java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) or java.nio.Buffer.limitImpl(Buffer.java) or java.nio.Buffer.position(Buffer.java) or java.nio.Buffer.positionImpl(Buffer.java)

RESOLVED FIXED in Firefox 16

Status: RESOLVED FIXED
Product: Firefox for Android
Component: General
Severity: critical
Reported: 5 years ago, last modified: 9 months ago

People: Reporter: Scoobidiver (away), Assigned: kats

Tracking: Version: 16 Branch, Target Milestone: Firefox 16, Hardware: ARM, OS: Android
Keywords: crash, regression, reproducible, topcrash
Firefox Tracking Flags: firefox15 unaffected, firefox16 fixed
Whiteboard: [native-crash] [QA^] (crash signature set)

Attachments: 2 attachments, 2 obsolete attachments

Description (Reporter, 5 years ago)
It first appeared in 16.0a1/20120615144113 and there are currently 17 crashes.
The regression window is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=da8c6039c25e&tochange=4e3362864fbd
It's likely a regression from bug 755070.

java.lang.IllegalArgumentException
	at java.nio.Buffer.limit(Buffer.java:251)
	at org.mozilla.gecko.gfx.ScreenshotLayer$ScreenshotImage.copyBuffer(ScreenshotLayer.java:137)
	at org.mozilla.gecko.gfx.ScreenshotLayer$ScreenshotImage.setBitmap(ScreenshotLayer.java:144)
	at org.mozilla.gecko.gfx.ScreenshotLayer.setBitmap(ScreenshotLayer.java:53)
	at org.mozilla.gecko.gfx.LayerRenderer.setCheckerboardBitmap(LayerRenderer.java:138)
	at org.mozilla.gecko.ScreenshotHandler$1.run(GeckoAppShell.java:2338)
	at android.os.Handler.handleCallback(Handler.java:587)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:123)
	at org.mozilla.gecko.GeckoBackgroundThread.run(GeckoBackgroundThread.java:31)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=ALL%3AALL&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=java.nio.Buffer&do_query=1
Updated (Reporter, 5 years ago)
Crash Signature: [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad position (limit 2097152): -40 at java.nio.Buffer.positionImpl(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad posi… → [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad position (limit 2097152): -40 at java.nio.Buffer.positionImpl(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad posi…
Updated (Reporter, 5 years ago)
Crash Signature: [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad position (limit 2097152): -40 at java.nio.Buffer.positionImpl(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad posi… → [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: at java.nio.Buffer.positionImpl(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad position (limit 2097152): -40 at java.…
I can reproduce this on my Galaxy Nexus in current trunk build when visiting https://www.ziggo.nl/producten/alles-in-1/
I had to set the user agent (with Phony) to phone Android, though.
Hmm, and now I can't reproduce anymore.
Updated (Reporter, 5 years ago)
Crash Signature: [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: at java.nio.Buffer.positionImpl(Buffer.java) ] [@ java.lang.IllegalArgumentException: Bad position (limit 2097152): -40 at java.… → [@ java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) ] [@ java.lang.IllegalArgumentException: at java.nio.Buffer.position(Buffer.java) ] [@ java.lang.IllegalArgumentException: at java.nio.Buffer.positionImpl(Buffer.java) ]…
Summary: java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) or java.nio.Buffer.limitImpl(Buffer.java) or java.nio.Buffer.positionImpl(Buffer.java) → java.lang.IllegalArgumentException: at java.nio.Buffer.limit(Buffer.java) or java.nio.Buffer.limitImpl(Buffer.java) or java.nio.Buffer.position(Buffer.java) or java.nio.Buffer.positionImpl(Buffer.java)
This crash has occurred on the latest Nightly build while I was trying to use the Google Vkb. I will try to find some certain steps for it:

https://crash-stats.mozilla.com/report/index/bp-8a9cb080-f141-479b-8035-940832120618

--
Firefox 16.0a1 (2012-06-18)
Device: Galaxy Nexus
OS: Android 4.0.2
STR:

1. www.ups.com, pick your country
2. Tap into the top left package tracker, the virtual-keyboard is invoked

Leave device idle; track dozens of GeckoScreenshots in logcat. Fennec eventually crashes.

Steps to reproduce:
1. Open Fennec
2. Go to google.com
3. Tap on Images from the top menu
4. Tap on Google's vkb button from the search input field
5. Insert a couple of chars from it and wait

Expected result:
No crash occurs after step 5.

Actual result:
This crash occurs after step 5. Here are some reports:

https://crash-stats.mozilla.com/report/index/bp-084b2cb6-5bca-4ded-afe2-dfe932120618
https://crash-stats.mozilla.com/report/index/bp-20f8fd34-e2c7-49a3-842b-cf99c2120618
https://crash-stats.mozilla.com/report/index/bp-bde4fb7b-89b8-4b77-9a0a-dbf482120618
Keywords: reproducible
(In reply to Cristian Nicolae (:xti) from comment #5)
> https://crash-stats.mozilla.com/report/index/bp-084b2cb6-5bca-4ded-afe2-dfe932120618
> https://crash-stats.mozilla.com/report/index/bp-20f8fd34-e2c7-49a3-842b-cf99c2120618
> https://crash-stats.mozilla.com/report/index/bp-bde4fb7b-89b8-4b77-9a0a-dbf482120618

bug 765712
Simpler STR:

1. Go to google.com (classic version)
2. Put the app in background
3. Go to Android settings and wait

Note:
First, it will take some time until the first crash, but then those crashes will happen more and more frequently, until there is a crash every 10s or less.
status-firefox16: --- → affected
status-firefox15: --- → unaffected
blassey, this Fennec 16 topcrash looks like fallout from the new screenshot code (bug 755070).
Assignee: nobody → blassey.bugs

Updated (5 years ago)
Duplicate of this bug: 765712
Depends on: 766643
No longer blocks: 755070
http://www.neowin.net also seems to cause this crash after a while.

Comment 11 (5 years ago)
Dropping my crash here as I might have STR bp-2303d363-45f2-45ca-8fca-c24842120621

Comment 12 (5 years ago)
bp-b43291c5-68d7-4d3d-bb80-fc4402120624

Crashing while logging in or ordering from www.atumesa.com on an Xperia pro.
Created attachment 636206 [details] [diff] [review]
patch

not sure why I did (rect.bottom - 1) here
Attachment #636206 - Flags: review?(bugmail.mozilla)
Comment on attachment 636206 [details] [diff] [review]
patch

Review of attachment 636206 [details] [diff] [review]:
-----------------------------------------------------------------

I don't think this is right. The code in AndroidBridge::TakeScreenshot calls notifyScreenShot with the parameters (dstX, dstY, dstX + dstW, dstY + dstH) which end up becoming the left, top, right, and bottom of the rect. If dstX = 0, dstY = 0, dstW = 10, and dstH = 10, then rect.right + rect.bottom * stride = 10 + 10 * 10 = 110, which exceeds the 100 pixels (dstW * dstH) that were actually painted. That's why I suggested using rect.bottom - 1, but I guess that's not right either for some cases.
Attachment #636206 - Flags: review?(bugmail.mozilla) → review-
Created attachment 636319 [details] [diff] [review]
Slightly tested patch

buffer.left and buffer.right need to be multiplied by 2 as well to account for 16bpp. This version should in theory never throw an exception because of the clamping. If things don't screenshot fully then there are errors elsewhere (probably in the slicing code, as mentioned on IRC).
Attachment #636319 - Flags: review?(blassey.bugs)
Comment on attachment 636319 [details] [diff] [review]
Slightly tested patch

This prevents the crash using the STR AaronMT provided (go to ups.com and pick a country if needed, put focus in the tracking id textbox, and wait).

The crash is prevented by the clamping, since the rect is still (0, 0, 0, 0) and end is still calculated to be 1024.
Attachment #636319 - Attachment description: Completely untested patch → Slightly tested patch
Also I see scheduleCheckerboardScreenshotEvent getting called with these parameters when this happens:
sx = 18, sy = 135, sw = 1, sh = 15, dx = 9, dy = 239, dw = 0, dh = 26
Created attachment 636334 [details] [diff] [review]
Patch

This one also kills the useless screenshotting when the dest area has zero width or height.
Attachment #636319 - Attachment is obsolete: true
Attachment #636319 - Flags: review?(blassey.bugs)
Attachment #636334 - Flags: review?(blassey.bugs)
Comment on attachment 636334 [details] [diff] [review]
Patch

Review of attachment 636334 [details] [diff] [review]:
-----------------------------------------------------------------

::: mobile/android/base/gfx/ScreenshotLayer.java
@@ +129,5 @@
>                  super.finalize();
>              }
>          }
>  
> +        void copyBuffer(ByteBuffer src, ByteBuffer dst, Rect rect, int bufferWidth) {
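Review bot: the new parameter is named bufferWidth but the body uses it as a row stride in pixels; if the pixel buffer's stride can differ from its visible width (row padding), passing the width silently shifts every row after the first. Name it for what it is (stride) and document its unit, because the `* 2 // 2 for 16bpp` conversion below only works if the value is in pixels, not bytes.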

r- for this change, just pass the stride

@@ +134,5 @@
> +            int start = (rect.left + rect.top * bufferWidth) * 2; // 2 for 16bpp
> +            int end = (rect.right + (rect.bottom - 1) * bufferWidth) * 2; // 2 for 16bpp
> +            // clamp stuff just to be safe
> +            start = Math.max(0, Math.min(dst.limit(), Math.min(src.limit(), start)));
> +            end = Math.max(start, Math.min(dst.limit(), Math.min(src.limit(), end)));
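Review bot: the clamps use src.limit() and dst.limit(), but src's limit is exactly what this method is about to set, so a previous call that left a short limit would shrink every later copy; clamp to capacity() instead, which is the bound that position()/limit() actually check against. Two smaller points on the same lines: for an empty rect (rect.bottom == rect.top) the `(rect.bottom - 1) * bufferWidth` term makes `end` fall below `start`, which `Math.max(start, ...)` turns into a silent zero-length copy rather than an explicit early return for a zero-area rect, and the repeated `* 2; // 2 for 16bpp` literal belongs in a named constant so the two lines cannot drift apart.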

I think you actually want to clamp to src.capacity() here, since you'll be setting the src buffer's limit below and we only need to make sure that that call is valid.
Attachment #636334 - Flags: review?(blassey.bugs) → review-
Created attachment 637002 [details] [diff] [review]
Patch (v2)
Attachment #636334 - Attachment is obsolete: true
Attachment #637002 - Flags: review?(blassey.bugs)
Attachment #637002 - Flags: review?(blassey.bugs) → review+
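Pulling the review discussion above together, here is an added stand-alone Java example. It is not Fennec code and not the attached patch; it models what the reviewers describe: a dirty rect over a 16bpp (RGB565) pixel buffer, the byte span that must be handed to ByteBuffer.position()/limit(), why the original `rect.right + rect.bottom * stride` end overshoots the buffer (the reviewer's 10 + 10 * 10 = 110 pixels against 100 painted), and the fixes discussed: the `(rect.bottom - 1)` row, the `* 2` for 16bpp, clamping against capacity() rather than limit(), and skipping a zero-width or zero-height destination. The `Rect` class, the buffer sizes and every value are constructed for this example, and the method name `copyBuffer` and the stride parameter only echo the names in the patch; the body is this example's own.

```java
import java.nio.ByteBuffer;

// Added example, not Fennec code or the attached patch. It models the
// ScreenshotLayer copyBuffer discussion above: a 16bpp (RGB565) pixel buffer,
// a dirty rect in pixel coordinates, and the byte span that must be handed to
// ByteBuffer.position()/limit() without throwing IllegalArgumentException.
public class ScreenshotCopyExample {
    static final int BYTES_PER_PIXEL = 2; // the "* 2 // 2 for 16bpp" in the patch

    // Minimal stand-in for android.graphics.Rect: right and bottom are exclusive.
    static final class Rect {
        final int left, top, right, bottom;
        Rect(int left, int top, int right, int bottom) {
            this.left = left; this.top = top; this.right = right; this.bottom = bottom;
        }
        boolean isEmpty() { return right <= left || bottom <= top; }
    }

    // First byte of the span: the first dirty pixel on the first dirty row.
    static int spanStart(Rect r, int stridePx) {
        return (r.left + r.top * stridePx) * BYTES_PER_PIXEL;
    }

    // The original end: one past rect.right on row rect.bottom. For a rect that
    // covers the whole buffer this is right + bottom*stride, i.e. 10 + 10*10 = 110
    // pixels in the reviewer's 10x10 example, past the 100 pixels that exist.
    static int naiveSpanEnd(Rect r, int stridePx) {
        return (r.right + r.bottom * stridePx) * BYTES_PER_PIXEL;
    }

    // Corrected end: the last dirty row is bottom - 1, so the exclusive end is
    // one past rect.right on that row. For the full 10x10 rect: 10 + 9*10 = 100.
    static int spanEnd(Rect r, int stridePx) {
        return (r.right + (r.bottom - 1) * stridePx) * BYTES_PER_PIXEL;
    }

    // Copies src[start, end) into dst at the same offsets and returns the byte
    // count. One contiguous span covers everything from the first dirty pixel to
    // the last one, so on the rows in between it also carries pixels outside the
    // rect; that is inherent in copying a row range as one block. It never throws
    // because start and end are clamped to capacity() before position()/limit().
    static int copyBuffer(ByteBuffer src, ByteBuffer dst, Rect rect, int stridePx) {
        if (rect.isEmpty()) {
            return 0; // zero-width or zero-height destination: nothing was painted
        }
        int start = spanStart(rect, stridePx);
        int end = spanEnd(rect, stridePx);

        // Clamp against capacity(), not limit(): limit() is what this method sets
        // on src, so clamping to it would let one short copy shrink every later one.
        // Using the smaller of the two capacities is this example's choice so the
        // put() into dst below is also guaranteed to fit.
        int cap = Math.min(src.capacity(), dst.capacity());
        start = Math.max(0, Math.min(cap, start));
        end = Math.max(start, Math.min(cap, end));

        // Work on duplicates so the callers' position/limit are left alone.
        ByteBuffer s = src.duplicate();
        ByteBuffer d = dst.duplicate();
        s.clear();           // position 0, limit capacity
        s.limit(end);        // valid: 0 <= end <= capacity
        s.position(start);   // valid: 0 <= start <= end == limit
        d.clear();
        d.position(start);   // d.remaining() >= s.remaining() because end <= dst.capacity()
        d.put(s);
        return end - start;
    }

    public static void main(String[] args) {
        int widthPx = 10, heightPx = 10; // constructed 10x10 RGB565 screenshot buffers
        ByteBuffer src = ByteBuffer.allocate(widthPx * heightPx * BYTES_PER_PIXEL);
        ByteBuffer dst = ByteBuffer.allocate(widthPx * heightPx * BYTES_PER_PIXEL);
        for (int i = 0; i < src.capacity(); i++) {
            src.put(i, (byte) i);
        }

        Rect full = new Rect(0, 0, widthPx, heightPx);
        System.out.println("capacity      = " + src.capacity());               // 200 bytes
        System.out.println("naive end     = " + naiveSpanEnd(full, widthPx));  // 220 bytes, past the end
        System.out.println("corrected end = " + spanEnd(full, widthPx));       // 200 bytes

        // The crash from the summary: the unclamped end handed straight to limit().
        try {
            src.duplicate().limit(naiveSpanEnd(full, widthPx));
        } catch (IllegalArgumentException e) {
            System.out.println("naive limit() throws: " + e);
        }

        System.out.println("full rect copied " + copyBuffer(src, dst, full, widthPx) + " bytes");

        // Zero-width destination, like the dw = 0 case logged above: rejected before any index math.
        Rect zeroWidth = new Rect(3, 2, 3, 7);
        System.out.println("zero-width rect copied " + copyBuffer(src, dst, zeroWidth, widthPx) + " bytes");

        // A rect hanging below the buffer is clamped to the last row instead of throwing.
        Rect overhang = new Rect(0, 8, widthPx, heightPx + 5);
        System.out.println("overhanging rect copied " + copyBuffer(src, dst, overhang, widthPx) + " bytes");
    }
}
```

Compile and run with `javac ScreenshotCopyExample.java && java ScreenshotCopyExample`. The try block reproduces the exception class from the bug summary on purpose; the three copyBuffer calls show the clamped path returning 200, 0 and 40 bytes without touching the callers' position or limit.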
Since the June 27 build, accessibility's Explore By Touch also triggers this bug. STR:

1. With ICS, TalkBack and Explore By Touch enabled in Accessibility settings, go to http://www.marcozehe.de.
2. Start sliding your finger down on the right-hand side until you reach the "Quick navigation keys now in Firefox for Android nightly builds" heading.
3. Slide down just a little bit more.

Result: Crash: bp-638e5071-5049-4766-9511-425a92120627
Whiteboard: [native-crash] → [native-crash] [QA^]
https://hg.mozilla.org/integration/mozilla-inbound/rev/7fa4b9a0d764
Assignee: blassey.bugs → bugmail.mozilla
status-firefox16: affected → fixed
Target Milestone: --- → Firefox 16
https://hg.mozilla.org/mozilla-central/rev/7fa4b9a0d764
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
tracking-fennec: ? → ---