Closed Bug 827065 Opened 9 years ago Closed 9 years ago

mobile Persona login page triggers assertion in Android nsWindow.cpp::FlushIMEChanges (change.isTextChange)


(Firefox for Android Graveyard :: Keyboards and IME, defect)

Not set


(Not tracked)

Firefox 21


(Reporter: dmosedale, Assigned: jchen)





(1 file)

This is in a build from mozilla-inbound today (Saturday December 5th).  Reproducible every time I've tried it since yesterday.

1. Navigate to
2. Wait for the Persona logo to load
3. Click the Persona logo
4. After the keyboard pops up, type a character

When running under JimDB, one sees:

Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
[Switching to Thread 11477]
0x5ae9ebe0 in nsWindow::FlushIMEChanges (this=0x532e2780)
    at /Users/dmose/r/inbound/src/widget/android/nsWindow.cpp:2104
2104	        MOZ_ASSERT(change.IsTextChange());

I'm not used to seeing assertions manifest as SIGSEGV, but maybe that's just how Android does it or something.

The change object looks pretty suspect to me.  Here it is, along with the stack trace:

(gdb) p change
$1 = (nsWindow::IMEChange &) @0x532e28d8: {mStart = 0, mOldEnd = 2147483647, mNewEnd = -2147483648}
(gdb) bt
#0  0x5ae9ebe0 in nsWindow::FlushIMEChanges (this=0x532e2780)
    at /Users/dmose/r/inbound/src/widget/android/nsWindow.cpp:2104
#1  0x5ae9e086 in nsWindow::OnIMEEvent (this=0x532e2780, ae=0x532acd50)
    at /Users/dmose/r/inbound/src/widget/android/nsWindow.cpp:1823
#2  0x5ae9bccc in nsWindow::OnGlobalAndroidEvent (ae=0x532acd50)
    at /Users/dmose/r/inbound/src/widget/android/nsWindow.cpp:885
#3  0x5ae88150 in nsAppShell::ProcessNextNativeEvent (this=0x51d608e0, mayWait=true)
    at /Users/dmose/r/inbound/src/widget/android/nsAppShell.cpp:557
#4  0x5aea4382 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x51d608e0, mayWait=true, recursionDepth=0)
    at /Users/dmose/r/inbound/src/widget/xpwidgets/nsBaseAppShell.cpp:139
#5  0x5aea474a in nsBaseAppShell::OnProcessNextEvent (this=0x51d608e0, thr=0x51d4f0f0, mayWait=true, recursionDepth=0)
    at /Users/dmose/r/inbound/src/widget/xpwidgets/nsBaseAppShell.cpp:298
#6  0x5b33b8d2 in nsThread::ProcessNextEvent (this=0x51d4f0f0, mayWait=true, result=0x51eff807)
    at /Users/dmose/r/inbound/src/xpcom/threads/nsThread.cpp:600
#7  0x5b2dcdfe in NS_ProcessNextEvent_P (thread=0x51d4f0f0, mayWait=true)
    at /Users/dmose/r/inbound/objdir-droid/xpcom/build/nsThreadUtils.cpp:237
#8  0x5afd7cb6 in mozilla::ipc::MessagePump::Run (this=0x51d512e0, aDelegate=0x51d720c0)
    at /Users/dmose/r/inbound/src/ipc/glue/MessagePump.cpp:117
#9  0x5b394d88 in MessageLoop::RunInternal (this=0x51d720c0)
    at /Users/dmose/r/inbound/src/ipc/chromium/src/base/
#10 0x5b394d22 in MessageLoop::RunHandler (this=0x51d720c0)
    at /Users/dmose/r/inbound/src/ipc/chromium/src/base/
#11 0x5b394cca in MessageLoop::Run (this=0x51d720c0)
---Type <return> to continue, or q <return> to quit---
    at /Users/dmose/r/inbound/src/ipc/chromium/src/base/
#12 0x5aea4406 in nsBaseAppShell::Run (this=0x51d608e0)
    at /Users/dmose/r/inbound/src/widget/xpwidgets/nsBaseAppShell.cpp:163
#13 0x5acdd480 in nsAppStartup::Run (this=0x525d2a30)
    at /Users/dmose/r/inbound/src/toolkit/components/startup/nsAppStartup.cpp:288
#14 0x59ccfb04 in XREMain::XRE_mainRun (this=0x51effa80) at /Users/dmose/r/inbound/src/toolkit/xre/nsAppRunner.cpp:3823
#15 0x59ccfd24 in XREMain::XRE_main (this=0x51effa80, argc=9, argv=0x51d69048, aAppData=0x4cde0a30)
    at /Users/dmose/r/inbound/src/toolkit/xre/nsAppRunner.cpp:3890
#16 0x59ccfed2 in XRE_main (argc=9, argv=0x51d69048, aAppData=0x4cde0a30, aFlags=0)
    at /Users/dmose/r/inbound/src/toolkit/xre/nsAppRunner.cpp:4093
#17 0x59cdb130 in GeckoStart (data=0x290420, appData=0x4cde0a30)
    at /Users/dmose/r/inbound/src/toolkit/xre/nsAndroidStartup.cpp:73
#18 0x4cdb1424 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x1b0618, jc=0x21d00001, jargs=0x20000005)
    at /Users/dmose/r/inbound/src/mozglue/android/APKOpen.cpp:669
#19 0x40931cf4 in dvmPlatformInvoke ()
   from /Users/dmose/r/tools/android-gdb/moz-gdb/lib/0009edd536b43f/system/lib/
#20 0x4096bfae in dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*) ()
   from /Users/dmose/r/tools/android-gdb/moz-gdb/lib/0009edd536b43f/system/lib/
#21 0x4096dcde in dvmResolveNativeMethod(unsigned int const*, JValue*, Method const*, Thread*) ()
   from /Users/dmose/r/tools/android-gdb/moz-gdb/lib/0009edd536b43f/system/lib/
#22 0x40943b50 in dvmJitToInterpNoChain ()
   from /Users/dmose/r/tools/android-gdb/moz-gdb/lib/0009edd536b43f/system/lib/
#23 0x40943b50 in dvmJitToInterpNoChain ()
   from /Users/dmose/r/tools/android-gdb/moz-gdb/lib/0009edd536b43f/system/lib/
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Summary: assertion in Android nsWindow.cpp::FlushIMEChanges (change.isTextChange) → mobile Persona login page triggers assertion in Android nsWindow.cpp::FlushIMEChanges (change.isTextChange)
Component: General → Keyboards and IME
Product: Fennec → Firefox for Android
I had this in my patch queue for Bug 809329 but I'm moving the specific patch to here instead.

This patch changes selection change tracking to a boolean instead, so instead of having to track the latest selection offsets in OnIMESelectionChange, we just query for the offsets when we actually notify Java.

This patch also fixes the cause of this bug. During focus, we send a text change with offsets INT32_MAX, but subsequent changes might merge with this change, resulting in integer overflow. By using INT32_MAX / 2 we avoid the overflow and it is still a large enough value.
Attachment #698843 - Flags: review?(cpeterson)
Assignee: nobody → nchen
Comment on attachment 698843 [details] [diff] [review]
Simplify selection update code and use new focus text update offsets (v1)

Review of attachment 698843 [details] [diff] [review]:

Attachment #698843 - Flags: review?(cpeterson) → review+
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 21
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.