← Back to team overview

desktop-packages team mailing list archive

[Bug 1322784]

 

Comment on attachment 8561105
Pad heap allocations passed to flag_qsort() on x86 Linux to work around gcc bug affecting Ubuntu packages

Approval Request Comment
[Feature/regressing bug #]: not a regression in our codebase
[User impact if declined]: #3 topcrash on Linux, specific to 32-bit Ubuntu-distributed builds.  Firefox will randomly crash on 32-bit Linux builds the first time the user uses a textarea or otherwise does something that initializes the spellchecker.  (It only crashes a small percentage of the time, but it affects a large number of users.)
[Describe test coverage new/current, TreeHerder]:  None.  Just landed on mozilla-inbound.  I don't know of any way to test that the fix works without shipping it on the release channel.
[Risks and why]: Low risk; it's padding a few allocations in the spellcheck code with 2 extra bytes on all 32-bit Linux builds.
[String/UUID change made/needed]: no

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1322784

Title:
  Firefox crashes in flag_qsort during spellchecker initialization on
  x86 due to gcc bug

Status in The Mozilla Firefox Browser:
  In Progress
Status in firefox package in Ubuntu:
  Confirmed
Status in gcc-4.8 package in Ubuntu:
  Incomplete

Bug description:
  The most common Firefox crash on Linux in Mozilla's crash-stats system
  is crashes in the function flag_qsort.

  These crashes occur:
   * only on x86 architecture
   * only on Ubuntu packages (and not on Mozilla's builds)
   * on precise and saucy and trusty (based on kernel versions reported with the crashes)
  and appear to be due to a compiler bug in the compiler used to generate Ubuntu's builds.  (It could be a common compiler bug triggered by different compiler options or a compiler bug specific to Ubuntu's gcc.)

  The analysis that leads to the conclusion that this is a compiler bug
  is in https://bugzilla.mozilla.org/show_bug.cgi?id=983817 .  In
  particular, the compiler is miscompiling an access to an element of an
  array of unsigned short as a 32-bit read, and when the unsigned short
  in question is the last one in the allocation and that allocation is
  aligned so that the byte following has a different 0x100000 bit, this
  can lead to crashes.

  The most recent (whenever you follow the link) 7 days of crash reports
  are available at: https://crash-
  stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1322784/+subscriptions