Bug#390230: More information

[nicolas . bonifas]

Hello,
I think I found the origin of the bug: it is caused by an out-of-bound value
being given to flagp, in js_GC. The top of the execution stack follows.
I can easily reproduce the bug. I just have to add a new account, and check the
mail on a pop3 account that contains a lot of mails (the problem generaly
happens around the 1000th mail).
This bug should probably be reported upstream, as it is not Debian-specific.
Regards,
Nicolas

(gdb) bt full
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb74b98b6 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2  0xb74b96db in sleep () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3  0x08064559 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:133
No locals.
#4  0x08065c61 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
        oldact = (sigaction *) 0x806c980
#5  <signal handler called>
No symbol table info available.
#6  0xb7e63921 in js_GC (cx=0x822c000, gcflags=0)
    at /home/tbird/mozilla/js/src/jsgc.c:1855
        rt = (JSRuntime *) 0x8158e80
        iter = (JSContext *) 0x0
        acx = (JSContext *) 0x0
        fp = (JSStackFrame *) 0x0
        chain = (JSStackFrame *) 0x0
        i = 0
        depth = 6
        nslots = 0
        type = 0
        sh = (JSStackHeader *) 0x0
        tvr = (JSTempValueRooter *) 0x0
        nbytes = 8
        nflags = 1
        a = (JSArena *) 0x8b657b8
        ap = (JSArena **) 0x0
        flags = 0 '\0'
        flagp = (uint8 *) 0x2005 <Address 0x2005 out of bounds>
        split = (uint8 *) 0x8a80c00 ""
        thing = (JSGCThing *) 0x8a80c08
        limit = (JSGCThing *) 0x8b67800
        flp = (JSGCThing **) 0x5
        oflp = (JSGCThing **) 0x82f1648
        finalizer = (GCFinalizeOp) 0xb7e92056 <js_FinalizeObject>
        bytesptr = (uint32 *) 0x8158fec
        all_clear = 114880
        currentThread = 134665544
        requestDebit = 1
#7  0xb7e62a7a in js_ForceGC (cx=0x822c000, gcflags=0)
    at /home/tbird/mozilla/js/src/jsgc.c:1515
        i = 16
#8  0xb7e26e0c in JS_GC (cx=0x822c000)
    at /home/tbird/mozilla/js/src/jsapi.c:1830
No locals.
#9  0xb7e26e7c in JS_MaybeGC (cx=0x822c000)
    at /home/tbird/mozilla/js/src/jsapi.c:1852
        rt = (JSRuntime *) 0x8158e80
        bytes = 216099
        lastBytes = 143343
#10 0xb551b36f in nsJSContext::ScriptEvaluated (this=0x822b860, aTerminated=0)
    at /home/tbird/mozilla/dom/src/base/nsJSEnvironment.cpp:2098
No locals.
#11 0xb551a79a in nsJSContext::ScriptExecuted (this=0x822b860)
    at /home/tbird/mozilla/dom/src/base/nsJSEnvironment.cpp:2174
No locals.
#12 0xb72454e5 in ~AutoScriptEvaluate (this=0xbfd183a0)
    at /home/tbird/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:106
No locals.
#13 0xb72477b4 in nsXPCWrappedJSClass::CallMethod (this=0x887a9e0,
    wrapper=0x887ab68, methodIndex=6, info=0x848c168, nativeParams=0xbfd18560)
    at /home/tbird/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1659
        stackbase = (jsval *) 0x8baef60
        sp = (jsval *) 0x8baef6c
        i = 1 '\001'
        argc = 1 '\001'