gmail crashes composing a message

Bug #1375900 reported by Bill Filler on 2014-09-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Oxide
Critical
Olivier Tilloy
1.3
Critical
Olivier Tilloy
ubuntu-keyboard
Invalid
High
Michael Sheldon
webbrowser-app
Invalid
High
Unassigned

Bug Description

In an effort to test and fix lp:1374562 and lp:1375889 I've tested with this UA string used by Chrome for Android:

Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19

Those issue are fixed with this string, but am seeing a crash when composing a new message:

1) compose a new message
2) in the body type:
Hi Joe,
How are you?

For me the webapp crashes after typing "How"

Bill Filler (bfiller) on 2014-09-30
Changed in webbrowser-app:
importance: Undecided → High
Bill Filler (bfiller) wrote :

Here is end of the gmail webapps log file:
Overriden UA for https://mail.google.com/mail/u/0/photos/bfiller%40gmail.com%2Cbill.filler%40canonical.com?at=AF6bupO
koiDO9n6uA8affS6RMcwoOD32Ew&sz=100&pld=1 : Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/
535.19 (KHTML, like ^M
libust[5704/5736]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)^M
libust[5704/5735]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)^M
libust[5704/5736]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)^M
libust[5704/5735]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)^M
terminate called after throwing an instance of 'std::out_of_range'^M
  what(): basic_string::substr^M

Olivier Tilloy (osomon) wrote :

I can reliably reproduce. Trying to get a usable crash file / stacktrace.

Changed in webbrowser-app:
status: New → Triaged
Olivier Tilloy (osomon) wrote :

I can reproduce with a simple oxide WebView pointing to http://gmail.com, without any UA string set (which as a consequence gives me the desktop version of gmail, but the crash still happens). I’m guessing the crash is in oxide, but I haven’t been able to get a stacktrace yet.

summary: - gmail crashes composing a message when using Chrome UA override
+ gmail crashes composing a message
Olivier Tilloy (osomon) wrote :

I can also reproduce with a simple oxide WebView pointing to http://html5doctor.com/the-contenteditable-attribute/#first-example, by appending a new line at the end of the editable paragraph, then typing "Hey" then pressing space. Disabling spellchecking in the system settings makes the crash happen even earlier, just after typing "H".

David Barth (dbarth) wrote :

Can't make it crash from webbrowser-app. Nor can I crash Gmail while sending a simple message like in the description.

I am running oxide-1.2.4 which may be the difference with your respective test environments. Can you try to update? (it's in utopic now)

Olivier Tilloy (osomon) wrote :

I can reproduce with a local build from the latest trunk, so I don’t think it was fixed in 1.2.4 (or if it was, it then regressed again in trunk, which sounds pretty unlikely). Are you testing with the chrome on android UA override as suggested in the description?

Olivier Tilloy (osomon) wrote :

Just managed to get a usable stacktrace:

#0 0xb5e438e6 in ?? () from /lib/arm-linux-gnueabihf/libc.so.6
#1 0xb5e51e5e in raise () from /lib/arm-linux-gnueabihf/libc.so.6
#2 0xb5e52b4e in abort () from /lib/arm-linux-gnueabihf/libc.so.6
#3 0xb5fd90fc in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#4 0xb5fd7920 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#5 0xb5fd7976 in std::terminate() () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#6 0xb5fd7b96 in __cxa_throw () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#7 0xb60150ce in std::__throw_out_of_range(char const*) () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#8 0xafc064f2 in _M_check (__s=0xb00f8d64 "basic_string::substr", __pos=<optimized out>, this=0x1860818)
    at /usr/include/c++/4.8/bits/basic_string.h:324
#9 substr (__n=<optimized out>, __pos=<optimized out>, this=0x1860818)
    at /usr/include/c++/4.8/bits/basic_string.h:2208
#10 content::RenderWidgetHostViewBase::GetSelectedText (this=0x1860808)
    at ../../../../third_party/chromium/src/content/browser/renderer_host/render_widget_host_view_base.cc:441
#11 0xae539cb8 in oxide::WebView::GetSelectedText (this=<optimized out>)
    at ../../../../shared/browser/oxide_web_view.cc:888
#12 0xae512b52 in oxide::qt::WebView::InputMethodQuery (this=<optimized out>, query=<optimized out>)
    at ../../../../qt/core/browser/oxide_qt_web_view.cc:914
#13 0xae52156c in oxide::qt::WebViewAdapter::inputMethodQuery (this=<optimized out>, query=<optimized out>)
    at ../../../../qt/core/glue/oxide_qt_web_view_adapter.cc:238
#14 0xb06c177e in oxide::qquick::WebViewInputArea::inputMethodQuery(Qt::InputMethodQuery) const ()
   from /usr/lib/arm-linux-gnueabihf/qt5/qml/com/canonical/Oxide/libqmloxideplugin.so
#15 0xb6e2a8cc in QQuickItem::event(QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Quick.so.5
#16 0xb67a3918 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/arm-linux-gnueabihf/libQt5Widgets.so.5
#17 0xb67a766c in QApplication::notify(QObject*, QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Widgets.so.5
#18 0x0168bcf0 in ?? ()

Olivier Tilloy (osomon) wrote :

If I type the following in a contenteditable div: "hey \nH" then press space, I see RenderWidgetHostView::SelectionChanged() being called with text = "hey ", offset = 0 and range = {5,5}.
At this point the range is invalid because text.length() is 4, and trying to get a substring of it at index 5 throws a std::out_of_range exception.

I’m wondering whether the input method may be incorrectly eating the linefeed (\n) character.
By the way the behaviour of the OSK looks incorrect to me in this case: when pressing space, shouldn’t the current word suggestion be validated? Instead, it’s entirely deleted. I’m not seeing that happen in e.g. the messaging app, so it might be an issue in oxide (adding an ubuntu-keyboard task just in case).

Olivier Tilloy (osomon) on 2014-10-02
Changed in oxide:
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

It appears the word is correctly committed (in case of the example in the comment above, "H"), but instantly afterwards the selection is changed (RenderWidgetHostView::SelectionChanged() is called) with the committed word removed. I don’t know why yet.

Changed in oxide:
importance: Undecided → Critical
Changed in webbrowser-app:
status: Triaged → Invalid
Bill Filler (bfiller) on 2014-10-05
Changed in ubuntu-keyboard:
status: New → Triaged
importance: Undecided → High
tags: added: rtm14
Bill Filler (bfiller) wrote :

Note, according to Olivier this bug doesn't just happen with Gmail with modified UA string. It happens with an editable content div http://html5doctor.com/the-contenteditable-attribute/#first-example see comment 4 from above

Olivier Tilloy (osomon) on 2014-10-07
Changed in oxide:
assignee: nobody → Olivier Tilloy (osomon)
Changed in oxide:
milestone: none → branch-1.3
David Barth (dbarth) on 2014-10-07
tags: added: ota-1 touch-2014-10-23
Olivier Tilloy (osomon) on 2014-10-09
Changed in oxide:
status: Confirmed → In Progress
Changed in ubuntu-keyboard:
assignee: nobody → Michael Sheldon (michael-sheldon)
Changed in oxide:
milestone: branch-1.3 → branch-1.4
Olivier Tilloy (osomon) wrote :

The issue (where RenderWidgetHostView::SelectionChanged(…) is invoked with an invalid selection range) seems to happen when the word being committed is the first one on a new line. What happens then is that oxide correctly reports the "text before cursor" with the trailing whitespaces (including \n characters), but for some reason they are trimmed in the text that is passed to SelectionChanged. Not sure why yet.

Olivier Tilloy (osomon) on 2014-10-16
Changed in oxide:
status: In Progress → Fix Released
Changed in ubuntu-keyboard:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers