gmail crashes composing a message

Bug #1375900 reported by Bill Filler
This bug affects 1 person
Affects          Status        Importance  Assigned to      Milestone
Oxide            Fix Released  Critical    Olivier Tilloy
1.3              Fix Released  Critical    Olivier Tilloy
ubuntu-keyboard  Invalid       High        Michael Sheldon
webbrowser-app   Invalid       High        Unassigned

Bug Description

In an effort to test and fix lp:1374562 and lp:1375889 I've tested with this UA string used by Chrome for Android:

Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19

Those issues are fixed with this string, but I am seeing a crash when composing a new message:

1) compose a new message
2) in the body type:
Hi Joe,
How are you?

For me the webapp crashes after typing "How"

Bill Filler (bfiller)
Changed in webbrowser-app:
importance: Undecided → High
Bill Filler (bfiller) wrote :

Here is end of the gmail webapps log file:
Overriden UA for https://mail.google.com/mail/u/0/photos/bfiller%40gmail.com%2Cbill.filler%40canonical.com?at=AF6bupOkoiDO9n6uA8affS6RMcwoOD32Ew&sz=100&pld=1 : Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like
libust[5704/5736]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)
libust[5704/5735]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)
libust[5704/5736]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)
libust[5704/5735]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)
terminate called after throwing an instance of 'std::out_of_range'
  what(): basic_string::substr

Olivier Tilloy (osomon) wrote :

I can reliably reproduce. Trying to get a usable crash file / stacktrace.

Changed in webbrowser-app:
status: New → Triaged
Olivier Tilloy (osomon) wrote :

I can reproduce with a simple oxide WebView pointing to http://gmail.com, without any UA string set (which as a consequence gives me the desktop version of gmail, but the crash still happens). I’m guessing the crash is in oxide, but I haven’t been able to get a stacktrace yet.

summary: - gmail crashes composing a message when using Chrome UA override
+ gmail crashes composing a message
Olivier Tilloy (osomon) wrote :

I can also reproduce with a simple oxide WebView pointing to http://html5doctor.com/the-contenteditable-attribute/#first-example, by appending a new line at the end of the editable paragraph, then typing "Hey" then pressing space. Disabling spellchecking in the system settings makes the crash happen even earlier, just after typing "H".

David Barth (dbarth) wrote :

Can't make it crash from webbrowser-app. Nor can I crash Gmail while sending a simple message like in the description.

I am running oxide-1.2.4 which may be the difference with your respective test environments. Can you try to update? (it's in utopic now)

Olivier Tilloy (osomon) wrote :

I can reproduce with a local build from the latest trunk, so I don’t think it was fixed in 1.2.4 (or if it was, it then regressed again in trunk, which sounds pretty unlikely). Are you testing with the chrome on android UA override as suggested in the description?

Olivier Tilloy (osomon) wrote :

Just managed to get a usable stacktrace:

#0 0xb5e438e6 in ?? () from /lib/arm-linux-gnueabihf/libc.so.6
#1 0xb5e51e5e in raise () from /lib/arm-linux-gnueabihf/libc.so.6
#2 0xb5e52b4e in abort () from /lib/arm-linux-gnueabihf/libc.so.6
#3 0xb5fd90fc in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#4 0xb5fd7920 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#5 0xb5fd7976 in std::terminate() () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#6 0xb5fd7b96 in __cxa_throw () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#7 0xb60150ce in std::__throw_out_of_range(char const*) () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#8 0xafc064f2 in _M_check (__s=0xb00f8d64 "basic_string::substr", __pos=<optimized out>, this=0x1860818)
    at /usr/include/c++/4.8/bits/basic_string.h:324
#9 substr (__n=<optimized out>, __pos=<optimized out>, this=0x1860818)
    at /usr/include/c++/4.8/bits/basic_string.h:2208
#10 content::RenderWidgetHostViewBase::GetSelectedText (this=0x1860808)
    at ../../../../third_party/chromium/src/content/browser/renderer_host/render_widget_host_view_base.cc:441
#11 0xae539cb8 in oxide::WebView::GetSelectedText (this=<optimized out>)
    at ../../../../shared/browser/oxide_web_view.cc:888
#12 0xae512b52 in oxide::qt::WebView::InputMethodQuery (this=<optimized out>, query=<optimized out>)
    at ../../../../qt/core/browser/oxide_qt_web_view.cc:914
#13 0xae52156c in oxide::qt::WebViewAdapter::inputMethodQuery (this=<optimized out>, query=<optimized out>)
    at ../../../../qt/core/glue/oxide_qt_web_view_adapter.cc:238
#14 0xb06c177e in oxide::qquick::WebViewInputArea::inputMethodQuery(Qt::InputMethodQuery) const ()
   from /usr/lib/arm-linux-gnueabihf/qt5/qml/com/canonical/Oxide/libqmloxideplugin.so
#15 0xb6e2a8cc in QQuickItem::event(QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Quick.so.5
#16 0xb67a3918 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/arm-linux-gnueabihf/libQt5Widgets.so.5
#17 0xb67a766c in QApplication::notify(QObject*, QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Widgets.so.5
#18 0x0168bcf0 in ?? ()

Olivier Tilloy (osomon) wrote :

If I type the following in a contenteditable div: "hey \nH" then press space, I see RenderWidgetHostView::SelectionChanged() being called with text = "hey ", offset = 0 and range = {5,5}.
At this point the range is invalid because text.length() is 4, and trying to get a substring of it at index 5 throws a std::out_of_range exception.

I’m wondering whether the input method may be incorrectly eating the linefeed (\n) character.
By the way the behaviour of the OSK looks incorrect to me in this case: when pressing space, shouldn’t the current word suggestion be validated? Instead, it’s entirely deleted. I’m not seeing that happen in e.g. the messaging app, so it might be an issue in oxide (adding an ubuntu-keyboard task just in case).

Olivier Tilloy (osomon)
Changed in oxide:
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

It appears the word is correctly committed (in case of the example in the comment above, "H"), but instantly afterwards the selection is changed (RenderWidgetHostView::SelectionChanged() is called) with the committed word removed. I don’t know why yet.

Changed in oxide:
importance: Undecided → Critical
Changed in webbrowser-app:
status: Triaged → Invalid
Bill Filler (bfiller)
Changed in ubuntu-keyboard:
status: New → Triaged
importance: Undecided → High
tags: added: rtm14
Bill Filler (bfiller) wrote :

Note, according to Olivier this bug doesn't just happen with Gmail with modified UA string. It happens with an editable content div http://html5doctor.com/the-contenteditable-attribute/#first-example see comment 4 from above

Olivier Tilloy (osomon)
Changed in oxide:
assignee: nobody → Olivier Tilloy (osomon)
Changed in oxide:
milestone: none → branch-1.3
David Barth (dbarth)
tags: added: ota-1 touch-2014-10-23
Olivier Tilloy (osomon)
Changed in oxide:
status: Confirmed → In Progress
Changed in ubuntu-keyboard:
assignee: nobody → Michael Sheldon (michael-sheldon)
Changed in oxide:
milestone: branch-1.3 → branch-1.4
Olivier Tilloy (osomon) wrote :

The issue (where RenderWidgetHostView::SelectionChanged(…) is invoked with an invalid selection range) seems to happen when the word being committed is the first one on a new line. What happens then is that oxide correctly reports the "text before cursor" with the trailing whitespaces (including \n characters), but for some reason they are trimmed in the text that is passed to SelectionChanged. Not sure why yet.

Olivier Tilloy (osomon)
Changed in oxide:
status: In Progress → Fix Released
Changed in ubuntu-keyboard:
status: Triaged → Invalid
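
The failure analysed in the comments above, reduced to a stand-alone C++ model as an added example; it is not Chromium or Oxide source and not the fix that was released. The SelectionState struct and the function names are hypothetical; the values in reported_state() are the ones quoted in the report (text = "hey ", offset = 0, range = {5,5}).

```cpp
// Added illustration: a simplified model, not Chromium or Oxide source.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for the state a SelectionChanged() call delivers.
struct SelectionState {
    std::string text;    // text snapshot sent with the selection
    std::size_t offset;  // document index of text[0]
    std::size_t start;   // selection range, in document indices
    std::size_t end;
};

// Unchecked: trusts that the range lies inside the snapshot. substr()
// throws std::out_of_range when pos > size(), even for a collapsed range.
std::string selected_text_unchecked(const SelectionState& s) {
    std::size_t lo = std::min(s.start, s.end), hi = std::max(s.start, s.end);
    return s.text.substr(lo - s.offset, hi - lo);
}

// Checked: validate the range against the snapshot before slicing and
// return an empty string when the two are inconsistent.
std::string selected_text_checked(const SelectionState& s) {
    std::size_t lo = std::min(s.start, s.end), hi = std::max(s.start, s.end);
    if (lo < s.offset || lo - s.offset > s.text.size()) return std::string();
    return s.text.substr(lo - s.offset, hi - lo);  // length is clamped by substr
}

// True when the unchecked version throws for this state.
bool unchecked_throws(const SelectionState& s) {
    try { selected_text_unchecked(s); return false; }
    catch (const std::out_of_range&) { return true; }
}

// Values quoted in the report: text = "hey ", offset = 0, range = {5,5}.
SelectionState reported_state() { return SelectionState{"hey ", 0, 5, 5}; }

int main() {
    SelectionState s = reported_state();
    std::cout << "unchecked throws: " << unchecked_throws(s) << "\n";
    std::cout << "checked returns empty: " << selected_text_checked(s).empty() << "\n";
    // pos == size() is still legal for substr, so range {4,4} does not throw.
    std::cout << "range {4,4} throws: "
              << unchecked_throws(SelectionState{"hey ", 0, 4, 4}) << "\n";
    return 0;
}
```

Left uncaught, the exception from the unchecked version reaches std::terminate, which is the abort visible in frames #2 to #7 of the stack trace.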