| Thread Previous • Date Previous • Date Next • Thread Next |
Comment on attachment 8561105 Pad heap allocations passed to flag_qsort() on x86 Linux to work around gcc bug affecting Ubuntu packages Approval Request Comment [Feature/regressing bug #]: not a regression in our codebase [User impact if declined]: #3 topcrash on Linux, specific to 32-bit Ubuntu-distributed builds. Firefox will randomly crash on 32-bit Linux builds the first time the user uses a textarea or otherwise does something that initializes the spellchecker. (It only crashes a small percentage of the time, but it affects a large number of users.) [Describe test coverage new/current, TreeHerder]: None. Just landed on mozilla-inbound. I don't know of any way to test that the fix works without shipping it on the release channel. [Risks and why]: Low risk; it's padding a few allocations in the spellcheck code with 2 extra bytes on all 32-bit Linux builds. [String/UUID change made/needed]: no -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1322784 Title: Firefox crashes in flag_qsort during spellchecker initialization on x86 due to gcc bug Status in The Mozilla Firefox Browser: In Progress Status in firefox package in Ubuntu: Confirmed Status in gcc-4.8 package in Ubuntu: Incomplete Bug description: The most common Firefox crash on Linux in Mozilla's crash-stats system is crashes in the function flag_qsort. These crashes occur: * only on x86 architecture * only on Ubuntu packages (and not on Mozilla's builds) * on precise and saucy and trusty (based on kernel versions reported with the crashes) and appear to be due to a compiler bug in the compiler used to generate Ubuntu's builds. (It could be a common compiler bug triggered by different compiler options or a compiler bug specific to Ubuntu's gcc.) The analysis that leads to the conclusion that this is a compiler bug is in https://bugzilla.mozilla.org/show_bug.cgi?id=983817 . In particular, the compiler is miscompiling an access to an element of an array of unsigned short as a 32-bit read, and when the unsigned short in question is the last one in the allocation and that allocation is aligned so that the byte following has a different 0x100000 bit, this can lead to crashes. The most recent (whenever you follow the link) 7 days of crash reports are available at: https://crash- stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/1322784/+subscriptions
| Thread Previous • Date Previous • Date Next • Thread Next |
