Bug 494824
| Field | Value |
|---|---|
| Summary | thunderbird crashed with coredump during news reading |
| Product | [Fedora] Fedora |
| Component | thunderbird |
| Status | CLOSED UPSTREAM |
| Severity | medium |
| Priority | low |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Reporter | Zdenek Kabelac <zkabelac> |
| Assignee | Martin Stransky <stransky> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | gecko-bugs-nobody, mcepl, stransky |
| Doc Type | Bug Fix |
| Last Closed | 2009-06-08 08:23:41 UTC |

Description
Zdenek Kabelac
2009-04-08 09:34:33 UTC
Hmm - forgot to append version number: thunderbird-3.0-2.1.beta2.fc11.x86_64

Hmm, Jan, could you take a look, whether you see anything interesting? Otherwise, Zdeněk, I will leave this on NEEDINFO for you, and let us know if you find anything like that happening again.

Well, these crashes are usually hard to reproduce - but from this backtrace it looks like __GI_memmove takes len=4294967060, which is 0xffffff14, so most probably the size here is a problem, as in this case it looks like some signed error code - just a very, very wild guess though - someone should check the code and try to think how this value got there?

OK, happened to me twice today - and always I've been reading my mailbox and I've been switching to a newsgroup - last time to lkml with about ~800 unread articles. So maybe this information will help?

And speaking of reading lkml - actually now every try to open this group leads to a crash.

Here is what valgrind shows before the crash - so most probably the reading address is invalid (probably the size with error code really means there was an error).

```
==21270== Thread 1:
==21270== Invalid read of size 1
==21270==    at 0x4C26D48: memmove (mc_replace_strmem.c:517)
==21270==    by 0x1840256E: unsigned int* nsTArray<unsigned int>::ReplaceElementsAt<unsigned int>(unsigned int, unsigned int, unsigned int const*, unsigned int) (nsTArray.h:494)
==21270==    by 0x183F62D2: nsMsgDBView::InsertMsgHdrAt(unsigned int, nsIMsgDBHdr*, unsigned int, unsigned int, unsigned int) (nsTArray.h:529)
==21270==    by 0x184032A6: nsMsgThreadedDBView::OnNewHeader(nsIMsgDBHdr*, unsigned int, int) (nsMsgThreadedDBView.cpp:654)
==21270==    by 0x184AE0E0: nsMsgDatabase::NotifyHdrAddedAll(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*) (nsMsgDatabase.cpp:682)
==21270==    by 0x184B07FE: nsMsgDatabase::AddNewHdrToDB(nsIMsgDBHdr*, int) (nsMsgDatabase.cpp:3035)
==21270==    by 0x1855F2C8: nsNNTPNewsgroupList::CallFilters() (nsNNTPNewsgroupList.cpp:1157)
==21270==    by 0x1856466E: nsNNTPProtocol::ProcessXover() (nsNNTPProtocol.cpp:3557)
==21270==    by 0x1856F83C: nsNNTPProtocol::ProcessProtocolState(nsIURI*, nsIInputStream*, unsigned int, unsigned int) (nsNNTPProtocol.cpp:5136)
==21270==    by 0x183AD359: nsMsgProtocol::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (nsMsgProtocol.cpp:347)
==21270==    by 0x18D37BD8: nsInputStreamPump::OnStateTransfer() (nsInputStreamPump.cpp:508)
==21270==    by 0x18D37CD4: nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (nsInputStreamPump.cpp:398)
==21270==  Address 0x124d12a4b is not stack'd, malloc'd or (recently) free'd
```

```
145 m_syswrap/syscall-amd64-linux.S: Adresář nebo soubor neexistuje.
Could not find the frame base for "vgPlain_client_syscall".
```

Taking this one, already addressed similar issue upstream (https://bugzilla.mozilla.org/show_bug.cgi?id=494756). Closing as UPSTREAM.
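
The observation in this report that the memmove length 4294967060 (0xffffff14) looks like a negative number can be checked with 32-bit unsigned arithmetic. The following is an added example, not code from Thunderbird or from this bug report; `unchecked_tail_bytes`, `as_signed` and `checked_insert` are hypothetical names, and the insert index 59 past the end is a constructed value that reproduces that byte count for 4-byte elements, not a diagnosed root cause.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical 32-bit index type, matching the `unsigned int` arguments in
// the valgrind frames. This is not Mozilla's nsTArray code.
using index_t = std::uint32_t;

// Bytes an unchecked "shift the tail" step would hand to memmove when
// inserting at `index` into `length` elements of `elem_size` bytes.
// Wraps modulo 2^32 when index > length.
index_t unchecked_tail_bytes(index_t length, index_t index, index_t elem_size) {
    return (length - index) * elem_size;
}

// Read a 32-bit length as a signed value, as the reporter does by eye.
std::int64_t as_signed(index_t v) {
    return v > 0x7fffffffu ? static_cast<std::int64_t>(v) - 0x100000000LL
                           : static_cast<std::int64_t>(v);
}

// Checked insert: rejects an out-of-range index before any pointer math.
bool checked_insert(std::vector<std::uint32_t>& a, index_t index,
                    std::uint32_t value) {
    if (index > a.size()) return false;
    a.insert(a.begin() + index, value);
    return true;
}

int main() {
    // Constructed values: 100 elements, insert index 59 past the end.
    index_t len = unchecked_tail_bytes(100, 159, 4);
    std::printf("memmove len = %u (0x%x), signed = %lld\n", len, len,
                static_cast<long long>(as_signed(len)));
    std::vector<std::uint32_t> keys(100, 0);
    std::printf("checked insert at 159: %s\n",
                checked_insert(keys, 159, 1) ? "accepted" : "rejected");
    return 0;
}
```

A length with the top bit set in a crash backtrace is worth reading as signed during triage: here it decodes to -236 bytes, which is a whole number of 4-byte elements.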