java.lang.IndexOutOfBoundsException: getChars (0 ... <n>) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at org.mozilla.gecko.GeckoEditable.invoke(GeckoEditable.java)

RESOLVED FIXED in Firefox 20

Status

()

Firefox for Android
Keyboards and IME
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: jchen)

Tracking

({crash})

Trunk
Firefox 21
ARM
Android
crash
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox19 unaffected, firefox20+ fixed, firefox21 fixed)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is 
report bp-cc77588f-7669-4a57-bc51-2c6822121202 .
=============================================================
(Reporter)

Comment 1

6 years ago
With that stack trace, there are three crashes in 20.0a1, the first one in 20.0a1/20121126.

java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0
	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:1016)
	at android.text.SpannableStringBuilder.getChars(SpannableStringBuilder.java:913)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:511)
	at org.mozilla.gecko.GeckoEditable.invoke(GeckoEditable.java:636)
	at $Proxy0.getChars(Native Method)
	at android.text.TextUtils.getChars(TextUtils.java:70)
	at android.text.TextUtils.substring(TextUtils.java:256)
	at android.view.inputmethod.BaseInputConnection.getTextBeforeCursor(BaseInputConnection.java:335)
	at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:218)
	at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:77)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:137)
	at android.app.ActivityThread.main(ActivityThread.java:4898)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:511)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1006)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:773)
	at dalvik.system.NativeStart.main(Native Method)

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=FennecAndroid%3A20.0a1&range_value=4&range_unit=weeks&query_search=signature&query_type=contains&query=android.text.SpannableStringBuilder.checkRange&do_query=1
Blocks: 805162
Crash Signature: [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java)] → [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java)] [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 12) ends beyond length 0 at an&hellip;
status-firefox20: --- → affected
Keywords: regression
Summary: java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) → java.lang.IndexOutOfBoundsException: getChars (0 ... <n>) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java) at org.mozilla.gecko.GeckoEditable.invoke(GeckoEditable.java)
Version: unspecified → Firefox 19

Updated

5 years ago
Whiteboard: [native-crash]
(Reporter)

Comment 2

5 years ago
Aurora seems unaffected.
There are 6 crashes in Nightly making it #11-19 top crasher.
Version: Firefox 19 → Firefox 20
(Reporter)

Updated

5 years ago
Crash Signature: [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java)] [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 12) ends beyond length 0 at an&hellip; → [@ java.lang.NullPointerException: at org.mozilla.gecko.GeckoEditable.replace(GeckoEditable.java)] [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringB&hellip;
(Reporter)

Comment 3

5 years ago
It's now #9 top crasher in 20.0a1.
tracking-fennec: --- → ?
tracking-firefox20: --- → ?
Keywords: topcrash
Tracking since it's a topcrasher, we can check back on the volume when we go to Aurora.
tracking-firefox20: ? → +
Assignee: nobody → nchen
tracking-fennec: ? → 20+
(Assignee)

Comment 5

5 years ago
Created attachment 698814 [details] [diff] [review]
Log and ignore Editable exceptions (v1)

This happens because of a race between Gecko changing the text and InputConnection reading the text. InputConnection first reads the selection offsets; Gecko then changes the text which alters the selection; InputConnection finally uses the old selection offsets to try to get text, and in this case the old selection offsets are outside of the text.

It will take a lot of work to fix this race, because when Gecko single-handedly changes the text, Java cannot simply wait for Gecko. There are several approaches, but the simplest case is probably just to catch the exception, and make Fennec not crash. The IME might misbehave as a result but this race should not be a common case, and I think it's a good compromise.
Attachment #698814 - Flags: review?(cpeterson)
status-firefox19: --- → unaffected
Comment on attachment 698814 [details] [diff] [review]
Log and ignore Editable exceptions (v1)

Review of attachment 698814 [details] [diff] [review]:
-----------------------------------------------------------------

This fix is kinda ugly, but I realize this is a workaround for a topcrash. These race conditions between the UI and Gecko threads have been a long sore point; it would be nice to fix a robust solution.

To avoid masking other bugs that might be throwing exceptions, can we only handle just the IndexOutOfBoundsException?

::: mobile/android/base/GeckoEditable.java
@@ +741,5 @@
> +            // return an empty value instead.
> +            Log.w(LOGTAG, "Exception in GeckoEditable." + method.getName(), e.getCause());
> +            Class<?> retClass = method.getReturnType();
> +            ret = retClass != Void.TYPE && retClass.isPrimitive() ? retClass.newInstance() :
> +                  retClass == String.class ? "" : null;

I'm a big fan of the ?: ternary operator, but I think nesting two ternary expressions together is too clever. :)

Let's just split this into something boring like:

    if (retClass != Void.TYPE && retClass.isPrimitive())
        ret = retClass.newInstance();
    else if (retClass == String.class)
        ret = "";
    else
        ret = null;
Attachment #698814 - Flags: review?(cpeterson) → review+
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/efddd115fd76
Status: NEW → ASSIGNED
status-firefox21: --- → fixed
Flags: in-testsuite-
(Assignee)

Comment 8

5 years ago
Created attachment 699885 [details] [diff] [review]
Log and ignore IndexOutOfBoundsException in Editable (v1.1)

Patch after addressing review comments.
Attachment #698814 - Attachment is obsolete: true
Attachment #699885 - Flags: review+
(Assignee)

Comment 9

5 years ago
Comment on attachment 699885 [details] [diff] [review]
Log and ignore IndexOutOfBoundsException in Editable (v1.1)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): N/A
User impact if declined: Top-crash that's being tracked for Aurora
Testing completed (on m-c, etc.): Locally
Risk to taking this patch (and alternatives if risky): No risk; patch only catches crash and prevents crash from happening
String or UUID changes made by this patch: None
Attachment #699885 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

5 years ago
Whiteboard: [native-crash] → [native-crash][leave open]
(Reporter)

Updated

5 years ago
Target Milestone: --- → Firefox 21
Comment on attachment 699885 [details] [diff] [review]
Log and ignore IndexOutOfBoundsException in Editable (v1.1)

Approving on aurora.
Please keep an eye on the crash volume to make sure the patch has helped & lookout for any new regressions.
Attachment #699885 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Reporter)

Comment 12

5 years ago
It's not fixed: https://crash-stats.mozilla.com/report/list?signature=java.lang.NullPointerException%3A+at+org.mozilla.gecko.GeckoEditable.replace%28GeckoEditable.java%29
but no longer a top crasher
tracking-fennec: 20+ → ?
Crash Signature: [@ java.lang.NullPointerException: at org.mozilla.gecko.GeckoEditable.replace(GeckoEditable.java)] [@ java.lang.IndexOutOfBoundsException: getChars (0 ... 13) ends beyond length 0 at android.text.SpannableStringBuilder.checkRange(SpannableStringB&hellip; → [@ java.lang.NullPointerException: at org.mozilla.gecko.GeckoEditable.replace(GeckoEditable.java)] [@ java.lang.IndexOutOfBoundsException: charAt: -1 < 0 at android.text.SpannableStringBuilder.charAt(SpannableStringBuilder.java)] [@ java.lang.Ind&hellip;
status-firefox21: fixed → affected
tracking-firefox20: + → ?
Keywords: regression, topcrash
Version: Firefox 20 → Trunk
(Assignee)

Comment 13

5 years ago
(In reply to Scoobidiver from comment #12)
> It's not fixed:
> https://crash-stats.mozilla.com/report/list?signature=java.lang.
> NullPointerException%3A+at+org.mozilla.gecko.GeckoEditable.
> replace%28GeckoEditable.java%29
> but no longer a top crasher

The stack is very different. It should be a different bug.
(Reporter)

Comment 14

5 years ago
(In reply to Jim Chen [:jchen :nchen] from comment #13)
> The stack is very different. It should be a different bug.
OK. I will file it.
Crash Signature: [@ java.lang.NullPointerException: at org.mozilla.gecko.GeckoEditable.replace(GeckoEditable.java)] [@ java.lang.IndexOutOfBoundsException: charAt: -1 < 0 at android.text.SpannableStringBuilder.charAt(SpannableStringBuilder.java)] [@ java.lang.Ind&hellip; → [@ java.lang.IndexOutOfBoundsException: charAt: -1 < 0 at android.text.SpannableStringBuilder.charAt(SpannableStringBuilder.java)] [@ java.lang.IndexOutOfBoundsException: charAt: 0 >= length 0 at android.text.SpannableStringBuilder.charAt(Spannabl&hellip;
status-firefox21: affected → fixed
(Assignee)

Comment 15

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/006d27ddd615
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox20: affected → fixed
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Whiteboard: [native-crash][leave open] → [native-crash]

Updated

5 years ago
tracking-firefox20: ? → +
(Assignee)

Updated

5 years ago
Blocks: 832028
tracking-fennec: ? → ---
You need to log in before you can comment on or make changes to this bug.