/build/nsThreadUtils.cpp:245
#24 0xb5280d70 in mozilla::ipc::MessagePump::Run (this=0xb19193d0, aDelegate=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/glue/MessagePump.cpp:110
#25 0xb548ac78 in MessageLoop::RunInternal (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/
#26 0xb548ac03 in MessageLoop::RunHandler (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/
#27 0xb548abe5 in MessageLoop::Run (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/
#28 0xb4c9ce69 in nsBaseAppShell::Run (this=0xb0552240) at /media/Projects/mozilla/thunderbird/mozilla/widget/xpwidgets/nsBaseAppShell.cpp:189
#29 0xb49e31c2 in nsAppStartup::Run (this=0xb057f8b0) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/components/startup/nsAppStartup.cpp:295
#30 0xb3864a4c in XREMain::XRE_mainRun (this=0xbfd64470) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3772
#31 0xb3864d31 in XREMain::XRE_main (this=0xbfd64470, argc=1, argv=0xbfd65754, aAppData=0xb7315900) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3849
#32 0xb3864f50 in XRE_main (argc=1, argv=0xbfd65754, aAppData=0xb7315900) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3925
#33 0x08049714 in do_main (exePath=0xbfd646ac "/media/Projects/mozilla/objdir-thunderbird-patches/mozilla/dist/bin/", argc=1, argv=0xbfd65754) at /media/Projects/mozilla/thunderbird/mail/app/nsMailApp.cpp:144
#34 0x0804995b in main (argc=1, argv=0xbfd65754) at /media/Projects/mozilla/thunderbird/mail/app/nsMailApp.cpp:233
Summary: Startup crash → Startup crash - PR_Free in ProcessBodyAsAttachment

Comment 1

5 years ago
We're trying to stream an IMAP message, perhaps for gloda or the junk filter. So your crash is probably specific to a particular message in your inbox or other IMAP folder. You could start up offline, and try clicking on messages until you crash, since I suspect you would crash trying to display the message.
Keywords: crash

Comment 2

5 years ago
I tried this on the Mac on a self-built trunk build. No crash. I also tried explicitly enabling jemalloc, in case it's not on by default on the Mac, no luck. And this doesn't crash on Windows.
This problem mysteriously vanished for me.
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
And now it's back.  :/
Resolution: WORKSFORME → ---
Argh, and with a rebuild this morning, it's gone again.

Still hasn't resurfaced yet. I'll close this until it does.
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
mconley, does bp-45595d1f-28f0-4233-a7cd-6cca42120803 / e7160b81-8be5-47aa-89bb-383d32120803 excite you at all?  They have the same reporter email address.

#10 crash for TB15

Crashes are TB15, 16, 17. So assuming regression
|%20arena_dalloc_small%20|%20arena_dalloc%20|%20je_free%20|%20ProcessBodyAsAttachment%28MimeObject*%2C%20nsMsgAttachmentData**%29
tracking-thunderbird15: --- → ?
Keywords: regression
Resolution: WORKSFORME → ---
Component: General → MIME
Product: Thunderbird → MailNews Core
TB15 bp-81e21c6a-dc0e-4a63-b924-835542120730 :)
TB16 bp-ab19419d-555c-42c4-b48c-44e052120810
Crash Signature: [@ arena_dalloc | PR_Free | ProcessBodyAsAttachment]
Whiteboard: [startupcrash]
Crash Signature: [@ arena_dalloc | PR_Free | ProcessBodyAsAttachment] → [@ arena_dalloc | PR_Free | ProcessBodyAsAttachment] [@ arena_run_reg_dalloc | arena_dalloc_small | arena_dalloc | je_free | ProcessBodyAsAttachment(MimeObject*, nsMsgAttachmentData**) ]
OS: Linux → All

Comment 9

5 years ago
Created attachment 653590
possible fix

delete should be used for the memory allocated with 'new'.
Attachment #653590 - Flags: review?(mbanner)
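
The mismatch described in comment 9, as an added C++ illustration (not the attached patch and not Thunderbird code; `Attachment`, `demo` and the globals are hypothetical names). For an array of objects with destructors, common C++ ABIs store an element count ahead of the array, so `new[]` returns a pointer inside the heap block, and only `delete[]` both runs the destructors and hands the allocator the address it originally returned.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <string>
// Hypothetical names throughout; this is not Thunderbird code.
static void* g_from_allocator = nullptr;  // pointer malloc() returned
static void* g_to_allocator = nullptr;    // pointer free() was given
static int g_destructors_run = 0;

struct Attachment {
    std::string name;  // member with a destructor, so ~Attachment is non-trivial
    ~Attachment() { ++g_destructors_run; }
    // Class-specific array allocation so the raw heap pointer can be observed.
    static void* operator new[](std::size_t bytes) {
        g_from_allocator = std::malloc(bytes);
        if (!g_from_allocator) std::abort();
        return g_from_allocator;
    }
    static void operator delete[](void* p) noexcept {
        g_to_allocator = p;
        std::free(p);
    }
};

struct Result {
    std::ptrdiff_t interior_offset;  // new[] result minus allocator's pointer
    bool same_pointer_freed;         // delete[] returned the original address
    int destructors_run;
};

Result demo(std::size_t n) {
    g_destructors_run = 0;
    Attachment* list = new Attachment[n];
    Result r{};
    r.interior_offset =
        reinterpret_cast<char*>(list) - static_cast<char*>(g_from_allocator);
    // The mismatched release, free(list) or PR_Free(list), would pass `list`
    // itself: no destructor runs, and when interior_offset is non-zero
    // (ABI-dependent) the allocator receives an address it never handed out.
    delete[] list;  // matched release: runs n destructors, undoes the offset
    r.same_pointer_freed = (g_to_allocator == g_from_allocator);
    r.destructors_run = g_destructors_run;
    return r;
}

int main() {
    Result r = demo(2);
    std::printf("offset=%td same=%d dtors=%d\n", r.interior_offset,
                r.same_pointer_freed, r.destructors_run);
}
```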
Comment on attachment 653590
possible fix

r=me by inspection.
Attachment #653590 - Flags: review?(mbanner) → review+
Keywords: checkin-needed
Interestingly introduced by bug 679476, but didn't seem to show up until the 15 cycle.
Assignee: nobody → hiikezoe
Blocks: 679476
tracking-thunderbird15: ? → +
Comment on attachment 653590
possible fix

[Triage Comment]
I want to take this given it's a regression, and a simple fix.
Attachment #653590 - Flags: approval-comm-beta+
Attachment #653590 - Flags: approval-comm-aurora+
Checked in:
status-thunderbird15: --- → fixed
status-thunderbird16: --- → fixed
Target Milestone: --- → Thunderbird 17.0
And bustage fixes for the branches as the nsnull -> nullptr transition hasn't taken place there yet:
Last Resolved: 5 years ago
Resolution: --- → FIXED
Keywords: checkin-needed