desktop-packages team mailing list archive
Message #100050
[Bug 1322784]
Comment on attachment 8561105
Pad heap allocations passed to flag_qsort() on x86 Linux to work around gcc bug affecting Ubuntu packages
Approval Request Comment
[Feature/regressing bug #]: not a regression in our codebase
[User impact if declined]: #3 topcrash on Linux, specific to 32-bit Ubuntu-distributed builds. Firefox will randomly crash on 32-bit Linux builds the first time the user uses a textarea or otherwise does something that initializes the spellchecker. (It only crashes a small percentage of the time, but it affects a large number of users.)
[Describe test coverage new/current, TreeHerder]: None. Just landed on mozilla-inbound. I don't know of any way to test that the fix works without shipping it on the release channel.
[Risks and why]: Low risk; it's padding a few allocations in the spellcheck code with 2 extra bytes on all 32-bit Linux builds.
[String/UUID change made/needed]: no
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1322784
Title:
Firefox crashes in flag_qsort during spellchecker initialization on x86 due to gcc bug
Status in The Mozilla Firefox Browser:
In Progress
Status in firefox package in Ubuntu:
Confirmed
Status in gcc-4.8 package in Ubuntu:
Incomplete
Bug description:
The most common Firefox crash on Linux in Mozilla's crash-stats system is the crash in the function flag_qsort.
These crashes occur:
* only on x86 architecture
* only on Ubuntu packages (and not on Mozilla's builds)
* on precise and saucy and trusty (based on kernel versions reported with the crashes)
and appear to be due to a compiler bug in the compiler used to generate Ubuntu's builds. (It could be a common compiler bug triggered by different compiler options or a compiler bug specific to Ubuntu's gcc.)
The analysis that leads to the conclusion that this is a compiler bug is in https://bugzilla.mozilla.org/show_bug.cgi?id=983817 . In particular, the compiler is miscompiling an access to an element of an array of unsigned short as a 32-bit read, and when the unsigned short in question is the last one in the allocation and that allocation is aligned so that the byte following has a different 0x100000 bit, this can lead to crashes.
The most recent (whenever you follow the link) 7 days of crash reports are available at: https://crash-stats.mozilla.com/report/list?signature=flag_qsort&product=Firefox&query_type=contains&range_unit=weeks
To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1322784/+subscriptions
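The failure mode in the bug description (a 16-bit element read as a 32-bit load, fatal only when the element is the last in its allocation and the bytes past it sit across a 0x100000 boundary in memory that cannot be read) and the workaround in the approval request (pad the allocation by 2 bytes) can be reproduced deliberately. The program below is an added example for this page; it is not Mozilla's code, not the patch in attachment 8561105, and not hunspell's flag_qsort. It assumes Linux on x86 or x86-64, uses mprotect(PROT_NONE) on the MiB after the allocation as a stand-in for whatever made the following memory unreadable in the real crashes (the report only says the next byte has a different 0x100000 bit), models the miscompiled access with an explicit 4-byte memcpy, and catches the resulting SIGSEGV with sigsetjmp/siglongjmp so the comparison can be made in one run. All function and type names are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The bug report keys the crash on the 0x100000 bit of the address: the
 * over-wide read crosses a 1 MiB boundary into memory that cannot be read. */
#define MIB ((uintptr_t)0x100000)

enum access_result { ACCESS_OK = 0, ACCESS_FAULTED = 1, ACCESS_SETUP_FAILED = 2 };

/* Static check usable on any allocation: would a 4-byte load at the last
 * unsigned short of arr[0..n) touch a byte whose 0x100000 bit differs from
 * the element's own? Hypothetical helper, not from the bug. */
int wide_read_crosses_mib(const unsigned short *arr, size_t n)
{
    uintptr_t last = (uintptr_t)&arr[n - 1];
    return (last & MIB) != ((last + 3) & MIB);
}

/* Models the miscompiled access: a full 32-bit load where only the low
 * 16 bits belong to the array. A constant-size memcpy becomes one 4-byte
 * load on x86; even if it is not inlined it still touches p[2] and p[3]. */
static uint32_t wide_read(const void *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

struct chunk { unsigned char *raw; size_t raw_len; unsigned char *start; };

/* Map a 1 MiB-aligned chunk and make the MiB after it inaccessible. This is
 * an assumption standing in for whatever followed the allocation in the
 * real crashes. */
static int map_chunk(struct chunk *c)
{
    c->raw_len = 3 * MIB;
    c->raw = mmap(NULL, c->raw_len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (c->raw == MAP_FAILED) return -1;
    c->start = (unsigned char *)(((uintptr_t)c->raw + MIB - 1) & ~(MIB - 1));
    if (mprotect(c->start + MIB, MIB, PROT_NONE) != 0) {
        munmap(c->raw, c->raw_len);
        return -1;
    }
    return 0;
}

/* Put n unsigned shorts plus pad_bytes of slack flush against the end of the
 * chunk, then do the 32-bit read of the last element under a SIGSEGV/SIGBUS
 * trap. pad_bytes == 0 models the shipped code; pad_bytes == 2 models the
 * workaround from the approval request. */
enum access_result simulate_flag_qsort_read(size_t n, size_t pad_bytes)
{
    struct chunk c;
    if (n == 0 || map_chunk(&c) != 0) return ACCESS_SETUP_FAILED;

    unsigned short *arr = (unsigned short *)
        (c.start + MIB - (n * sizeof(unsigned short) + pad_bytes));
    for (size_t i = 0; i < n; i++) arr[i] = (unsigned short)i;  /* constructed data */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    enum access_result r;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile uint32_t v = wide_read(&arr[n - 1]);  /* the over-wide load */
        (void)v;
        r = ACCESS_OK;
    } else {
        r = ACCESS_FAULTED;  /* handler long-jumped here: this is the crash */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(c.raw, c.raw_len);
    return r;
}

int main(void)
{
    printf("unpadded: %s\n",
           simulate_flag_qsort_read(64, 0) == ACCESS_FAULTED ? "faulted" : "ok");
    printf("2-byte pad: %s\n",
           simulate_flag_qsort_read(64, 2) == ACCESS_FAULTED ? "faulted" : "ok");
    return 0;
}
```

The padded case succeeds only because the 4-byte load now stays inside readable memory; the two extra bytes are still read and still garbage, which is why the approval request calls this a workaround for a compiler bug rather than a fix in the spellchecker, and why wide_read_crosses_mib is the kind of check a reviewer would apply to the remaining flag_qsort call sites rather than to this one allocation only.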