494824 – thunderbird crashed with coredump during news reading

Bug 494824 - thunderbird crashed with coredump during news reading

Summary: thunderbird crashed with coredump during news reading

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	thunderbird
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Martin Stransky
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-04-08 09:34 UTC by Zdenek Kabelac
Modified:	2018-04-11 11:32 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-06-08 08:23:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Zdenek Kabelac 2009-04-08 09:34:33 UTC

Description of problem:

This coredump appeared on my disk:

#0  0x00007f4966445deb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00007f4965f6f308 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  _wordcopy_bwd_dest_aligned (dstp=139956836554136, srcp=139956836554120, len=536870882) at wordcopy.c:358
#4  0x00007f4961be4059 in *__GI_memmove (dest=0x7f493d86d68c, src=<value optimized out>, len=4294967060)
    at memmove.c:99
#5  0x00007f4952d6056f in nsTArray<unsigned int>::ReplaceElementsAt<unsigned int> (this=0x7f4943467448, start=416, 
    count=0, array=0x7fff6e86fc8c, arrayLen=1) at ../../../mozilla/dist/include/xpcom/nsTArray.h:494
#6  0x00007f4952d542d3 in InsertElementAt<nsMsgKey> (item=<value optimized out>, index=<value optimized out>, 
    this=<value optimized out>) at ../../../mozilla/dist/include/xpcom/nsTArray.h:529
#7  nsMsgDBView::InsertMsgHdrAt (item=<value optimized out>, index=<value optimized out>, this=<value optimized out>)
    at /usr/src/debug/thunderbird-3.0/mailnews/base/src/nsMsgDBView.cpp:1502
#8  0x00007f4952d612a7 in nsMsgThreadedDBView::OnNewHeader (this=0x7f4943467400, newHdr=0x7f494ad10d60, 
    aParentKey=818448, ensureListed=<value optimized out>)
    at /usr/src/debug/thunderbird-3.0/mailnews/base/src/nsMsgThreadedDBView.cpp:654
#9  0x00007f4952e0c0e1 in nsMsgDatabase::NotifyHdrAddedAll (this=<value optimized out>, aHdrAdded=0x7f494ad10d60, 
    aParentKey=818448, aFlags=65552, aInstigator=0x0)
    at /usr/src/debug/thunderbird-3.0/mailnews/db/msgdb/src/nsMsgDatabase.cpp:682
#10 0x00007f4952e0e7ff in nsMsgDatabase::AddNewHdrToDB (this=0x7f49383511d0, newHdr=0x7f494ad10d60, notify=1)
    at /usr/src/debug/thunderbird-3.0/mailnews/db/msgdb/src/nsMsgDatabase.cpp:3035
#11 0x00007f4952ebd2c9 in nsNNTPNewsgroupList::CallFilters (this=0x7f492e36f200)
    at /usr/src/debug/thunderbird-3.0/mailnews/news/src/nsNNTPNewsgroupList.cpp:1157
#12 0x00007f4952ec266f in nsNNTPProtocol::ProcessXover (this=0x7f4943467800)
    at /usr/src/debug/thunderbird-3.0/mailnews/news/src/nsNNTPProtocol.cpp:3557
#13 0x00007f4952ecd83d in nsNNTPProtocol::ProcessProtocolState (this=0x7f4943467800, url=<value optimized out>, 
    inputStream=0x7f49365e5e10, sourceOffset=<value optimized out>, length=19805)
    at /usr/src/debug/thunderbird-3.0/mailnews/news/src/nsNNTPProtocol.cpp:5136
#14 0x00007f4952d0b35a in nsMsgProtocol::OnDataAvailable (this=0x7f4943467818, request=<value optimized out>, 
    ctxt=<value optimized out>, inStr=0x7f49365e5e10, sourceOffset=249282, count=19805)
    at /usr/src/debug/thunderbird-3.0/mailnews/base/util/nsMsgProtocol.cpp:347
#15 0x00007f495253abd9 in nsInputStreamPump::OnStateTransfer (this=0x7f493451e0b0)
    at /usr/src/debug/thunderbird-3.0/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#16 0x00007f495253acd5 in nsInputStreamPump::OnInputStreamReady (this=0x7f493451e0b0, stream=0x7f4a3d86d598)
    at /usr/src/debug/thunderbird-3.0/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#17 0x00007f4965ae23d4 in nsInputStreamReadyEvent::Run (this=0x7f495e51b040)
    at /usr/src/debug/thunderbird-3.0/mozilla/xpcom/io/nsStreamUtils.cpp:111
#18 0x00007f4965af6ab1 in nsThread::ProcessNextEvent (this=0x7f495e4bcd30, mayWait=1, result=0x7fff6e87012c)
    at /usr/src/debug/thunderbird-3.0/mozilla/xpcom/threads/nsThread.cpp:510
#19 0x00007f4965ac7984 in NS_ProcessNextEvent_P (thread=0x7f4a3d86d598, mayWait=1032246680) at nsThreadUtils.cpp:227
#20 0x00007f4950dd25c9 in nsBaseAppShell::Run (this=0x7f4953873c40)
    at /usr/src/debug/thunderbird-3.0/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#21 0x00007f49500cf8a2 in nsAppStartup::Run (this=0x7f49532557c0)
    at /usr/src/debug/thunderbird-3.0/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#22 0x00007f4965f695ca in XRE_main (argc=<value optimized out>, argv=<value optimized out>, 
    aAppData=<value optimized out>) at /usr/src/debug/thunderbird-3.0/mozilla/toolkit/xre/nsAppRunner.cpp:3279
#23 0x00000000004019bc in main (argc=1, argv=0x7fff6e870968)
    at /usr/src/debug/thunderbird-3.0/mail/app/nsMailApp.cpp:103


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. no idea - doesn't happen regularly
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Kabelac 2009-04-08 09:37:06 UTC

Hmm - forget to append version number: thunderbird-3.0-2.1.beta2.fc11.x86_64

Comment 2 Matěj Cepl 2009-04-29 22:18:47 UTC

Hmm, Jan could you take a look, whether you see anything interesting?

Otherwise, Zdeněk, I will leave this on NEEDINFO for you, and let us know if you find anything like that happening again.

Comment 3 Zdenek Kabelac 2009-04-30 09:20:55 UTC

Well these crashes are usually hard to reproduce - but from this backtrace - it looks like __GI_memmove  takes len=4294967060  - which is 0xffffff14- so most probably the size here is a problem as in this case it looks like some signed error code - just a very very wild guess though - someone should check the code and try to think how this value got there ?

Comment 4 Zdenek Kabelac 2009-04-30 12:40:14 UTC

Ok happened to me twice today - and always I've been reading my mailbox and I've been switching to a newsgroup - last time to lkml with about ~800 unread articles.

So maybe this information will help ?

Comment 5 Zdenek Kabelac 2009-04-30 13:18:21 UTC

And speaking of reading lkml - actually now every try to open this group leads to crash.

Here is what valgrind shows before crash - so most probably reading address is invalid (probably the size with error code really means there was an error).


==21270== Thread 1:
==21270== Invalid read of size 1
==21270==    at 0x4C26D48: memmove (mc_replace_strmem.c:517)
==21270==    by 0x1840256E: unsigned int* nsTArray<unsigned int>::ReplaceElementsAt<unsigned int>(unsigned int, unsigned int, unsigned int const*, unsigned int) (nsTArray.h:494)
==21270==    by 0x183F62D2: nsMsgDBView::InsertMsgHdrAt(unsigned int, nsIMsgDBHdr*, unsigned int, unsigned int, unsigned int) (nsTArray.h:529)
==21270==    by 0x184032A6: nsMsgThreadedDBView::OnNewHeader(nsIMsgDBHdr*, unsigned int, int) (nsMsgThreadedDBView.cpp:654)
==21270==    by 0x184AE0E0: nsMsgDatabase::NotifyHdrAddedAll(nsIMsgDBHdr*, unsigned int, int, nsIDBChangeListener*) (nsMsgDatabase.cpp:682)
==21270==    by 0x184B07FE: nsMsgDatabase::AddNewHdrToDB(nsIMsgDBHdr*, int) (nsMsgDatabase.cpp:3035)
==21270==    by 0x1855F2C8: nsNNTPNewsgroupList::CallFilters() (nsNNTPNewsgroupList.cpp:1157)
==21270==    by 0x1856466E: nsNNTPProtocol::ProcessXover() (nsNNTPProtocol.cpp:3557)
==21270==    by 0x1856F83C: nsNNTPProtocol::ProcessProtocolState(nsIURI*, nsIInputStream*, unsigned int, unsigned int) (nsNNTPProtocol.cpp:5136)
==21270==    by 0x183AD359: nsMsgProtocol::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (nsMsgProtocol.cpp:347)
==21270==    by 0x18D37BD8: nsInputStreamPump::OnStateTransfer() (nsInputStreamPump.cpp:508)
==21270==    by 0x18D37CD4: nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (nsInputStreamPump.cpp:398)
==21270==  Address 0x124d12a4b is not stack'd, malloc'd or (recently) free'd
145	m_syswrap/syscall-amd64-linux.S: AdresĂĄĹ nebo soubor neexistuje.
Could not find the frame base for "vgPlain_client_syscall".

Comment 6 Martin Stransky 2009-05-26 13:19:36 UTC

Taking this one, already addressed similar issue upstream (https://bugzilla.mozilla.org/show_bug.cgi?id=494756).

Comment 7 Martin Stransky 2009-06-08 08:23:41 UTC

Closing as UPSTREAM.

Note You need to log in before you can comment on or make changes to this bug.