Launchpad has imported 33 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=983817.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2014-03-14T20:27:23+00:00 Snailtsunami wrote:

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140218140052

Steps to reproduce:

Clicked on a text field on github's web site and hit ctrl + v to paste a long public key into the text field, very quickly.

Actual results:

Browser stopped responding and crashed after a minute.

Expected results:

Text pasted; browser not crash.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/0

------------------------------------------------------------------------
On 2014-03-14T20:29:07+00:00 Snailtsunami wrote:

https://crash-stats.mozilla.com/report/index/9337a60c-e81b-420b-a638-dfa982140314

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/1

------------------------------------------------------------------------
On 2014-03-14T20:42:09+00:00 Lhenry wrote:

I saw this happen; I'm wondering from the crash report if it may have been Firefox trying to spell-check the public key. Or, it may have something to do with text fields in a form and switching fields quickly.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/2

------------------------------------------------------------------------
On 2014-04-01T05:15:02+00:00 Luc Pionchon wrote:

I was directed to this report from this crash report [1] on my system.

On my system, firefox is crashing regularly (several times a day!) when I click a text field, or when I change the spell-check language. This is not systematic though. I am using 2 different languages in FF text fields, and I switch between them several times a day (maybe 20 times?).
About 10% of the time FF will crash. This is highly unreliable. As a consequence I systematically copy/paste the content of the text field before I switch spell-check language (as the crash loses the last edit). This is truly frustrating.

This bug appeared somewhere around FF26-FF27 about. It used to work fine before.

[1] https://crash-stats.mozilla.com/report/index/e043de51-0fc8-4ddb-93ae-ab7c82140331

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/3

------------------------------------------------------------------------
On 2014-04-24T17:59:09+00:00 Kbrosnan-mozilla wrote:

*** Bug 995356 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/4

------------------------------------------------------------------------
On 2014-05-03T21:13:12+00:00 Lhenry wrote:

From the comments in other crashes, this may be an issue with focusing on a form's text field rather than a spelling check error. The crashes only happen on Linux and are still happening in builds for Firefox 29 from the end of April. There have been around 600 crashes with this signature in the last 7 days.

More crash reports:
https://crash-stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-05-03+21%3A00%3A00&range_value=1#tab-sigsummary

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/5

------------------------------------------------------------------------
On 2014-05-04T13:06:20+00:00 Ehsan-mozilla wrote:

This is a crash in the hunspell code we use to spell check. To people who can reproduce: what dictionaries do you have installed? Does someone have steps to reproduce?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/6

------------------------------------------------------------------------
On 2014-05-04T13:13:30+00:00 Luc Pionchon wrote:

I have French, English (UK) and English (US)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/7

------------------------------------------------------------------------
On 2014-05-04T19:36:52+00:00 Ehsan-mozilla wrote:

Thanks! It would be nice if someone can try installing those dictionaries and get us some steps to reproduce.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/8

------------------------------------------------------------------------
On 2014-05-04T20:05:07+00:00 Luc Pionchon wrote:

Unfortunately I have no steps to reproduce. On my system it is pretty random, which makes the issue even more frustrating (and a real pain). "May I click this field? Will FF crash this time? Or should I first copy the field content in the clipboard?". See also my comment in bug 995356.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/9

------------------------------------------------------------------------
On 2014-05-04T21:55:50+00:00 Ehsan-mozilla wrote:

(In reply to comment #9)
> Unfortunately I have no steps to reproduce. On my system it is pretty random,
> which makes the issue even more frustrating (and a real pain). "May I click
> this field? Will FF crash this time? Or should I first copy the field content
> in the clipboard?". See also my comment in bug 995356.

One thing that you can try is to disable the English (UK) and French dictionaries one by one and see if disabling one of them will make the crash go away. I strongly suspect that this is due to a corrupted dictionary file.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/10

------------------------------------------------------------------------
On 2014-05-05T13:03:36+00:00 Luc Pionchon wrote:

How can I disable dictionaries?
(I can't remember how I got them here)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/11

------------------------------------------------------------------------
On 2014-05-05T14:12:21+00:00 Ehsan-mozilla wrote:

(In reply to comment #11)
> How can I disable dictionaries?
> (I can't remember how I got them here)

If you go to about:addons, do you see them listed either under Dictionaries or Extensions?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/12

------------------------------------------------------------------------
On 2014-05-05T14:31:30+00:00 Luc Pionchon wrote:

(In reply to comment #12)
> If you go to about:addons, do you see them listed either under Dictionaries
> or Extensions?

no. There is one French dictionary listed, but it is disabled.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/13

------------------------------------------------------------------------
On 2014-05-08T20:14:08+00:00 L. David Baron wrote:

The fact that the crash addresses all end in five zeros is highly suspicious; is flag_qsort reading a word further than it ought to, and thus intermittently crossing a page boundary when the array it's sorting bumps up against the edge of that page?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/14

------------------------------------------------------------------------
On 2014-05-08T20:39:20+00:00 L. David Baron wrote:

So, flags_qsort expects begin to be the first index and end to be 1 greater than the last index. (It thus does more work than needed on one element arrays.)
During the loop it maintains the invariants that all values in the range [begin + 1, l) are less than pivot and all values in [r, end) are greater than pivot. These ranges both might be empty. It exits the loop when l == r, which ensures that l is always a valid index; r might be equal to end and thus not a valid index. Then, after the loop, l is set to one less than r. If begin + 1 == end, then l == begin and r == end, since the while loop was never entered.

So the code of flag_qsort itself looks ok to me, or at least if there's a problem, I haven't seen it. It seems somewhat unlikely for the compiler to misoptimize.

The caller that matters is HashMgr::load_tables, which uses an allocation made in decode_flags, which does the allocation and gives the caller both the pointer and the length, so it looks like it's passing the right size as well. Integer overflow seems somewhat unlikely, although I suppose it's possible.

I really wish the crash reports had at least line number information.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/15

------------------------------------------------------------------------
On 2014-05-08T21:41:49+00:00 Ehsan-mozilla wrote:

The format of the .dic file is basically like this:

<N> # denoting the number of lines
... # followed by N lines

And hunspell doesn't perform any bounds checking on the contents of the file, and in the past I've seen at least one crash which was caused by a dictionary file which got this wrong. Something like this would be my first guess as to what's happening here.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/16

------------------------------------------------------------------------
On 2014-05-08T21:52:09+00:00 Luc Pionchon wrote:

This is what I get from my hunspell dictionaries:

$ cd /usr/share/hunspell
$ ls *.dic
en_GB.dic en_US.dic fr.dic
$ head -1 en_GB.dic && wc -l en_GB.dic
56506
56507 en_GB.dic
$ head -1 en_US.dic && wc -l en_US.dic
62154
62155 en_US.dic
$ head -1 fr.dic && wc -l fr.dic
63062
63063 fr.dic

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/17

------------------------------------------------------------------------
On 2014-05-08T22:23:06+00:00 Ehsan-mozilla wrote:

Can you please tar up the .dic and .aff files there and attach it to the bug, and perhaps include some links to pages where you experience this crash?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/18

------------------------------------------------------------------------
On 2014-05-09T03:16:20+00:00 Luc Pionchon wrote:

Created attachment 8419869
user-share-hunspell.tgz

Sure. Here is a tarball of my /usr/share/hunspell directory. I remember that I removed manually the dictionaries that I did not want (like French local variants).

fr.* comes from ubuntu package hunspell-fr
en_US.* comes from ubuntu package hunspell-en-us
en_GB.* comes from ubuntu package myspell-en-gb

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/19

------------------------------------------------------------------------
On 2014-05-09T03:20:02+00:00 Luc Pionchon wrote:

The pages where I experience crash are pretty random, as far as I recall. Of course frequently visited pages produce most crashes, like gmail or facebook just to name two.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/20

------------------------------------------------------------------------
On 2014-05-09T03:24:21+00:00 Luc Pionchon wrote:

(can you see the crashing page from my crash reports?)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/21

------------------------------------------------------------------------
On 2014-05-09T05:55:29+00:00 L. David Baron wrote:

Are all the people seeing this using Ubuntu's builds of Firefox (or some other distro?), or are any of you seeing this in Mozilla-generated builds? (The build IDs in crash stats don't seem to match our builds.)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/22

------------------------------------------------------------------------
On 2014-05-09T06:07:13+00:00 L. David Baron wrote:

https://crash-stats.mozilla.com/report/index/f84c892b-3d01-46f5-aa98-e64d92140501 shows (using minidump_stackwalk):

Thread 0 (crashed)
 0  libxul.so + 0x15ecb6e
    eip = 0xb4bb5b6e   esp = 0xbfbf43d0   ebp = 0x8e5ffffe   ebx = 0xb6dcaef4
    esi = 0x00000002   edi = 0x82a14014   eax = 0x00000000   ecx = 0xb6dc532a
    edx = 0x00000001   efl = 0x00210282

(didn't get symbols set up)

This is consistent with the disassembly of http://mirrors.kernel.org/ubuntu/pool/main/f/firefox/firefox_29.0+build1-0ubuntu0.13.10.3_i386.deb (that's the package for saucy), but not consistent with the disassembly of the Mozilla official Firefox 29 build.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/23

------------------------------------------------------------------------
On 2014-05-09T06:10:41+00:00 L. David Baron wrote:

Created attachment 8419927
function disassembly from Mozilla's official Firefox 29 build

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/24

------------------------------------------------------------------------
On 2014-05-09T06:12:10+00:00 L. David Baron wrote:

Created attachment 8419929
function disassembly from Ubuntu's saucy package

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/25

------------------------------------------------------------------------
On 2014-05-09T06:21:18+00:00 L. David Baron wrote:

The code we're looking at is:
https://hg.mozilla.org/releases/mozilla-release/file/f60bc49e6bd5/extensions/spellcheck/hunspell/src/csutil.cpp#l226

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/26

------------------------------------------------------------------------
On 2014-05-09T06:39:48+00:00 L. David Baron wrote:

Created attachment 8419938
annotated disassembly from Ubuntu's saucy package

This shows where the bug is. At the time of the crash we're loading flags[l] with a 32-bit read in order to compare it to pivot. Comparing with the registers in comment 23, we can see that:

l == 1 (%edx)
r == 2 (%esi)
&flags[l] == 0x8e5fffe (%ebp)
begin == 0 (%eax)
pivot == 0x532a (%cx)

In any case, I think this is pretty clearly a compiler bug. Not sure who we bug about such things, given that it's in Ubuntu's builds. (From the kernel versions I saw, it looks like it's showing up for precise and saucy.)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/27

------------------------------------------------------------------------
On 2014-05-09T06:51:16+00:00 L. David Baron wrote:

Who's the right person to talk to if the most frequent Firefox crash on Linux is a bug in the compiler used to build the Ubuntu packages?

(Note that I've made no attempt so far to reduce a testcase for the compiler bug. It might or might not be fixed in trunk gcc, and I don't know what gcc options are needed. I'm not going to have the time to do so, either.)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/28

------------------------------------------------------------------------
On 2014-05-09T07:00:42+00:00 L. David Baron wrote:

https://crash-stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks is a link to the (current, not fixed in time) most recent week of crashes with this signature

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/29

------------------------------------------------------------------------
On 2014-05-09T07:01:43+00:00 L. David Baron wrote:

... oh, and there are definitely trusty kernel versions in that list as well.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/30

------------------------------------------------------------------------
On 2014-05-09T07:05:57+00:00 Luc Pionchon wrote:

(In reply to David Baron [:dbaron] (needinfo? me) (UTC-7) from comment #28)
> Who's the right person to talk to if the most frequent Firefox crash on
> Linux is a bug in the compiler used to build the Ubuntu packages?

maybe you could be in touch with the ubuntu firefox package maintainer

(I am using a mainstream kernel, 3.14.0-031400rc6-generic)

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/31

------------------------------------------------------------------------
On 2014-05-12T00:56:05+00:00 L. David Baron wrote:

(In reply to pionchon.luc from comment #31)
> maybe you could be in touch with the ubuntu firefox package maintainer

I *think* that's who I made the needinfo request to in comment 28.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1322784/comments/32

** Changed in: firefox
       Status: Unknown => Confirmed

** Changed in: firefox
   Importance: Unknown => Medium

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1322784

Title:
  Firefox crashes in flag_qsort during spellchecker initialization on x86 due to gcc bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1322784/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
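
Added example, not part of the bug thread and not hunspell or Firefox code: comments 14 and 27 trace the crash to a 32-bit load of the 16-bit flags[l] at an address just below a page boundary, which only faults when the next page happens to be unmapped. The harness below makes that deterministic by placing the array flush against an inaccessible page, so a build with an over-wide load faults on every run instead of intermittently. flag_qsort is rewritten here from the description in comment 15; sort_at_page_edge and the sample values are constructed for illustration, and POSIX mmap/mprotect are assumed.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Sort as described in comment 15 (a reconstruction for illustration):
 * begin is the first index, end is one past the last index. */
static void flag_qsort(unsigned short flags[], int begin, int end) {
    if (end > begin) {
        unsigned short pivot = flags[begin], reg;
        int l = begin + 1, r = end;
        while (l < r) {
            if (flags[l] <= pivot) {
                l++;
            } else {
                r--;
                reg = flags[l]; flags[l] = flags[r]; flags[r] = reg;
            }
        }
        l--;                        /* last element known to be <= pivot */
        reg = flags[begin]; flags[begin] = flags[l]; flags[l] = reg;
        flag_qsort(flags, begin, l);
        flag_qsort(flags, r, end);
    }
}

/* Hypothetical helper: copy n flags so the last one ends exactly at a page
 * boundary, make the next page inaccessible, sort, and check the order.
 * Returns 1 if sorted, 0 if not, -1 on setup failure. A load wider than
 * 16 bits on the last element faults instead of returning. */
int sort_at_page_edge(const unsigned short *in, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (n == 0 || n * sizeof *in > page) return -1;
    unsigned char *m = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    if (mprotect(m + page, page, PROT_NONE) != 0) { munmap(m, 2 * page); return -1; }
    unsigned short *f = (unsigned short *)(m + page - n * sizeof *in);
    memcpy(f, in, n * sizeof *in);
    flag_qsort(f, 0, (int)n);
    int sorted = 1;
    for (size_t i = 1; i < n; i++) if (f[i - 1] > f[i]) sorted = 0;
    munmap(m, 2 * page);
    return sorted;
}

int main(void) {
    const unsigned short two[] = { 0x532a, 0x0041 };   /* constructed sample */
    printf("sorted at page edge: %d\n", sort_at_page_edge(two, 2));
    return 0;
}
```

Building this with the same compiler and optimization flags as the suspect package is what makes the result meaningful; a two-element input reproduces the l == 1, r == 2 state from comment 27.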
