java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java)

RESOLVED FIXED in Firefox 13

Status

Firefox for Android
General
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: cpeterson)

Tracking

({crash})

13 Branch
Firefox 13
ARM
Android
crash

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
After the fix of bug 725170, there are 4 crashes:
bp-3fedfed1-1c93-4aa5-8787-ec95c2120305 (20120301)
bp-3baaaf1b-215f-4c5a-a11f-995d32120304 (20120303)
bp-d6ad9528-cf15-4a0c-aa74-4efbd2120307 (20120307)
bp-28cb5938-ed29-48b5-8382-72b442120308 (20120307)

java.lang.IndexOutOfBoundsException: getChars (0 ... 8000) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextBeforeCursor(BaseInputConnection.java:311)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:202)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:73)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:123)
	at org.mozilla.gecko.GeckoApp$35.run(GeckoApp.java:1769)
	at android.os.Handler.handleCallback(Handler.java:587)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:123)
	at android.app.ActivityThread.main(ActivityThread.java:4627)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:521)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:858)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A13.0a1&range_value=1&range_unit=weeks&query_search=signature&query_type=startswith&query=java.lang.IndexOutOfBoundsException%3A+getChars&reason=&build_id=&process_type=any&hang_type=any&do_query=1
(Assignee)

Comment 1

6 years ago
I am testing a fix now.
Assignee: nobody → cpeterson
Status: NEW → ASSIGNED
(Assignee)

Comment 2

6 years ago
Created attachment 604266 [details] [diff] [review]
bug-734156-part-1-backout-d923ae85be05.patch

Backout ineffective workaround d923ae85be05 (Reset IME selection when Fennec resumes). It's not working, so I will post a different workaround.
Attachment #604266 - Flags: review?(blassey.bugs)
(Assignee)

Comment 3

6 years ago
Created attachment 604267 [details] [diff] [review]
bug-734156-part-2-clamp-selection.patch

Clamp current selection's indexes.

Android's BaseInputConnection.java is vulnerable to IndexOutOfBoundsExceptions because it does not adequately protect against stale indexes for selections exceeding the content length when the Editable content changes. We must clamp the indexes to be safe.

I suspect BaseInputConnection.java may have similar problems with stale indexes for composing spans. The workaround for those problems is pretty complicated, so I would prefer to wait and see if that potential problem arises.
Attachment #604267 - Flags: review?(blassey.bugs)
Attachment #604266 - Flags: review?(blassey.bugs) → review+
Attachment #604267 - Flags: review?(blassey.bugs) → review+
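
The clamping workaround described in comment 3, as an added plain-Java illustration (not the attached patch or Mozilla's code). A StringBuilder stands in for Android's Editable, all class and method names are hypothetical, and the sample offsets are constructed to mirror the 0 ... 8000 range in the reported exception.

```java
// Added illustration, not the bug's patch. StringBuilder stands in for Android's
// Editable; every class and method name here is hypothetical.
public class StaleSelectionDemo {
    /** Selection offsets cached separately from the text they index into. */
    static final class Sel {
        int start, end;
        Sel(int start, int end) { this.start = start; this.end = end; }
    }

    /** Failing pattern: trusts cached offsets against the current content. */
    static CharSequence beforeCursorUnchecked(CharSequence content, Sel sel, int n) {
        int a = Math.min(sel.start, sel.end);
        if (a <= 0) return "";
        return content.subSequence(Math.max(0, a - n), a); // throws if a > length
    }

    static int clamp(int index, int length) {
        return Math.max(0, Math.min(index, length));
    }

    /** Workaround pattern: clamp both offsets to the live length before use. */
    static CharSequence beforeCursorClamped(CharSequence content, Sel sel, int n) {
        int len = content.length();
        sel.start = clamp(sel.start, len);
        sel.end = clamp(sel.end, len);
        return beforeCursorUnchecked(content, sel, n);
    }

    public static void main(String[] args) {
        // Constructed sample: 8000 characters with the cursor at the end.
        StringBuilder content = new StringBuilder();
        for (int i = 0; i < 8000; i++) content.append('x');
        Sel sel = new Sel(8000, 8000);

        content.setLength(0); // content replaced; cached selection is now stale

        try {
            beforeCursorUnchecked(content, sel, 8000);
            System.out.println("unchecked: no exception");
        } catch (IndexOutOfBoundsException e) {
            System.out.println("unchecked: " + e);
        }

        CharSequence text = beforeCursorClamped(content, sel, 8000);
        System.out.println("clamped: length=" + text.length()
                + " selection=" + sel.start + ".." + sel.end);
    }
}
```
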
(Assignee)

Updated

6 years ago
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/d86407a9f476
https://hg.mozilla.org/integration/mozilla-inbound/rev/9d5bc6ed7214
Keywords: checkin-needed
Target Milestone: --- → Firefox 13
https://hg.mozilla.org/mozilla-central/rev/d86407a9f476
https://hg.mozilla.org/mozilla-central/rev/9d5bc6ed7214
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: 40504 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) ] [@ java.lang.IndexOutOfBoundsException: getChars (114 ... 116) ends beyond length 115 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.j… → at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) ] 40504 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) ] [@ java.lang.IndexOutOfBoundsException: getChars (114 ... 116) ends beyond leng…
(Assignee)

Updated

6 years ago
Blocks: 749571
(Assignee)

Updated

6 years ago
Blocks: 738331
(Assignee)

Updated

5 years ago
Blocks: 772225