thunderbird-bin crashed with SIGSEGV when trying to Edit as New
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mozilla Thunderbird | Fix Released | Critical | | |
thunderbird (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: thunderbird
This is a follow-up after I submitted bug #499044.
I received an automatic "Delivery Failure" message because I misspelled the e-mail address. So I decided to simply edit the attached e-mail as new, correct the e-mail address and send it again. I right-clicked the attached <subject>.eml e-mail, invoked "Open" from the popup menu and then invoked "Message > Edit Message As New" from the main menu. This crashed my Thunderbird. 100% reproducible.
ProblemType: Crash
Architecture: i386
CrashCounter: 1
Date: Tue Dec 22 22:26:26 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/lib/
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
NonfreeKernelMo
Package: thunderbird 2.0.0.23+
ProcCmdline: /usr/lib/
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SegvAnalysis:
Segfault happened at: 0x1b1422 <__kernel_
PC (0x001b1422) ok
Reason could not be automatically determined.
Signal: 11
SourcePackage: thunderbird
StacktraceTop:
?? () from /usr/lib/
?? () from /usr/lib/
?? () from /usr/lib/
?? () from /usr/lib/
?? () from /usr/lib/
Title: thunderbird-bin crashed with SIGSEGV
Uname: Linux 2.6.31-16-generic i686
UserGroups: adm admin audio cdrom dialout fuse lpadmin netdev plugdev root sambashare
XsessionErrors:
(gnome-
(gnome-
(polkit-
(nautilus:2001): Eel-CRITICAL **: eel_preferences
(firefox:2391): GLib-WARNING **: g_set_prgname() called multiple times
visibility: private → public
Changed in thunderbird:
status: Unknown → Confirmed
Changed in thunderbird:
status: Unknown → Fix Released
Changed in thunderbird:
importance: Unknown → Critical
Created an attachment (id=415914)
proposed fix
The bug is that mime isn't using xpcom reference counting semantics, so it's deleting an object that it should not. I also cleaned up a separate ref counting issue where mime was addreffing a pointer that had already been addreffed (though only getting rid of the delete fixes the crash).
For some reason, the url leak stuff added to nsStandardUrl.cpp exposed this issue, perhaps by changing the size of the url enough so that we weren't saved by heap buffer size rounding...
I'll try to come up with a mozmill test that at least exercises this code, though it won't guarantee anything...
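The two reference-counting defects described in the comment above, reduced to a standalone sketch. This is an added example, not the attached patch or Mozilla code; the `Url` class and the function names are hypothetical stand-ins for an XPCOM-style AddRef/Release object.

```cpp
#include <cstdio>

// Url is a hypothetical stand-in with XPCOM-style AddRef/Release, not a Mozilla class.
class Url {
public:
    static int live;                    // objects currently allocated
    Url() { ++live; }
    ~Url() { --live; }                  // public only so the bad delete compiles;
                                        // a private destructor would reject it
    int AddRef() { return ++refs_; }
    int Release() {
        int left = --refs_;
        if (left == 0) delete this;     // only the last owner's Release frees
        return left;
    }
    int refs() const { return refs_; }
private:
    int refs_ = 0;
};
int Url::live = 0;

// Defect 1: a borrower frees with delete while an owner still holds a reference.
// Returns the number of references outstanding when the object was destroyed.
int buggy_delete() {
    Url* owner = new Url; owner->AddRef();
    Url* borrowed = owner;
    int outstanding = borrowed->refs();
    delete borrowed;                    // owner now dangles; it is never touched again
    return outstanding;
}

// Corrected: the borrower takes and drops its own reference.
// Returns live objects once the borrower is done (the owner's must still exist).
int fixed_release() {
    Url* owner = new Url; owner->AddRef();
    Url* borrowed = owner; borrowed->AddRef();
    borrowed->Release();
    int alive = Url::live;
    owner->Release();                   // last reference frees the object
    return alive;
}

// Defect 2: AddRef on a pointer that was handed over already AddRef'd.
// Returns live objects after the caller's single Release (1 means leaked).
int double_addref_leak() {
    Url* u = new Url; u->AddRef();      // as returned by an addref'ing getter
    u->AddRef();                        // redundant second AddRef
    u->Release();
    int leaked = Url::live;
    u->Release();                       // demo cleanup only
    return leaked;
}
```

A non-zero result from `buggy_delete` is the crash condition: the object is gone while an owner still expects it to be valid, and whether that faults immediately depends on what the allocator does with the freed block.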