Closed Bug 885292 Opened 7 years ago Closed 6 years ago

crash in nsSMimeVerificationListener::Notify @ nsXPCWrappedJS::AddRef when opening a signed email with S/mime

Categories

(Thunderbird :: Security, defect, critical)

24 Branch
All
macOS
defect
Not set
critical

Tracking

(thunderbird23 unaffected, thunderbird24- affected)

RESOLVED WORKSFORME
Tracking Status
thunderbird23 --- unaffected
thunderbird24 - affected

People

(Reporter: Usul, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-06ee5cc7-b2e5-4025-9ba3-295482130620 .
============================================================= 
0 	XUL 	nsXPCWrappedJS::AddRef 	js/xpconnect/src/XPCWrappedJS.cpp:158
1 	XUL 	nsSMimeVerificationListener::Notify 	objdir-tb/x86_64/mozilla/dist/include/nsCOMPtr.h:578
2 	XUL 	NS_TableDrivenQI 	objdir-tb/x86_64/mozilla/xpcom/build/nsISupportsImpl.cpp:16
3 	XUL 	nsSMimeVerificationJob::Run 	security/manager/ssl/src/nsCertVerificationThread.cpp:85
4 	XUL 	nsCertVerificationThread::Run 	security/manager/ssl/src/nsCertVerificationThread.cpp:143
5 	libnspr4.dylib 	libnspr4.dylib@0x1dad0 	
6 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:204
7 	libsystem_c.dylib 	libsystem_c.dylib@0x4e8bf 	
8 	libsystem_c.dylib 	libsystem_c.dylib@0x51b75 	
9 	libnspr4.dylib 	

Looking at https://hg.mozilla.org/comm-central I see 867437 and 882424 as potential regrssions.
The stack trace says it's caused by the feature of bug 770840.
Blocks: 773610, 770840
Summary: crash in nsXPCWrappedJS::AddRef when opening a signed email with S/mime → crash in nsSMimeVerificationListener::Notify @ nsXPCWrappedJS::AddRef when opening a signed email with S/mime
Version: Trunk → 24
I think mListener in nsSMimeVerificationJob has to be nsMainThreadPtrHandle too like the patch for bug 873615 does.
(In reply to Hiroyuki Ikezoe (:hiro) from comment #2)
> I think mListener in nsSMimeVerificationJob has to be nsMainThreadPtrHandle
> too like the patch for bug 873615 does.

I am doubtful that there are any JS implementors of nsISmimeVerificationListener. mxr.mozilla.org/addons/ certainly doesn't find any.
It looks more likely to me that one of these lines in Notify is triggering the problem:

>318   nsCOMPtr<nsICMSMessage> msg = do_QueryInterface(aVerifiedMessage);
>319   NS_ENSURE_TRUE(msg, NS_ERROR_FAILURE);
>320   
>321   nsCOMPtr<nsIX509Cert> signerCert;
>322   msg->GetSignerCert(getter_AddRefs(signerCert));
Is this still happening? and is this really a core issue?
(In reply to Mark Banner (:standard8) from comment #5)
> Is this still happening? and is this really a core issue?

Nope - don't know.
Not tracking for TB 24, as we don't seem to be hitting this any more. Could be a WFM?
(In reply to Mark Banner (:standard8) from comment #7)
> Not tracking for TB 24, as we don't seem to be hitting this any more. Could
> be a WFM?

last crashes are tb24.0a1 - approx 10 users in last 8 weeks. All with nsSMimeVerificationListener::Notif on the stack. i.e. zero TB24 beta crashes

Quite unclear to me which bug fixed this. None were using calendar - fixed Bug 870887, and all other bugs with this signature** have different stacks - which coincidentally have all been fixed in this general time period.

bug 870916 RESOLVED FIXED crash in nsSocketTransport::BuildSocket @ nsXPTCStubBase::AddRef
bug 882125 RESOLVED DUPLICATE Remove Off-Main-Thread XPCWrappedJS refcounting from nsLDAPOperation
bug 882196 RESOLVED FIXED Android crash in nsXPCWrappedJS::AddRef
bug 882200 RESOLVED FIXED crash in nsLDAPOperation::GetMessageListener @ nsXPCWrappedJS::AddRef
bug 882328 RESOLVED FIXED nsICameraGetCameraCallback addref-ed on non-Main thread
bug 882424 RESOLVED FIXED crash in SignedStatusRunnable::SignedStatusRunnable @ nsXPCWrappedJS::AddRef
bug 882637 RESOLVED DUPLICATE crash in mozilla::nsDOMCameraControl::Result @ nsXPCWrappedJS::AddRef
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.