Crash in [@ mozilla::mozHunspellCallbacks::GetLine]
Categories
(Core :: Spelling checker, defect, P2)
Tracking
Release | Tracking | Status |
---|---|---|
thunderbird_esr91 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox-esr91 | --- | unaffected |
firefox92 | --- | unaffected |
firefox93 | --- | unaffected |
firefox94 | blocking | verified disabled |
firefox95 | blocking | fixed |
People
(Reporter: mccr8, Assigned: shravanrn)
References
(Regression)
Attachments
(4 obsolete files)
Crash report: https://crash-stats.mozilla.org/report/index/56a1a777-ff81-4f3a-a7f4-bf66f0211001
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(t_line)
Top 10 frames of crashing thread:
0 xul.dll static mozilla::mozHunspellCallbacks::GetLine extensions/spellcheck/hunspell/glue/mozHunspellRLBoxHost.cpp:153
1 xul.dll static rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::sandbox_callback_interceptor<bool, unsigned int, char**> third_party/rlbox/include/rlbox_sandbox.hpp:273
2 xul.dll static rlbox::rlbox_wasm2c_sandbox::callback_interceptor<1, bool, unsigned int, unsigned int> third_party/rlbox_wasm2c_sandbox/include/rlbox_wasm2c_sandbox.hpp:310
3 rlbox.dll w2c_FileMgr__getline_std____2__basic_string_char__std____2__char_traits_char___std____2__allocator_char_____ security/rlbox/rlbox.dll.wasm.c:33149
4 rlbox.dll w2c_HashMgr__load_tables_char_const___char_const__ security/rlbox/rlbox.dll.wasm.c:82026
5 rlbox.dll w2c_HashMgr__HashMgr_char_const___char_const___char_const__ security/rlbox/rlbox.dll.wasm.c:81066
6 rlbox.dll w2c_HunspellImpl__HunspellImpl_char_const___char_const___char_const__ security/rlbox/rlbox.dll.wasm.c:90836
7 rlbox.dll w2c_Hunspell_create security/rlbox/rlbox.dll.wasm.c:109083
8 xul.dll RLBoxHunspell::RLBoxHunspell extensions/spellcheck/hunspell/glue/RLBoxHunspell.cpp:78
9 xul.dll mozHunspell::SetDictionary extensions/spellcheck/hunspell/glue/mozHunspell.cpp:189
This is a release assert on the result of aSandbox.malloc_in_sandbox().
Comment 1•3 years ago (Reporter)
There were 8 of these crashes from 4 installations in the 20210929155324 build, but I don't know if that's just a fluke.
Comment 2•3 years ago
All with Windows 32-bit. Regression from bug 1727266?
Comment 3•3 years ago (Assignee)
investigating
Comment 4•3 years ago (Assignee)
It looks like this bug is due to the hunspell rlbox sandbox running out of memory when processing the spell checking.
A couple of observations:
- The likelihood that this happens on 32-bit platforms more than 64-bit is expected as the 32-bit platforms provide a lesser amount of memory per sandbox (8mb per sandbox currently) compared to sandboxes on 64-bit platforms (4gb per sandbox)
- It is surprising that this is seen only on Windows 32. There should be no reason this is different from Linux 32-bit. The only point of difference I can think of is that this code reads text files, and text files on Windows end each line with "\r\n" instead of Unix's "\n", making them slightly larger, but this is unlikely to be the culprit due to the small difference.
Despite the source of the issue, the next steps we have to take are identical:
1. Try to repro the crashes by replicating the locales/platforms in the crash report (we tried this and so far no repros found)
2. Land patch for bug 1734421 which is an unrelated bug (despite first appearances); however the fix for that bug happens to expand the 32-bit sandbox memory from 8mb to 16mb which will help here.
3. Land a patch that gracefully handles malloc failure and returns an error code instead of failing
4. Run additional tests to make sure there are no memory leaks within the sandboxed code that are causing this OOM
Comment 5•3 years ago (Assignee)
Comment 6•3 years ago (Assignee)
Comment 7•3 years ago (Assignee)
> 3. Land a patch that gracefully handles malloc failure and returns an error code instead of failing
> 4. Run additional tests to make sure there are no memory leaks within the sandboxed code that are causing this OOM
Confirmed that there is a memory leak in allocations made inside sandbox memory (point 4 above). While the memory leak is sandboxed, the sandbox eventually runs out of space.
The submitted phab handles both point 3 and point 4.
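The failure mode discussed in comments 4 and 7, as an added C++ illustration that is not Firefox or RLBox code: a capped toy heap that a leaking caller exhausts, and a GetLine-style callback that reports allocation failure to its caller instead of asserting. `ToySandbox`, `free_in_sandbox`, `LoadLines` and the 64-byte cap used to exercise it are hypothetical; only the names `GetLine` and `malloc_in_sandbox` are borrowed from the report.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <unordered_map>
#include <vector>

// Toy heap with a hard cap: a hypothetical stand-in, not RLBox or Firefox code.
struct ToySandbox {
  explicit ToySandbox(size_t cap) : cap_(cap) {}
  ~ToySandbox() { for (auto& kv : live_) delete[] kv.first; }
  char* malloc_in_sandbox(size_t n) {  // nullptr once the cap is reached
    if (n > cap_ - used_) return nullptr;
    used_ += n;
    return live_.emplace(new char[n], n).first->first;
  }
  void free_in_sandbox(char* p) {
    auto it = live_.find(p);
    if (it == live_.end()) return;
    used_ -= it->second;
    live_.erase(it);
    delete[] p;
  }
  size_t used() const { return used_; }
  size_t cap_, used_ = 0;
  std::unordered_map<char*, size_t> live_;  // outstanding allocations and sizes
};

// Host callback: copy one line into sandbox memory. On OOM it returns false
// to the caller where an assert on the allocation would abort the process.
bool GetLine(ToySandbox& sb, const std::string& line, char** out) {
  *out = sb.malloc_in_sandbox(line.size() + 1);
  if (!*out) return false;
  std::memcpy(*out, line.c_str(), line.size() + 1);
  return true;
}

// Returns how many lines loaded; `release` frees each buffer after use.
size_t LoadLines(ToySandbox& sb, const std::vector<std::string>& lines, bool release) {
  size_t ok = 0;
  char* p = nullptr;
  for (const auto& l : lines) {
    if (!GetLine(sb, l, &p)) break;  // stop cleanly instead of aborting
    if (release) sb.free_in_sandbox(p);
    ++ok;
  }
  return ok;
}
```

With a 64-byte cap and ten constructed 15-character lines, `LoadLines(sb, lines, false)` stops after four lines because nothing is freed, while `LoadLines(sb, lines, true)` loads all ten.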
Comment 8•3 years ago
Bug 1727266 was backed out for 94.0b3, so hopefully we'll see these crashes go away there. Will call this fixed for 94 once we see that reflected in the crash reports.
Comment 9•3 years ago (Assignee)
Comment 10•3 years ago
Comment 11•3 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Bug 1727266 was backed out for 94.0b3, so hopefully we'll see these crashes go away there. Will call this fixed for 94 once we see that reflected in the crash reports.
No crashes in 94.0b3.
Comment 13•3 years ago
This bug is now rather confusing. Some stuff was disabled, but not because of a patch in this bug, and then there are some other patches around.
Since this bug was apparently used for https://hg.mozilla.org/mozilla-central/rev/d65c4c465903, could the rlbox fixes (which aren't really spellchecker related) be moved to some new bug?
Comment 14•3 years ago
Changing the priority to p2 as the bug is tracked by a release manager for the current nightly.
See What Do You Triage for more information
Comment 15•3 years ago (Assignee)
Comment 16•3 years ago
Comment 17•3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/29ed3620fa91
https://hg.mozilla.org/mozilla-central/rev/d52827e69092
https://hg.mozilla.org/mozilla-central/rev/a6fef4dc35c2
Comment 18•3 years ago
Backed out for causing sandboxing crashes with the spellchecker (Bug 1736171)
Backout link: https://hg.mozilla.org/integration/autoland/rev/8ad4b1bf184499ef0550b1014f6e7326ed132750
Comment 19•3 years ago
Backout merged to central: https://hg.mozilla.org/mozilla-central/rev/8ad4b1bf184499ef0550b1014f6e7326ed132750
Comment 20•3 years ago
Comment on attachment 9246087 [details]
Bug 1733686 part 3 - Re-enable hunspell rlbox sandbox on 32-bits platforms. r=glandium
Revision D128571 was moved to bug 1737704. Setting attachment 9246087 [details] to obsolete.
Comment 21•3 years ago
Comment on attachment 9244659 [details]
Bug 1733686 - Fix Hunspell memory cleanup and OOM handling r=glandium
Revision D127736 was moved to bug 1737740. Setting attachment 9244659 [details] to obsolete.
Comment 22•3 years ago
The specific issue that was causing these crashes was fixed in bug 1737740, and reenabling hunspell on 32-bit is tracked in bug 1737704.
I'm closing this bug out. Given the confusing history of this bug, please file new bugs for any further issues.