Closed
Bug 631607
Opened 14 years ago
Closed 14 years ago
Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] or [@ linux-gate.so@0x424 ]
Categories
(Core :: Spelling checker, defect)
Tracking
()
VERIFIED
FIXED
mozilla2.0b12
People
(Reporter: benoit.grange, Assigned: ehsan.akhgari)
References
()
Details
(Keywords: crash, Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker])
Crash Data
Attachments
(1 file, 1 obsolete file)
2.08 KB,
patch
|
jst
:
review+
ehsan.akhgari
:
review+
christian
:
approval1.9.2.17+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b10) Gecko/20100101 Firefox/4.0b10 Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b11) Gecko/20100101 Firefox/4.0b11 ID:20110203141415 Using a french FF 4.0 b11 Reproducible: Always Steps to Reproduce: 1. Open http://www.quackit.com/html/codes/html_text_box_code.cfm 2. Clear the first text box, the one that says "Enter your comments here..." and type in "L'Islam ", and right click on the word. 3. Continue working, open new tabs, etc. Actual Results: Firefox crashes very soon after the right click. Once it did not crash immediatly and crashed at Quit. Multiple crash logs bp-68616d07-69cf-4c06-9ed2-bd8312110204 bp-546ad495-728e-41fc-ae31-305a12110204 bp-8bb1ddeb-baee-4c1b-ae64-c2a7d2110204 bp-ce04724b-89d9-4218-87d1-498362110204 bp-df9b12bd-02f9-45f6-94bb-58dc82110204 [crash at exit]. bp-824d322f-b8db-4b85-a7f8-750842110204 [crash later] the trace is everytime different, but most of them have a OOM condition or a malloc issue. I tried using other words, but only "L'Islam" causes problems so far ! Frame Module Signature [Expand] Source 0 mozalloc.dll mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:77 1 mozalloc.dll mozalloc_handle_oom memory/mozalloc/mozalloc_oom.cpp:54 2 xul.dll mozilla::`anonymous namespace'::ContainerState::CreateOrRecycleThebesLayer layout/base/FrameLayerBuilder.cpp:755 3 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1307 4 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor layout/base/FrameLayerBuilder.cpp:1568 5 xul.dll nsDisplayOpacity::BuildLayer layout/base/nsDisplayList.cpp:1600 6 xul.dll mozilla::BuildTempManagerForInactiveLayer layout/base/FrameLayerBuilder.cpp:1169 7 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1285 8 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 9 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 10 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor layout/base/FrameLayerBuilder.cpp:1568 11 xul.dll nsDisplayOpacity::BuildLayer layout/base/nsDisplayList.cpp:1600 12 xul.dll mozilla::BuildTempManagerForInactiveLayer layout/base/FrameLayerBuilder.cpp:1169 13 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1285 14 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 15 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 16 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 17 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor layout/base/FrameLayerBuilder.cpp:1568 18 xul.dll nsDisplayOwnLayer::BuildLayer layout/base/nsDisplayList.cpp:1667 19 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1246 20 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 21 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 22 xul.dll mozilla::`anonymous namespace'::ContainerState::ProcessDisplayItems layout/base/FrameLayerBuilder.cpp:1212 23 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor layout/base/FrameLayerBuilder.cpp:1568 24 xul.dll nsDisplayList::PaintForFrame layout/base/nsDisplayList.cpp:515 25 xul.dll nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:1557 26 xul.dll PresShell::Paint layout/base/nsPresShell.cpp:6174 27 xul.dll nsRegion::Or gfx/src/nsRegion.cpp:840 28 xul.dll nsViewManager::Refresh view/src/nsViewManager.cpp:424 29 xul.dll nsViewManager::DispatchEvent view/src/nsViewManager.cpp:925 30 @0x54833ab
Component: General → Spelling checker
Product: Firefox → Core
Version: unspecified → Trunk
Comment 1•14 years ago
|
||
Good! You are going to unblock bug 627727. Stack traces are various. I can reproduce with an English Minefield (French as first preferred language and French modern dictionary 4.0.3): bp-73b3f886-26b2-47b1-9971-801ab2110204 bp-3f55d9ad-3408-4f11-9b03-fc2542110204
Blocks: 627727
Status: UNCONFIRMED → NEW
Component: Spelling checker → General
Ever confirmed: true
QA Contact: general → general
Summary: Spell checker crash with French dictionaries → Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ]
Updated•14 years ago
|
blocking2.0: --- → ?
I am available if you need more information (a full dump, etc), IRC:yaben
The web page on which you may trigger the crash may be as simple as this <html> <body> <form method="post" action=""> <textarea name="commentsbox" cols="40" rows="5"></textarea><br> <input type="submit" value="Submit" /> </form> </body> </html> And it seems that the trigger of the problem is when you are asking for suggestions on a word where you have a Capital letter followed by an apostrophe (') followed by a Capitalised word. Have you looked at http://sourceforge.net/tracker/index.php?func=detail&aid=3158994&group_id=143754&atid=756395
Comment 4•14 years ago
|
||
According to that bug, the issue was introduced in version 1.2.13. Firefox is currently on 1.2.12 (with a few extra bonus fixes). If you want to see if it's the same issue, though, I've made a build with Hunspell 1.3.1 included. You can download it from the link below: http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/ryanvm@gmail.com-6b11a6e95151/
I tried your build and I am not able to crash it. BTW all 3.6.13, 4.0b10, 4.0b11 crash with the same STR, even if 3.6.13 has a different crash signature: 5d2b1ce2-ee81-4344-abd4-122da2110204 args_resolve *** This problem definitely hurts French users with the new dictionary. It should block final release.
blocking1.9.2: --- → ?
Keywords: crash
Updated•14 years ago
|
Component: General → Spelling checker
QA Contact: general → spelling-checker
Comment 6•14 years ago
|
||
Ehsan, how many cherry-picked patches do we want to take before we just bite the bullet and just take the Hunspell update?
Updated•14 years ago
|
Depends on: hunspell-1.3.2
Updated•14 years ago
|
Whiteboard: [fixed-in-hunspell-1.3.0]
Comment 7•14 years ago
|
||
looks like this missed beta11. I added hardblocker status whiteboard and this should be marked 2.0 beta N+ especially if we take a the full hunspell update.
Whiteboard: [fixed-in-hunspell-1.3.0] → [fixed-in-hunspell-1.3.0][hardblocker]
blocking2.0: ? → betaN+
Note that 4.0b11 also crashes under Linux with the same STR Crash ID bp-89b858a4-ef1c-4599-ab85-004332110206 Signature: linux-gate.so@0x424
Assignee | ||
Comment 9•14 years ago
|
||
(In reply to comment #6) > Ehsan, how many cherry-picked patches do we want to take before we just bite > the bullet and just take the Hunspell update? Do you have any idea which change in hunspell code fixed this crash?
Assignee: nobody → ehsan
Assignee | ||
Comment 10•14 years ago
|
||
This is the upstream patch which fixes this crash (taken from here: <http://sourceforge.net/tracker/index.php?func=detail&aid=3158994&group_id=143754&atid=756395>). I managed to reproduce this crash locally using the French dictionary, and the fix looks correct (and in my testing, it seems to fix the crash as well). Ben, it would be very helpful if you can verify this fix on your end too. I have submitted a try server build with this patch for you to test. The builds should be available at <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-dad73f9e5311> in a couple of hours.
Attachment #510203 -
Flags: review?(Olli.Pettay)
Assignee | ||
Comment 11•14 years ago
|
||
(Note to Olli: this is a betaN hardblocker...)
Assignee | ||
Updated•14 years ago
|
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker] → [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug]
Reporter | ||
Comment 12•14 years ago
|
||
Ehsan, sorry but it still crashes, I was able to reproduce within seconds on 2 of my 3 tries on Windows XP or Seven. bp-61201154-a3eb-49d2-9394-bd52d2110207 bp-4e003440-65d9-4297-9de5-ba7812110207 bp-2b3948ab-3fde-4383-8179-7cf382110207 The signature changed to mozalloc.dll@0x1a39 maybe because socorro does not have the symbols.
Comment 13•14 years ago
|
||
> This is the upstream patch which fixes this crash The current version of Hunspell in 4.0 is 1.2.12. The attached patch fixes a bug introduced in 1.2.13 so that is why it still crashes. See comment 4 and comment 5 to fix this bug. Is there a risk to have Hunspell 1.3.1 in nightlies to test it before the Beta 12 release?
OS: Windows 7 → All
Summary: Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] → Crash while spell checking with French modern dictionary 4.0.3 [@ mozalloc_abort(char const* const) ][@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ] or [@ linux-gate.so@0x424 ]
Updated•14 years ago
|
Attachment #510203 -
Flags: review?(Olli.Pettay)
Attachment #510203 -
Flags: review+
Attachment #510203 -
Flags: feedback?(nemeth)
Comment 14•14 years ago
|
||
Comment on attachment 510203 [details] [diff] [review] Patch (v1) This is the same patch as in http://sourceforge.net/tracker/?func=detail&aid=3158994&group_id=143754&atid=756395 to fix the bug introduced in 2010-11-03 in Hunspell CVS (before Hunspell 1.2.13 release). In fact, this is not enough for the full fix: non-BMP Unicode characters in the input can freeze Hunspell during suggestion search. This problem was fixed by Hunspell 1.3.1.
Assignee | ||
Comment 15•14 years ago
|
||
Comment on attachment 510203 [details] [diff] [review] Patch (v1) Ah, indeed, the crash still happens. :( Nemeth: is there any way for us to cherry-pick the fix to this crash?
Attachment #510203 -
Attachment is obsolete: true
Attachment #510203 -
Flags: feedback?(nemeth)
Assignee | ||
Updated•14 years ago
|
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug] → [fixed-in-hunspell-1.3.0][hardblocker][needs new patch]
Assignee | ||
Comment 16•14 years ago
|
||
OK, I finally debugged and fixed this on my own! The problem is in the duplication removal code in Hunspell::suggest <http://mxr.mozilla.org/mozilla-central/source/extensions/spellcheck/hunspell/src/hunspell.cpp#1008>. In the loop, the variable l is meant to track the number of items in the duplicate-free array. In case there are no duplicates, l will be equal to ns at the end of the loop. But if there are duplicates, as is the case for "L'Islam" with the French dictionary, l will be less than ns, and the ns-l last items in the array would be freed memory. The output conversion loop assumes that there are ns items in the array <http://mxr.mozilla.org/mozilla-central/source/extensions/spellcheck/hunspell/src/hunspell.cpp#1023>, which means that if later on RepList::conv returns non-zero for those items (which have "ZZZZ..." in the debug mode, as the memory will be filled with 0xa5, and valid strings in optimized mode, as free doesn't touch the memory contents), we will try to free this memory again, which results in malloc traces in debug mode and crashes in optimized mode. The fix is simple, we should synchronize the values of ns and l after the duplicate removal loop. hunspell-1.3.1 has this fix. I also added a break to the inner loop to prevent unneeded extra loops (because once we find a match in an iteration, all of the future items are guaranteed to not match, as any other possible duplicates have been removed in previous iterations. I mainly added that break to ease the merging of this cherry-picked fix for the next hunspell upgrade.
Attachment #510406 -
Flags: review?(nemeth)
Attachment #510406 -
Flags: review?(Olli.Pettay)
Assignee | ||
Updated•14 years ago
|
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][needs new patch] → [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug]
Reporter | ||
Comment 17•14 years ago
|
||
Hello, thanks for your fix. I can test a trybuild !
Assignee | ||
Comment 18•14 years ago
|
||
(In reply to comment #17) > Hello, thanks for your fix. I can test a trybuild ! Oh, sorry I thought I pushed a build with this, but apparently I did not. Here's where you can find builds in a few hours: <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-c8b91fca1269>. Thanks!
Assignee | ||
Comment 19•14 years ago
|
||
(In reply to comment #18) > (In reply to comment #17) > > Hello, thanks for your fix. I can test a trybuild ! > > Oh, sorry I thought I pushed a build with this, but apparently I did not. > Here's where you can find builds in a few hours: > <http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/eakhgari@mozilla.com-c8b91fca1269>. > > Thanks! The builds are all available, BTW.
Reporter | ||
Comment 20•14 years ago
|
||
Ehsan, your trybuild tested ok on Windows XP and Seven with french dictionary. I hope the patch will be reviewed and approved for beta12 !
Updated•14 years ago
|
Attachment #510406 -
Flags: review?(Olli.Pettay) → review+
Assignee | ||
Comment 21•14 years ago
|
||
I landed the fix, but I'd still like to have Nemeth's review on the patch, if possible. http://hg.mozilla.org/mozilla-central/rev/fd47f7c9a3b8
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-hunspell-1.3.0][hardblocker][has patch][needs review smaug] → [fixed-in-hunspell-1.3.0][hardblocker]
Target Milestone: --- → mozilla2.0b12
Assignee | ||
Updated•14 years ago
|
Attachment #510406 -
Flags: approval1.9.2.15?
Comment 22•14 years ago
|
||
Not a blocker for the branch but we'll look at the approval request when it gets the review from nemeth.
blocking1.9.2: ? → needed
status1.9.2:
--- → wanted
Comment 23•14 years ago
|
||
It is ok. Indeed, newer Hunspell versions contain the same patch, too.
Assignee | ||
Comment 24•14 years ago
|
||
Comment on attachment 510406 [details] [diff] [review] Patch (v2) I'll take comment 23 as Németh's r+. :-)
Attachment #510406 -
Flags: review?(nemeth) → review+
Comment 25•14 years ago
|
||
(In reply to comment #24) > Comment on attachment 510406 [details] [diff] [review] > Patch (v2) > > I'll take comment 23 as Németh's r+. :-) Thanks, I meant it. (I didn't find the flag.)
Comment 26•14 years ago
|
||
Comment on attachment 510406 [details] [diff] [review] Patch (v2) a=LegNeato for 1.9.2.15
Attachment #510406 -
Flags: approval1.9.2.15? → approval1.9.2.15+
Reporter | ||
Comment 27•14 years ago
|
||
Verified OK on 4.0b12 build 1 Mozilla/5.0 (Windows NT 5.1; rv:2.0b12) Gecko/20100101 Firefox/4.0b12 ID:20110222210221
Status: RESOLVED → VERIFIED
Assignee | ||
Updated•14 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 28•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1abc3d4ba037
Keywords: checkin-needed
Comment 29•14 years ago
|
||
The "3.6.15" we're releasing today does not fix this bug, the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
Updated•13 years ago
|
Crash Signature: [@ mozalloc_abort(char const* const) ]
[@ mozalloc_abort(char const* const) | mozalloc_handle_oom() ]
[@ linux-gate.so@0x424 ]
You need to log in
before you can comment on or make changes to this bug.
Description
•