java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars

VERIFIED FIXED in Firefox 17

Status

()

Firefox for Android
Keyboards and IME
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: cpeterson)

Tracking

({crash, topcrash})

Trunk
Firefox 18
ARM
Android
crash, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox15- affected, firefox16- wontfix, firefox17+ fixed, firefox18 fixed)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
It has the same stack as bug 731156. There is about one crash a week, the latest one happened in 14.0a1/20120420: bp-0245e849-ab02-4b55-88e0-1a8572120421.

java.lang.IndexOutOfBoundsException: getChars (1 ... 1) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextAfterCursor(BaseInputConnection.java:375)
	at org.mozilla.gecko.GeckoInputConnection.getTextAfterCursor(GeckoInputConnection.java:287)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:196)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:130)
	at android.app.ActivityThread.main(ActivityThread.java:3703)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:507)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:841)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:599)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A14.0a1&range_value=4&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&reason=&do_query=1
(Reporter)

Updated

5 years ago
Summary: java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) → java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars
(Assignee)

Updated

5 years ago
status-firefox14: --- → affected
Component: General → IME
QA Contact: general → ime
(Assignee)

Updated

5 years ago
Depends on: 765831
(Assignee)

Comment 1

5 years ago
My fix for bug 765831 (part-4-clamp-getTextBeforeAfterCursor.patch) should fix this SpannableStringBuilder exception.
Assignee: nobody → cpeterson
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → affected
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Target Milestone: --- → Firefox 16
(Reporter)

Updated

5 years ago
status-firefox15: --- → affected
status-firefox16: affected → ---
(Reporter)

Comment 2

5 years ago
There are still crashes in the trunk. See bp-6373cafe-5bda-489b-a107-493132120626.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 3

5 years ago
The fix for bug 769520, which landed in build Nightly 16 (2012-07-10), should have fixed these IndexOutOfBoundsExceptions. I'm resolving this bug as FIXED because I do not see any IndexOutOfBoundsExceptions in Socorro for builds >= Nightly 16 (2012-07-10).
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
status-firefox15: affected → fixed
status-firefox16: --- → fixed
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Depends on: 769520
(Reporter)

Comment 4

5 years ago
Reopening after the backout of bug 769520.
See bp-20583978-db7c-456c-8ea3-298cd2120908
Status: RESOLVED → REOPENED
status-firefox14: affected → ---
status-firefox15: fixed → ---
status-firefox16: fixed → ---
Resolution: FIXED → ---
Target Milestone: Firefox 16 → ---
(Reporter)

Comment 5

5 years ago
There are currently 34 crashes in 15.0.1 in the first hours of its release. It makes it #14 top crasher.
(Reporter)

Comment 6

5 years ago
There are now 91 crashes that makes it #3 top crasher in 15.0.1.
tracking-firefox15: --- → ?
tracking-firefox16: --- → ?
Keywords: topcrash
tracking-firefox15: ? → -
tracking-firefox16: ? → +
Tracking for 16, assuming that Chris is going to work on a new fix for bug 769520 that doesn't cause the regressions we did 15.0.1 for (bug 780543 and bug 788600)

Updated

5 years ago
status-firefox15: --- → affected
status-firefox16: --- → affected

Comment 8

5 years ago
(In reply to Scoobidiver from comment #6)
> There are now 91 crashes that makes it #3 top crasher in 15.0.1.

Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
Keywords: topcrash
(Reporter)

Comment 9

5 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
There are 2650 crashes in 15.0.1 which makes it #2 top crasher: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A15.0.1&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&do_query=1

Bug 774366 comment 2 would help to have directly its right rank.
Keywords: topcrash
(Assignee)

Comment 10

5 years ago
Created attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

Part 1: Post (most) Gecko's IME callbacks from Gecko thread to UI thread.

* This is a speculative band-aid fix. This patch (mostly) backs out the backout the "fixed" bug 780543.

notifyIMEChange() is called on the Gecko thread. We want to run all InputMethodManager code on the UI thread to avoid IME race conditions that cause crashes like bug 747629. However, if notifySelectionChange() is run on the UI thread, it causes mysterious problems with repeating characters like bug 780543. This band-aid fix is to run all InputMethodManager code on the UI thread except notifySelectionChange() until I can find the root cause.
Attachment #663623 - Flags: review?(blassey.bugs)
(Assignee)

Comment 11

5 years ago
Created attachment 663625 [details] [diff] [review]
part-2-add-thread-asserts-v4.patch

Part 2: Assert IME code is running on UI thread.
Attachment #663625 - Flags: review?(blassey.bugs)
(Assignee)

Comment 12

5 years ago
Created attachment 663626 [details] [diff] [review]
part-3-remove-InputMethodManager-parameters.patch

Part 3: Remove unnecessary InputMethodManager parameters.
Attachment #663626 - Flags: review?(blassey.bugs)
(Reporter)

Comment 13

5 years ago
If we want it in 16.0b5, it should be reviewed quickly.
(Assignee)

Comment 14

5 years ago
(In reply to Scoobidiver from comment #13)
> If we want it in 16.0b5, it should be reviewed quickly.

I'm just waiting for a review from blassey.

However, this is a risky speculative change, so I would not feel comfortable landing this fix in 16.0b5 with just 0 or 1 days for testing on Nightly. Next week's 16.0b6 would be a more conservative target.
Attachment #663623 - Flags: review?(blassey.bugs) → review+
Attachment #663625 - Flags: review?(blassey.bugs) → review+
Attachment #663626 - Flags: review?(blassey.bugs) → review+

Updated

5 years ago
status-firefox16: affected → wontfix
tracking-firefox16: + → -
tracking-firefox17: --- → +
(Assignee)

Comment 15

5 years ago
I landed my speculative fix on m-i:

https://hg.mozilla.org/integration/mozilla-inbound/rev/4d33341a7ec3
https://hg.mozilla.org/integration/mozilla-inbound/rev/153fc8564818
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f8dc0d8eb25

I will leave this bug open for a few days and watch if the Socorro crash reports quiet down.
status-firefox17: --- → affected
status-firefox18: --- → fixed
Whiteboard: [native-crash] → [native-crash], [leave open]
https://hg.mozilla.org/mozilla-central/rev/4d33341a7ec3
https://hg.mozilla.org/mozilla-central/rev/153fc8564818
https://hg.mozilla.org/mozilla-central/rev/9f8dc0d8eb25
(Assignee)

Comment 17

5 years ago
Comparing the Socorro crash reports for IME IndexOutOfBoundsExceptions from the 4 days prior and the 4 days after my fix, I believe my fix worked:

  * Nightly 18 = 6 -> 0!
  * Aurora 17 = 6 -> 11
  * Beta 16 = ~400 -> ~300
  * Firefox 15 = ~900 -> ~1000
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
Whiteboard: [native-crash], [leave open] → [native-crash]
(Reporter)

Comment 18

5 years ago
(In reply to Chris Peterson (:cpeterson) from comment #14)
> Next week's 16.0b6 would be a more conservative target.
Based on this and comment 17, should we land it in Beta ASAP?
Target Milestone: --- → Firefox 18
(Assignee)

Comment 19

5 years ago
I would like to uplift this fix to Aurora 17, but I am too paranoid to uplift this multithreaded IME fix to 16.0b6, our last beta before release.

If I am reading the Socorro crash reports correctly, IME IndexOutOfBoundsExceptions in Beta 16 and Firefox 15 are far outnumbered by our libxul.so and libflashplayer.so crashes, so not uplifting this IME fix should have a huge impact on our topcrashes.
(Assignee)

Comment 20

5 years ago
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Backing out bug 769520 to fix regression bug 780543.
User impact if declined: ~1000 IME crashes/week on Firefox 15.
Testing completed (on m-c, etc.): m-c. Socorro crash reports are down to 0 with no recent IME regressions identified.
Risk to taking this patch (and alternatives if risky): Medium risk because this fix affects IME and multithreaded code. This is a speculative band-aid fix. This patch reverses most of a backout.
String or UUID changes made by this patch: N/A
Attachment #663623 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 21

5 years ago
Comment on attachment 663625 [details] [diff] [review]
part-2-add-thread-asserts-v4.patch

[Approval Request Comment]
Bug 747629 patch 2 of 3 adds some DEBUG-only logging and asserts. It is not absolutely required, but it only affects DEBUG code paths. Including this patch makes uplifting other patches and debugging easier.
Attachment #663625 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 22

5 years ago
Comment on attachment 663626 [details] [diff] [review]
part-3-remove-InputMethodManager-parameters.patch

Bug 747629 patch 3 of 3 does not need to be uplifted.
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Triage Comment]
We've seen regressions from IME fixes in the past, but given a whole beta cycle my hope is that we find them before release.
Attachment #663623 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Updated

5 years ago
Attachment #663625 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 24

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/286237ed62a9
https://hg.mozilla.org/releases/mozilla-aurora/rev/52a57e4fea0d
status-firefox17: affected → fixed
No crashes on 17 or 18 in crash stats. Marking verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.