[Bug 1322784] Re: Firefox crashes in flag_qsort during spellchecker initialization on x86 due to gcc bug

Bug Watch Updater 1322784 at bugs.launchpad.net
Sat May 24 03:22:26 UTC 2014


Launchpad has imported 33 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=983817.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2014-03-14T20:27:23+00:00 Snailtsunami wrote:

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140218140052

Steps to reproduce:

Clicked on a text field on github's web site and hit ctrl + v to paste a
long public key into the text field, very quickly.


Actual results:

Browser stopped responding and crashed after a minute.


Expected results:

Text pasted; browser does not crash.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/0

------------------------------------------------------------------------
On 2014-03-14T20:29:07+00:00 Snailtsunami wrote:

https://crash-stats.mozilla.com/report/index/9337a60c-e81b-420b-a638-dfa982140314

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/1

------------------------------------------------------------------------
On 2014-03-14T20:42:09+00:00 Lhenry wrote:

I saw this happen; I'm wondering from the crash report if it may have
been Firefox trying to spell-check the public key.  Or, it may have
something to do with text fields in a form and switching fields quickly.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/2

------------------------------------------------------------------------
On 2014-04-01T05:15:02+00:00 Luc Pionchon wrote:

I was directed to this report from this crash report [1] on my system.

On my system, firefox is crashing regularly (several times a day!) when
I click a text field, or when I change the spell-check language. This is
not systematic though. I am using 2 different languages in FF text
fields, and I switch between them several times a day (maybe 20 times?).
About 10% of the time FF will crash. This is highly unreliable. As a
consequence I systematically copy/paste the content of the text field
before I switch spell-check language (as the crash loses the last edit).
This is truly frustrating.

This bug appeared somewhere around FF26-FF27. It used to work fine
before.


[1] https://crash-stats.mozilla.com/report/index/e043de51-0fc8-4ddb-93ae-ab7c82140331

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/3

------------------------------------------------------------------------
On 2014-04-24T17:59:09+00:00 Kbrosnan-mozilla wrote:

*** Bug 995356 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/4

------------------------------------------------------------------------
On 2014-05-03T21:13:12+00:00 Lhenry wrote:

From the comments in other crashes, this may be an issue with focusing
on a form's text field rather than a spelling check error. The crashes
only happen on Linux and are still happening in builds for Firefox 29
from the end of April.  There have been around 600 crashes with this
signature in the last 7 days.

More crash reports: https://crash-stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-05-03+21%3A00%3A00&range_value=1#tab-sigsummary

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/5

------------------------------------------------------------------------
On 2014-05-04T13:06:20+00:00 Ehsan-mozilla wrote:

This is a crash in the hunspell code we use to spell check.

To people who can reproduce: what dictionaries do you have installed?
Does someone have steps to reproduce?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/6

------------------------------------------------------------------------
On 2014-05-04T13:13:30+00:00 Luc Pionchon wrote:

I have French, English (UK) and English (US)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/7

------------------------------------------------------------------------
On 2014-05-04T19:36:52+00:00 Ehsan-mozilla wrote:

Thanks!  It would be nice if someone can try installing those
dictionaries and get us some steps to reproduce.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/8

------------------------------------------------------------------------
On 2014-05-04T20:05:07+00:00 Luc Pionchon wrote:

Unfortunately I have no steps to reproduce. On my system it is pretty
random, which makes the issue even more frustrating (and a real pain).
"May I click this field? Will FF crash this time? Or should I first copy
the field content in the clipboard?". See also my comment in bug 995356.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/9

------------------------------------------------------------------------
On 2014-05-04T21:55:50+00:00 Ehsan-mozilla wrote:

(In reply to comment #9)
> Unfortunately I have no steps to reproduce. On my system it is pretty random,
> which makes the issue even more frustrating (and a real pain). "May I click
> this field? Will FF crash this time? Or should I first copy the field content
> in the clipboard?". See also my comment in bug 995356.

One thing that you can try is to disable the English (UK) and French
dictionaries one by one and see if disabling one of them will make the
crash go away.  I strongly suspect that this is due to a corrupted
dictionary file.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/10

------------------------------------------------------------------------
On 2014-05-05T13:03:36+00:00 Luc Pionchon wrote:

How can I disable dictionaries?
(I can't remember how I got them here)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/11

------------------------------------------------------------------------
On 2014-05-05T14:12:21+00:00 Ehsan-mozilla wrote:

(In reply to comment #11)
> How can I disable dictionaries?
> (I can't remember how I got them here)

If you go to about:addons, do you see them listed either under
Dictionaries or Extensions?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/12

------------------------------------------------------------------------
On 2014-05-05T14:31:30+00:00 Luc Pionchon wrote:

(In reply to comment #12)
> If you go to about:addons, do you see them listed either under Dictionaries
> or Extensions?

No.
There is one French dictionary listed, but it is disabled.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/13

------------------------------------------------------------------------
On 2014-05-08T20:14:08+00:00 L. David Baron wrote:

The fact that the crash addresses all end in five zeros is highly
suspicious; is flag_qsort reading a word further than it ought to, and
thus intermittently crossing a page boundary when the array it's sorting
bumps up against the edge of that page?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/14

------------------------------------------------------------------------
On 2014-05-08T20:39:20+00:00 L. David Baron wrote:

So, flag_qsort expects begin to be the first index and end to be 1
greater than the last index.  (It thus does more work than needed on one
element arrays.)  During the loop it maintains the invariants that all
values in the range [begin + 1, l) are less than pivot and all values in
[r, end) are greater than pivot.  These ranges both might be empty.  It
exits the loop when l == r, which ensures that l is always a valid
index; r might be equal to end and thus not a valid index.

Then, after the loop, l is set to one less than r.  If begin + 1 == end,
then l == begin and r == end, since the while loop was never entered.

So the code of flag_qsort itself looks ok to me, or at least if there's
a problem, I haven't seen it.  It seems somewhat unlikely for the
compiler to misoptimize.


The caller that matters is HashMgr::load_tables, which uses an allocation made in decode_flags, which does the allocation and gives the caller both the pointer and the length, so it looks like it's passing the right size as well.


Integer overflow seems somewhat unlikely, although I suppose it's possible.


I really wish the crash reports had at least line number information.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/15
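The partition invariants described in comment 15 can be checked mechanically. The following is an added example, not hunspell's flag_qsort and not code from this bug: it implements a quicksort over 16-bit flag values with exactly the ranges comment 15 describes ([begin + 1, l) below the pivot, [r, end) at or above it, loop exit at l == r, pivot moved to r - 1), and routes every element read through an accessor that aborts on any index at or past end. Function and variable names (flag_qsort_checked, read_at, sort_flags, flags_sorted, max_index_read) are this example's own. Run on a correctly compiled build, the highest index read stays below n; a read reaching end is the page-boundary access comment 14 asks about.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not hunspell's code): quicksort over 16-bit flag values
 * written to the invariants of comment 15, with every element read routed
 * through a bounds-checked accessor. Names are this example's own. */

/* Highest index any read has touched; must stay below n for a sort of n items. */
static size_t g_max_index_read = 0;

static unsigned short read_at(const unsigned short *a, size_t i, size_t end) {
    assert(i < end);               /* never read [end, ...): that is the crash case */
    if (i > g_max_index_read) g_max_index_read = i;
    return a[i];
}

static void swap_at(unsigned short *a, size_t i, size_t j) {
    unsigned short t = a[i]; a[i] = a[j]; a[j] = t;
}

/* begin: first index, end: one past the last index (as comment 15 states). */
static void flag_qsort_checked(unsigned short *a, size_t begin, size_t end) {
    if (end <= begin) return;      /* empty range */
    unsigned short pivot = read_at(a, begin, end);
    size_t l = begin + 1;          /* [begin + 1, l) holds values < pivot */
    size_t r = end;                /* [r, end) holds values >= pivot */
    while (l < r) {
        if (read_at(a, l, end) < pivot) {
            l++;                   /* a[l] joins the left partition */
        } else {
            r--;                   /* a[l] joins the right partition */
            swap_at(a, l, r);
        }
    }
    /* The loop exits with l == r, so l is a valid index only while l < end;
     * r may equal end. A one-element range (begin + 1 == end) skips the loop
     * and reaches here with l == end and r == end, so l becomes begin. */
    l = r - 1;
    swap_at(a, begin, l);          /* pivot goes just left of the right partition */
    flag_qsort_checked(a, begin, l);
    flag_qsort_checked(a, r, end);
}

void sort_flags(unsigned short *a, size_t n) {
    g_max_index_read = 0;
    flag_qsort_checked(a, 0, n);
}

int flags_sorted(const unsigned short *a, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (a[i - 1] > a[i]) return 0;
    return 1;
}

size_t max_index_read(void) { return g_max_index_read; }

int main(void) {
    /* Constructed sample: unsorted, with a duplicate value. */
    unsigned short flags[] = { 0x532a, 0x0041, 0xffff, 0x0041, 0x0100 };
    size_t n = sizeof flags / sizeof flags[0];
    sort_flags(flags, n);
    for (size_t i = 0; i < n; i++) printf("%04x ", flags[i]);
    printf("\nsorted=%d max_index_read=%zu n=%zu\n",
           flags_sorted(flags, n), max_index_read(), n);
    return 0;
}
```

The accessor checks the index of a 16-bit element; the annotated disassembly in comment 27 shows the miscompiled build loading flags[l] with a 32-bit read, which is wider than the element and so can touch the byte after the last element even when l itself is in range.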

------------------------------------------------------------------------
On 2014-05-08T21:41:49+00:00 Ehsan-mozilla wrote:

The format of the .dic file is basically like this:

<N> # denoting the number of lines
... # followed by N lines

And hunspell doesn't perform any bounds checking on the contents of the
file, and in the past I've seen at least one crash which was caused by a
dictionary file which got this wrong.

Something like this would be my first guess as to what's happening here.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/16

------------------------------------------------------------------------
On 2014-05-08T21:52:09+00:00 Luc Pionchon wrote:

This is what I get from my hunspell dictionaries:

$ cd /usr/share/hunspell
$ ls *.dic
en_GB.dic  en_US.dic  fr.dic

$ head -1 en_GB.dic  && wc -l en_GB.dic 
56506
56507 en_GB.dic

$ head -1 en_US.dic  && wc -l en_US.dic 
62154
62155 en_US.dic

$ head -1 fr.dic  && wc -l fr.dic 
63062
63063 fr.dic

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/17
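Comment 16 describes the .dic layout (a first line holding N, then N entry lines) and notes that hunspell does no bounds checking on it; comment 17 checks that layout by hand with head -1 and wc -l, where wc reports N + 1 because it counts the header line. The following is an added example, not hunspell's loader and not code from this bug: it validates a .dic file held in memory before anything trusts the declared count, distinguishing a header that overstates the line count (the case where an unchecked loader would read past the data) from one that understates it or is not a number at all. The function names (dic_check, dic_check_str) and the sample files are this example's own.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not hunspell's code): check a .dic header against the
 * number of entry lines actually present. Names are this example's own. */

enum dic_status {
    DIC_OK = 0,
    DIC_BAD_HEADER,       /* first line is not a plain decimal count */
    DIC_TOO_FEW_LINES,    /* header overstates N: the dangerous case */
    DIC_TOO_MANY_LINES    /* header understates N: extra lines are ignored */
};

/* buf/len: file contents. On return *declared holds the header value and
 * *actual the number of entry lines counted after the header. */
enum dic_status dic_check(const char *buf, size_t len, long *declared, long *actual) {
    size_t i = 0;
    long n = 0;
    int digits = 0;
    *declared = 0;
    *actual = 0;

    /* Header: decimal digits up to the end of the first line, overflow-guarded. */
    while (i < len && isdigit((unsigned char)buf[i])) {
        int d = buf[i] - '0';
        if (n > (LONG_MAX - d) / 10) return DIC_BAD_HEADER;
        n = n * 10 + d;
        digits++;
        i++;
    }
    if (i < len && buf[i] == '\r') i++;          /* tolerate CRLF */
    if (digits == 0 || (i < len && buf[i] != '\n')) return DIC_BAD_HEADER;
    *declared = n;
    if (i < len) i++;                            /* skip the header's '\n' */

    /* Count entry lines; a final line without a trailing newline still counts. */
    long count = 0;
    size_t line_start = i;
    for (; i < len; i++) {
        if (buf[i] == '\n') { count++; line_start = i + 1; }
    }
    if (line_start < len) count++;
    *actual = count;

    if (count < n) return DIC_TOO_FEW_LINES;
    if (count > n) return DIC_TOO_MANY_LINES;
    return DIC_OK;
}

/* Convenience wrapper for NUL-terminated text. */
enum dic_status dic_check_str(const char *s, long *declared, long *actual) {
    return dic_check(s, strlen(s), declared, actual);
}

int main(void) {
    /* Constructed sample dictionaries, not real files from the report. */
    const char *samples[] = {
        "3\nhello/M\nworld\nkey\n",   /* well-formed */
        "5\nhello\nworld\n",          /* header promises more than is there */
        "1\nhello\nworld",            /* header promises less, no final newline */
        "many\nhello\n"               /* not a count at all */
    };
    const char *names[] = { "OK", "BAD_HEADER", "TOO_FEW_LINES", "TOO_MANY_LINES" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        long declared, actual;
        enum dic_status st = dic_check_str(samples[k], &declared, &actual);
        printf("sample %zu: declared=%ld actual=%ld -> %s\n",
               k, declared, actual, names[st]);
    }
    return 0;
}
```

With a real file the same check is "head -1 file.dic" against "wc -l file.dic" minus one for the header; the three dictionaries listed in comment 17 all pass it, which is one reason the thread moves on from the corrupt-dictionary theory.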

------------------------------------------------------------------------
On 2014-05-08T22:23:06+00:00 Ehsan-mozilla wrote:

Can you please tar up the .dic and .aff files there and attach it to the
bug, and perhaps include some links to pages where you experience this
crash?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/18

------------------------------------------------------------------------
On 2014-05-09T03:16:20+00:00 Luc Pionchon wrote:

Created attachment 8419869
user-share-hunspell.tgz

Sure.

Here is a tarball of my /usr/share/hunspell directory.

I remember that I manually removed the dictionaries that I did not
want (like French local variants).

fr.*    comes from ubuntu package hunspell-fr
en_US.* comes from ubuntu package hunspell-en-us
en_GB.* comes from ubuntu package myspell-en-gb

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/19

------------------------------------------------------------------------
On 2014-05-09T03:20:02+00:00 Luc Pionchon wrote:

The pages where I experience crash are pretty random, as far as I
recall. Of course frequently visited pages produce most crashes, like
gmail or facebook just to name two.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/20

------------------------------------------------------------------------
On 2014-05-09T03:24:21+00:00 Luc Pionchon wrote:

(can you see the crashing page from my crash reports?)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/21

------------------------------------------------------------------------
On 2014-05-09T05:55:29+00:00 L. David Baron wrote:

Are all the people seeing this using Ubuntu's builds of Firefox (or some
other distro?), or are any of you seeing this in Mozilla-generated
builds?  (The build IDs in crash stats don't seem to match our
builds.)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/22

------------------------------------------------------------------------
On 2014-05-09T06:07:13+00:00 L. David Baron wrote:

https://crash-stats.mozilla.com/report/index/f84c892b-3d01-46f5-aa98-e64d92140501 shows (using minidump_stackwalk):

Thread 0 (crashed)
 0  libxul.so + 0x15ecb6e
    eip = 0xb4bb5b6e   esp = 0xbfbf43d0   ebp = 0x8e5ffffe   ebx = 0xb6dcaef4
    esi = 0x00000002   edi = 0x82a14014   eax = 0x00000000   ecx = 0xb6dc532a
    edx = 0x00000001   efl = 0x00210282

(didn't get symbols set up)

This is consistent with the disassembly of 
http://mirrors.kernel.org/ubuntu/pool/main/f/firefox/firefox_29.0+build1-0ubuntu0.13.10.3_i386.deb
(that's the package for saucy), but not consistent with the disassembly of the Mozilla official Firefox 29 build.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/23

------------------------------------------------------------------------
On 2014-05-09T06:10:41+00:00 L. David Baron wrote:

Created attachment 8419927
function disassembly from Mozilla's official Firefox 29 build

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/24

------------------------------------------------------------------------
On 2014-05-09T06:12:10+00:00 L. David Baron wrote:

Created attachment 8419929
function disassembly from Ubuntu's saucy package

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/25

------------------------------------------------------------------------
On 2014-05-09T06:21:18+00:00 L. David Baron wrote:

The code we're looking at is:
https://hg.mozilla.org/releases/mozilla-release/file/f60bc49e6bd5/extensions/spellcheck/hunspell/src/csutil.cpp#l226

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/26

------------------------------------------------------------------------
On 2014-05-09T06:39:48+00:00 L. David Baron wrote:

Created attachment 8419938
annotated disassembly from Ubuntu's saucy package

This shows where the bug is.  At the time of the crash we're loading
flags[l] with a 32-bit read in order to compare it to pivot.

Comparing with the registers in comment 23, we can see that:
  l == 1 (%edx)
  r == 2 (%esi)
  &flags[l] == 0x8e5fffe (%ebp)
  begin == 0 (%eax)
  pivot == 0x532a (%cx)


In any case, I think this is pretty clearly a compiler bug.  Not sure who we bug about such things, given that it's in Ubuntu's builds.  (From the kernel versions I saw, it looks like it's showing up for precise and saucy.)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/27

------------------------------------------------------------------------
On 2014-05-09T06:51:16+00:00 L. David Baron wrote:

Who's the right person to talk to if the most frequent Firefox crash on
Linux is a bug in the compiler used to build the Ubuntu packages?

(Note that I've made no attempt so far to reduce a testcase for the
compiler bug.  It might or might not be fixed in trunk gcc, and I don't
know what gcc options are needed.  I'm not going to have the time to do
so, either.)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/28

------------------------------------------------------------------------
On 2014-05-09T07:00:42+00:00 L. David Baron wrote:

https://crash-stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks
is a link to the (current, not fixed in time) most recent week of
crashes with this signature.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/29

------------------------------------------------------------------------
On 2014-05-09T07:01:43+00:00 L. David Baron wrote:

... oh, and there are definitely trusty kernel versions in that list as
well.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/30

------------------------------------------------------------------------
On 2014-05-09T07:05:57+00:00 Luc Pionchon wrote:

(In reply to David Baron [:dbaron] (needinfo? me) (UTC-7) from comment #28)
> Who's the right person to talk to if the most frequent Firefox crash on
> Linux is a bug in the compiler used to build the Ubuntu packages?

Maybe you could get in touch with the Ubuntu Firefox package maintainer.


(I am using a mainstream kernel, 3.14.0-031400rc6-generic)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/31

------------------------------------------------------------------------
On 2014-05-12T00:56:05+00:00 L. David Baron wrote:

(In reply to pionchon.luc from comment #31)
> maybe you could be in touch with the ubuntu firefox package maintainer

I *think* that's who I made the needinfo request to in comment 28.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/32


** Changed in: firefox
       Status: Unknown => Confirmed

** Changed in: firefox
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1322784

Title:
  Firefox crashes in flag_qsort during spellchecker initialization on
  x86 due to gcc bug
