thunderbird-bin crashed with SIGSEGV when trying to Edit as New

Bug #499603 reported by Jiří Kovalský on 2009-12-22
This bug affects 1 person
Affects: Mozilla Thunderbird; Status: Fix Released; Importance: Critical
Affects: thunderbird (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

Binary package hint: thunderbird

This is a follow-up after I submitted bug #499044.

I received an automatic "Delivery Failure" message because I misspelled the e-mail address. So I decided to simply edit the attached e-mail as new, correct the e-mail address and send it again. I right-clicked the attached <subject>.eml e-mail, invoked "Open" from the popup menu and then invoked "Message > Edit Message As New" from the main menu. This crashed my Thunderbird. 100% reproducible.

ProblemType: Crash
Architecture: i386
CrashCounter: 1
Date: Tue Dec 22 22:26:26 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/lib/thunderbird/thunderbird-bin
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
NonfreeKernelModules: nvidia
Package: thunderbird 2.0.0.23+build1+nobinonly-0ubuntu1
ProcCmdline: /usr/lib/thunderbird/thunderbird-bin
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-16.53-generic
SegvAnalysis:
 Segfault happened at: 0x1b1422 <__kernel_vsyscall+2>: ret
 PC (0x001b1422) ok
 Reason could not be automatically determined.
Signal: 11
SourcePackage: thunderbird
StacktraceTop:
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
Title: thunderbird-bin crashed with SIGSEGV
Uname: Linux 2.6.31-16-generic i686
UserGroups: adm admin audio cdrom dialout fuse lpadmin netdev plugdev root sambashare
XsessionErrors:
 (gnome-settings-daemon:1905): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:1905): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (polkit-gnome-authentication-agent-1:2015): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (nautilus:2001): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (firefox:2391): GLib-WARNING **: g_set_prgname() called multiple times

Created an attachment (id=415914)
proposed fix

The bug is that mime isn't using xpcom reference counting semantics, so it's deleting an object that it should not. I also cleaned up a separate ref counting issue where mime was addreffing a pointer that had already been addreffed (though only getting rid of the delete fixes the crash).

For some reason, the url leak stuff added to nsStandardUrl.cpp exposed this issue, perhaps by changing the size of the url enough so that we weren't saved by heap buffer size rounding...

I'll try to come up with a mozmill test that at least exercises this code, though it won't guarantee anything...
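The two defects described in the comment above, reduced to a self-contained sketch (an added example, not Mozilla's code or the attached patch; `Obj`, `GetObj` and the counters are hypothetical stand-ins). A destructor-side check flags the stray `delete`, and a live-instance count exposes the redundant AddRef.

```cpp
#include <cstdio>
// Hypothetical stand-in for an XPCOM-style ref-counted object (not Mozilla code).
struct Obj {
    static int live;        // instances currently alive
    static int badDeletes;  // destructor ran while references were outstanding
    int refs = 0;
    Obj() { ++live; }
    ~Obj() { --live; if (refs != 0) ++badDeletes; }
    void AddRef() { ++refs; }
    void Release() { if (--refs == 0) delete this; }
};
int Obj::live = 0, Obj::badDeletes = 0;

// Getter that hands back an already-AddRef'ed pointer: the caller owes one Release().
Obj* GetObj(Obj* shared) { shared->AddRef(); return shared; }

// Defect 1: the caller deletes a shared object instead of releasing its reference.
int delete_instead_of_release() {
    Obj::badDeletes = 0;
    Obj* owner = new Obj; owner->AddRef();  // another holder of the same object
    Obj* mine = GetObj(owner);
    delete mine;             // wrong: 'owner' now dangles and must not be touched
    return Obj::badDeletes;  // 1
}

// Defect 2: AddRef on a pointer the getter already AddRef'ed; the object never dies.
int extra_addref_leaks() {
    int before = Obj::live;
    Obj* owner = new Obj; owner->AddRef();
    Obj* mine = GetObj(owner);
    mine->AddRef();          // redundant reference
    mine->Release(); owner->Release();
    int leaked = Obj::live - before;  // 1: still alive with refs == 1
    mine->Release();         // drop the stray reference so the demo itself is clean
    return leaked;
}

// Correct pairing: one Release() per reference held, never delete.
int correct_usage() {
    Obj::badDeletes = 0; int before = Obj::live;
    Obj* owner = new Obj; owner->AddRef();
    Obj* mine = GetObj(owner);
    mine->Release(); owner->Release();
    return (Obj::live - before) + Obj::badDeletes;  // 0
}

int main() {
    std::printf("%d %d %d\n", delete_instead_of_release(), extra_addref_leaks(), correct_usage());
}
```

Only the first defect leaves a dangling pointer behind, which matches the comment's note that removing the `delete` is what fixes the crash; the second one leaks.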

(From update of attachment 415914)
Running with this patch and the patch from bug 312025, I am no longer crashing, while without this patch I crash within three forwards using the test message in that bug.

I also checked the code and its uses, and this seems like the right thing to do.

this should block 3.01

The changes in this patch are being implemented in trunk as part of bug 312025.

fixed on trunk.

fixed for 3.01

(In reply to comment #6)
> fixed for 3.01

Shouldn't this have landed on 'default' hg branch (too)?

Didn't this land on the trunk a week ago, as I said in #c5? Looks to me like it did.

(In reply to comment #8)
> Didn't this land on the trunk a week ago, as I said in #c5? Looks to me like it
> did.

Take a look at: http://hg.mozilla.org/releases/comm-1.9.1/rev/eb1a0eb3b4ef
(and http://hg.mozilla.org/releases/comm-1.9.1/rev/05a86172f79f)

It landed on COMM1915_20091112_RELBRANCH within comm-central rather than "default".

Can you back them out from the relbranch and reland on default please?

(In reply to comment #9)
> Can you back them out from the relbranch and reland on default please?

done.

This is from this crash report for Thunderbird 3:
ID: 24217b56-b770-485c-b621-1b1332091203

User comments from crash-stats:
Was browsing my inbox. I tried to open a recent mail, but an old mail from a month or so ago opened instead. I was trying to get the e-mail to display correctly, so I right-clicked and chose 'Edit as new...', which caused this crash.

There is a similar report on Launchpad for Thunderbird 2 with similar comments.

Frame Module Signature Source
0 thunderbird-bin MimeDecoderWrite mailnews/mime/src/mimeenc.cpp:189
1 thunderbird-bin mime_decompose_file_output_fn mailnews/mime/src/mimedrft.cpp:1962
2 thunderbird-bin MimeMessage_parse_line mailnews/mime/src/mimemsg.cpp:222
3 thunderbird-bin MimeObject_parse_eof mailnews/mime/src/mimeobj.cpp:299
4 thunderbird-bin MimeContainer_parse_eof mailnews/mime/src/mimecont.cpp:129
5 thunderbird-bin MimeMessage_parse_eof mailnews/mime/src/mimemsg.cpp:542
6 thunderbird-bin mime_parse_stream_complete mailnews/mime/src/mimedrft.cpp:1209
7 thunderbird-bin nsStreamConverter::OnStopRequest mailnews/mime/src/nsStreamConverter.cpp:1068
8 thunderbird-bin nsImapCacheStreamListener::OnStopRequest mailnews/imap/src/nsImapProtocol.cpp:8333
9 thunderbird-bin nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:576
10 thunderbird-bin nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:401
11 libxpcom_core.so nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
12 libxpcom_core.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:521
13 libxpcom_core.so NS_ProcessNextEvent_P nsThreadUtils.cpp:236
14 thunderbird-bin nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
15 thunderbird-bin nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
16 thunderbird-bin XRE_main toolkit/xre/nsAppRunner.cpp:3321
17 thunderbird-bin main mail/app/nsMailApp.cpp:103

Jiří Kovalský (cesilko) wrote :

StacktraceTop:MimeDecoderWrite (data=0x97d1b90, buffer=0x26a387d "\n", size=0)
mime_decompose_file_output_fn (buf=0x26a387e "", size=1,
MimeMessage_parse_line (aLine=0xa3a4b48 "�i",
MimeObject_parse_eof (obj=0xa3a3890, abort_p=0)
MimeContainer_parse_eof (object=0xa3a3890, abort_p=0)

Changed in thunderbird (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace

Can we get an email in .eml format attached to this bug so we have a testcase and can fix the issue?

Micah Gersten (micahg) on 2009-12-23
visibility: private → public
Micah Gersten (micahg) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software.
I'm going to mark it as Triaged and wait for upstream to work on this. Thanks for taking the time to make Ubuntu better! Please report any other issues you may find.

summary: - thunderbird-bin crashed with SIGSEGV
+ thunderbird-bin crashed with SIGSEGV when trying to Edit as New
Changed in thunderbird (Ubuntu):
status: New → Triaged
Changed in thunderbird:
status: Unknown → Confirmed

This is a rare crash, ~2 per month. Most don't have comments.
I examined crashes going back to July 10 and emailed submitter of
bp-cb7208d7-c8ab-426e-89a8-60a8f2091107
using 3.0a2
0 thunderbird-bin MimeDecoderWrite mozilla/mailnews/mime/src/mimeenc.cpp:189
1 thunderbird-bin mime_decompose_file_output_fn mozilla/mailnews/mime/src/mimedrft.cpp:1969
2 thunderbird-bin MimeMessage_parse_line mozilla/mailnews/mime/src/mimemsg.cpp:230
3 thunderbird-bin MimeObject_parse_eof mozilla/mailnews/mime/src/mimeobj.cpp:312
4 thunderbird-bin MimeContainer_parse_eof mozilla/mailnews/mime/src/mimecont.cpp:129
5 thunderbird-bin MimeMessage_parse_eof mozilla/mailnews/mime/src/mimemsg.cpp:550
6 thunderbird-bin mime_parse_stream_complete mozilla/mailnews/mime/src/mimedrft.cpp:1246
7 thunderbird-bin nsStreamConverter::OnStopRequest mozilla/mailnews/mime/src/nsStreamConverter.cpp:1027

MimeDecoderWrite(MimeDecoderData*, char const*, int) appears for Mac also but I didn't check if stack is same

Micah Gersten (micahg) wrote :

Upstream requested an .eml file that crashes. Do you have one that's not private? Thanks.

Created an attachment (id=419127)
Test E-Mail that causes crash for LP user

I fixed a crash in the mimedrft code which might fix this problem. The fix is in the 3.01 nightlies, and the 3.1 nightlies. bug 532693 has the fix I'm thinking of.

Jiří Kovalský (cesilko) wrote :

Yes, here is the e-mail. Please open it. It contains email "Telefonní číslo.eml" which crashes Thunderbird if you open it and try to "Edit Message As New".

Hope this helps. Good luck and Merry Christmas! :-)

Micah Gersten (micahg) wrote :

Thanks Jiří Kovalský, I passed this on upstream.

Micah Gersten (micahg) wrote :

@Jiří Kovalský

Are you willing to try the daily build of 3.0? Upstream said this might have been fixed on Monday. It will import your 2.0 profile into a new directory. It's called Shredder in the menu and you can launch from a terminal as thunderbird-3.0
https://edge.launchpad.net/~ubuntu-mozilla-daily/+archive/ppa/

Jiří Kovalský (cesilko) wrote :

Yes, I will give it a try and let you know. Thanks guys!

Jiří Kovalský (cesilko) wrote :

So, it works fine in build #20091224r4571 i.e. no crash! On the other hand the e-mail name is displayed incorrectly without proper encoding. See attached screenshots for comparison. Is this a regression caused by the fix?

Micah Gersten (micahg) wrote :

@Jiří Kovalský

Let's file a new bug for that encoding issue and I'll try to get upstream to look at it. Thanks for helping us test.

*** Bug 536498 has been marked as a duplicate of this bug. ***

Launchpad user confirmed that the 3.0.1 nightly build fixes the problem.

*** This bug has been marked as a duplicate of bug 532693 ***

Micah Gersten (micahg) wrote :

Changing upstream to the bug that actually fixed the crash.

Changed in thunderbird:
status: Confirmed → Unknown
milestone: none → 3.0.1
Changed in thunderbird:
status: Unknown → Fix Released

V. Fixed based on the use of the email example pointed by rkent.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.0.1+nobinonly-0ubuntu1

---------------
thunderbird (3.0.1+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.0.1 (THUNDERBIRD_3_0_1_RELEASE)
    - fix LP: #257483 - thunderbird-bin crashed with Badwindow Error
    - fix LP: #499603 - thunderbird-bin crashed with SIGSEGV when trying to
                        Edit as New

  * Fix FTBFS on Sparc by disabling jit (LP: #523627)
    - update debian/rules
  * Drop cairo FTBFS patch after upstream landing
    - drop debian/patches/bz466250_att349521_fix_ftbfs_with_cairo_fb.patch
    - update debian/series
 -- Micah Gersten <email address hidden> Sun, 21 Feb 2010 12:15:33 -0600

Changed in thunderbird (Ubuntu):
status: Triaged → Fix Released
Changed in thunderbird:
importance: Unknown → Critical