
Issue 606059 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocked on:
issue 551193




Crash after pasting into an editable content area

Reported by junche...@evernote.com, Apr 22 2016

Issue description

Steps to reproduce the problem:
1. Go to http://www.encyclopedia.com/topic/environmentalism.aspx
2. Select all content
3. Copy
4. Go to m.editpad.org
5. Paste the clipboard 3 or more times
6. The whole browser will crash.

What is the expected behavior?
The browser should not crash

What went wrong?
The whole browser crashes.

Crashed report ID: 

How much crashed? Whole browser

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 49.0.2623.105  Channel: stable
OS Version: 5.1
Flash Version: 

Please contact if you need more information on reproducing the issue, but if you follow the steps or the video, you should have no problem reproducing the issue.
Attachment: chrome crash.webm (9.8 MB)
Owner: yfried...@chromium.org
Status: Assigned (was: Unconfirmed)
Hello

Thanks for reporting the issue. This issue is reproducible, tested on Nexus5/M, chrome stable:49.0.2623.105.

Logcat @ http://go/chrome-androidlogs1/6/606059
Owner: changwan@chromium.org
04-22 16:22:59.147  3489  3523 D OpenGLRenderer: endAllStagingAnimators on 0x915f5d80 (ListView) with handle 0x929629e0
04-22 16:22:59.289  3489  3489 W System.err: java.lang.IndexOutOfBoundsException: setSpan (-36903 ... -36903) starts before 0
04-22 16:22:59.290  3489  3489 W System.err: 	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:1095)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.text.SpannableStringBuilder.setSpan(SpannableStringBuilder.java:665)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:543)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:492)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:491)
04-22 16:22:59.290  3489  3489 W System.err: 	at org.chromium.content.browser.input.AdapterInputConnection.updateState(AdapterInputConnection.java:197)
04-22 16:22:59.290  3489  3489 W System.err: 	at org.chromium.content.browser.input.ImeAdapter.updateState(ImeAdapter.java:289)
04-22 16:22:59.290  3489  3489 W System.err: 	at org.chromium.content.browser.ContentViewCore.updateImeAdapter(ContentViewCore.java:2388)
04-22 16:22:59.290  3489  3489 W System.err: 	at org.chromium.base.SystemMessageHandler.nativeDoRunLoopOnce(Native Method)
04-22 16:22:59.290  3489  3489 W System.err: 	at org.chromium.base.SystemMessageHandler.handleMessage(SystemMessageHandler.java:39)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.os.Handler.dispatchMessage(Handler.java:102)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.os.Looper.loop(Looper.java:148)
04-22 16:22:59.290  3489  3489 W System.err: 	at android.app.ActivityThread.main(ActivityThread.java:5417)
04-22 16:22:59.290  3489  3489 W System.err: 	at java.lang.reflect.Method.invoke(Native Method)
04-22 16:22:59.290  3489  3489 W System.err: 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
04-22 16:22:59.290  3489  3489 W System.err: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)


Possibly an overflow/underflow issue. 
Cc: aelias@chromium.org changwan@chromium.org
Components: UI>Input>Text>IME
Owner: yabinh@chromium.org
This is because of an overflow in SpannableStringBuilder.java at line 539:
final int offset = (selectionStart - start) * newLen / origLen;

The text we copy has about 25k characters. When we paste it the 3rd time, selectionStart = 50k, start = 0, newLen = 75k, origLen = 50k. So when we compute 50k*75k, we get an overflow. |offset| is negative. It will raise IndexOutOfBoundsException in SpannableStringBuilder#checkRange() at line 1095.
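The overflow described in this comment, as an added stand-alone example (not code from Chromium or the Android framework): the first method mirrors the original expression with the product evaluated in 32-bit int, the second widens the intermediate product to long and range-checks the result. Method names and the IllegalStateException are assumptions for illustration; the input values are the ones from the analysis above.

```java
// Added example: reproduces the int overflow in the offset computation and a widened variant.
public final class SpanOffsetOverflow {

    /** Mirrors the original expression: (selectionStart - start) * newLen is computed in 32-bit int. */
    static int offsetOverflowing(int selectionStart, int start, int newLen, int origLen) {
        return (selectionStart - start) * newLen / origLen;
    }

    /**
     * Same formula, but the cast forces the multiplication into 64-bit long, so the
     * product 50k * 75k (about 3.75e9) no longer wraps past Integer.MAX_VALUE.
     * The resulting offset is also checked against the new text length before use,
     * which is the check setSpan() would otherwise fail on with a negative start.
     */
    static int offsetWidened(int selectionStart, int start, int newLen, int origLen) {
        long offset = (long) (selectionStart - start) * newLen / origLen;
        if (offset < 0 || offset > newLen) {
            throw new IllegalStateException("offset out of range: " + offset);
        }
        return (int) offset;
    }

    public static void main(String[] args) {
        // Values from the thread: third paste of a ~25k-character text into a 50k-character field.
        int selectionStart = 50_000, start = 0, newLen = 75_000, origLen = 50_000;

        int wrapped = offsetOverflowing(selectionStart, start, newLen, origLen);
        int widened = offsetWidened(selectionStart, start, newLen, origLen);
        System.out.println("32-bit product, as in the original line: offset = " + wrapped);
        System.out.println("64-bit intermediate product:             offset = " + widened);

        // Math.multiplyExact is the alternative that surfaces the overflow instead of wrapping.
        try {
            Math.multiplyExact(selectionStart - start, newLen);
        } catch (ArithmeticException e) {
            System.out.println("multiplyExact rejected the product: " + e.getMessage());
        }
    }
}
```

The first line prints a negative offset, which is exactly the kind of value that reaches setSpan() and trips checkRange() in the logcat above; the widened version maps the old selection end (50k) to the new text end (75k).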
Blockedon: 551193
Cc: yabinh@chromium.org
Owner: changwan@chromium.org
OK, this is a ReplicaInputConnection-specific codepath, so marking blocked on IME thread launch bug.  It looks like this could be worked around by resetting the selection offset to 0 before the replace call, but that code is on the way out anyway.
Issue 521747 has been merged into this issue.

Comment 7 by bugdroid1@chromium.org, Jun 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bd10c315594d2a20e31a94a7a6c7adb9a0961c56

commit bd10c315594d2a20e31a94a7a6c7adb9a0961c56
Author: yabinh <yabinh@chromium.org>
Date: Wed Jun 15 05:40:27 2016

Chrome can crash if pasting long text into textarea, because there is an
overflow bug in SpannableStringBuilder#replace(). If ImeThread is
enabled, we don't need to call the above function. Thus, we can get rid
of that bug.

BUG= 606059 

Review-Url: https://codereview.chromium.org/2033723003
Cr-Commit-Position: refs/heads/master@{#399850}

[modify] https://crrev.com/bd10c315594d2a20e31a94a7a6c7adb9a0961c56/content/public/android/javatests/src/org/chromium/content/browser/input/ImeTest.java

Owner: yabinh@chromium.org
Status: Fixed (was: Assigned)
