Closed Bug 608639 Opened 9 years ago Closed 8 years ago

Segmentation fault when reading from dictionary file [@ AffixMgr::parse_file]

Categories

(Core :: Spelling checker, defect, critical)

1.9.2 Branch
x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 710940

People

(Reporter: virchanza, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12

Firefox kept crashing on lots of different pages. I tried creating a new profile for Firefox and I also tried running it in safe mode, but it still crashed.

Eventually I installed the "firefox-gdb" package so that I could try to run the GDB debugger and find the problem. The backtrace says that there's a segfault in "AffixMgr::parse_file".

Here's the backtrace:

(gdb) run
Starting program: /usr/lib/firefox-3.6.12/firefox-bin '-safe-mode'
[Thread debugging using libthread_db enabled]
[New Thread 0xb53f0b70 (LWP 2744)]
[New Thread 0xb4befb70 (LWP 2745)]
[New Thread 0xb40ffb70 (LWP 2746)]
[New Thread 0xb38feb70 (LWP 2747)]
[New Thread 0xb2effb70 (LWP 2748)]
[New Thread 0xb26feb70 (LWP 2749)]
[New Thread 0xb18ffb70 (LWP 2750)]
[New Thread 0xadfffb70 (LWP 2751)]
[Thread 0xadfffb70 (LWP 2751) exited]
[New Thread 0xadfffb70 (LWP 2752)]
[New Thread 0xad0ffb70 (LWP 2753)]
[New Thread 0xac8feb70 (LWP 2754)]
[New Thread 0xac0fdb70 (LWP 2755)]
[New Thread 0xab1ffb70 (LWP 2756)]
[New Thread 0xaa9feb70 (LWP 2757)]
[Thread 0xaa9feb70 (LWP 2757) exited]
[New Thread 0xaa9feb70 (LWP 2758)]
[New Thread 0xa96ffb70 (LWP 2759)]
[New Thread 0xa8efeb70 (LWP 2760)]
[New Thread 0xa86fdb70 (LWP 2761)]
[Thread 0xa86fdb70 (LWP 2761) exited]
[New Thread 0xa86fdb70 (LWP 2762)]

Program received signal SIGSEGV, Segmentation fault.
0xb7b480a7 in AffixMgr::parse_file (this=0xa9fdb000, affpath=0xa9a451c8 "/usr/lib/firefox-3.6.12/dictionaries/th.aff", key=0x0)
    at affixmgr.cpp:759
759	affixmgr.cpp: No such file or directory.
	in affixmgr.cpp
(gdb) backtrace
#0  0xb7b480a7 in AffixMgr::parse_file (this=0xa9fdb000, affpath=0xa9a451c8 "/usr/lib/firefox-3.6.12/dictionaries/th.aff", key=0x0)
    at affixmgr.cpp:759
#1  0xb7b484e7 in AffixMgr::AffixMgr (this=0xa9fdb000, affpath=0xa9a451c8 "/usr/lib/firefox-3.6.12/dictionaries/th.aff", ptr=0xa9d4e484, 
    md=0xa9d4e4d4, key=0x0) at affixmgr.cpp:168
#2  0xb7b52013 in Hunspell::Hunspell (this=0xa9d4e480, affpath=0xa9a451c8 "/usr/lib/firefox-3.6.12/dictionaries/th.aff", 
    dpath=0xbfffe34c "/usr/lib/firefox-3.6.12/dictionaries/th.dic", key=0x0) at hunspell.cpp:92
#3  0xb7b3b23d in mozHunspell::SetDictionary (this=0xa9a45160, aDictionary=0xa9d611a8) at mozHunspell.cpp:168
#4  0xb7b321b0 in mozSpellChecker::SetCurrentDictionary (this=0xa9cc0920, aDictionary=...) at mozSpellChecker.cpp:385
#5  0xb7a336fe in nsEditorSpellCheck::SetCurrentDictionary (this=0xa9cc9a20, aDictionary=0xa9d611a8) at nsEditorSpellCheck.cpp:464
#6  0xb7a344f8 in nsEditorSpellCheck::InitSpellChecker (this=0xa9cc9a20, aEditor=0xa979d5c0, aEnableSelectionChecking=0)
    at nsEditorSpellCheck.cpp:241
#7  0xb7b36d86 in mozInlineSpellChecker::SetEnableRealTimeSpell (this=0xa9cc0740, aEnabled=1) at mozInlineSpellChecker.cpp:733
#8  0xb7773f97 in nsEditor::SyncRealTimeSpell (this=0xa979d5c0) at nsEditor.cpp:1383
#9  0xb776e2e9 in nsEditor::PostCreate (this=0xa979d5c0) at nsEditor.cpp:292
#10 0xb74efa10 in nsTextControlFrame::InitEditor (this=0xa9cee608) at nsTextControlFrame.cpp:1585
#11 0xb74eff30 in nsTextControlFrame::DelayedEditorInit (this=0xa9cee608) at nsTextControlFrame.cpp:1358
#12 0xb74f1d6b in nsTextControlFrame::EditorInitializer::Run (this=0xa9cc9600) at nsTextControlFrame.h:232
#13 0xb75a1d31 in nsContentUtils::RemoveScriptBlocker () at nsContentUtils.cpp:4495
#14 0xb75bd805 in nsDocument::EndUpdate (this=0xa985e000, aUpdateType=1) at nsDocument.cpp:3929
#15 0xb7680225 in nsHTMLDocument::EndUpdate (this=0xa985e000, aUpdateType=1) at nsHTMLDocument.cpp:3034
#16 0xb75220c3 in mozAutoDocUpdate::~mozAutoDocUpdate (this=0xbfffe938, __in_chrg=<value optimized out>)
    at ./../../content/base/src/mozAutoDocUpdate.h:66
#17 0xb7678dac in SinkContext::FlushTags (this=0xa9a347f0) at nsHTMLContentSink.cpp:1388
#18 0xb7678b56 in HTMLContentSink::FlushPendingNotifications (this=0xa985e400, aType=Flush_ContentAndNotify) at nsHTMLContentSink.cpp:3177
#19 0xb75b839c in nsDocument::FlushPendingNotifications (this=0xa985e000, aType=Flush_ContentAndNotify) at nsDocument.cpp:6435
#20 0xb7482fcb in PresShell::FlushPendingNotifications (this=0xa97be5c0, aType=Flush_InterruptibleLayout) at nsPresShell.cpp:4867
#21 0xb747c878 in PresShell::ReflowEvent::Run (this=0xa9ae83f0) at nsPresShell.cpp:7106
#22 0xb7c2936c in nsThread::ProcessNextEvent (this=0xb5cda380, mayWait=0, result=0xbfffeacc) at nsThread.cpp:527
#23 0xb7bf7c53 in NS_ProcessNextEvent_P (thread=0x0, mayWait=0) at nsThreadUtils.cpp:250
#24 0xb7b6d9db in mozilla::ipc::MessagePump::Run (this=0xb5cac430, aDelegate=0xb5c28600) at MessagePump.cpp:110
#25 0xb7bc6156 in MessageLoop::RunInternal (this=0xb5c28600) at ./src/base/message_loop.cc:216
#26 0xb7bc617a in MessageLoop::RunHandler (this=0xb5c28600) at ./src/base/message_loop.cc:199
#27 0xb7bc61f1 in MessageLoop::Run (this=0xb5c28600) at ./src/base/message_loop.cc:173
#28 0xb7ac70e0 in nsBaseAppShell::Run (this=0xb1aa34c0) at nsBaseAppShell.cpp:174
#29 0xb7988960 in nsAppStartup::Run (this=0xb1ade970) at nsAppStartup.cpp:183
#30 0xb72c37c5 in XRE_main (argc=2, argv=0xbffff234, aAppData=0xb5c16380) at nsAppRunner.cpp:3483
#31 0x001117a4 in main (argc=2, argv=0xbffff234) at nsBrowserApp.cpp:158
(gdb) 

As a temporary solution, I was able to get Firefox working again by deleting all the "th*" dictionary files.

I never had a problem with Firefox crashing until I did a distro-upgrade from Ubuntu Lucid to Ubuntu Maverick. Right after I upgraded to Maverick, Firefox started crashing all the time.

Reproducible: Always

Steps to Reproduce:
1. Open Firefox
2. Navigate to Youtube.com
3. Click on any video at all to view it, and... well... the Firefox window disappears suddenly without a trace.
Actual Results:  

The Firefox window just disappears without a trace! (I had to run the GDB debugger to figure out what was going on)

Expected Results:  

It should have opened a page showing a Youtube video.


I didn't have any problems with Firefox until I did a distro-upgrade from Ubuntu Lucid to Ubuntu Maverick.

Right after I upgraded to Maverick, I saw that Firefox was crashing all the time.

The problem went away after I deleted all of my "th*" dictionary files.
Component: General → Spelling checker
Product: Firefox → Core
QA Contact: general → spelling-checker
Version: unspecified → 1.9.2 Branch
Keywords: crash
Summary: Segmentation fault when reading from dictionary file (AffixMgr::parse_file) → Segmentation fault when reading from dictionary file [@ AffixMgr::parse_file]
By the way, I still have a backup of the "th*" dictionary files on my hard disk in case anyone would like to try them out while debugging this. If you would like a copy of the files then you can e-mail me on this address:

BBBvirBBBchanza@vBBBirjaBBBcode.cBBBomBBB

Remove all the uppercase B's.
Virchanza, can you try this on a current nightly build? The 3.6 branch is using an older version of Hunspell and I'm curious if the newer version on trunk fixes this crash.
Sorry to sound like an idiot, Ryan, but I don't know what the "current nightly build" is or how to get it running on my machine???

I've only ever debugged my own programs -- this is the first time I've ever tried to debug someone else's program (only because I love Firefox so much and I've been stuck using Arora for the last week or so, I had to get Firefox working again!)

I'm running Ubuntu Maverick 10.10 and I have extensive knowledge of Linux. I'm very comfortable at the command line. Can you please talk me through the steps to download and run the current nightly build? I don't suppose it's as easy as "apt-get install"?
OK I went to "nightly.mozilla.org" and I downloaded the "Linux Intel" file built on 2010-11-01.

I untarred the file, and I navigated into the "firefox" folder. Then I copied my original "th*" dictionary files into the "dictionaries" folder. I ran the firefox program (which actually came up as Minefield or something), and I navigated to the YouTube website, and then I clicked on a video.

The nightly build did NOT crash, it worked fine with my "th*" dictionary files.
After trying out the Nightly build, I restored my original "th*" dictionary files in /usr/lib/firefox-3.6.12/dictionaries.

I then ran my normal version of Firefox, and I expected it to crash again when I went to view a YouTube video.

...but it didn't. No more crashing. The only thing that was different was that Firefox checked the compatibility of plug-ins when it started up. Now it works fine, it doesn't crash.

Damned if I know.
Hmm, very interesting. Maybe a stupid idea, but if you still have the crashing th* file saved somewhere, can you MD5 that and the original one (that's no longer crashing) to confirm no changes were made to the file somehow?
Crash Signature: [@ AffixMgr::parse_file]
The crash is also here on linux amd64, FF 8.0, trying to switch to th-locale!

#0  0x00007ffff579902f in AffixMgr::parse_file (this=0x7fffe6183000, affpath=<value optimized out>, key=<value optimized out>)
    at /usr/src/debug/mozilla/extensions/spellcheck/hunspell/src/affixmgr.cpp:807
#1  0x00007ffff57994b1 in AffixMgr::AffixMgr (this=0x7fffe6183000, affpath=<value optimized out>, ptr=<value optimized out>, md=<value optimized out>, 
    key=<value optimized out>) at /usr/src/debug/mozilla/extensions/spellcheck/hunspell/src/affixmgr.cpp:167
#2  0x00007ffff579c6a2 in Hunspell::Hunspell (this=0x7fffd0e25790, affpath=0x7fffd1bbeab8 "/usr/lib64/firefox/dictionaries/th-TH.aff", dpath=
    0x7fffffff9560 "/usr/lib64/firefox/dictionaries/th-TH.dic", key=0x0) at /usr/src/debug/mozilla/extensions/spellcheck/hunspell/src/hunspell.cpp:84
#3  0x00007ffff578cdf7 in mozHunspell::SetDictionary (this=0x7fffd2211020, aDictionary=<value optimized out>)
    at /usr/src/debug/mozilla/extensions/spellcheck/hunspell/src/mozHunspell.cpp:196
#4  0x00007ffff586040a in NS_InvokeByIndex_P (that=<value optimized out>, methodIndex=<value optimized out>, paramCount=1, params=<value optimized out>)
    at /usr/src/debug/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
#5  0x00007ffff5512e26 in Invoke (ccx=<value optimized out>, mode=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:3119
#6  Call (ccx=<value optimized out>, mode=<value optimized out>) at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2373
#7  XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2337
#8  0x00007ffff5516676 in XPC_WN_GetterSetter (cx=0x7fffe19b5400, argc=1, vp=0x7fffe6ffe258)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1641
#9  0x00007ffff5a502ba in CallJSNative (cx=0x7fffe19b5400, argsRef=<value optimized out>, construct=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:281
#10 js::Invoke (cx=0x7fffe19b5400, argsRef=<value optimized out>, construct=<value optimized out>) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:657
#11 0x00007ffff5a508f7 in Invoke (cx=0x7fffe19b5400, thisv=..., fval=..., argc=1, argv=<value optimized out>, rval=0x7fffffffa480)
    at /usr/src/debug/mozilla/js/src/jsinterp.h:169
#12 js::ExternalInvoke (cx=0x7fffe19b5400, thisv=..., fval=..., argc=1, argv=<value optimized out>, rval=0x7fffffffa480)
    at /usr/src/debug/mozilla/js/src/jsinterp.cpp:809
#13 0x00007ffff5a50980 in js::ExternalGetOrSet (cx=0x7fffe19b5400, obj=0x7fffd290f768, id=<value optimized out>, fval=..., mode=<value optimized out>, argc=
    1, argv=0x7fffffffa480, rval=0x7fffffffa480) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:849
#14 0x00007ffff5a68108 in set (cx=0x7fffe19b5400, obj=0x7fffd290f768, shape=0x7fffd291abc0, added=false, strict=<value optimized out>, vp=0x7fffffffa480)
    at /usr/src/debug/mozilla/js/src/jsscopeinlines.h:294
#15 js_NativeSet (cx=0x7fffe19b5400, obj=0x7fffd290f768, shape=0x7fffd291abc0, added=false, strict=<value optimized out>, vp=0x7fffffffa480)
    at /usr/src/debug/mozilla/js/src/jsobj.cpp:5232
#16 0x00007ffff5a6a260 in js_SetPropertyHelper (cx=0x7fffe19b5400, obj=0x7fffd290f768, id=<value optimized out>, defineHow=<value optimized out>, vp=
    0x7fffffffa480, strict=0) at /usr/src/debug/mozilla/js/src/jsobj.cpp:5699
#17 0x00007ffff5c60cfd in js::Interpret (cx=0x7fffe19b5400, entryFrame=0x7fffe6ffe090, interpMode=js::JSINTERP_NORMAL)
    at /usr/src/debug/mozilla/js/src/jsinterp.cpp:3823
#18 0x00007ffff5a501d4 in js::Invoke (cx=0x7fffe19b5400, argsRef=<value optimized out>, construct=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jsinterp.cpp:687
#19 0x00007ffff5a508f7 in Invoke (cx=0x7fffe19b5400, thisv=..., fval=..., argc=1, argv=<value optimized out>, rval=0x7fffffffa7d8)
    at /usr/src/debug/mozilla/js/src/jsinterp.h:169
#20 js::ExternalInvoke (cx=0x7fffe19b5400, thisv=..., fval=..., argc=1, argv=<value optimized out>, rval=0x7fffffffa7d8)
    at /usr/src/debug/mozilla/js/src/jsinterp.cpp:809
#21 0x00007ffff59db961 in JS_CallFunctionValue (cx=0x7fffe19b5400, obj=<value optimized out>, fval=18445618173040569312, argc=<value optimized out>, 
    argv=<value optimized out>, rval=<value optimized out>) at /usr/src/debug/mozilla/js/src/jsapi.cpp:5052
#22 0x00007ffff52b4c05 in nsJSContext::CallEventHandler (this=0x7fffe19b1f40, aTarget=<value optimized out>, aScope=<value optimized out>, 
    aHandler=<value optimized out>, aargv=0x7fffd0e32a40, arv=0x7fffffffaa00) at /usr/src/debug/mozilla/dom/base/nsJSEnvironment.cpp:1902
#23 0x00007ffff52f1fef in nsJSEventListener::HandleEvent (this=0x7fffdd135a80, aEvent=0x7fffd0e44ba0)
    at /usr/src/debug/mozilla/dom/src/events/nsJSEventListener.cpp:224
#24 0x00007ffff51cfcd5 in nsEventListenerManager::HandleEventSubType (this=0x7fffdd156c00, aListenerStruct=0x7fffdd156c28, aListener=0x7fffdd135a80, 
    aDOMEvent=0x7fffd0e44ba0, aCurrentTarget=0x7fffdd156b80, aPhaseFlags=<value optimized out>, aPusher=0x7fffffffadd0)
    at /usr/src/debug/mozilla/content/events/src/nsEventListenerManager.cpp:865
#25 0x00007ffff51cfeae in nsEventListenerManager::HandleEventInternal (this=0x7fffdd156c00, aPresContext=0x7fffdf76b000, aEvent=0x7fffd1b17040, aDOMEvent=
    0x7fffffffadb0, aCurrentTarget=0x7fffdd156b80, aFlags=6, aEventStatus=0x7fffffffadb8, aPusher=0x7fffffffadd0)
    at /usr/src/debug/mozilla/content/events/src/nsEventListenerManager.cpp:919
#26 0x00007ffff51e37ff in nsEventTargetChainItem::HandleEvent (this=0x7fffe3fda9a0, aVisitor=..., aFlags=6, aMayHaveNewListenerManagers=0, aPusher=
   0x7fffffffadd0) at /usr/src/debug/mozilla/content/events/src/nsEventDispatcher.cpp:215
#27 0x00007ffff51e3940 in nsEventTargetChainItem::HandleEventTargetChain (this=0x7fffe3fda4d0, aVisitor=..., aFlags=6, aCallback=0x0, 
    aMayHaveNewListenerManagers=0, aPusher=0x7fffffffadd0) at /usr/src/debug/mozilla/content/events/src/nsEventDispatcher.cpp:344
#28 0x00007ffff51e3fed in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=0x7fffe3fda4d0, aEvent=0x7fffd1b17040, aDOMEvent=
    0x7fffd0e44ba0, aEventStatus=0x7fffffffaffc, aCallback=0x0, aTargets=0x0) at /usr/src/debug/mozilla/content/events/src/nsEventDispatcher.cpp:672
#29 0x00007ffff51e4216 in nsEventDispatcher::DispatchDOMEvent (aTarget=0x7fffdd156b80, aEvent=<value optimized out>, aDOMEvent=0x7fffd0e44ba0, aPresContext=
    0x7fffdf76b000, aEventStatus=0x7fffffffaffc) at /usr/src/debug/mozilla/content/events/src/nsEventDispatcher.cpp:735
#30 0x00007ffff5008bee in PresShell::HandleDOMEventWithTarget (this=0x7fffdf75a800, aTargetContent=0x7fffdd156b80, aEvent=0x7fffd0e44ba0, 
    aStatus=<value optimized out>) at /usr/src/debug/mozilla/layout/base/nsPresShell.cpp:7163
#31 0x00007ffff513c238 in nsContentUtils::DispatchXULCommand (aTarget=0x7fffdd156b80, aTrusted=<value optimized out>, aSourceEvent=0x0, aShell=
    0x7fffdf75a800, aCtrl=0, aAlt=0, aShift=0, aMeta=0) at /usr/src/debug/mozilla/content/base/src/nsContentUtils.cpp:5174
#32 0x00007ffff510e383 in nsXULMenuCommandEvent::Run (this=0x7fffd0e2b740) at /usr/src/debug/mozilla/layout/xul/base/src/nsXULPopupManager.cpp:2373
#33 0x00007ffff585359b in nsThread::ProcessNextEvent (this=0x7ffff6d1a870, mayWait=0, result=0x7fffffffb18c)
    at /usr/src/debug/mozilla/xpcom/threads/nsThread.cpp:631
#34 0x00007ffff5825ee3 in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=<value optimized out>)
    at /usr/src/debug/obj/xpcom/build/nsThreadUtils.cpp:245
#35 0x00007ffff57ca5da in mozilla::ipc::MessagePump::Run (this=0x7ffff6dc5240, aDelegate=0x7ffff6dd60b0)
    at /usr/src/debug/mozilla/ipc/glue/MessagePump.cpp:110
#36 0x00007ffff58713d9 in RunHandler (this=0x7ffff6dd60b0) at /usr/src/debug/mozilla/ipc/chromium/src/base/message_loop.cc:205
#37 MessageLoop::Run (this=0x7ffff6dd60b0) at /usr/src/debug/mozilla/ipc/chromium/src/base/message_loop.cc:179
#38 0x00007ffff5728c1d in nsBaseAppShell::Run (this=0x7ffff6d2e740) at /usr/src/debug/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#39 0x00007ffff55f873c in nsAppStartup::Run (this=0x7fffe8a710c0) at /usr/src/debug/mozilla/toolkit/components/startup/nsAppStartup.cpp:224
#40 0x00007ffff4e90059 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>)
    at /usr/src/debug/mozilla/toolkit/xre/nsAppRunner.cpp:3544
#41 0x000000000040208d in do_main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/mozilla/browser/app/nsBrowserApp.cpp:198
#42 main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/mozilla/browser/app/nsBrowserApp.cpp:281

(gdb) l
802             strcpy(expw, wordchars);
803             free(wordchars);
804         } else *expw = '\0';
805
806         for (int i = 0; i <= 255; i++) {
807             if ( (csconv[i].cupper != csconv[i].clower) &&
808                 (! strchr(expw, (char) i))) {
809                     *(expw + strlen(expw) + 1) = '\0';
810                     *(expw + strlen(expw)) = (char) i;
811             }
(gdb) p wordchars
$1 = 0x0
(In reply to amai from comment #7)
[...]
> (gdb) p wordchars
> $1 = 0x0

That variable is innocent and not the reason, but Bug 620626#c20 looks close: csconv is NULL here. 
Any chance for a simple if() around that thing to prevent the crash??
I see relationships to bug 620626. So where to report this bug? Here or better on hunspell page (http://sourceforge.net/tracker/?atid=756395&group_id=143754&func=browse)?
Can somebody please provide the steps needed to reproduce this crash?
On my system it's trivial: Quick Locale switcher is installed (1.7.8 nowadays) and when I switch from any locale (e.g. english) to thai-locale the crash occurs.
The crash survived a couple of FF versions, not sure if the addon was updated meanwhile.
I am unable to reproduce the crash in a blank profile when switching from english to thai using Quick Locale Switcher 1.7.8. Do you have any further steps you take? Can you reproduce with an otherwise-blank profile?
Yeah, I couldn't reproduce it either.  :/
The crash happens also with a clean profile, and just installing the Quick Locale addon. Maybe the data files from suse are broken -> I attach them.
However looking at the hunspell code reveals obvious path/chance for that crash by not handling that NULL properly. Maybe one could cook up a simple unit test exhibiting that problem with my language files!?
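
The guard asked for in comment 8 and the unit test suggested in comment 14, sketched as an added example (not Hunspell's or Mozilla's code, and not the fix from bug 710940). It mirrors the loop in the affixmgr.cpp listing from comment 7; `expand_wordchars`, the `cs_info` layout, the result codes and the sample table are all assumptions made for illustration.

```cpp
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Assumed layout: only the two fields the listing reads (cupper, clower).
struct cs_info {
    unsigned char clower;
    unsigned char cupper;
};

enum ExpandResult { EXPAND_OK, EXPAND_NO_TABLE, EXPAND_TOO_SMALL };

// Hypothetical stand-in for the loop at affixmgr.cpp:806-811. It copies
// wordchars into expw, then appends every byte whose upper and lower case
// forms differ. A NULL csconv is reported to the caller instead of being
// dereferenced, and every write is checked against the buffer capacity.
ExpandResult expand_wordchars(const cs_info* csconv, const char* wordchars,
                              char* expw, size_t cap) {
    if (expw == NULL || cap == 0) return EXPAND_TOO_SMALL;
    size_t len = 0;
    if (wordchars != NULL) {            // listing: NULL wordchars -> empty expw
        len = strlen(wordchars);
        if (len >= cap) { expw[0] = '\0'; return EXPAND_TOO_SMALL; }
        memcpy(expw, wordchars, len);
    }
    expw[len] = '\0';

    if (csconv == NULL) return EXPAND_NO_TABLE;   // the "simple if()"

    // i == 0 is never appended: strchr() always finds the terminator.
    for (int i = 0; i <= 255; i++) {
        if (csconv[i].cupper != csconv[i].clower && !strchr(expw, (char)i)) {
            if (len + 1 >= cap) return EXPAND_TOO_SMALL;
            expw[len++] = (char)i;
            expw[len] = '\0';
        }
    }
    return EXPAND_OK;
}

// Constructed sample table: ASCII letters have distinct cases, every other
// byte maps to itself.
void fill_ascii_table(cs_info table[256]) {
    for (int i = 0; i < 256; i++) {
        unsigned char c = (unsigned char)i;
        table[i].clower = (c >= 'A' && c <= 'Z')
                              ? static_cast<unsigned char>(c + 32) : c;
        table[i].cupper = (c >= 'a' && c <= 'z')
                              ? static_cast<unsigned char>(c - 32) : c;
    }
}

int main() {
    cs_info table[256];
    fill_ascii_table(table);
    char expw[512];

    // The state seen in the backtrace: no conversion table, no wordchars.
    ExpandResult r = expand_wordchars(NULL, NULL, expw, sizeof expw);
    printf("NULL csconv -> result %d, expw \"%s\"\n", (int)r, expw);

    // Normal case: digits from the affix file plus the cased letters.
    r = expand_wordchars(table, "0123", expw, sizeof expw);
    printf("ASCII table -> result %d, %zu bytes: %s\n",
           (int)r, strlen(expw), expw);
    return 0;
}
```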
Here's what I did to reproduce the bug: I copied the th-TH.dic and th-TH.aff files from your attachment to firefoxdir/dictionaries, and I tried using the locale switcher add-on, and I couldn't reproduce the crash.

amai: can you find the XPI file that contains those dictionaries so that we can install them as a normal add-on?
That's non-trivial, they came with my plain OpenSuse installation, but I'll try!
And to comment 12: No, there is no additional step, and it works with any webpage or any amount of tabs, etc.
What version of OpenSuse do you use?  Maybe I can just install that in a virtual machine and give this a shot?

Also, can you please confirm that you can reproduce the crash with a nightly version of Firefox from http://nightly.mozilla.org/?

Thanks!
(In reply to Ehsan Akhgari [:ehsan] from comment #17)
> What version of OpenSuse do you use?  Maybe I can just install that in a
> virtual machine and give this a shot?

I use OpenSuse 12.1, amd64. Thanks for investigating!

I'll try to get a nightly running/crashing.
(In reply to Ehsan Akhgari [:ehsan] from comment #17)
> Also, can you please confirm that you can reproduce the crash with a nightly
> version of Firefox from http://nightly.mozilla.org/?

Well, that binary is running here, I may install quick locale changer and "changing" to another locale does not crash  but since I don't have the necessary data files/packages that seems to be a fruitless attempt, and is probably not a proof that this has been fixed!?
(In reply to amai from comment #19)
> (In reply to Ehsan Akhgari [:ehsan] from comment #17)
> > Also, can you please confirm that you can reproduce the crash with a nightly
> > version of Firefox from http://nightly.mozilla.org/?
> 
> Well, that binary is running here, I may install quick locale changer and
> "changing" to another locale does not crash  but since I don't have the
> necessary data files/packages that seems to be a fruitless attempt, and is
> probably not a proof that this has been fixed!?

What other data files/packages would you need to reproduce this crash?  Really what I would need here is to have a bullet list of easy-to-follow steps from a pristine OpenSuse 12.1 installation to a setup on which I can reproduce this crash on a nightly... :-)
(In reply to Ehsan Akhgari [:ehsan] from comment #20)
> > Well, that binary is running here, I may install quick locale changer and
> > "changing" to another locale does not crash  but since I don't have the
> > necessary data files/packages that seems to be a fruitless attempt, and is
> > probably not a proof that this has been fixed!?
> 
> What other data files/packages would you need to reproduce this crash? 
> Really what I would need here is to have a bullet list of easy-to-follow
> steps from a pristine OpenSuse 12.1 installation to a setup on which I can
> reproduce this crash on a nightly... :-)

I understand, but somehow I have problems to gather the data. I installed opensuse straightforward, then firefox from opensuse, it already pre-installed all language packages (therefore I don't know which .xpi were used!!), and the bug persisted with all opensuse version (even after changing to another repository called "packman"). From that perspective I did about nothing special. Quick locale switcher was my only manual installation.

My installation tool (yast2) shows the following packages:
MozillaFirefox,MozillaFirefox-branding-opensuse,MozillaFirefox-buildsymbols,MozillaFirefox-debuginfo,MozillaFirefox-debugsource,MozillaFirefox-translationscommon,MozillaFirefox-translations-other in the most recent version (9.0.1-2.9.2 for most of them).

If we cannot get anybody to reproduce that way we may have to go down to Comment 14 - my understanding is that the bug is in hunspell itself, so 90% of the callstack (Comment 17) is probably irrelevant.
OK, I got OpenSuse 12.1 installed, and I installed the language packs from the package manager.  Here are some observations:

1. Quick Locale Switcher doesn't seem to work.  When I select a different language, nothing happens.  I remember from a long time ago when I used this extension daily that the language used in the UI should change...

2. I can't reproduce the crash.  But I also don't seem to be able to find the Thai dictionary at all.  When I right click a textbox and go to Languages, Thai is not listed there.  In fact, there's only about 20 languages listed there, and it seems like a lot of the language packs do not come with dictionaries.
(In reply to Ehsan Akhgari [:ehsan] from comment #22)
> OK, I got OpenSuse 12.1 installed, and I installed the language packs from
> the package manager.  Here are some observations:
> 
> 1. Quick Locale Switcher doesn't seem to work.  When I select a different
> language, nothing happens.  I remember from a long time ago when I used this
> extension daily that the language used in the UI should change...

That is a setting which may be off by default. You may configure if you configure only about settings for web content (read: language) or the UI of firefox.

Did you get the MozillaFirefox-translations-other? That seems to contain thai files. th-TH.aff I cannot find there as of http://www.rpmfind.net//linux/RPM/opensuse/updates/11.4/x86_64/MozillaFirefox-translations-other-9.0-0.2.1.x86_64.html :-(
Yes, I did install that package.  I don't see a dictionaries directory under /usr/lib64/firefox/extensions/langpack-th@firefox.mozilla.org/ at all. :/
I reported as an Opensuse bug also. Maybe opening http://bugzilla.novell.com/show_bug.cgi?id=742640 can bring some help on my side!
BTW, if the code inside hunspell is responsible (it seems to be) shouldn't we report on their project also??
(In reply to amai from comment #26)
> BTW, if the code inside hunspell is responsible (it seems to be) shouldn't
> we report on their project also??

We could do that too, but without somebody being able to reproduce this, there is a little chance that it will get fixed.
Seems somebody filed a duplicate of this bug: Bug 710940 
I think my earlier attempt with an aurora build suffered from lack of suitable data files, but my crash analysis from comment 7 and comment 8 matches the given bug.
trusting your comment that this is bug 710940
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 710940