thunderbird-bin crashed with SIGSEGV when trying to Edit as New

Bug #499603 reported by Jiří Kovalský
This bug affects 1 person
Affects: Mozilla Thunderbird; Status: Fix Released; Importance: Critical
Affects: thunderbird (Ubuntu); Status: Fix Released; Importance: Medium; Assigned to: Unassigned

Bug Description

Binary package hint: thunderbird

This is a follow-up after I submitted bug #499044.

I received an automatic "Delivery Failure" message because I misspelled the e-mail address. So I decided to simply edit the attached e-mail as new, correct the e-mail address and send it again. I right-clicked the attached <subject>.eml e-mail, invoked "Open" from the popup menu and then invoked "Message > Edit Message As New" from the main menu. This crashed my Thunderbird. 100% reproducible.

ProblemType: Crash
Architecture: i386
CrashCounter: 1
Date: Tue Dec 22 22:26:26 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/lib/thunderbird/thunderbird-bin
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
NonfreeKernelModules: nvidia
Package: thunderbird 2.0.0.23+build1+nobinonly-0ubuntu1
ProcCmdline: /usr/lib/thunderbird/thunderbird-bin
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-16.53-generic
SegvAnalysis:
 Segfault happened at: 0x1b1422 <__kernel_vsyscall+2>: ret
 PC (0x001b1422) ok
 Reason could not be automatically determined.
Signal: 11
SourcePackage: thunderbird
StacktraceTop:
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
 ?? () from /usr/lib/thunderbird/components/libmail.so
Title: thunderbird-bin crashed with SIGSEGV
Uname: Linux 2.6.31-16-generic i686
UserGroups: adm admin audio cdrom dialout fuse lpadmin netdev plugdev root sambashare
XsessionErrors:
 (gnome-settings-daemon:1905): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:1905): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (polkit-gnome-authentication-agent-1:2015): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (nautilus:2001): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (firefox:2391): GLib-WARNING **: g_set_prgname() called multiple times

Revision history for this message
In , Bienvenu (bienvenu) wrote :

Created an attachment (id=415914)
proposed fix

The bug is that mime isn't using xpcom reference counting semantics, so it's deleting an object that it should not. I also cleaned up a separate ref counting issue where mime was addreffing a pointer that had already been addreffed (though only getting rid of the delete fixes the crash).

For some reason, the url leak stuff added to nsStandardUrl.cpp exposed this issue, perhaps by changing the size of the url enough so that we weren't saved by heap buffer size rounding...

I'll try to come up with a mozmill test that at least exercises this code, though it won't guarantee anything...
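
The two reference-counting mistakes described in the comment above, reduced to a self-contained sketch. This is an added example, not the attached patch or Thunderbird code; `Counted`, `Result` and the function names are hypothetical.

```cpp
#include <cstdio>

struct Result { int early_frees = 0; int destroyed = 0; };

// Hypothetical stand-in for an XPCOM-style refcounted object.
struct Counted {
    int refs = 0;
    Result* out;  // records how the object died
    explicit Counted(Result* o) : out(o) {}
    void AddRef() { ++refs; }
    void Release() { if (--refs == 0) delete this; }
    ~Counted() { ++out->destroyed; if (refs > 0) ++out->early_frees; }
};

// "Before": one owner frees the object directly, ignoring the other holder.
Result teardown_with_delete() {
    Result r;
    Counted* obj = new Counted(&r);
    obj->AddRef();                           // reference held by the first owner
    Counted* other = obj; other->AddRef();   // reference held by a second owner
    delete obj;   // bug: bypasses the count, 'other' now dangles
    return r;     // 'other' is never touched again (that would be a use-after-free)
}

// "After": each owner calls Release(); the last one out destroys the object.
Result teardown_with_release() {
    Result r;
    Counted* obj = new Counted(&r);
    obj->AddRef();
    Counted* other = obj; other->AddRef();
    obj->Release();    // refs 2 -> 1, object stays alive
    other->Release();  // refs 1 -> 0, destroyed exactly once
    return r;
}

// Extra AddRef on a pointer that was already addrefed: one matching release leaks.
int destroyed_after_double_addref() {
    Result r;
    Counted* obj = new Counted(&r);
    obj->AddRef();            // getter already handed out an owning reference
    obj->AddRef();            // caller addrefs again (the redundant one)
    obj->Release();           // caller's single matching release
    int seen = r.destroyed;   // still 0: the object would leak at this point
    obj->Release();           // cleanup so this demo itself does not leak
    return seen;
}
int main() {
    std::printf("%d %d %d\n", teardown_with_delete().early_frees, teardown_with_release().early_frees, destroyed_after_double_addref());
}
```

Building this with AddressSanitizer and dereferencing `other` after the `delete` in the first function would report the use-after-free directly, which is the class of fault the crash stack in this report points at.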

Revision history for this message
In , Kent-caspia (kent-caspia) wrote :

(From update of attachment 415914)
Running with this patch and the patch from bug 312025, I am no longer crashing, while without this patch I crash within three forwards using the test message in that bug.

I also checked the code and its uses, and this seems like the right thing to do.

Revision history for this message
In , Bienvenu (bienvenu) wrote :

this should block 3.01

Revision history for this message
In , Kent-caspia (kent-caspia) wrote :

The changes in this patch are being implemented in trunk as part of bug 312025.

Revision history for this message
In , Bienvenu (bienvenu) wrote :

fixed on trunk.

Revision history for this message
In , Bienvenu (bienvenu) wrote :

fixed for 3.01

Revision history for this message
In , Sgautherie-bz (sgautherie-bz) wrote :

(In reply to comment #6)
> fixed for 3.01

Shouldn't this have landed on 'default' hg branch (too)?

Revision history for this message
In , Bienvenu (bienvenu) wrote :

Didn't this land on the trunk a week ago, as I said in #c5? Looks to me like it did.

Revision history for this message
In , Bugzilla-standard8 (bugzilla-standard8) wrote :

(In reply to comment #8)
> Didn't this land on the trunk a week ago, as I said in #c5? Looks to me like it
> did.

Take a look at: http://hg.mozilla.org/releases/comm-1.9.1/rev/eb1a0eb3b4ef
(and http://hg.mozilla.org/releases/comm-1.9.1/rev/05a86172f79f)

It landed on COMM1915_20091112_RELBRANCH within comm-central rather than "default".

Can you back them out from the relbranch and reland on default please?

Revision history for this message
In , Bienvenu (bienvenu) wrote :

(In reply to comment #9)
> Can you back them out from the relbranch and reland on default please?

done.

Revision history for this message
In , Mozilla-bugs-micahscomputing (mozilla-bugs-micahscomputing) wrote :

This is from this crash report for Thunderbird 3:
ID: 24217b56-b770-485c-b621-1b1332091203

User comments from crash-stats:
Was browsing my inbox. I tried to open a recent mail, but an old mail from a month or so ago opened instead. I was trying to get the e-mail to display correctly, so I right-clicked and chose 'Edit as new...', which caused this crash.

There is a similar report on Launchpad for Thunderbird 2 with similar comments.

Frame Module Signature Source
0 thunderbird-bin MimeDecoderWrite mailnews/mime/src/mimeenc.cpp:189
1 thunderbird-bin mime_decompose_file_output_fn mailnews/mime/src/mimedrft.cpp:1962
2 thunderbird-bin MimeMessage_parse_line mailnews/mime/src/mimemsg.cpp:222
3 thunderbird-bin MimeObject_parse_eof mailnews/mime/src/mimeobj.cpp:299
4 thunderbird-bin MimeContainer_parse_eof mailnews/mime/src/mimecont.cpp:129
5 thunderbird-bin MimeMessage_parse_eof mailnews/mime/src/mimemsg.cpp:542
6 thunderbird-bin mime_parse_stream_complete mailnews/mime/src/mimedrft.cpp:1209
7 thunderbird-bin nsStreamConverter::OnStopRequest mailnews/mime/src/nsStreamConverter.cpp:1068
8 thunderbird-bin nsImapCacheStreamListener::OnStopRequest mailnews/imap/src/nsImapProtocol.cpp:8333
9 thunderbird-bin nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:576
10 thunderbird-bin nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:401
11 libxpcom_core.so nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
12 libxpcom_core.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:521
13 libxpcom_core.so NS_ProcessNextEvent_P nsThreadUtils.cpp:236
14 thunderbird-bin nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
15 thunderbird-bin nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
16 thunderbird-bin XRE_main toolkit/xre/nsAppRunner.cpp:3321
17 thunderbird-bin main mail/app/nsMailApp.cpp:103

Revision history for this message
Jiří Kovalský (cesilko) wrote :
Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt (retraced)

StacktraceTop:
MimeDecoderWrite (data=0x97d1b90, buffer=0x26a387d "\n", size=0)
mime_decompose_file_output_fn (buf=0x26a387e "", size=1,
MimeMessage_parse_line (aLine=0xa3a4b48 "�i",
MimeObject_parse_eof (obj=0xa3a3890, abort_p=0)
MimeContainer_parse_eof (object=0xa3a3890, abort_p=0)

Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt (retraced)
Changed in thunderbird (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Revision history for this message
In , Ludovic-mozillamessaging (ludovic-mozillamessaging) wrote :

Can we get an email in .eml format attached to this bug so we have a testcase and can fix the issue?

Micah Gersten (micahg)
visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software.
I'm going to mark it as Triaged and wait for upstream to work on this. Thanks for taking the time to make Ubuntu better! Please report any other issues you may find.

summary: - thunderbird-bin crashed with SIGSEGV
+ thunderbird-bin crashed with SIGSEGV when trying to Edit as New
Changed in thunderbird (Ubuntu):
status: New → Triaged
Changed in thunderbird:
status: Unknown → Confirmed
Revision history for this message
In , Vseerror (vseerror) wrote :

This is a rare crash, ~2 per month. Most don't have comments.
I examined crashes going back to July 10 and emailed submitter of
bp-cb7208d7-c8ab-426e-89a8-60a8f2091107
using 3.0a2
0 thunderbird-bin MimeDecoderWrite mozilla/mailnews/mime/src/mimeenc.cpp:189
1 thunderbird-bin mime_decompose_file_output_fn mozilla/mailnews/mime/src/mimedrft.cpp:1969
2 thunderbird-bin MimeMessage_parse_line mozilla/mailnews/mime/src/mimemsg.cpp:230
3 thunderbird-bin MimeObject_parse_eof mozilla/mailnews/mime/src/mimeobj.cpp:312
4 thunderbird-bin MimeContainer_parse_eof mozilla/mailnews/mime/src/mimecont.cpp:129
5 thunderbird-bin MimeMessage_parse_eof mozilla/mailnews/mime/src/mimemsg.cpp:550
6 thunderbird-bin mime_parse_stream_complete mozilla/mailnews/mime/src/mimedrft.cpp:1246
7 thunderbird-bin nsStreamConverter::OnStopRequest mozilla/mailnews/mime/src/nsStreamConverter.cpp:1027

MimeDecoderWrite(MimeDecoderData*, char const*, int) appears for Mac also but I didn't check if stack is same

Revision history for this message
Micah Gersten (micahg) wrote :

Upstream requested an .eml file that crashes. Do you have one that's not private? Thanks.

Revision history for this message
In , Mozilla-bugs-micahscomputing (mozilla-bugs-micahscomputing) wrote :

Created an attachment (id=419127)
Test E-Mail that causes crash for LP user

Revision history for this message
In , Bienvenu (bienvenu) wrote :

I fixed a crash in the mimedrft code which might fix this problem. The fix is in the 3.01 nightlies, and the 3.1 nightlies. bug 532693 has the fix I'm thinking of.

Revision history for this message
Jiří Kovalský (cesilko) wrote :

Yes, here is the e-mail. Please open it. It contains email "Telefonní číslo.eml" which crashes Thunderbird if you open it and try to "Edit Message As New".

Hope this helps. Good luck and Merry Christmas! :-)

Revision history for this message
Micah Gersten (micahg) wrote :

Thanks Jiří Kovalský, I passed this on upstream.

Revision history for this message
Micah Gersten (micahg) wrote :

@Jiří Kovalský

Are you willing to try the daily build of 3.0? Upstream said this might have been fixed on Monday. It will import your 2.0 profile into a new directory. It's called Shredder in the menu and you can launch from a terminal as thunderbird-3.0
https://edge.launchpad.net/~ubuntu-mozilla-daily/+archive/ppa/

Revision history for this message
Jiří Kovalský (cesilko) wrote :

Yes, I will give it a try and let you know. Thanks guys!

Revision history for this message
Jiří Kovalský (cesilko) wrote :
Revision history for this message
Jiří Kovalský (cesilko) wrote :
Revision history for this message
Jiří Kovalský (cesilko) wrote :

So, it works fine in build #20091224r4571 i.e. no crash! On the other hand the e-mail name is displayed incorrectly without proper encoding. See attached screenshots for comparison. Is this a regression caused by the fix?

Revision history for this message
Micah Gersten (micahg) wrote :

@Jiří Kovalský

Let's file a new bug for that encoding issue and I'll try to get upstream to look at it. Thanks for helping us test.

Revision history for this message
In , Mozilla-bugs-micahscomputing (mozilla-bugs-micahscomputing) wrote :

*** Bug 536498 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Mozilla-bugs-micahscomputing (mozilla-bugs-micahscomputing) wrote :

Launchpad user confirmed that the 3.0.1 nightly build fixes the problem.

*** This bug has been marked as a duplicate of bug 532693 ***

Revision history for this message
Micah Gersten (micahg) wrote :

Changing upstream to the bug that actually fixed the crash.

Changed in thunderbird:
status: Confirmed → Unknown
milestone: none → 3.0.1
Changed in thunderbird:
status: Unknown → Fix Released
Revision history for this message
In , Ludovic-mozillamessaging (ludovic-mozillamessaging) wrote :

V. Fixed based on the use of the email example pointed by rkent.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.0.1+nobinonly-0ubuntu1

---------------
thunderbird (3.0.1+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.0.1 (THUNDERBIRD_3_0_1_RELEASE)
    - fix LP: #257483 - thunderbird-bin crashed with Badwindow Error
    - fix LP: #499603 - thunderbird-bin crashed with SIGSEGV when trying to
                        Edit as New

  * Fix FTBFS on Sparc by disabling jit (LP: #523627)
    - update debian/rules
  * Drop cairo FTBFS patch after upstream landing
    - drop debian/patches/bz466250_att349521_fix_ftbfs_with_cairo_fb.patch
    - update debian/series
 -- Micah Gersten <email address hidden> Sun, 21 Feb 2010 12:15:33 -0600

Changed in thunderbird (Ubuntu):
status: Triaged → Fix Released
Changed in thunderbird:
importance: Unknown → Critical