Closed Bug 747629 Opened 8 years ago Closed 7 years ago
.lang .Index Out Of Bounds Exception: get Chars (a ... b) ends beyond length c or has end before start at android .text .Spannable String Builder .check Range(Spannable String Builder .java) at android .text .Text Utils .get Chars
13.60 KB, patch
|Details | Diff | Splinter Review|
13.31 KB, patch
|Details | Diff | Splinter Review|
6.18 KB, patch
|Details | Diff | Splinter Review|
It has the same stack as bug 731156. There is about one crash a week, the latest one happened in 14.0a1/20120420: bp-0245e849-ab02-4b55-88e0-1a8572120421. java.lang.IndexOutOfBoundsException: getChars (1 ... 1) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943) at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847) at android.text.TextUtils.getChars(TextUtils.java:69) at android.text.TextUtils.substring(TextUtils.java:255) at android.view.inputmethod.BaseInputConnection.getTextAfterCursor(BaseInputConnection.java:375) at org.mozilla.gecko.GeckoInputConnection.getTextAfterCursor(GeckoInputConnection.java:287) at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:196) at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75) at android.os.Handler.dispatchMessage(Handler.java:99) at android.os.Looper.loop(Looper.java:130) at android.app.ActivityThread.main(ActivityThread.java:3703) at java.lang.reflect.Method.invokeNative(Native Method) at java.lang.reflect.Method.invoke(Method.java:507) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:841) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:599) at dalvik.system.NativeStart.main(Native Method) More reports at: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A14.0a1&range_value=4&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&reason=&do_query=1
Summary: java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) → java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars
My fix for bug 765831 (part-4-clamp-getTextBeforeAfterCursor.patch) should fix this SpannableStringBuilder exception.
There are still crashes in the trunk. See bp-6373cafe-5bda-489b-a107-493132120626.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The fix for bug 769520, which landed in build Nightly 16 (2012-07-10), should have fixed these IndexOutOfBoundsExceptions. I'm resolving this bug as FIXED because I do not see any IndexOutOfBoundsExceptions in Socorro for builds >= Nightly 16 (2012-07-10).
Reopening after the backout of bug 769520. See bp-20583978-db7c-456c-8ea3-298cd2120908
There are currently 34 crashes in 15.0.1 in the first hours of its release. It makes it #14 top crasher.
There are now 91 crashes that makes it #3 top crasher in 15.0.1.
Tracking for 16, assuming that Chris is going to work on a new fix for bug 769520 that doesn't cause the regressions we did 15.0.1 for (bug 780543 and bug 788600)
(In reply to Scoobidiver from comment #6) > There are now 91 crashes that makes it #3 top crasher in 15.0.1. Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
(In reply to Robert Kaiser (:firstname.lastname@example.org) from comment #8) > Didn't hold up though, it's not in the top 100 on 15.0.1 any more. There are 2650 crashes in 15.0.1 which makes it #2 top crasher: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A15.0.1&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&do_query=1 Bug 774366 comment 2 would help to have directly its right rank.
Part 1: Post (most) Gecko's IME callbacks from Gecko thread to UI thread. * This is a speculative band-aid fix. This patch (mostly) backs out the backout the "fixed" bug 780543. notifyIMEChange() is called on the Gecko thread. We want to run all InputMethodManager code on the UI thread to avoid IME race conditions that cause crashes like bug 747629. However, if notifySelectionChange() is run on the UI thread, it causes mysterious problems with repeating characters like bug 780543. This band-aid fix is to run all InputMethodManager code on the UI thread except notifySelectionChange() until I can find the root cause.
Attachment #663623 - Flags: review?(blassey.bugs)
Part 2: Assert IME code is running on UI thread.
Attachment #663625 - Flags: review?(blassey.bugs)
Part 3: Remove unnecessary InputMethodManager parameters.
Attachment #663626 - Flags: review?(blassey.bugs)
If we want it in 16.0b5, it should be reviewed quickly.
(In reply to Scoobidiver from comment #13) > If we want it in 16.0b5, it should be reviewed quickly. I'm just waiting for a review from blassey. However, this is a risky speculative change, so I would not feel comfortable landing this fix in 16.0b5 with just 0 or 1 days for testing on Nightly. Next week's 16.0b6 would be a more conservative target.
Attachment #663623 - Flags: review?(blassey.bugs) → review+
Attachment #663625 - Flags: review?(blassey.bugs) → review+
Attachment #663626 - Flags: review?(blassey.bugs) → review+
I landed my speculative fix on m-i: https://hg.mozilla.org/integration/mozilla-inbound/rev/4d33341a7ec3 https://hg.mozilla.org/integration/mozilla-inbound/rev/153fc8564818 https://hg.mozilla.org/integration/mozilla-inbound/rev/9f8dc0d8eb25 I will leave this bug open for a few days and watch if the Socorro crash reports quiet down.
Comparing the Socorro crash reports for IME IndexOutOfBoundsExceptions from the 4 days prior and the 4 days after my fix, I believe my fix worked: * Nightly 18 = 6 -> 0! * Aurora 17 = 6 -> 11 * Beta 16 = ~400 -> ~300 * Firefox 15 = ~900 -> ~1000
Status: REOPENED → RESOLVED
Closed: 8 years ago → 7 years ago
Resolution: --- → FIXED
Whiteboard: [native-crash], [leave open] → [native-crash]
(In reply to Chris Peterson (:cpeterson) from comment #14) > Next week's 16.0b6 would be a more conservative target. Based on this and comment 17, should we land it in Beta ASAP?
Target Milestone: --- → Firefox 18
I would like to uplift this fix to Aurora 17, but I am too paranoid to uplift this multithreaded IME fix to 16.0b6, our last beta before release. If I am reading the Socorro crash reports correctly, IME IndexOutOfBoundsExceptions in Beta 16 and Firefox 15 are far outnumbered by our libxul.so and libflashplayer.so crashes, so not uplifting this IME fix should have a huge impact on our topcrashes.
Comment on attachment 663623 [details] [diff] [review] part-1-post-IME-callbacks-v4.patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Backing out bug 769520 to fix regression bug 780543. User impact if declined: ~1000 IME crashes/week on Firefox 15. Testing completed (on m-c, etc.): m-c. Socorro crash reports are down to 0 with no recent IME regressions identified. Risk to taking this patch (and alternatives if risky): Medium risk because this fix affects IME and multithreaded code. This is a speculative band-aid fix. This patch reverses most of a backout. String or UUID changes made by this patch: N/A
Attachment #663623 - Flags: approval-mozilla-aurora?
Comment on attachment 663625 [details] [diff] [review] part-2-add-thread-asserts-v4.patch [Approval Request Comment] Bug 747629 patch 2 of 3 adds some DEBUG-only logging and asserts. It is not absolutely required, but it only affects DEBUG code paths. Including this patch makes uplifting other patches and debugging easier.
Attachment #663625 - Flags: approval-mozilla-aurora?
Comment on attachment 663626 [details] [diff] [review] part-3-remove-InputMethodManager-parameters.patch Bug 747629 patch 3 of 3 does not need to be uplifted.
Comment on attachment 663623 [details] [diff] [review] part-1-post-IME-callbacks-v4.patch [Triage Comment] We've seen regressions from IME fixes in the past, but given a whole beta cycle my hope is that we find them before release.
Attachment #663623 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #663625 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
No crashes on 17 or 18 in crash stats. Marking verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.