Closed Bug 631607 Opened 14 years ago Closed 14 years ago

Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] or [@ linux-gate.so@0x424 ]

Categories

(Core :: Spelling checker, defect)

Product:
Core
Component:
Spelling checker
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla2.0b12
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
blocking1.9.2 --- needed
status1.9.2 --- .17-fixed

People

(Reporter: benoit.grange, Assigned: ehsan.akhgari)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker])

Crash Data

Attachments

(1 file, 1 obsolete file)

Patch (v2)
2.08 KB, patch
jst
: review+
ehsan.akhgari
: review+
christian
: approval1.9.2.17+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b10) Gecko/20100101 Firefox/4.0b10
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b11) Gecko/20100101 Firefox/4.0b11 ID:20110203141415

Using a french FF 4.0 b11


Reproducible: Always

Steps to Reproduce:
1. Open http://www.quackit.com/html/codes/html_text_box_code.cfm
2. Clear the first text box, the one that says "Enter your comments here..." and
type in "L'Islam ", and right click on the word.
3. Continue working, open new tabs, etc.
Actual Results:  
Firefox crashes very soon after the right click.
Once it did not crash immediatly and crashed at Quit.



Multiple crash logs

bp-68616d07-69cf-4c06-9ed2-bd8312110204
bp-546ad495-728e-41fc-ae31-305a12110204
bp-8bb1ddeb-baee-4c1b-ae64-c2a7d2110204
bp-ce04724b-89d9-4218-87d1-498362110204
bp-df9b12bd-02f9-45f6-94bb-58dc82110204 [crash at exit].
bp-824d322f-b8db-4b85-a7f8-750842110204 [crash later]

the trace is everytime different, but most of them have a OOM condition or a malloc issue.

I tried using other words, but only "L'Islam" causes problems so far !
Frame 	Module 	Signature [Expand] 	Source
0 	mozalloc.dll 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:77
1 	mozalloc.dll 	mozalloc_handle_oom 	memory/mozalloc/mozalloc_oom.cpp:54
2 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::CreateOrRecycleThebesLayer 	layout/base/FrameLayerBuilder.cpp:755
3 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1307
4 	xul.dll 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1568
5 	xul.dll 	nsDisplayOpacity::BuildLayer 	layout/base/nsDisplayList.cpp:1600
6 	xul.dll 	mozilla::BuildTempManagerForInactiveLayer 	layout/base/FrameLayerBuilder.cpp:1169
7 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1285
8 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
9 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
10 	xul.dll 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1568
11 	xul.dll 	nsDisplayOpacity::BuildLayer 	layout/base/nsDisplayList.cpp:1600
12 	xul.dll 	mozilla::BuildTempManagerForInactiveLayer 	layout/base/FrameLayerBuilder.cpp:1169
13 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1285
14 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
15 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
16 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
17 	xul.dll 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1568
18 	xul.dll 	nsDisplayOwnLayer::BuildLayer 	layout/base/nsDisplayList.cpp:1667
19 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1246
20 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
21 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
22 	xul.dll 	mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1212
23 	xul.dll 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1568
24 	xul.dll 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:515
25 	xul.dll 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1557
26 	xul.dll 	PresShell::Paint 	layout/base/nsPresShell.cpp:6174
27 	xul.dll 	nsRegion::Or 	gfx/src/nsRegion.cpp:840
28 	xul.dll 	nsViewManager::Refresh 	view/src/nsViewManager.cpp:424
29 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:925
30 		@0x54833ab
Component: General → Spelling checker
Product: Firefox → Core
Version: unspecified → Trunk
Good! You are going to unblock bug 627727.

Stack traces are various.

I can reproduce with an English Minefield (French as first preferred language and French modern dictionary 4.0.3):
bp-73b3f886-26b2-47b1-9971-801ab2110204
bp-3f55d9ad-3408-4f11-9b03-fc2542110204
Blocks: 627727
Status: UNCONFIRMED → NEW
Component: Spelling checker → General
Ever confirmed: true
QA Contact: general → general
Summary: Spell checker crash with French dictionaries → Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ]
blocking2.0: --- → ?
I am available if you need more information (a full dump, etc), IRC:yaben
The web page on which you may trigger the crash may be as simple as this

<html>
<body>

<form method="post" action="">
<textarea name="commentsbox" cols="40" rows="5"></textarea><br>
<input type="submit" value="Submit" />
</form>

</body>
</html>

And it seems that the trigger of the problem is when you are asking for suggestions on a word where you have a Capital letter followed by an apostrophe (') followed by a Capitalised word.

Have you looked at http://sourceforge.net/tracker/index.php?func=detail&aid=3158994&group_id=143754&atid=756395
According to that bug, the issue was introduced in version 1.2.13. Firefox is currently on 1.2.12 (with a few extra bonus fixes). If you want to see if it's the same issue, though, I've made a build with Hunspell 1.3.1 included. You can download it from the link below:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/ryanvm@gmail.com-6b11a6e95151/
I tried your build and I am not able to crash it.

BTW all 3.6.13, 4.0b10, 4.0b11 crash with the same STR, even if 3.6.13 has a different crash signature:

5d2b1ce2-ee81-4344-abd4-122da2110204 args_resolve

*** This problem definitely hurts French users with the new dictionary. It should block final release.
blocking1.9.2: --- → ?
Keywords: crash
Component: General → Spelling checker
QA Contact: general → spelling-checker
Ehsan, how many cherry-picked patches do we want to take before we just bite the bullet and just take the Hunspell update?
Whiteboard: [fixed-in-hunspell-1.3.0]
looks like this missed beta11.

I added hardblocker status whiteboard and this should be marked 2.0 beta N+ 

especially if we take a the full hunspell update.
Whiteboard: [fixed-in-hunspell-1.3.0] → [fixed-in-hunspell-1.3.0][hardblocker]
Note that 4.0b11 also crashes under Linux with the same STR

Crash ID bp-89b858a4-ef1c-4599-ab85-004332110206

Signature: linux-gate.so@0x424
(In reply to comment #6)
> Ehsan, how many cherry-picked patches do we want to take before we just bite
> the bullet and just take the Hunspell update?

Do you have any idea which change in hunspell code fixed this crash?
Assignee: nobody → ehsan
Attached patch Patch (v1) (obsolete) — Splinter Review 
This is the upstream patch which fixes this crash (taken from here: <http://sourceforge.net/tracker/index.php?func=detail&aid=3158994&group_id=143754&atid=756395>).  I managed to reproduce this crash locally using the French dictionary, and the fix looks correct (and in my testing, it seems to fix the crash as well).

Ben, it would be very helpful if you can verify this fix on your end too.  I have submitted a try server build with this patch for you to test.  The builds should be available at <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-dad73f9e5311> in a couple of hours.
Attachment #510203 - Flags: review?(Olli.Pettay)
(Note to Olli: this is a betaN hardblocker...)
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker] → [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug]
Ehsan, sorry but it still crashes, I was able to reproduce within seconds on 2 of my 3 tries on Windows XP or Seven. 

bp-61201154-a3eb-49d2-9394-bd52d2110207    	
bp-4e003440-65d9-4297-9de5-ba7812110207
bp-2b3948ab-3fde-4383-8179-7cf382110207

The signature changed to

mozalloc.dll@0x1a39 maybe because socorro does not have the symbols.
> This is the upstream patch which fixes this crash
The current version of Hunspell in 4.0 is 1.2.12. The attached patch fixes a bug introduced in 1.2.13 so that is why it still crashes.
See comment 4 and comment 5 to fix this bug.
Is there a risk to have Hunspell 1.3.1 in nightlies to test it before the Beta 12 release?
OS: Windows 7 → All
Summary: Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] → Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] or [@ linux-gate.so@0x424 ]
Attachment #510203 - Flags: review?(Olli.Pettay)
Attachment #510203 - Flags: review+
Attachment #510203 - Flags: feedback?(nemeth)
Comment on attachment 510203 [details] [diff] [review]
Patch (v1)

This is the same patch as in http://sourceforge.net/tracker/?func=detail&aid=3158994&group_id=143754&atid=756395 to fix the bug introduced in 2010-11-03 in Hunspell CVS (before Hunspell 1.2.13 release). In fact, this is not enough for the full fix: non-BMP Unicode characters in the input can freeze Hunspell during suggestion search. This problem was fixed by Hunspell 1.3.1.
Comment on attachment 510203 [details] [diff] [review]
Patch (v1)

Ah, indeed, the crash still happens.  :(

Nemeth: is there any way for us to cherry-pick the fix to this crash?
Attachment #510203 - Attachment is obsolete: true
Attachment #510203 - Flags: feedback?(nemeth)
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug] → [fixed-in-hunspell-1.3.0][hardblocker][needs new patch]
Attached patch Patch (v2)Splinter Review 
OK, I finally debugged and fixed this on my own!

The problem is in the duplication removal code in Hunspell::suggest <http://mxr.mozilla.org/mozilla-central/source/extensions/spellcheck/hunspell/src/hunspell.cpp#1008>.

In the loop, the variable l is meant to track the number of items in the duplicate-free array.  In case there are no duplicates, l will be equal to ns at the end of the loop.  But if there are duplicates, as is the case for "L'Islam" with the French dictionary, l will be less than ns, and the ns-l last items in the array would be freed memory.  The output conversion loop assumes that there are ns items in the array <http://mxr.mozilla.org/mozilla-central/source/extensions/spellcheck/hunspell/src/hunspell.cpp#1023>, which means that if later on RepList::conv returns non-zero for those items (which have "ZZZZ..." in the debug mode, as the memory will be filled with 0xa5, and valid strings in optimized mode, as free doesn't touch the memory contents), we will try to free this memory again, which results in malloc traces in debug mode and crashes in optimized mode.

The fix is simple, we should synchronize the values of ns and l after the duplicate removal loop.  hunspell-1.3.1 has this fix.  I also added a break to the inner loop to prevent unneeded extra loops (because once we find a match in an iteration, all of the future items are guaranteed to not match, as any other possible duplicates have been removed in previous iterations.  I mainly added that break to ease the merging of this cherry-picked fix for the next hunspell upgrade.
Attachment #510406 - Flags: review?(nemeth)
Attachment #510406 - Flags: review?(Olli.Pettay)
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][needs new patch] → [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug]
Hello, thanks for your fix. I can test a trybuild !
(In reply to comment #17)
> Hello, thanks for your fix. I can test a trybuild !

Oh, sorry I thought I pushed a build with this, but apparently I did not.  Here's where you can find builds in a few hours: <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-c8b91fca1269>.

Thanks!
(In reply to comment #18)
> (In reply to comment #17)
> > Hello, thanks for your fix. I can test a trybuild !
> 
> Oh, sorry I thought I pushed a build with this, but apparently I did not. 
> Here's where you can find builds in a few hours:
> <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-c8b91fca1269>.
> 
> Thanks!

The builds are all available, BTW.
Ehsan, your trybuild tested ok on Windows XP and Seven with french dictionary.

I hope the patch will be reviewed and approved for beta12 !
Attachment #510406 - Flags: review?(Olli.Pettay) → review+
I landed the fix, but I'd still like to have Nemeth's review on the patch, if possible.

http://hg.mozilla.org/mozilla-central/rev/fd47f7c9a3b8
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug] → [fixed-in-hunspell-1.3.0][hardblocker]
Target Milestone: --- → mozilla2.0b12
Attachment #510406 - Flags: approval1.9.2.15?
Not a blocker for the branch but we'll look at the approval request when it gets the review from nemeth.
blocking1.9.2: ? → needed
status1.9.2: --- → wanted
It is ok. Indeed, newer Hunspell versions contain the same patch, too.
Comment on attachment 510406 [details] [diff] [review]
Patch (v2)

I'll take comment 23 as Németh's r+.  :-)
Attachment #510406 - Flags: review?(nemeth) → review+
(In reply to comment #24)
> Comment on attachment 510406 [details] [diff] [review]
> Patch (v2)
> 
> I'll take comment 23 as Németh's r+.  :-)

Thanks, I meant it. (I didn't find the flag.)
Comment on attachment 510406 [details] [diff] [review]
Patch (v2)

a=LegNeato for 1.9.2.15
Attachment #510406 - Flags: approval1.9.2.15? → approval1.9.2.15+
Verified OK on 4.0b12 build 1

Mozilla/5.0 (Windows NT 5.1; rv:2.0b12) Gecko/20100101 Firefox/4.0b12 ID:20110222210221
Status: RESOLVED → VERIFIED
Keywords: checkin-needed
The "3.6.15" we're releasing today does not fix this bug, the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
Crash Signature: [@ mozalloc_abort(char const* const) ] [@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] [@ linux-gate.so@0x424 ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: