Closed Bug 747629 Opened 8 years ago Closed 7 years ago

java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars

Categories

(Firefox for Android :: Keyboards and IME, defect, critical)

ARM
Android
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Firefox 18
Tracking Status
firefox15 - affected
firefox16 - wontfix
firefox17 + fixed
firefox18 --- fixed

People

(Reporter: scoobidiver, Assigned: cpeterson)

References

Details

(Keywords: crash, topcrash, Whiteboard: [native-crash])

Crash Data

Attachments

(3 files)

It has the same stack as bug 731156. There is about one crash a week, the latest one happened in 14.0a1/20120420: bp-0245e849-ab02-4b55-88e0-1a8572120421.

java.lang.IndexOutOfBoundsException: getChars (1 ... 1) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextAfterCursor(BaseInputConnection.java:375)
	at org.mozilla.gecko.GeckoInputConnection.getTextAfterCursor(GeckoInputConnection.java:287)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:196)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:130)
	at android.app.ActivityThread.main(ActivityThread.java:3703)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:507)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:841)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:599)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A14.0a1&range_value=4&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&reason=&do_query=1
Summary: java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) → java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars
Component: General → IME
QA Contact: general → ime
Depends on: 765831
My fix for bug 765831 (part-4-clamp-getTextBeforeAfterCursor.patch) should fix this SpannableStringBuilder exception.
Assignee: nobody → cpeterson
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 16
There are still crashes in the trunk. See bp-6373cafe-5bda-489b-a107-493132120626.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The fix for bug 769520, which landed in build Nightly 16 (2012-07-10), should have fixed these IndexOutOfBoundsExceptions. I'm resolving this bug as FIXED because I do not see any IndexOutOfBoundsExceptions in Socorro for builds >= Nightly 16 (2012-07-10).
Status: REOPENED → RESOLVED
Closed: 8 years ago8 years ago
Resolution: --- → FIXED
Depends on: 769520
Reopening after the backout of bug 769520.
See bp-20583978-db7c-456c-8ea3-298cd2120908
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: Firefox 16 → ---
There are currently 34 crashes in 15.0.1 in the first hours of its release. It makes it #14 top crasher.
There are now 91 crashes that makes it #3 top crasher in 15.0.1.
Keywords: topcrash
Tracking for 16, assuming that Chris is going to work on a new fix for bug 769520 that doesn't cause the regressions we did 15.0.1 for (bug 780543 and bug 788600)
(In reply to Scoobidiver from comment #6)
> There are now 91 crashes that makes it #3 top crasher in 15.0.1.

Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
Keywords: topcrash
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
There are 2650 crashes in 15.0.1 which makes it #2 top crasher: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A15.0.1&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&do_query=1

Bug 774366 comment 2 would help to have directly its right rank.
Keywords: topcrash
Part 1: Post (most) Gecko's IME callbacks from Gecko thread to UI thread.

* This is a speculative band-aid fix. This patch (mostly) backs out the backout the "fixed" bug 780543.

notifyIMEChange() is called on the Gecko thread. We want to run all InputMethodManager code on the UI thread to avoid IME race conditions that cause crashes like bug 747629. However, if notifySelectionChange() is run on the UI thread, it causes mysterious problems with repeating characters like bug 780543. This band-aid fix is to run all InputMethodManager code on the UI thread except notifySelectionChange() until I can find the root cause.
Attachment #663623 - Flags: review?(blassey.bugs)
Part 2: Assert IME code is running on UI thread.
Attachment #663625 - Flags: review?(blassey.bugs)
Part 3: Remove unnecessary InputMethodManager parameters.
Attachment #663626 - Flags: review?(blassey.bugs)
If we want it in 16.0b5, it should be reviewed quickly.
(In reply to Scoobidiver from comment #13)
> If we want it in 16.0b5, it should be reviewed quickly.

I'm just waiting for a review from blassey.

However, this is a risky speculative change, so I would not feel comfortable landing this fix in 16.0b5 with just 0 or 1 days for testing on Nightly. Next week's 16.0b6 would be a more conservative target.
Attachment #663623 - Flags: review?(blassey.bugs) → review+
Attachment #663625 - Flags: review?(blassey.bugs) → review+
Attachment #663626 - Flags: review?(blassey.bugs) → review+
I landed my speculative fix on m-i:

https://hg.mozilla.org/integration/mozilla-inbound/rev/4d33341a7ec3
https://hg.mozilla.org/integration/mozilla-inbound/rev/153fc8564818
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f8dc0d8eb25

I will leave this bug open for a few days and watch if the Socorro crash reports quiet down.
Whiteboard: [native-crash] → [native-crash], [leave open]
Comparing the Socorro crash reports for IME IndexOutOfBoundsExceptions from the 4 days prior and the 4 days after my fix, I believe my fix worked:

  * Nightly 18 = 6 -> 0!
  * Aurora 17 = 6 -> 11
  * Beta 16 = ~400 -> ~300
  * Firefox 15 = ~900 -> ~1000
Status: REOPENED → RESOLVED
Closed: 8 years ago7 years ago
Resolution: --- → FIXED
Whiteboard: [native-crash], [leave open] → [native-crash]
(In reply to Chris Peterson (:cpeterson) from comment #14)
> Next week's 16.0b6 would be a more conservative target.
Based on this and comment 17, should we land it in Beta ASAP?
Target Milestone: --- → Firefox 18
I would like to uplift this fix to Aurora 17, but I am too paranoid to uplift this multithreaded IME fix to 16.0b6, our last beta before release.

If I am reading the Socorro crash reports correctly, IME IndexOutOfBoundsExceptions in Beta 16 and Firefox 15 are far outnumbered by our libxul.so and libflashplayer.so crashes, so not uplifting this IME fix should have a huge impact on our topcrashes.
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Backing out bug 769520 to fix regression bug 780543.
User impact if declined: ~1000 IME crashes/week on Firefox 15.
Testing completed (on m-c, etc.): m-c. Socorro crash reports are down to 0 with no recent IME regressions identified.
Risk to taking this patch (and alternatives if risky): Medium risk because this fix affects IME and multithreaded code. This is a speculative band-aid fix. This patch reverses most of a backout.
String or UUID changes made by this patch: N/A
Attachment #663623 - Flags: approval-mozilla-aurora?
Comment on attachment 663625 [details] [diff] [review]
part-2-add-thread-asserts-v4.patch

[Approval Request Comment]
Bug 747629 patch 2 of 3 adds some DEBUG-only logging and asserts. It is not absolutely required, but it only affects DEBUG code paths. Including this patch makes uplifting other patches and debugging easier.
Attachment #663625 - Flags: approval-mozilla-aurora?
Comment on attachment 663626 [details] [diff] [review]
part-3-remove-InputMethodManager-parameters.patch

Bug 747629 patch 3 of 3 does not need to be uplifted.
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Triage Comment]
We've seen regressions from IME fixes in the past, but given a whole beta cycle my hope is that we find them before release.
Attachment #663623 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #663625 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
No crashes on 17 or 18 in crash stats. Marking verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.