Status: Verified
Closed: Jan 2013
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

Blocked on:
issue 167192

Chrome crashes on Windows when looking for suggestions for a 99 character misspelled word
Reported by, May 29 2012
Chrome Version       : 19.0.1084.52 m
URLs (if applicable) :
Other browsers tested: OK
Safari 5:
Firefox 4.x:
IE 7/8/9:

What steps will reproduce the problem?
1. go to
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text

What is the expected result?
google chrome should not crash

What happens instead?
google chrome is crashing

Additional details:
In Notepad, enter 99 characters (example: "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"). Open Google Chrome and go to or any other site that has a text box. Paste the text in the text box. Right-click on the text box or on the text. Notice: Google Chrome has crashed. Refer to the screenshot.
Additional steps to reproduce the problem
1. go to
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text
Comment 2 by, May 30 2012
Labels: -Area-Undefined Area-WebKit WebKit-Forms WebKit-Editing Stability-Crash
What OS are you using?
Can you provide Crash IDs?
Comment 3 by, May 30 2012
Labels: Action-FeedbackNeeded
OS: windows 7 sp 1 64 bit
Not able to get the crash id.
Comment 6 by, May 31 2012
 Issue 130361  has been merged into this issue.
Comment 7 by, May 31 2012
Labels: -Action-FeedbackNeeded Hotlist-ConOps OS-Windows
Status: Untriaged
I confirmed this on Windows 7 + Canary.
Crash IDs are not recorded :(

Comment 8 by, Jun 1 2012
Labels: -WebKit-Forms -WebKit-Editing Feature-Spellcheck

>	chrome.dll!SuggestMgr::forgotchar_utf(char * * wlst, const w_char * word, int wl, int ns, int cpdsuggest)  Line 813 + 0xf bytes	C++
 	chrome.dll!SuggestMgr::suggest(char * * * slst, const char * w, int nsug, int * onlycompoundsug)  Line 308 + 0x2e bytes	C++
 	chrome.dll!Hunspell::suggest(char * * * slst, const char * word)  Line 768 + 0x21 bytes	C++
 	chrome.dll!SpellCheck::FillSuggestionList(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & wrong_word, std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > * optional_suggestions)  Line 453 + 0x49 bytes	C++
 	chrome.dll!SpellCheck::SpellCheckWord(const wchar_t * in_word, int in_word_len, int tag, int * misspelling_start, int * misspelling_len, std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > * optional_suggestions)  Line 193	C++
 	chrome.dll!SpellCheckProvider::spellCheck(const WebKit::WebString & text, int & offset, int & length, WebKit::WebVector<WebKit::WebString> * optional_suggestions)  Line 176	C++
 	webkit.dll!WebKit::ContextMenuClientImpl::getCustomMenuFromDefaultItems(WebCore::ContextMenu * defaultMenu)  Line 298 + 0x41 bytes	C++
 	webkit.dll!WebCore::ContextMenuController::showContextMenu(WebCore::Event * event)  Line 171 + 0x21 bytes	C++
 	webkit.dll!WebCore::ContextMenuController::handleContextMenuEvent(WebCore::Event * event)  Line 117	C++
 	webkit.dll!WebCore::Node::defaultEventHandler(WebCore::Event * event)  Line 2843	C++
 	webkit.dll!WebCore::TextControlInnerTextElement::defaultEventHandler(WebCore::Event * event)  Line 98	C++
 	webkit.dll!WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event)  Line 299 + 0x32 bytes	C++
 	webkit.dll!WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher * dispatcher)  Line 208	C++
 	webkit.dll!WebCore::EventDispatcher::dispatchEvent(WebCore::Node * node, WTF::PassRefPtr<WebCore::EventDispatchMediator> mediator)  Line 116 + 0x1e bytes	C++
 	webkit.dll!WebCore::Node::dispatchMouseEvent(const WebCore::PlatformMouseEvent & event, const WTF::AtomicString & eventType, int detail, WebCore::Node * relatedTarget)  Line 2769 + 0x9f bytes	C++
 	webkit.dll!WebCore::EventHandler::dispatchMouseEvent(const WTF::AtomicString & eventType, WebCore::Node * targetNode, bool __formal, int clickCount, const WebCore::PlatformMouseEvent & mouseEvent, bool setUnder)  Line 2233 + 0x23 bytes	C++
 	webkit.dll!WebCore::EventHandler::sendContextMenuEvent(const WebCore::PlatformMouseEvent & event)  Line 2528 + 0x2b bytes	C++
 	webkit.dll!WebKit::WebViewImpl::mouseContextMenu(const WebKit::WebMouseEvent & event)  Line 570	C++
 	webkit.dll!WebKit::WebViewImpl::handleMouseUp(WebCore::Frame & mainFrame, const WebKit::WebMouseEvent & event)  Line 622	C++
 	webkit.dll!WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page * page, WebKit::PageWidgetEventHandler & handler, const WebKit::WebInputEvent & event)  Line 131 + 0x17 bytes	C++
 	webkit.dll!WebKit::WebViewImpl::handleInputEvent(const WebKit::WebInputEvent & inputEvent)  Line 1727 + 0x3d bytes	C++
 	content.dll!RenderWidget::OnHandleInputEvent(const IPC::Message & message)  Line 551 + 0x1b bytes	C++
 	content.dll!IPC::Message::Dispatch<RenderWidget,RenderWidget>(const IPC::Message * msg, RenderWidget * obj, RenderWidget * sender, void (const IPC::Message &)* func)  Line 172 + 0x1f bytes	C++
 	content.dll!RenderWidget::OnMessageReceived(const IPC::Message & message)  Line 226 + 0x9f bytes	C++
 	content.dll!RenderViewImpl::OnMessageReceived(const IPC::Message & message)  Line 952 + 0xc bytes	C++
 	content.dll!MessageRouter::RouteMessage(const IPC::Message & msg)  Line 46 + 0x13 bytes	C++
 	content.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg)  Line 38 + 0x13 bytes	C++
 	content.dll!ChildThread::OnMessageReceived(const IPC::Message & msg)  Line 207 + 0x17 bytes	C++
 	ipc.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message)  Line 249 + 0x1b bytes	C++
 	ipc.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1)  Line 188 + 0x21 bytes	C++
 	ipc.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2)  Line 897	C++
 	ipc.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base)  Line 1254 + 0x2a bytes	C++
 	base.dll!base::Callback<void __cdecl(void)>::Run()  Line 272 + 0xe bytes	C++
 	base.dll!MessageLoop::RunTask(const base::PendingTask & pending_task)  Line 467	C++
 	base.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task)  Line 480	C++
 	base.dll!MessageLoop::DoWork()  Line 654 + 0xc bytes	C++
 	base.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate)  Line 28 + 0xf bytes	C++
 	base.dll!MessageLoop::RunInternal()  Line 424 + 0x29 bytes	C++
 	base.dll!MessageLoop::RunHandler()  Line 398	C++
 	base.dll!MessageLoop::Run()  Line 308	C++
 	content.dll!RendererMain(const content::MainFunctionParams & parameters)  Line 271 + 0x19 bytes	C++
 	content.dll!`anonymous namespace'::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate)  Line 318 + 0x12 bytes	C++
 	content.dll!`anonymous namespace'::ContentMainRunnerImpl::Run()  Line 575 + 0x14 bytes	C++
 	content.dll!content::ContentMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info, content::ContentMainDelegate * delegate)  Line 35 + 0x1a bytes	C++
 	chrome.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info)  Line 28 + 0x14 bytes	C++
 	chrome.exe!MainDllLoader::Launch(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sbox_info)  Line 423 + 0x10 bytes	C++
 	chrome.exe!RunChrome(HINSTANCE__ * instance)  Line 31 + 0x10 bytes	C++
 	chrome.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * prev, wchar_t * __formal, wchar_t * __formal)  Line 47 + 0x9 bytes	C++
 	chrome.exe!__tmainCRTStartup()  Line 547 + 0x2c bytes	C
 	chrome.exe!wWinMainCRTStartup()  Line 371	C
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	

Comment 9 by, Jun 1 2012
Status: Assigned

Thank you for your bug report.
In brief, finding suggestions is a combination problem and it is better to skip finding them if a misspelled word is too long. (Even though it does not crash, it takes a long time.)


Hironori Bono
Comment 10 by, Jun 5 2012
Labels: -Hotlist-ConOps

I'm passing this issue to Tyler to transfer all spellchecker issues to a new team.


Hironori Bono
Comment 12 by, Aug 14 2012
Comment 13 by, Aug 31 2012
Labels: -Pri-2 Pri-1
Groby: Please double-check that this is already fixed.
This issue still exists on chrome version Version 23.0.1271.95 m

Can't repro in  23.0.1271.95 on OSX or Linux. (Also doesn't repro in Canary, but that's not helping narrow this down)

Do you have any crash ID now, by any chance?

Also - what language is your spell checker set to?
Labels: Action-FeedbackNeeded
Here are some steps to reproduce:
1. go to
2. copy "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"
3. paste it on yahoo search text box
4. right click on the text
Here is the video for additional steps to reproduce. Hope this helps.
shaswat.paudel: Since this happens in v23 and we cannot see it in v25, would you mind installing v25 side-by-side from and seeing if that still happens?
shaswat.paudel: What language do you have selected for spellchecking in chrome://settings/languages?
I'm using language: English (United States).

I installed V25 as you mentioned and Yes, I can reproduce this issue. Here is the attached video. Hope this helps.

FYI: I'm using windows 7. 
shaswat.paudel: Thank you for being so responsive! I am thinking that maybe this has to do with anti-virus or memory... Would you mind letting us know what Anti-Virus you're using? Are you using 32-bit or 64-bit Windows? How much RAM does your computer have?
I am using Symantec. I do have 4 GB RAM. It's a 64-bit machine.

I was able to reproduce this issue on multiple machines. So, it might not be the antivirus or memory issue. 

Comment 26 Deleted
I reproduced on Windows with Canary. Hooray!
Labels: -Action-FeedbackNeeded
I reproduce this on Incognito Mode too. 

Comment 30 by, Dec 11 2012
Since it's easily reproducible - anybody got a crash ID?
No crash ID, presumably because the crash happens inside of the sandbox. (It shows the Aw Snap page instead of bringing down the whole browser.)
I can break into the crashing SuggestMgr::forgotchar_utf, but not sure what's up yet.
The problem seems to be forgotchar_utf writes one byte past the end of "char candidate[MAXSWUTF8L]" array.
Increasing the array size does not solve the problem, so that theory goes out of the window...
Status: Started
Submitted a patch upstream ( and will be fixing it in src/third_party/hunspell, too.
Blockedon: chromium:167192
Project Member Comment 37 by, Dec 21 2012
The following revision refers to this bug:

r174476 | | 2012-12-21T23:25:41.328554Z

Changed paths:

Fix array-out-of-bounds error in hunspell

If you invoke SuggestMgr::forgotchar_utf() with wl=99, then the method will
write past the candidate_utf[MAXSWL] array. Here's a step through of what

int wl = 99; // word length is 99 characters.
w_char candidate_utf[MAXSWL]; // buffer size is 100 chars.
w_char * p = candidate_utf + wl; // p = candidate_utf + 99.
*(p + 1) = *p; // writing to p + 1, which is candidate_utf + 100.

The fix is to reduce maximum length of spellchecked words from 99 to 98 characters.

Corresponding upstream bug report:

BUG= 130128 

Review URL:
Project Member Comment 38 by, Dec 22 2012
The following revision refers to this bug:

r174507 | | 2012-12-22T07:16:56.945609Z

Changed paths:

Update DEPS to pull the Hunspell with the latest fixes

This CL increments the version of Hunspell used in Chrome. The new version fixes
a crash when spell-checking a 99-character word. The new version also includes a
fix for 153249, for which DEPS was not rolled.

BUG= 130128 , 153249 

Review URL:
The crash is fixed, but a minor side-effect that needs to be fixed is that 99-char words are now not underlined as misspelled. Only <=98 and >=100 char words get underlined as misspelled. Going to fix that problem before closing this bug.
Summary: Chrome crashes on Windows when looking for suggestions for a 99 character misspelled word (was: Google chrome crashes when you try to paste 99 character on text box and right click on the text)
Groby: I think that the originally-proposed patch is better and we should go back to that fix. The original patch increased the buffer size by 1 in the method that inserted one character at each position in the string: forgotchar_utf. The advantage of increasing the buffer size in forgotchar_utf is that the rest of the code can still assume that 99 character words are okay to check.

In contrast, the new patch prevents 99 character words from being spellchecked, but UI also does not mark these words as misspelled. Only words that are less than 99 characters and more than 99 characters in length are now underlined as misspelled. There are multiple places in hunspell.cxx where we check that length is < MAXWORDLEN. All these places would need to be changed to check for word length < MAXWORDLEN - 1. There's only one place to increase the buffer size for forgotchar_utf, however.

What do you think, Groby? Should we go back to the original fix?
I think you _did_ go back, right? No more input from me required?
I did not go back yet.
Comment 43 by, Jan 7 2013
Then let's go back. And filter through all places that use MAXWORDLEN, just in case. Extra bonus points if we can actually have regression tests :)

I love me some regression tests... yum!
Project Member Comment 45 by, Jan 10 2013
The following revision refers to this bug:

r175968 | | 2013-01-10T01:27:13.811303Z

Changed paths:

[hunspell] Spellcheck 99-character words.

Because of regression in, the browser does
not check spelling in 99-character words. This CL makes sure that the browser
checks the spelling of 99-character words by increasing one of the buffers by
one character instead of reducing the number of characters checked. This
approach is simpler than the one in revision 174476.

Unit test:

Upstream bug report:

BUG= 130128 

Review URL:
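
The overrun from the r174476 step-through and the two fixes discussed above (lowering the checked length to 98, then growing the buffer by one in r175968), as an added example that is not Hunspell or Chromium code: a bounds-counting model of the shift-and-insert loop. The `wch` type, the loop bounds, `MAXWORDLEN` = 100 and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXSWL 100      /* candidate buffer size quoted in the commit message */
#define MAXWORDLEN 100  /* assumed gate: only words shorter than this are checked */

typedef unsigned short wch;  /* stand-in for Hunspell's w_char (assumption) */

/* Store that refuses, and counts, any write outside a cap-element buffer. */
static void store(wch *buf, size_t cap, size_t idx, wch v, size_t *oob) {
    if (idx < cap) buf[idx] = v; else (*oob)++;
}

/* Model of the step-through: p starts at buf + wl and each step does
   *(p + 1) = *p, then places the tried character at *p. Returns how many
   stores fell outside a cap-element buffer (SIZE_MAX on misuse). */
size_t insert_loop_oob(const wch *word, size_t wl, size_t cap, wch tryc) {
    wch buf[MAXSWL + 1] = {0};   /* real backing storage, never overrun */
    size_t oob = 0;
    if (cap > MAXSWL + 1 || wl > cap) return (size_t)-1;
    memcpy(buf, word, wl * sizeof(wch));
    for (size_t i = wl + 1; i-- > 0; ) {        /* i is p - buf */
        wch cur = (i < cap) ? buf[i] : 0;
        store(buf, cap, i + 1, cur, &oob);      /* *(p + 1) = *p */
        store(buf, cap, i, tryc, &oob);         /* *p = tryc */
    }
    return oob;
}

/* Shortest admitted word length (1 .. max_len - 1) that overruns a
   cap-element buffer, or 0 when every admitted length is safe. */
size_t first_unsafe_len(size_t cap, size_t max_len) {
    wch word[MAXSWL];            /* constructed sample word: a..z repeated */
    for (size_t k = 0; k < MAXSWL; k++) word[k] = (wch)('a' + k % 26);
    for (size_t wl = 1; wl < max_len && wl <= MAXSWL; wl++)
        if (insert_loop_oob(word, wl, cap, 'x') != 0) return wl;
    return 0;
}

int main(void) {
    printf("original:           %zu\n", first_unsafe_len(MAXSWL, MAXWORDLEN));
    printf("gate lowered to 98: %zu\n", first_unsafe_len(MAXSWL, MAXWORDLEN - 1));
    printf("buffer grown by 1:  %zu\n", first_unsafe_len(MAXSWL + 1, MAXWORDLEN));
    return 0;
}
```

Sweeping every admitted length against the buffer capacity is the same boundary check the 96- through 102-character unit test exercises from the outside.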
Project Member Comment 46 by, Jan 11 2013
The following revision refers to this bug:

r176242 | | 2013-01-11T03:16:00.936784Z

Changed paths:

Unit test for spellchecking 96- through 102-character words

This patch adds a test for checking the spelling of words that are from 96 to
102 characters in length. Hunspell should mark the words in the test as
misspelled and provide no suggestions. The corresponding change in

BUG= 130128 

Review URL:
Status: Fixed
Project Member Comment 48 by, Mar 11 2013
Labels: -Area-WebKit -Feature-Spellcheck Cr-Content Cr-UI-Browser-Spellcheck
Project Member Comment 49 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
This issue seems to be fixed on Chrome Version 27.0.1453.93 m
Labels: TE_verified_27.0.1453.93
Status: Verified
this issue is fixed and verified in Win7 27.0.1453.93.

Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck