Last Comment Bug 747629 - java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c or has end before start at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at android.text.TextUtils.getChars
: java.lang.IndexOutOfBoundsException: getChars (a ... b) ends beyond length c ...
Status: VERIFIED FIXED
[native-crash]
: crash, topcrash
Product: Firefox for Android
Classification: Client Software
Component: Keyboards and IME (show other bugs)
: Trunk
: ARM Android
: -- critical (vote)
: Firefox 18
Assigned To: Chris Peterson [:cpeterson]
:
Mentors:
Depends on: 765831 769520
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-21 05:08 PDT by Scoobidiver (away)
Modified: 2013-01-02 11:16 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
affected
-
wontfix
+
fixed
fixed


Attachments
part-1-post-IME-callbacks-v4.patch (13.60 KB, patch)
2012-09-21 18:53 PDT, Chris Peterson [:cpeterson]
blassey.bugs: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Review
part-2-add-thread-asserts-v4.patch (13.31 KB, patch)
2012-09-21 18:54 PDT, Chris Peterson [:cpeterson]
blassey.bugs: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Review
part-3-remove-InputMethodManager-parameters.patch (6.18 KB, patch)
2012-09-21 18:55 PDT, Chris Peterson [:cpeterson]
blassey.bugs: review+
Details | Diff | Review

Description Scoobidiver (away) 2012-04-21 05:08:23 PDT
It has the same stack as bug 731156. There is about one crash a week, the latest one happened in 14.0a1/20120420: bp-0245e849-ab02-4b55-88e0-1a8572120421.

java.lang.IndexOutOfBoundsException: getChars (1 ... 1) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:943)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:847)
	at android.text.TextUtils.getChars(TextUtils.java:69)
	at android.text.TextUtils.substring(TextUtils.java:255)
	at android.view.inputmethod.BaseInputConnection.getTextAfterCursor(BaseInputConnection.java:375)
	at org.mozilla.gecko.GeckoInputConnection.getTextAfterCursor(GeckoInputConnection.java:287)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:196)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:130)
	at android.app.ActivityThread.main(ActivityThread.java:3703)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:507)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:841)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:599)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A14.0a1&range_value=4&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&reason=&do_query=1
Comment 1 Chris Peterson [:cpeterson] 2012-06-20 10:28:48 PDT
My fix for bug 765831 (part-4-clamp-getTextBeforeAfterCursor.patch) should fix this SpannableStringBuilder exception.
Comment 2 Scoobidiver (away) 2012-06-26 13:38:05 PDT
There are still crashes in the trunk. See bp-6373cafe-5bda-489b-a107-493132120626.
Comment 3 Chris Peterson [:cpeterson] 2012-07-16 15:34:07 PDT
The fix for bug 769520, which landed in build Nightly 16 (2012-07-10), should have fixed these IndexOutOfBoundsExceptions. I'm resolving this bug as FIXED because I do not see any IndexOutOfBoundsExceptions in Socorro for builds >= Nightly 16 (2012-07-10).
Comment 4 Scoobidiver (away) 2012-09-09 00:11:32 PDT
Reopening after the backout of bug 769520.
See bp-20583978-db7c-456c-8ea3-298cd2120908
Comment 5 Scoobidiver (away) 2012-09-11 03:02:51 PDT
There are currently 34 crashes in 15.0.1 in the first hours of its release. It makes it #14 top crasher.
Comment 6 Scoobidiver (away) 2012-09-11 08:28:51 PDT
There are now 91 crashes that makes it #3 top crasher in 15.0.1.
Comment 7 Lukas Blakk [:lsblakk] use ?needinfo 2012-09-12 15:12:43 PDT
Tracking for 16, assuming that Chris is going to work on a new fix for bug 769520 that doesn't cause the regressions we did 15.0.1 for (bug 780543 and bug 788600)
Comment 8 Robert Kaiser (not working on stability any more) 2012-09-20 09:54:09 PDT
(In reply to Scoobidiver from comment #6)
> There are now 91 crashes that makes it #3 top crasher in 15.0.1.

Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
Comment 9 Scoobidiver (away) 2012-09-20 10:12:05 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> Didn't hold up though, it's not in the top 100 on 15.0.1 any more.
There are 2650 crashes in 15.0.1 which makes it #2 top crasher: https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A15.0.1&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&do_query=1

Bug 774366 comment 2 would help to have directly its right rank.
Comment 10 Chris Peterson [:cpeterson] 2012-09-21 18:53:41 PDT
Created attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

Part 1: Post (most) Gecko's IME callbacks from Gecko thread to UI thread.

* This is a speculative band-aid fix. This patch (mostly) backs out the backout the "fixed" bug 780543.

notifyIMEChange() is called on the Gecko thread. We want to run all InputMethodManager code on the UI thread to avoid IME race conditions that cause crashes like bug 747629. However, if notifySelectionChange() is run on the UI thread, it causes mysterious problems with repeating characters like bug 780543. This band-aid fix is to run all InputMethodManager code on the UI thread except notifySelectionChange() until I can find the root cause.
Comment 11 Chris Peterson [:cpeterson] 2012-09-21 18:54:17 PDT
Created attachment 663625 [details] [diff] [review]
part-2-add-thread-asserts-v4.patch

Part 2: Assert IME code is running on UI thread.
Comment 12 Chris Peterson [:cpeterson] 2012-09-21 18:55:10 PDT
Created attachment 663626 [details] [diff] [review]
part-3-remove-InputMethodManager-parameters.patch

Part 3: Remove unnecessary InputMethodManager parameters.
Comment 13 Scoobidiver (away) 2012-09-24 14:52:53 PDT
If we want it in 16.0b5, it should be reviewed quickly.
Comment 14 Chris Peterson [:cpeterson] 2012-09-24 15:02:47 PDT
(In reply to Scoobidiver from comment #13)
> If we want it in 16.0b5, it should be reviewed quickly.

I'm just waiting for a review from blassey.

However, this is a risky speculative change, so I would not feel comfortable landing this fix in 16.0b5 with just 0 or 1 days for testing on Nightly. Next week's 16.0b6 would be a more conservative target.
Comment 15 Chris Peterson [:cpeterson] 2012-09-26 19:29:41 PDT
I landed my speculative fix on m-i:

https://hg.mozilla.org/integration/mozilla-inbound/rev/4d33341a7ec3
https://hg.mozilla.org/integration/mozilla-inbound/rev/153fc8564818
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f8dc0d8eb25

I will leave this bug open for a few days and watch if the Socorro crash reports quiet down.
Comment 17 Chris Peterson [:cpeterson] 2012-10-01 13:07:50 PDT
Comparing the Socorro crash reports for IME IndexOutOfBoundsExceptions from the 4 days prior and the 4 days after my fix, I believe my fix worked:

  * Nightly 18 = 6 -> 0!
  * Aurora 17 = 6 -> 11
  * Beta 16 = ~400 -> ~300
  * Firefox 15 = ~900 -> ~1000
Comment 18 Scoobidiver (away) 2012-10-01 13:34:18 PDT
(In reply to Chris Peterson (:cpeterson) from comment #14)
> Next week's 16.0b6 would be a more conservative target.
Based on this and comment 17, should we land it in Beta ASAP?
Comment 19 Chris Peterson [:cpeterson] 2012-10-01 14:36:01 PDT
I would like to uplift this fix to Aurora 17, but I am too paranoid to uplift this multithreaded IME fix to 16.0b6, our last beta before release.

If I am reading the Socorro crash reports correctly, IME IndexOutOfBoundsExceptions in Beta 16 and Firefox 15 are far outnumbered by our libxul.so and libflashplayer.so crashes, so not uplifting this IME fix should have a huge impact on our topcrashes.
Comment 20 Chris Peterson [:cpeterson] 2012-10-01 14:40:59 PDT
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Backing out bug 769520 to fix regression bug 780543.
User impact if declined: ~1000 IME crashes/week on Firefox 15.
Testing completed (on m-c, etc.): m-c. Socorro crash reports are down to 0 with no recent IME regressions identified.
Risk to taking this patch (and alternatives if risky): Medium risk because this fix affects IME and multithreaded code. This is a speculative band-aid fix. This patch reverses most of a backout.
String or UUID changes made by this patch: N/A
Comment 21 Chris Peterson [:cpeterson] 2012-10-01 14:44:51 PDT
Comment on attachment 663625 [details] [diff] [review]
part-2-add-thread-asserts-v4.patch

[Approval Request Comment]
Bug 747629 patch 2 of 3 adds some DEBUG-only logging and asserts. It is not absolutely required, but it only affects DEBUG code paths. Including this patch makes uplifting other patches and debugging easier.
Comment 22 Chris Peterson [:cpeterson] 2012-10-01 14:45:21 PDT
Comment on attachment 663626 [details] [diff] [review]
part-3-remove-InputMethodManager-parameters.patch

Bug 747629 patch 3 of 3 does not need to be uplifted.
Comment 23 Alex Keybl [:akeybl] 2012-10-01 15:18:20 PDT
Comment on attachment 663623 [details] [diff] [review]
part-1-post-IME-callbacks-v4.patch

[Triage Comment]
We've seen regressions from IME fixes in the past, but given a whole beta cycle my hope is that we find them before release.
Comment 25 Kevin Brosnan [:kbrosnan] 2013-01-02 11:16:43 PST
No crashes on 17 or 18 in crash stats. Marking verified.

Note You need to log in before you can comment on or make changes to this bug.