734156 - java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java)

Status: RESOLVED FIXED

(Firefox for Android Graveyard :: General, defect)

Description

[Scoobidiver (away)]

After the fix of bug 725170, there are 4 crashes:
bp-3fedfed1-1c93-4aa5-8787-ec95c2120305 (20120301)
bp-3baaaf1b-215f-4c5a-a11f-995d32120304 (20120303)
bp-d6ad9528-cf15-4a0c-aa74-4efbd2120307 (20120307)
bp-28cb5938-ed29-48b5-8382-72b442120308 (20120307)

java.lang.IndexOutOfBoundsException: getChars (0 ... 8000) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextBeforeCursor(BaseInputConnection.java:311)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:202)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:73)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:123)
	at org.mozilla.gecko.GeckoApp$35.run(GeckoApp.java:1769)
	at android.os.Handler.handleCallback(Handler.java:587)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:123)
	at android.app.ActivityThread.main(ActivityThread.java:4627)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:521)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:858)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A13.0a1&range_value=1&range_unit=weeks&query_search=signature&query_type=startswith&query=java.lang.IndexOutOfBoundsException%3A+getChars&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Comment 1

[Chris Peterson [:cpeterson]]

I am testing a fix now.

Comment 2

[Chris Peterson [:cpeterson]]

Attachment: bug-734156-part-1-backout-d923ae85be05.patch

Backout ineffective workaround d923ae85be05 (Reset IME selection when Fennec resumes). It's not working, so I will post a different workaround.

Comment 3

[Chris Peterson [:cpeterson]]

Attachment: bug-734156-part-2-clamp-selection.patch

Clamp current selection's indexes.

Android's BaseInputConnection.java is vulnerable to IndexOutOfBoundsExceptions because it does not adequately protect against stale indexes for selections exceeding the content length when the Editable content changes. We must clamp the indexes to be safe.

I suspect BaseInputConnection.java may have similar problems with stale indexes for composing spans. The workaround for those problems is pretty complicated, so I would prefer to wait and see if that potential problem arises.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/d86407a9f476
https://hg.mozilla.org/integration/mozilla-inbound/rev/9d5bc6ed7214

Comment 5

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

https://hg.mozilla.org/mozilla-central/rev/d86407a9f476
https://hg.mozilla.org/mozilla-central/rev/9d5bc6ed7214