Issue 130128 Chrome crashes on Windows when looking for suggestions for a 99 character misspelled word
Starred by 2 users Reported by shaswat....@prakat.com, May 29 2012
Status: Verified
Owner:
Closed: Jan 2013
Components:
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

Blocked on:
issue 167192


Chrome Version       : 19.0.1084.52 m
URLs (if applicable) : www.google.com
Other browsers tested: OK
 
Safari 5:
Firefox 4.x:
IE 7/8/9:

What steps will reproduce the problem?
1. go to www.google.com
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text

What is the expected result?
Google Chrome should not crash

What happens instead?
Google Chrome crashes

Additional details:
In Notepad, enter 99 characters (example: "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"). Open Google Chrome and go to yahoo.com or any other site that has a text box. Paste the text in the text box. Right-click on the text box or on the text. Notice: Google Chrome has crashed. Refer to the screenshot.
 
Attachment: google_chrome_crash.jpg (36.9 KB)
Additional steps to reproduce the problem
1. go to www.yahoo.com
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text
Comment 2 by tkent@chromium.org, May 30 2012
Labels: -Area-Undefined Area-WebKit WebKit-Forms WebKit-Editing Stability-Crash
What OS are you using?
Can you provide Crash IDs?  http://www.chromium.org/for-testers/bug-reporting-guidelines/reporting-crash-bug
Comment 3 by meh...@chromium.org, May 30 2012
Labels: Action-FeedbackNeeded
OS: Windows 7 SP1 64-bit
Not able to get the crash id.
Comment 6 by tkent@chromium.org, May 31 2012
Issue 130361 has been merged into this issue.
Comment 7 by tkent@chromium.org, May 31 2012
Labels: -Action-FeedbackNeeded Hotlist-ConOps OS-Windows
Status: Untriaged
I confirmed this on Windows 7 + Canary.
Crash IDs are not recorded :(

Comment 8 by tkent@chromium.org, Jun 1 2012
Labels: -WebKit-Forms -WebKit-Editing Feature-Spellcheck


>	chrome.dll!SuggestMgr::forgotchar_utf(char * * wlst, const w_char * word, int wl, int ns, int cpdsuggest)  Line 813 + 0xf bytes	C++
 	chrome.dll!SuggestMgr::suggest(char * * * slst, const char * w, int nsug, int * onlycompoundsug)  Line 308 + 0x2e bytes	C++
 	chrome.dll!Hunspell::suggest(char * * * slst, const char * word)  Line 768 + 0x21 bytes	C++
 	chrome.dll!SpellCheck::FillSuggestionList(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & wrong_word, std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > * optional_suggestions)  Line 453 + 0x49 bytes	C++
 	chrome.dll!SpellCheck::SpellCheckWord(const wchar_t * in_word, int in_word_len, int tag, int * misspelling_start, int * misspelling_len, std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > * optional_suggestions)  Line 193	C++
 	chrome.dll!SpellCheckProvider::spellCheck(const WebKit::WebString & text, int & offset, int & length, WebKit::WebVector<WebKit::WebString> * optional_suggestions)  Line 176	C++
 	webkit.dll!WebKit::ContextMenuClientImpl::getCustomMenuFromDefaultItems(WebCore::ContextMenu * defaultMenu)  Line 298 + 0x41 bytes	C++
 	webkit.dll!WebCore::ContextMenuController::showContextMenu(WebCore::Event * event)  Line 171 + 0x21 bytes	C++
 	webkit.dll!WebCore::ContextMenuController::handleContextMenuEvent(WebCore::Event * event)  Line 117	C++
 	webkit.dll!WebCore::Node::defaultEventHandler(WebCore::Event * event)  Line 2843	C++
 	webkit.dll!WebCore::TextControlInnerTextElement::defaultEventHandler(WebCore::Event * event)  Line 98	C++
 	webkit.dll!WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event)  Line 299 + 0x32 bytes	C++
 	webkit.dll!WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher * dispatcher)  Line 208	C++
 	webkit.dll!WebCore::EventDispatcher::dispatchEvent(WebCore::Node * node, WTF::PassRefPtr<WebCore::EventDispatchMediator> mediator)  Line 116 + 0x1e bytes	C++
 	webkit.dll!WebCore::Node::dispatchMouseEvent(const WebCore::PlatformMouseEvent & event, const WTF::AtomicString & eventType, int detail, WebCore::Node * relatedTarget)  Line 2769 + 0x9f bytes	C++
 	webkit.dll!WebCore::EventHandler::dispatchMouseEvent(const WTF::AtomicString & eventType, WebCore::Node * targetNode, bool __formal, int clickCount, const WebCore::PlatformMouseEvent & mouseEvent, bool setUnder)  Line 2233 + 0x23 bytes	C++
 	webkit.dll!WebCore::EventHandler::sendContextMenuEvent(const WebCore::PlatformMouseEvent & event)  Line 2528 + 0x2b bytes	C++
 	webkit.dll!WebKit::WebViewImpl::mouseContextMenu(const WebKit::WebMouseEvent & event)  Line 570	C++
 	webkit.dll!WebKit::WebViewImpl::handleMouseUp(WebCore::Frame & mainFrame, const WebKit::WebMouseEvent & event)  Line 622	C++
 	webkit.dll!WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page * page, WebKit::PageWidgetEventHandler & handler, const WebKit::WebInputEvent & event)  Line 131 + 0x17 bytes	C++
 	webkit.dll!WebKit::WebViewImpl::handleInputEvent(const WebKit::WebInputEvent & inputEvent)  Line 1727 + 0x3d bytes	C++
 	content.dll!RenderWidget::OnHandleInputEvent(const IPC::Message & message)  Line 551 + 0x1b bytes	C++
 	content.dll!IPC::Message::Dispatch<RenderWidget,RenderWidget>(const IPC::Message * msg, RenderWidget * obj, RenderWidget * sender, void (const IPC::Message &)* func)  Line 172 + 0x1f bytes	C++
 	content.dll!RenderWidget::OnMessageReceived(const IPC::Message & message)  Line 226 + 0x9f bytes	C++
 	content.dll!RenderViewImpl::OnMessageReceived(const IPC::Message & message)  Line 952 + 0xc bytes	C++
 	content.dll!MessageRouter::RouteMessage(const IPC::Message & msg)  Line 46 + 0x13 bytes	C++
 	content.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg)  Line 38 + 0x13 bytes	C++
 	content.dll!ChildThread::OnMessageReceived(const IPC::Message & msg)  Line 207 + 0x17 bytes	C++
 	ipc.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message)  Line 249 + 0x1b bytes	C++
 	ipc.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1)  Line 188 + 0x21 bytes	C++
 	ipc.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2)  Line 897	C++
 	ipc.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base)  Line 1254 + 0x2a bytes	C++
 	base.dll!base::Callback<void __cdecl(void)>::Run()  Line 272 + 0xe bytes	C++
 	base.dll!MessageLoop::RunTask(const base::PendingTask & pending_task)  Line 467	C++
 	base.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task)  Line 480	C++
 	base.dll!MessageLoop::DoWork()  Line 654 + 0xc bytes	C++
 	base.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate)  Line 28 + 0xf bytes	C++
 	base.dll!MessageLoop::RunInternal()  Line 424 + 0x29 bytes	C++
 	base.dll!MessageLoop::RunHandler()  Line 398	C++
 	base.dll!MessageLoop::Run()  Line 308	C++
 	content.dll!RendererMain(const content::MainFunctionParams & parameters)  Line 271 + 0x19 bytes	C++
 	content.dll!`anonymous namespace'::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate)  Line 318 + 0x12 bytes	C++
 	content.dll!`anonymous namespace'::ContentMainRunnerImpl::Run()  Line 575 + 0x14 bytes	C++
 	content.dll!content::ContentMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info, content::ContentMainDelegate * delegate)  Line 35 + 0x1a bytes	C++
 	chrome.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info)  Line 28 + 0x14 bytes	C++
 	chrome.exe!MainDllLoader::Launch(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sbox_info)  Line 423 + 0x10 bytes	C++
 	chrome.exe!RunChrome(HINSTANCE__ * instance)  Line 31 + 0x10 bytes	C++
 	chrome.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * prev, wchar_t * __formal, wchar_t * __formal)  Line 47 + 0x9 bytes	C++
 	chrome.exe!__tmainCRTStartup()  Line 547 + 0x2c bytes	C
 	chrome.exe!wWinMainCRTStartup()  Line 371	C
 	kernel32.dll!7622339a() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	ntdll.dll!76fb9ef2() 	
 	ntdll.dll!76fb9ec5() 	

Comment 9 by hbono@chromium.org, Jun 1 2012
Owner: hbono@chromium.org
Status: Assigned
Greetings,

Thank you for your bug report.
In brief, finding suggestions is a combination problem and it is better to skip finding them if a misspelled word is too long. (Even though it does not crash, it takes a long time.)

Regards,

Hironori Bono
Comment 10 by jtan@chromium.org, Jun 5 2012
Labels: -Hotlist-ConOps
Owner: odean@chromium.org
Greetings,

I'm passing this issue to Tyler to transfer all spellchecker issues to a new team.

Regards,

Hironori Bono
Comment 12 by odean@chromium.org, Aug 14 2012
Cc: rlp@chromium.org
Comment 13 by groby@chromium.org, Aug 31 2012
Cc: groby@chromium.org
Cc: -groby@chromium.org -rlp@chromium.org
Labels: -Pri-2 Pri-1
Owner: groby@chromium.org
Groby: Please double-check that this is already fixed.
This issue still exists on Chrome version 23.0.1271.95 m

Can't repro in  23.0.1271.95 on OSX or Linux. (Also doesn't repro in Canary, but that's not helping narrow this down)

Do you have any crash ID now, by any chance?

Also - what language is your spell checker set to?
Labels: Action-FeedbackNeeded
Here are some steps to reproduce:
1. go to www.yahoo.com
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text
Here is the video for additional steps to reproduce. Hope this helps.
Attachment: chrome_issue.avi (3.5 MB)
shaswat.paudel: Since this happens in v23 and we cannot see it in v25, would you mind installing v25 side-by-side from https://tools.google.com/dlpage/chromesxs/ and seeing if that still happens?
shaswat.paudel: What language do you have selected for spellchecking in chrome://settings/languages?
I'm using language: English (United States).

I installed v25 as you mentioned and yes, I can reproduce this issue. Here is the attached video. Hope this helps.

FYI: I'm using Windows 7.
Attachment: Chrome_Issue01.avi (5.2 MB)
shaswat.paudel: Thank you for being so responsive! I am thinking that maybe this has to do with anti-virus or memory... Would you mind letting us know what Anti-Virus you're using? Are you using 32-bit or 64-bit Windows? How much RAM does your computer have?
I am using Symantec. I do have 4 GB RAM. It's a 64-bit machine.

I was able to reproduce this issue on multiple machines. So, it might not be the antivirus or memory issue. 

Comment 26 Deleted
I reproduced on Windows with Canary. Hooray!
Labels: -Action-FeedbackNeeded
Owner: rouslan@chromium.org
I reproduce this in Incognito Mode too.

Comment 30 by groby@chromium.org, Dec 11 2012
Since it's easily reproducible - anybody got a crash ID?
No crash ID, presumably because the crash happens inside of the sandbox. (It shows the Aw Snap page instead of bringing down the whole browser.)
I can break into the crashing SuggestMgr::forgotchar_utf, but not sure what's up yet.
The problem seems to be forgotchar_utf writes one byte past the end of "char candidate[MAXSWUTF8L]" array.
Increasing the array size does not solve the problem, so that theory goes out of the window...
Status: Started
Submitted a patch upstream (https://sourceforge.net/tracker/?func=detail&aid=3595024&group_id=143754&atid=756395) and will be fixing it in src/third_party/hunspell, too.
Blockedon: chromium:167192
Project Member Comment 37 by bugdroid1@chromium.org, Dec 21 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174476

------------------------------------------------------------------------
r174476 | groby@chromium.org | 2012-12-21T23:25:41.328554Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/README.chromium?r1=174476&r2=174475&pathrev=174476
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/google.patch?r1=174476&r2=174475&pathrev=174476
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/src/hunspell/hunspell.cxx?r1=174476&r2=174475&pathrev=174476

Fix array-out-of-bounds error in hunspell

If you invoke SuggestMgr::forgotchar_utf() with wl=99, then the method will
write past the candidate_utf[MAXSWL] array. Here's a step through of what
happens:

int wl = 99; // word length is 99 characters.
w_char candidate_utf[MAXSWL]; // buffer size is 100 chars.
w_char * p = candidate_utf + wl; // p = candidate_utf + 99.
*(p + 1) = *p; // writing to p + 1, which is candidate_utf + 100.

The fix is to reduce maximum length of spellchecked words from 99 to 98 characters.

Corresponding upstream bug report:
https://sourceforge.net/tracker/?func=detail&aid=3595024&group_id=143754&atid=756395

BUG= 130128 

Review URL: https://codereview.chromium.org/11442040
------------------------------------------------------------------------
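An added illustration, not hunspell's code and not from this thread: the shift-right-by-one idiom from the step-through above, written with an explicit bounds check so that the two fixes discussed later in the thread can be compared. With a 100-slot buffer the longest word the shift fits is 98; enlarging the buffer by one slot admits 99. The w_char stand-in type and every function name here are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXSWL 100   /* from the commit message: candidate_utf holds 100 w_chars */

typedef uint16_t w_char;   /* stand-in for hunspell's two-byte w_char (assumption) */

/* The shift copies the terminator at candidate[wl] into candidate[wl + 1],
 * so wl + 1 is the highest index the idiom touches. */
static size_t highest_index_written(int wl) { return (size_t)wl + 1; }

/* True when the shift stays inside a buffer of buf_len slots. */
static bool shift_fits(int wl, size_t buf_len) {
    return wl >= 0 && highest_index_written(wl) < buf_len;
}

/* Longest word the idiom can handle in buf_len slots: wl + 1 <= buf_len - 1. */
static int max_safe_word_length(size_t buf_len) {
    return buf_len < 2 ? -1 : (int)buf_len - 2;
}

/* Bounds-checked version of the insertion step: copy word (wl chars plus
 * terminator) into buf, open a gap at pos by shifting the tail right by one
 * and write ch there. Refuses, touching nothing, when the shift would not fit. */
static bool insert_char_checked(w_char *buf, size_t buf_len, const w_char *word,
                                int wl, int pos, w_char ch) {
    if (!shift_fits(wl, buf_len) || pos < 0 || pos > wl) return false;
    memcpy(buf, word, (size_t)(wl + 1) * sizeof(w_char));
    for (int i = wl; i >= pos; --i)
        buf[i + 1] = buf[i];          /* the store that ran one past the end */
    buf[pos] = ch;
    return true;
}

/* Small self-check: inserting 'x' into "ab" at position 1 yields "axb",
 * and a 3-slot buffer (one too small for the shift) is refused. */
static bool demo_insert_ok(void) {
    const w_char word[] = { 'a', 'b', 0 };
    w_char tight[3], roomy[4];
    bool refused = !insert_char_checked(tight, 3, word, 2, 1, 'x');
    bool ok = insert_char_checked(roomy, 4, word, 2, 1, 'x');
    return refused && ok && roomy[0] == 'a' && roomy[1] == 'x' &&
           roomy[2] == 'b' && roomy[3] == 0;
}

int main(void) {
    printf("buffer of %d: longest word the shift fits = %d\n",
           MAXSWL, max_safe_word_length(MAXSWL));          /* 98 */
    printf("buffer of %d: longest word the shift fits = %d\n",
           MAXSWL + 1, max_safe_word_length(MAXSWL + 1));  /* 99 */
    printf("wl=99 in %d slots fits? %s\n", MAXSWL,
           shift_fits(99, MAXSWL) ? "yes" : "no, writes index 100");
    return demo_insert_ok() ? 0 : 1;
}
```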
Project Member Comment 38 by bugdroid1@chromium.org, Dec 22 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174507

------------------------------------------------------------------------
r174507 | rouslan@chromium.org | 2012-12-22T07:16:56.945609Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=174507&r2=174506&pathrev=174507

Update DEPS to pull the Hunspell with the latest fixes

This CL increments the version of Hunspell used in Chrome. The new version fixes
a crash when spell-checking a 99-character word. The new version also includes a
fix for 153249, for which DEPS was not rolled.

BUG= 130128 , 153249 


Review URL: https://chromiumcodereview.appspot.com/11660020
------------------------------------------------------------------------
The crash is fixed, but a minor side-effect that needs to be fixed is that 99-char words are now not underlined as misspelled. Only <=98 and >=100 char words get underlined as misspelled. Going to fix that problem before closing this bug.
Summary: Chrome crashes on Windows when looking for suggestions for a 99 character misspelled word (was: Google chrome crashes when you try to paste 99 character on text box and right click on the text)
Groby: I think that the originally-proposed patch is better and we should go back to that fix. The original patch increased the buffer size by 1 in the method that inserted one character at each position in the string: forgotchar_utf. The advantage of increasing the buffer size in forgotchar_utf is that the rest of the code can still assume that 99 character words are okay to check.

In contrast, the new patch prevents 99 character words from being spellchecked, but UI also does not mark these words as misspelled. Only words that are less than 99 characters and more than 99 characters in length are now underlined as misspelled. There are multiple places in hunspell.cxx where we check that length is < MAXWORDLEN. All these places would need to be changed to check for word length < MAXWORDLEN - 1. There's only one place to increase the buffer size for forgotchar_utf, however.

What do you think, Groby? Should we go back to the original fix?
I think you _did_ go back, right? No more input from me required?
I did not go back yet.
Comment 43 by groby@google.com, Jan 7 2013
Then let's go back. And filter through all places that use MAXWORDLEN, just in case. Extra bonus points if we can actually have regression tests :)

I love me some regression tests... yum!
Project Member Comment 45 by bugdroid1@chromium.org, Jan 10 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=175968

------------------------------------------------------------------------
r175968 | rlp@chromium.org | 2013-01-10T01:27:13.811303Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/src/hunspell/suggestmgr.cxx?r1=175968&r2=175967&pathrev=175968
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/google.patch?r1=175968&r2=175967&pathrev=175968
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/hunspell/src/hunspell/hunspell.cxx?r1=175968&r2=175967&pathrev=175968

[hunspell] Spellcheck 99-character words.

Because of regression in
http://src.chromium.org/viewvc/chrome?view=rev&revision=174476, the browser does
not check spelling in 99-character words. This CL makes sure that the browser
checks the spelling of 99-character words by increasing one of the buffers by
one character instead of reducing the number of characters checked. This
approach is simpler than the one in revision 174476.

Unit test: https://codereview.chromium.org/11776032/.

Upstream bug report:
https://sourceforge.net/tracker/?func=detail&aid=3595024&group_id=143754&atid=756395

BUG= 130128 

Review URL: https://codereview.chromium.org/11778031
------------------------------------------------------------------------
Project Member Comment 46 by bugdroid1@chromium.org, Jan 11 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176242

------------------------------------------------------------------------
r176242 | rouslan@chromium.org | 2013-01-11T03:16:00.936784Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/convert_dict/aff_reader.cc?r1=176242&r2=176241&pathrev=176242
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/convert_dict/dic_reader.cc?r1=176242&r2=176241&pathrev=176242
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/renderer/spellchecker/spellcheck_unittest.cc?r1=176242&r2=176241&pathrev=176242

Unit test for spellchecking 96- through 102-character words

This patch adds a test for checking the spelling of words that are from 96 to
102 characters in length. Hunspell should mark the words in the test as
misspelled and provide no suggestions. The corresponding change in
src/third_party/hunspell: http://codereview.chromium.org/11778031.

BUG= 130128 

Review URL: https://chromiumcodereview.appspot.com/11776032
------------------------------------------------------------------------
Status: Fixed
Project Member Comment 48 by bugdroid1@chromium.org, Mar 11 2013
Labels: -Area-WebKit -Feature-Spellcheck Cr-Content Cr-UI-Browser-Spellcheck
Project Member Comment 49 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
This issue seems to be fixed on Chrome Version 27.0.1453.93 m
Labels: TE_verified_27.0.1453.93
Status: Verified
This issue is fixed and verified in Win7 27.0.1453.93.
