744077 - Startup crash - PR_Free in ProcessBodyAsAttachment

Status: RESOLVED FIXED

(MailNews Core :: MIME, defect)

Description

[Mike Conley (:mconley) (:⚙️)]

On my latest build of comm-central, after startup, I have about 5 seconds before I crash, with the following backtrace:

#0  0xb78a9424 in __kernel_vsyscall ()
#1  0xb767a8b6 in nanosleep () from /lib/i386-linux-gnu/libc.so.6
#2  0xb767a6af in sleep () from /lib/i386-linux-gnu/libc.so.6
#3  0xb387239f in ah_crap_handler (signum=6) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsSigHandlers.cpp:121
#4  0xb3877f4e in nsProfileLock::FatalSignalHandler (signo=6, info=0xbfd6363c, context=0xbfd636bc) at /media/Projects/mozilla/objdir-thunderbird-patches/mozilla/toolkit/profile/nsProfileLock.cpp:227
#5  <signal handler called>
#6  0xb78a9424 in __kernel_vsyscall ()
#7  0xb75f61ef in raise () from /lib/i386-linux-gnu/libc.so.6
#8  0xb75f9835 in abort () from /lib/i386-linux-gnu/libc.so.6
#9  0x080579fc in arena_run_reg_dalloc (run=0xa4113000, bin=0xb74995ec, ptr=0xa4116ef4, size=272) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:3288
#10 0x0805c2bd in arena_dalloc_small (arena=0xb7499040, chunk=0xa4100000, ptr=0xa4116ef4, mapelm=0xa4100118) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:4486
#11 0x0805cb5d in arena_dalloc (ptr=0xa4116ef4, offset=93940) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:4614
#12 0x0805ffc5 in free (ptr=0xa4116ef4) at /media/Projects/mozilla/thunderbird/mozilla/memory/jemalloc/jemalloc.c:6541
#13 0xb72d4505 in PR_Free () from /usr/lib/i386-linux-gnu/libnspr4.so
#14 0xb5199368 in ProcessBodyAsAttachment (obj=0xac1a5f00, data=0xbfd63e94) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:213
#15 0xb519aaa6 in MimeGetAttachmentList (tobj=0xa80a1c90, aMessageURL=0x98ffed30 "imap://mike%2Ed%2Econley%40gmail%2Ecom@imap.googlemail.com:993/fetch%3EUID%3E%5E%5BGmail%5D%5EImportant%3E15623?header=filter&emitter=js", 
    data=0xbfd63e94) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:611
#16 0xb519bd55 in mime_display_stream_complete (stream=0xa6f5c960) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/mimemoz2.cpp:1027
#17 0xb51a80e7 in nsStreamConverter::OnStopRequest (this=0xa48f9e20, request=0x991a2d60, ctxt=0xac005144, status=0) at /media/Projects/mozilla/thunderbird/mailnews/mime/src/nsStreamConverter.cpp:1090
#18 0xb507a4a7 in nsImapCacheStreamListener::OnStopRequest (this=0xa6f5c7e0, request=0xae3deac0, aCtxt=0xac005144, aStatus=0) at /media/Projects/mozilla/thunderbird/mailnews/imap/src/nsImapProtocol.cpp:8627
#19 0xb38b7c54 in nsInputStreamPump::OnStateStop (this=0xae3deac0) at /media/Projects/mozilla/thunderbird/mozilla/netwerk/base/src/nsInputStreamPump.cpp:583
#20 0xb38b748f in nsInputStreamPump::OnInputStreamReady (this=0xae3deac0, stream=0xa6bd595c) at /media/Projects/mozilla/thunderbird/mozilla/netwerk/base/src/nsInputStreamPump.cpp:405
#21 0xb541d562 in nsInputStreamReadyEvent::Run (this=0xa6f5c9a0) at /media/Projects/mozilla/thunderbird/mozilla/xpcom/io/nsStreamUtils.cpp:114
#22 0xb543e4f1 in nsThread::ProcessNextEvent (this=0xb734ef20, mayWait=false, result=0xbfd640df) at /media/Projects/mozilla/thunderbird/mozilla/xpcom/threads/nsThread.cpp:656
#23 0xb53d6b72 in NS_ProcessNextEvent_P (thread=0xb734ef20, mayWait=false) at /media/Projects/mozilla/objdir-thunderbird-patches/mozilla/xpcom/build/nsThreadUtils.cpp:245
#24 0xb5280d70 in mozilla::ipc::MessagePump::Run (this=0xb19193d0, aDelegate=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/glue/MessagePump.cpp:110
#25 0xb548ac78 in MessageLoop::RunInternal (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/message_loop.cc:208
#26 0xb548ac03 in MessageLoop::RunHandler (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/message_loop.cc:201
#27 0xb548abe5 in MessageLoop::Run (this=0xb731daa0) at /media/Projects/mozilla/thunderbird/mozilla/ipc/chromium/src/base/message_loop.cc:175
#28 0xb4c9ce69 in nsBaseAppShell::Run (this=0xb0552240) at /media/Projects/mozilla/thunderbird/mozilla/widget/xpwidgets/nsBaseAppShell.cpp:189
#29 0xb49e31c2 in nsAppStartup::Run (this=0xb057f8b0) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/components/startup/nsAppStartup.cpp:295
#30 0xb3864a4c in XREMain::XRE_mainRun (this=0xbfd64470) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3772
#31 0xb3864d31 in XREMain::XRE_main (this=0xbfd64470, argc=1, argv=0xbfd65754, aAppData=0xb7315900) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3849
#32 0xb3864f50 in XRE_main (argc=1, argv=0xbfd65754, aAppData=0xb7315900) at /media/Projects/mozilla/thunderbird/mozilla/toolkit/xre/nsAppRunner.cpp:3925
#33 0x08049714 in do_main (exePath=0xbfd646ac "/media/Projects/mozilla/objdir-thunderbird-patches/mozilla/dist/bin/", argc=1, argv=0xbfd65754) at /media/Projects/mozilla/thunderbird/mail/app/nsMailApp.cpp:144
#34 0x0804995b in main (argc=1, argv=0xbfd65754) at /media/Projects/mozilla/thunderbird/mail/app/nsMailApp.cpp:233

Comment 1

[David :Bienvenu]

we're trying to stream an imap message, perhaps for gloda or the junk filter. So your crash is probably specific to a particular message in your inbox or other imap folder. You could start up offline, and try clicking on messages until you crash, since I suspect you would crash trying to display the message.

Comment 2

[David :Bienvenu]

I tried this on the mac on a self-built trunk build. no crash. I also tried explicitly enabling jemalloc, in case it's not on by default on the mac, no luck. And this doesn't crash on windows.

Comment 3

[Mike Conley (:mconley) (:⚙️)]

This problem mysteriously vanished for me.

Comment 4

[Mike Conley (:mconley) (:⚙️)]

And now it's back.  :/

Comment 5

[Mike Conley (:mconley) (:⚙️)]

Argh, and with a rebuild this morning, it's gone again.

Spooky.

Comment 6

[Mike Conley (:mconley) (:⚙️)]

Still hasn't resurfaced yet. I'll close this until it does.

Comment 7

[Wayne Mery (:wsmwk)]

mconley, does bp-45595d1f-28f0-4233-a7cd-6cca42120803 / e7160b81-8be5-47aa-89bb-383d32120803 excite you at all?  They have the same reporter email address.

#10 crash for TB15

crashes are TB15, 16, 17. So assuming regression
https://crash-stats.mozilla.com/report/list?product=Thunderbird&query_search=signature&query_type=contains&query=ProcessBodyAsAttachment&reason_type=contains&date=08%2F09%2F2012%2015%3A23%3A49&range_value=2&range_unit=weeks&hang_type=any&process_type=any&do_query=1&admin=1&signature=arena_run_reg_dalloc%20|%20arena_dalloc_small%20|%20arena_dalloc%20|%20je_free%20|%20ProcessBodyAsAttachment%28MimeObject*%2C%20nsMsgAttachmentData**%29

Comment 8

[Wayne Mery (:wsmwk)]

TB15 bp-81e21c6a-dc0e-4a63-b924-835542120730 reporter@redhat.com :)
TB16 bp-ab19419d-555c-42c4-b48c-44e052120810

Comment 9

[Hiroyuki Ikezoe (:hiro)]

Attachment: possible fix

delete should be used for the memory allocated with 'new'.

Comment 10

[Mark Banner (:standard8)]

Comment on attachment 653590 [details] [diff] [review]
possible fix

r=me by inspection.

Comment 11

[Mark Banner (:standard8)]

Interestingly introduced by bug 679476, but didn't seem to show up until the 15 cycle.

Comment 12

[Mark Banner (:standard8)]

Comment on attachment 653590 [details] [diff] [review]
possible fix

[Triage Comment]
I want to take this given its a regression, and a simple fix.

Comment 13

[Mark Banner (:standard8)]

Checked in:

https://hg.mozilla.org/comm-central/rev/b3d2a3cb2696
https://hg.mozilla.org/releases/comm-aurora/rev/b503e5600997
https://hg.mozilla.org/releases/comm-beta/rev/efb5f08b1d8a

Comment 14

[Mark Banner (:standard8)]

And bustage fixes for the branches as the nsnull -> nullptr transition hasn't taken place there yet:

https://hg.mozilla.org/releases/comm-aurora/rev/5bde783cb95a
https://hg.mozilla.org/releases/comm-beta/rev/6bcd1eea7663