This sounds bad, but I can't reproduce.  Can you trigger this crash consistently?  
Are you using Windows XP or Vista?

I'm using Windows XP Pro with SP3 and my Google Chrome is translated into Portuguese
(Brazilian)... And yes, everytime I try to add a word it crashes!

I changed language to Portugese (Brazilian) but still can't repro the crash. However, 
let me look at the code to find points of failure nevertheless.

Patrick, can u repro ?

-Sid

OK, btw I don't know if it changes anything (probably not because all that "tabs are
separeted processes" stuff, but I had open: Gmail, Gdocs and Gcalendar and reproduced
the bug on a textarea on Gmail and on this very textarea I'm writing right now...

I can't reproduce this crash either.  I tried setting both my default and spell-check 
languages to Portuguese (Brazil).  fgfemperor, is this how you have your 
configuration set up?

Yes, both of them are configured as Portguese Brazilian!

I was able to reproduce the crash, though not consistently.  For me it takes several 
attempts.  I've triggered it three times so far.  It appears to happen when right-
clicking on the underlined word.

FAULTING_IP: 
chrome_1000000!flag_bsearch+12 [c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\csutil.cxx @ 207]
01491af7 movzx   edx,word ptr [edx+eax*2]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01491af7 (chrome_1000000!flag_bsearch+0x00000012)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 648f5932
Attempt to read from address 648f5932

FAULTING_THREAD:  00000ed0

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at 
"0x%08lx". The memory could not be "%s".

READ_ADDRESS:  648f5932 

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 0149b18b to 01491af7

STACK_TEXT:  
00f2e840 0149b18b 648f574a 00000000 00000000 chrome_1000000!flag_bsearch+0x12 
[c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\csutil.cxx @ 207]
00f2e860 014989aa 01ea7a20 00f2e8d8 00000008 
chrome_1000000!SuggestMgr::checkword+0xab [c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\suggestmgr.cxx @ 1090]
00f2e888 01499f58 01ec8670 00f2e8d8 00000008 chrome_1000000!SuggestMgr::testsug+0x76 
[c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\suggestmgr.cxx @ 86]
00f2eb38 01498c2a 01ec8670 00000007 00000000 
chrome_1000000!SuggestMgr::forgotchar_utf+0xfb [c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\suggestmgr.cxx @ 620]
00f2edd8 01491188 00f2f4b0 00f2f088 00afc1c8 chrome_1000000!SuggestMgr::suggest+0x244 
[c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\suggestmgr.cxx @ 163]
00f2f494 01220c06 00f2f590 00f2f610 00f2faf0 chrome_1000000!Hunspell::suggest+0x5b7 
[c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\hunspell.cxx @ 710]
00f2f5cc 01221e54 00f2f7bc 00000007 00f2f608 
chrome_1000000!SpellChecker::SpellCheckWord+0x2ad [c:\b\slave\chrome-
official\build\src\chrome\browser\spellchecker.cc @ 445]
00f2f810 01221a2a 01e75040 00000000 01ebcc38 
chrome_1000000!ResourceMessageFilter::OnReceiveContextMenuMsg+0x76 
[c:\b\slave\chrome-official\build\src\chrome\browser\resource_message_filter.cc @ 
252]
00f2f88c 0118884b 00f2faf0 00f2faf0 01e75030 
chrome_1000000!ResourceMessageFilter::OnMessageReceived+0x1da [c:\b\slave\chrome-
official\build\src\chrome\browser\resource_message_filter.cc @ 157]
00f2f89c 0118aa71 00f2faf0 00f2faf0 01ebcd0c 
chrome_1000000!IPC::ChannelProxy::Context::TryFilters+0x24 [c:\b\slave\chrome-
official\build\src\chrome\common\ipc_channel_proxy.cc @ 41]
00f2f8ac 0118f4e3 00f2faf0 01ebcc38 01ebdca9 
chrome_1000000!IPC::SyncChannel::SyncContext::OnMessageReceived+0x10 
[c:\b\slave\chrome-official\build\src\chrome\common\ipc_sync_channel.cc @ 325]
00f2fb1c 0118f8a3 01ebcc38 00af9934 00000000 
chrome_1000000!IPC::Channel::ProcessIncomingMessages+0x268 [c:\b\slave\chrome-
official\build\src\chrome\common\ipc_channel.cc @ 295]
00f2fbc4 010173fe 000003dc 00000000 00af9928 
chrome_1000000!IPC::Channel::OnObjectSignaled+0xa5 [c:\b\slave\chrome-
official\build\src\chrome\common\ipc_channel.cc @ 425]
00f2fc6c 010170ca 00000000 00af9968 00af9928 
chrome_1000000!base::MessagePumpWin::SignalWatcher+0xac [c:\b\slave\chrome-
official\build\src\base\message_pump_win.cc @ 500]
00f2fd3c 01016e92 00af9928 00000000 00000000 
chrome_1000000!base::MessagePumpWin::WaitForWork+0x22d [c:\b\slave\chrome-
official\build\src\base\message_pump_win.cc @ 387]
00f2fd70 01016b6c 00f2feb0 00b002c8 00f2feb0 
chrome_1000000!base::MessagePumpWin::DoRunLoop+0xb5 [c:\b\slave\chrome-
official\build\src\base\message_pump_win.cc @ 305]
00f2fd94 010166da 00000000 01008f11 00f2feb0 
chrome_1000000!base::MessagePumpWin::RunWithDispatcher+0x39 [c:\b\slave\chrome-
official\build\src\base\message_pump_win.cc @ 129]
00f2fd9c 01008f11 00f2feb0 00f2feb0 00b002c8 
chrome_1000000!base::MessagePumpWin::Run+0xb [c:\b\slave\chrome-
official\build\src\base\message_pump_win.h @ 136]
00f2fe40 01008e85 1950e3bf 00f2feb0 00b002c8 
chrome_1000000!MessageLoop::RunInternal+0x86 [c:\b\slave\chrome-
official\build\src\base\message_loop.cc @ 182]
00f2fe78 01008e28 00f2feb0 00000001 00f2fe00 
chrome_1000000!MessageLoop::RunHandler+0x4f [c:\b\slave\chrome-
official\build\src\base\message_loop.cc @ 165]
00f2fe98 0147efef 7c9106eb 00000020 00b00308 chrome_1000000!MessageLoop::Run+0x15 
[c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 139]
00f2ff70 0100d0c0 0158ca91 00b002c8 1950e26b 
chrome_1000000!base::Thread::ThreadMain+0x7d [c:\b\slave\chrome-
official\build\src\base\thread.cc @ 159]
00f2ff74 0158ca91 00b002c8 1950e26b 7c9106eb chrome_1000000!`anonymous 
namespace'::ThreadFunc+0x9 [c:\b\slave\chrome-
official\build\src\base\platform_thread_win.cc @ 29]
00f2ffac 0158cb36 00000020 7c80b683 00b00308 chrome_1000000!_callthreadstartex+0x1b 
[f:\sp\vctools\crt_bld\self_x86\crt\src\threadex.c @ 348]
00f2ffb4 7c80b683 00b00308 7c9106eb 00000020 chrome_1000000!_threadstartex+0x7f 
[f:\sp\vctools\crt_bld\self_x86\crt\src\threadex.c @ 326]
00f2ffec 00000000 0158cab7 00b00308 00000000 kernel32!BaseThreadStart+0x37


FOLLOWUP_IP: 
chrome_1000000!flag_bsearch+12 [c:\b\slave\chrome-
official\build\src\chrome\third_party\hunspell\src\hunspell\csutil.cxx @ 207]
01491af7 movzx   edx,word ptr [edx+eax*2]

FAULTING_SOURCE_CODE:  
   203:    int left = 0;
   204:    int right = length - 1;
   205:    while (left <= right) {
   206:       mid = (left + right) / 2;
>  207:       if (flags[mid] == flag) return 1;
   208:       if (flag < flags[mid]) right = mid - 1;
   209:       else left = mid + 1;
   210:    }
   211:    return 0;
   212: }


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  chrome_1000000!flag_bsearch+12

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: chrome_1000000

IMAGE_NAME:  chrome.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  48d95a7c

STACK_COMMAND:  ~5s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_chrome.dll!flag_bsearch

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_chrome_1000000!flag_bsearch+12

Followup: MachineOwner
---------

Looks similar to issue 3040.

(No comment was entered for this change.)

Still happens on 0.3.154.0 everytime I try to add the word "Guaycuru" to the 
dictionary.

Its on the process of being fixed (http://codereview.chromium.org/6430)

Fixed in http://codereview.chromium.org/6430

I can't reproduce the crash, But I can see some other issues, I will file them 
separately.

Version 0.3.154.3 and still has a problem, this function crash my Chrome!!!!!
OS = Windows XP SP2

Word to add= Euphorbiaceae
Textbox from Gmail website

Same here, 0.3.154.3, XP SP2, word: Guaycuru still crashes...

Reopening, we'll take another look at this.  We suspected this was the same root 
cause as issue 3040, but that may not be the case.

(No comment was entered for this change.)

I have some requests as we haven't had much luck reproducing this crash.  If you could do the following that would greatly help us.

1. Shut down Google Chrome completely (if it's running).  Make sure no chrome.exe processes are running.  I recommend using Wrench menu > Exit to close everything.
2. Go to Start > Run and type in:
   "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --noerrdialogs
3. Reproduce the crash with this new window.
4. There will be no application error dialog, the browser will just disappear on a crash.
5. Go to Start > Run and type in %TEMP% and hit enter.
6. Find the most recent .dmp file in this folder.  It will be named like "3ccb9c93-8e2f-4059-8922-71d3afd1952c.dmp".  The file timestamp should be very recent since it was just 
created.  Sorting by Date Modified will make this easy.
7. Attach the .dmp file to a private email addressed to me (optional: zip it up first to reduce size).

Also, if you don't mind sharing your custom spell-check dictionary with us, that may also be helpful in identifying this problem.  This dictionary will consist of all the words you 
have added yourself.  It will be in plain text format.  You can find the dictionary file here:

"%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Custom Dictionary.txt"

If you don't mind, please also send that file to me in a private email.

Please refer to this bug in your email(s) for quick reference.

I did everything you said, but no dump file was produced. I looked in my TEMP folder, 
on my Google Chrome folder and also searched my whole computer for *.dmp files 
created today, and none was found... Do i have to put any other command line 
arguments to make it produce the dump? Also, "Guaycuru" is the first and only word I 
tried to add, so I don't even have a Custom Dictionary.txt file...

Ok, so I followed the steps I found here: http://www.google.com/support/chrome/bin/answer.py?answer=107788 and got the dump 
file to be produced. Sent it to your email.

Sid had a fix for this in r3546.  The hypothesis is that the application does not have permission to write to the custom dictionary file.

If you would like to help us verify whether that worked, then please try the following:

Download and install the latest Chromium build from:
http://build.chromium.org/buildbot/continuous/LATEST/mini_installer.exe

Try to reproduce the crash with that build.  You can find it under Start > Programs > Chromium > Chromium.

If you can't reproduce, then it looks like the fix worked.  Unfortunately, though the fix avoids the crash, the "Add to dictionary" feature won't 
work properly.  In this case nothing will be written to the custom dictionary as the application doesn't have permission to do so.

Once you're done with the experiment you can uninstall the new Chromium build if you'd like.  This won't affect your Google Chrome installation.  
You can delete the new user data by deleting the folder "%USERPROFILE%\Local Settings\Application Data\Chromium" (this is separate from the Google 
Chrome user data).

Well, I did what you asked me to... Installed chromium, tried to reproduce the bug... 
and got it again... That nasty crash... Should I try to generate a dump from within 
chromium as well?

Thanks for running that experiment for us!  So even though the patch we checked in 
was good and necessary, it sounds like it did not fix the crash in this instance.

Yes, another crash dump would be useful, just to be sure it's still the same problem.  
Please include the revision number in the email.  Type about:version into the URL 
bar, you should see Developer Build XXXX, XXXX is the revision number.

We'll get to the bottom of this.  Thanks for being patient with us.

I can't get Chromium to generate a crash dump. How should I do it?

fgfemperor: Try following these instructions to generate a crash dump: http://www.google.com/support/chrome/bin/answer.py?answer=107788

OK, got, don't know why it only works sometimes... Sent it to your email again! =)

I'll presume you meant you sent it to Patrick (because I don't see it) :)

Right, I've got it.  But I do still need the revision number in order to make sense 
of the crash dump.

Chromium: 0.3.155.0 (Versão do desenvolvedor 3603)
Which means Developer Version 3603 ;-)

Thanks again.  Now the crash appears to be in a slightly different location.  This time it's in fclose rather than fputs.

Here's the stack:

00d0fbfc 0169be8f 00000000 00000000 00000000 chrome_1160000!`anonymous namespace'::PureCall+0x3 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 61]
00d0fc44 0117a19c 00000000 00d0fd00 011ab62a chrome_1160000!fclose+0x35 [f:\sp\vctools\crt_bld\self_x86\crt\src\fclose.c @ 47]
00d0fc50 011ab62a 00000000 00d0feb4 02b3e008 chrome_1160000!file_util::CloseFile+0xc [c:\b\slave\chromium-rel-xp\build\src\base\file_util.cc @ 298]
00d0fc60 011717fd 00000000 00d0feb4 00000001 chrome_1160000!AddWordToCustomDictionaryTask::Run+0x4a [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\spellchecker.cc @ 515]
00d0fd00 011723fa 02b3e008 00b106e0 00b106c0 chrome_1160000!MessageLoop::RunTask+0x7d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 306]
00d0fd50 0117f2fa 00000000 00b106c0 00000000 chrome_1160000!MessageLoop::DoWork+0x1ea [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 413]
00d0fd80 0117ddd2 00d0feb4 00d0feb4 00d0feb4 chrome_1160000!base::MessagePumpForUI::DoRunLoop+0x5a [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_win.cc @ 367]
00d0fda0 0116f6fe 00d0feb4 00000000 00d0fe50 chrome_1160000!base::MessagePumpWin::RunWithDispatcher+0x42 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_win.cc @ 132]
00d0fdb0 01171f77 00d0feb4 00b109e8 00b05c20 chrome_1160000!base::MessagePumpWin::Run+0xe [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_win.h @ 124]
00d0fe50 01172110 b488f62f 00b109fc 00b109e8 chrome_1160000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 194]
00d0fe84 0117298d 00000001 00000000 00000000 chrome_1160000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 178]
00d0fea0 016c192a 00000000 00000000 00000000 chrome_1160000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 152]
00d0ff6c 011732ed 00d0ffac 0169a501 00b109e8 chrome_1160000!base::Thread::ThreadMain+0x8a [c:\b\slave\chromium-rel-xp\build\src\base\thread.cc @ 159]
00d0ff74 0169a501 00b109e8 b488f707 00000000 chrome_1160000!`anonymous namespace'::ThreadFunc+0xd [c:\b\slave\chromium-rel-xp\build\src\base\platform_thread_win.cc @ 29]
00d0ffac 0169a5a6 00000000 7c80b683 00b05c20 chrome_1160000!_callthreadstartex+0x1b [f:\sp\vctools\crt_bld\self_x86\crt\src\threadex.c @ 348]
00d0ffb4 7c80b683 00b05c20 00000000 00000000 chrome_1160000!_threadstartex+0x7f [f:\sp\vctools\crt_bld\self_x86\crt\src\threadex.c @ 326]
00d0ffec 00000000 0169a527 00b05c20 00000000 kernel32!BaseThreadStart+0x37

It looks like the FILE pointer is null in this crash, too.  Do we also need to do a 
null check before calling fclose?

So it seems ! Will make the changes now.

We checked in another fix for this crasher in r3659.  If you could repeat the above 
experiment with the latest Chromium (about:version should have a revision number >= 
3659), that would be very helpful.  The same problem applies here too: this only 
fixes the crash, the added word won't be saved to the custom dictionary.

Yes, no crash here. The word wasn't saved to the dictionary but Chromium didn't crash 
either! I repeated the experiment 3 times just to be sure!
Chromium	0.3.155.0 (Versão do desenvolvedor 3695)
;-)

Thanks for confirming that the new fix worked!  We really appreciate all of your 
help.

As for your problem, it's a bit strange to not be able to write to your Local AppData 
folder.  You may want to check if there's anything unusual about your setup, such as:

   * If you don't have write permission for that folder.
   * If you're on a guest account.

That's about all I can recommend, I'm definitely not an expert on this.

Well, actually I'm testing it both at my work place and my personal notebook. On both 
I have write access to my AppData folder and on both I'm running as a Administrator 
account!

In build: 0.3.154.6 (Official Build 3810)

I still got a crash on 0.3.154.6 !!!

Sent a Crash Dump to Patrick again...

Okay, I see the problem.

On trunk, the code looks like this:

    FILE* f = file_util::OpenFile(file_name_, "a+");
    if (f != NULL)
      fputs(word_.c_str(), f);
    file_util::CloseFile(f);

Reference:
http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/spellchecker.cc?revision=3546&view=markup

But in 0.3.154.6, the code looks like this:

    FILE* f = fopen(file_name_char, "a+");
    if (f != NULL)
      fputs(word_.c_str(), f);
    fclose(f);

Reference:
http://src.chromium.org/viewvc/chrome/branches/official/build_154.6/src/chrome/browser/spellchecker.cc?revision=3975&view=markup

The difference being that on trunk we use file_util::CloseFile, which now does a null
check before calling fclose, but on the release branch we call fclose directly, so we
don't get the null check.  We'll have to get this remedied on the release branch.

Oh, I see.... what about this difference:
FILE* f = file_util:OpenFile(file_name_, "a+");
FILE* f = fopen(file_name_char, "a+");

file_name_ against file_name_char? not trying to be annoying here, just something I 
crossed my eyes on...

Good point, that's another difference.  We should use the file_util functions for 
both opening and closing.

file_util had been in use though out in the trunk. It is now required to integrate 
those CLs into the release branch - Mark is on it.