Bug 725170 - crash java [@ java.lang.IndexOutOfBoundsException: getChars (142793 ... 142794) ends beyond length 74889 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) ]
Status: RESOLVED FIXED
Whiteboard: [native-crash], str-wanted
Keywords: crash
Product: Firefox for Android
Classification: Client Software
Component: Keyboards and IME
Version: Trunk
Platform: ARM Android
Importance: P1 critical
Target Milestone: Firefox 13
Assigned To: Chris Peterson [:cpeterson]
Duplicates: 663930
Blocks: 772225
Reported: 2012-02-07 17:03 PST by Kevin Brosnan [:kbrosnan]
Modified: 2012-07-09 14:26 PDT


Attachments
bug-725170-reset-ime-selection.patch (3.64 KB, patch)
2012-02-27 14:09 PST, Chris Peterson [:cpeterson]
dougt: review+

Description Kevin Brosnan [:kbrosnan] 2012-02-07 17:03:20 PST
This bug was filed from the Socorro interface and is 
report bp-ec99b765-0fb0-4af3-9ecd-f1b252120202 .
============================================================= 

Someone with Java stack access please add it to this bug. Similar to bug 720092 however the build ID is after the fix for 720092 landed.
Comment 1 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-02-07 17:16:03 PST
java.lang.IndexOutOfBoundsException: getChars (142793 ... 142794) ends beyond length 74889
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:967)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:871)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextBeforeCursor(BaseInputConnection.java:317)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:222)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:79)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:130)
	at org.mozilla.gecko.GeckoApp$32.run(GeckoApp.java:1670)
	at android.os.Handler.handleCallback(Handler.java:587)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:130)
	at android.app.ActivityThread.main(ActivityThread.java:3691)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:507)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:912)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:670)
	at dalvik.system.NativeStart.main(Native Method)

Need a range check to make sure length isn't greater than the difference?
Comment 2 Alex Pakhotin (:alexp) 2012-02-07 18:31:16 PST
This bug is of the same nature as bug 720092 - somewhere some string span gets garbage values. This time the crash is in a function, which we do not even override.

I assume, nobody can reproduce it?
Comment 3 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-02-08 07:39:39 PST
Not at this time.
Comment 4 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-02-11 20:01:47 PST
https://crash-stats.mozilla.com/report/index/b9690c40-a98a-42f7-b180-ddc052120205
https://crash-stats.mozilla.com/report/index/4330aecc-7702-4857-9b9d-ad0a42120210

These 2 crashes seem to happen on Kindle Fire

20120205031129
20120202194935
Comment 5 Chris Peterson [:cpeterson] 2012-02-27 10:18:59 PST
I think this bug should be a fennec-1.0 blocker because it's a crash. I believe this is actually an Android framework bug, but I am testing a workaround now.
Comment 6 Chris Peterson [:cpeterson] 2012-02-27 14:09:58 PST
Created attachment 601062
bug-725170-reset-ime-selection.patch

I believe this crash is an Android framework bug [1] where a focus change can invalidate text selection offsets. I am unable to reproduce the crash myself, but the supposed workaround is to reset the selection offsets when the app regains focus in onResume(). A side effect of this patch is that any selected text will lose its selection when Fennec is hidden by another activity, such as another app or Fennec's Settings screen.

In theory, this patch's workaround might make bug 720092's try/catch workaround unnecessary.

[1] https://code.google.com/p/android/issues/detail?id=5164
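
The failure mode discussed in comments 1 and 6, as an added example in plain Java (not the attached patch, Fennec code, or Android source): selection offsets stored separately from the text go stale when the text shrinks, an unchecked read throws, and either a range clamp or a selection reset avoids it. `Buffer`, the `textBeforeCursor*` helpers and the sample strings are hypothetical and constructed for illustration.

```java
// Added illustration; a plain-Java model, not Fennec or Android framework source.
public class StaleSelectionDemo {
    /** Minimal stand-in for an editable buffer that keeps selection offsets apart from its text. */
    static final class Buffer {
        final StringBuilder text = new StringBuilder();
        int selStart, selEnd;

        /** Replaces the text but leaves the offsets untouched, modelling the stale state. */
        void replaceAll(String s) {
            text.setLength(0);
            text.append(s);
        }

        /** The "reset the selection when focus returns" idea from comment 6. */
        void resetSelection() {
            selStart = selEnd = text.length();
        }
    }

    /** Unchecked read: trusts the stored offset, so a stale offset reaches substring(). */
    static String textBeforeCursorUnchecked(Buffer b, int n) {
        int a = Math.min(b.selStart, b.selEnd);
        if (a <= 0) return "";
        if (n > a) n = a;
        return b.text.substring(a - n, a);   // throws when a > text.length()
    }

    /** Checked read: clamps the offset into [0, length] before using it (comment 1's range check). */
    static String textBeforeCursorChecked(Buffer b, int n) {
        int len = b.text.length();
        int a = Math.max(0, Math.min(Math.min(b.selStart, b.selEnd), len));
        n = Math.max(0, Math.min(n, a));
        return b.text.substring(a - n, a);
    }

    public static void main(String[] args) {
        Buffer b = new Buffer();
        b.replaceAll("a long page of text");        // constructed sample input
        b.selStart = b.selEnd = b.text.length();    // cursor at the end of the long text
        b.replaceAll("short");                      // text shrinks, offsets stay where they were
        try {
            textBeforeCursorUnchecked(b, 1);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("unchecked read threw " + e.getClass().getSimpleName());
        }
        System.out.println("checked read: " + textBeforeCursorChecked(b, 1));
        b.resetSelection();
        System.out.println("after reset: " + textBeforeCursorUnchecked(b, 1));
    }
}
```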
Comment 7 Ryan VanderMeulen [:RyanVM] 2012-02-28 15:49:00 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/d923ae85be05
Comment 8 Matt Brubeck (:mbrubeck) 2012-02-29 11:21:38 PST
https://hg.mozilla.org/mozilla-central/rev/d923ae85be05
Comment 9 Scoobidiver (away) 2012-03-05 01:07:21 PST
There is still one crash in 13.0a1/20120303: bp-3baaaf1b-215f-4c5a-a11f-995d32120304
Comment 10 Brad Lassey [:blassey] (use needinfo?) 2012-03-05 13:28:29 PST
not blocking for 1 crash report
Comment 11 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-03-05 13:59:40 PST
Is https://crash-stats.mozilla.com/report/index/fe80b8ba-e5ec-4c3e-99c4-2d5172120304 the same crash?

java.lang.IndexOutOfBoundsException: setSpan (4 ... 5) ends beyond length 2
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:1016)
	at android.text.SpannableStringBuilder.setSpan(SpannableStringBuilder.java:543)
	at android.text.SpannableStringBuilder.setSpan(SpannableStringBuilder.java:535)
	at android.view.inputmethod.BaseInputConnection.setComposingRegion(BaseInputConnection.java:691)
	at org.mozilla.gecko.GeckoInputConnection.setComposingRegion(GeckoInputConnection.java:332)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:327)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:130)
	at org.mozilla.gecko.GeckoApp$32.run(GeckoApp.java:1777)
	at android.os.Handler.handleCallback(Handler.java:587)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:130)
	at android.app.ActivityThread.main(ActivityThread.java:3859)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:507)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:840)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:598)
	at dalvik.system.NativeStart.main(Native Method)
Comment 12 Chris Peterson [:cpeterson] 2012-03-05 14:03:39 PST
@nhirata, yes, that crash is basically the same problem as this bug: SpannableStringBuilder.checkRange() finds an index greater than the length of the string.
Comment 14 Chris Peterson [:cpeterson] 2012-03-06 15:53:58 PST
*** Bug 663930 has been marked as a duplicate of this bug. ***
Comment 15 Scoobidiver (away) 2012-03-08 07:56:02 PST
It still crashes in 13.0a1/20120307: bp-28cb5938-ed29-48b5-8382-72b442120308
Comment 16 Brad Lassey [:blassey] (use needinfo?) 2012-03-08 09:39:43 PST
(In reply to Scoobidiver from comment #15)
> It still crashes in 13.0a1/20120307: bp-28cb5938-ed29-48b5-8382-72b442120308

It looks like the patch at least reduced the issue. Scoobidiver, could you file another bug to track any remaining issues?
Comment 17 Scoobidiver (away) 2012-03-08 09:53:15 PST
(In reply to Brad Lassey [:blassey] from comment #16)
> Scoobidiver, could you file another bug to track any remaining issues?
I filed bug 734156.
Comment 18 Paul Feher 2012-06-14 08:18:01 PDT
Closing this as verified/fixed since it was not reproduced for the last 4 weeks
Comment 19 Scoobidiver (away) 2012-06-14 08:55:08 PDT
(In reply to Paul Feher from comment #18)
> Closing this as verified/fixed since it was not reproduced for the last 4 weeks
There are 76 crashes over the last week: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=ALL%3AALL&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&reason=&do_query=1

They are tracked in bug 747629 and bug 760396.