Closed Bug 199694 Opened 22 years ago Closed 22 years ago

LiveConnect call kills JVM

Categories

(Core Graveyard :: Java: Live Connect, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 200016

People

(Reporter: marc, Assigned: beard)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

<html>
<body>
<script language="Javascript">
t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
</script>
</body>
</html>

Reproducible: Always

Steps to Reproduce:
display the page

Actual Results: jvm crash

Expected Results: throw an exception

Crashes Netscape, Mozilla, Phoenix and Opera
Confirming crash with up-to-date trunk build (rv:1.4a, 2003-03-28). Using Java Plug-in 1.4.1 on WinNT4.0. Will attach stack trace below -
Assignee: rogerl → beard
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
Summary: Liveconnect call kills JVM → LiveConnect call kills JVM
Attached file WinNT stack trace
cc'ing Joshua to see if "the unwrap function is supported by the Sun JPI", as explained in this comment in jsj_JSObject.c just above the crashpoint:

JSObject *
jsj_UnwrapJSObjectWrapper(JNIEnv *jEnv, jobject java_wrapper_obj)
{
    JSObjectHandle *handle;

#ifndef OJI
#if JS_BYTES_PER_LONG == 8
    handle = (JSObjectHandle*)((*jEnv)->GetLongField(jEnv, java_wrapper_obj, njJSObject_long_internal));
#else
    handle = (JSObjectHandle*)((*jEnv)->GetIntField(jEnv, java_wrapper_obj, njJSObject_internal));
#endif
#else
    /* Unwrapping this wrapper requires knowledge of the structure of the
       object. This is privileged information that only the object implementor
       can know. In this case the object implementor is the java plugin (such
       as the Sun plugin class sun.plugin.javascript.navig5.JSObject). Since
       the plugin owns this structure, we defer to it to unwrap the object. If
       the plugin does not implement this callback, then it should be set to
       null. In that case we try something that works with Sun's plugin
       assuming that it has not yet been implemented yet. This 'else' case
       should be removed as soon as the unwrap function is supported by the
       Sun JPI. */
    if (JSJ_callbacks && JSJ_callbacks->unwrap_java_wrapper != NULL) {
        handle = (JSObjectHandle*)JSJ_callbacks->unwrap_java_wrapper(jEnv, java_wrapper_obj);
    } else {
        jclass cid = (*jEnv)->GetObjectClass(jEnv, java_wrapper_obj);
        jfieldID fid = (*jEnv)->GetFieldID(jEnv, cid, "nativeJSObject", "I");
        handle = (JSObjectHandle*)((*jEnv)->GetIntField(jEnv, java_wrapper_obj, fid));
    }
#endif

    /* JNI returns a NULL handle for a Java 'null' */
    if (!handle)
        return NULL;
    return handle->js_obj;   <<<----------------------------------- CRASHES HERE
}
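The fallback path quoted above reads a plain int field out of a Java object that page script can construct with any constructor arguments, casts that int to a pointer, and dereferences it; the only check is for zero, which is why `new JSObject(1,1)` crashes the VM instead of raising an exception. The following is an added example, not code from Mozilla, Sun or bug 200016, contrasting that "integer is the pointer" pattern with a handle-table design in which the integer is an opaque token the native side issued. All type and function names (`JavaWrapper`, `register_js_object`, `unwrap_checked`, `release_handle`) and the token layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the LiveConnect types (assumed shapes, not the real ones). */
typedef struct JSObject { const char *name; } JSObject;
typedef struct JSObjectHandle { JSObject *js_obj; } JSObjectHandle;

/* The Java wrapper as the native side sees it, reduced to the one field the
 * fallback path reads: the "I" field nativeJSObject. Page script controls it. */
typedef struct JavaWrapper { int32_t nativeJSObject; } JavaWrapper;

/* The pattern from the page: the integer IS the pointer. A wrapper built by
 * script with nativeJSObject == 1 passes the null check and is dereferenced.
 * Kept for contrast only; never call it with a script-supplied value. */
JSObject *unwrap_trusting(const JavaWrapper *w)
{
    JSObjectHandle *handle = (JSObjectHandle *)(intptr_t)w->nativeJSObject;
    if (!handle)
        return NULL;            /* only a Java 'null' is caught */
    return handle->js_obj;      /* undefined behaviour for every other bad value */
}

/* Hardened variant (assumed design): the integer is an opaque token.
 * Low 16 bits: slot index + 1 (so 0 still means null).
 * High 16 bits: generation + 1, bumped when the slot is released, so a
 * stale or guessed token is rejected instead of dereferenced. */
#define HANDLE_SLOTS 64
static JSObjectHandle handle_table[HANDLE_SLOTS];
static uint16_t generation[HANDLE_SLOTS];   /* kept in 0..0xFFFE */
static uint8_t  live[HANDLE_SLOTS];

static int32_t encode_handle(int slot)
{
    uint32_t gen_bits = (uint32_t)(generation[slot] + 1) << 16;   /* never 0 */
    return (int32_t)(gen_bits | (uint32_t)(slot + 1));
}

/* Issue a token for obj; returns 0 ("null") when the table is full. */
int32_t register_js_object(JSObject *obj)
{
    for (int i = 0; i < HANDLE_SLOTS; i++) {
        if (!live[i]) {
            live[i] = 1;
            handle_table[i].js_obj = obj;
            return encode_handle(i);
        }
    }
    return 0;
}

/* Resolve a token to its slot, or -1 if it is null, out of range, was never
 * issued, or belongs to an earlier generation of that slot. */
static int lookup_slot(int32_t token)
{
    uint32_t u = (uint32_t)token;
    int slot = (int)(u & 0xFFFFu) - 1;
    if (u == 0 || slot < 0 || slot >= HANDLE_SLOTS)
        return -1;
    if (!live[slot])
        return -1;
    if ((uint16_t)(u >> 16) != (uint16_t)(generation[slot] + 1))
        return -1;
    return slot;
}

void release_handle(int32_t token)
{
    int slot = lookup_slot(token);
    if (slot < 0)
        return;
    live[slot] = 0;
    handle_table[slot].js_obj = NULL;
    generation[slot] = (uint16_t)((generation[slot] + 1) % 0xFFFF);
}

/* Same shape as the unwrap on the page: NULL for null, forged, stale or
 * out-of-range tokens; a JSObject only for a token this table issued. */
JSObject *unwrap_checked(const JavaWrapper *w)
{
    int slot = lookup_slot(w->nativeJSObject);
    return slot < 0 ? NULL : handle_table[slot].js_obj;
}

int main(void)
{
    JSObject window = { "window" };
    JavaWrapper good   = { register_js_object(&window) };
    JavaWrapper forged = { 1 };            /* what new JSObject(1,1) hands over */
    JavaWrapper huge   = { 0x7FFFFFFF };

    printf("issued token 0x%x -> %s\n", (unsigned)good.nativeJSObject,
           unwrap_checked(&good) ? unwrap_checked(&good)->name : "NULL");
    printf("forged 1          -> %s\n", unwrap_checked(&forged) ? "object" : "NULL");
    printf("forged 0x7fffffff -> %s\n", unwrap_checked(&huge) ? "object" : "NULL");
    release_handle(good.nativeJSObject);
    printf("after release     -> %s\n", unwrap_checked(&good) ? "object" : "NULL");
    return 0;
}
```

The point is the trust boundary: anything a Java object exposes as a plain field can be set by whoever constructs that object, so the native side must only accept values it can validate against state it owns. Whether the real fix belongs in the plugin's `unwrap_java_wrapper` callback or in the fallback path is exactly the question this comment raises; the table above is one way to make the fallback safe rather than a description of what was shipped.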
handle return from JPI is invalid

*** This bug has been marked as a duplicate of 200016 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified Duplicate. Marc: thank you for this report. You have been cc'ed on bug 200016 so you can follow progress on this issue -
Status: RESOLVED → VERIFIED
Any chance something can be done about this? They're talking about it on Bugtraq and it makes the Mozilla project look uninterested in security issues.
illtud@illtud.com: this bug has been resolved as a duplicate report. Any questions or comments should be posted at the original report, bug 200016. That is where any progress is going to occur -
Product: Core → Core Graveyard