Closed Bug 224649 Opened 21 years ago Closed 20 years ago

javascript tries to set property of java object fails

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7final

People

(Reporter: xiaobin.lu, Assigned: jst)

References

(
URL
)

Details

Attachments

(2 files, 1 obsolete file)

Testcase
1.40 KB, application/octet-stream
Details
Add missing '\'.
8.57 KB, patch
jst
: review+
jst
: superreview+
chofmann
: approval1.7+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007

Javascript can't set public field of java object.

I attached the java file and a html page. After further debugging into the 
issue, I think this bug should belong to javascript engine instead of 
liveconnect.

Here is my analysis:
 If I write something like below in javascript:
       docuement.appletObject.TEST_MESSAGE = 20;

  Javascript engine will call js_SetProperty (See js\src\jsobj.c), here is the 
code:
        if (!js_LookupProperty(cx, obj, id, &pobj, (JSProperty **)&sprop))
        return JS_FALSE;

    if (sprop && !OBJ_IS_NATIVE(pobj)) {
        OBJ_DROP_PROPERTY(cx, pobj, (JSProperty *)sprop);
        sprop = NULL;
    }

    The js_LookupProperty will succeed, however, since OBJ_IS_NATIVE returns 
false, it will execute OBJ_DROP_PROPERTY. OBJ_IS_NATIVE is a macro like below:
      #define MAP_IS_NATIVE
(map)                                                    \
    ((map)->ops == &js_ObjectOps ||                                           \
      ((map)->ops && (map)->ops->newObjectMap == js_ObjectOps.newObjectMap))  
#define OBJ_IS_NATIVE(obj)  MAP_IS_NATIVE((obj)->map)

 Since obj is a really a JavaObject(if you are familiar with liveconnect), so 
the map->ops won't be &js_ObjectOps or the newObjectMap won't be 
js_ObjectOps.newObjectMap. So the OBJ_IS_NATIVE will return false. This case 
the property be dropped from the object, I guess.

   I want to know whether javascript here does the right thing. Could some 
javascript guru evaluate this and tell us is this a liveconnect bug or 
javascript problem?

    






Reproducible: Always

Steps to Reproduce:
1. Open Mozilla
2. Visit the Test.html

Actual Results:  
The second dialog box shows "Value of MyApplet.getTestMessage():Test"

Expected Results:  
The second dialog box shows "Value of MyApplet.getTestMessage():20"

This works for Netscape 4.7 and IE.
Attached file Testcase 
The testcase contains a Java class/source file & a html page.
cc'ing Brendan, Mike on this question -
OBJ_DROP_PROPERTY doesn't remove properties from objects, it simply drops a
reference used for controlling the lifetime of the JSProperty in question.  Do
you see the liveconnect property-setter being called, for your test in question?
Sorry, the JS engine code is correct.  Can you say what is going wrong in more
detail?

/be
Component: JavaScript Engine → Java: Live Connect
The setter of the liveconnect object(jsj_JavaObject::setPropertybyId) is not 
getting called.

Let me try to clarify.
 
In Javascript, I wrote something like: "document.myApplet.TEST_MESSAGE = 20", 
this will call into jsobj.c:js_SetProperty. Here is the code from lxr:
          
     if (!js_LookupProperty(cx, obj, id, &pobj, (JSProperty **)&sprop))
          return JS_FALSE;
 
     if (sprop && !OBJ_IS_NATIVE(pobj)) {
         OBJ_DROP_PROPERTY(cx, pobj, (JSProperty *)sprop);
         sprop = NULL;
     }
     
     attrs = JSPROP_ENUMERATE;
     flags = 0;
     shortid = 0;
     clasp = OBJ_GET_CLASS(cx, obj);
     getter = clasp->getProperty;
-->  setter = clasp->setProperty;
    
  js_LookupProperty will call the liveconnect lookupProperty correctly. I 
noticed that the setter has been set to "XPC_WN_Helper_SetProperty" during my 
debugging. And I think something maybe wrong here and finally cause the wrong 
method to get called. (Just my thought, should we try to get "proto" object 
and if proto is not native object, call "OBJ_SET_PROPERTY"? This is just my 
thought got from the "js_LookupProperty".) 




ECMA-262 Edition 3 section 8.6.2.2 says that js_SetProperty has to work that
way.  If the property does not exist in the object itself (only on a prototype,
whether native or host object -- step 3 in 8.6.2.2), then a new property is
created which "shadows" the proto-property (step 6).

Why was js_SetProperty even called here?  Shouldn't JavaObject_setPropertyById
have been called instead, if you were setting the property of a JavaObject?

Note that js_SetProperty assumes OBJ_IS_NATIVE(obj).  If you were to implement a
non-native JSObjectOps, and point its setProperty hook at js_SetProperty, you
would create an invalid situation.

/be
Assignee: general → xiaobin.lu
Is the applet object a native (JSObjectOps) object, whose prototype is a Java
(JavaObject_ops) object?  That can't work, given how ECMA specifies [[Put]],
also known as JSObjectOps.setProperty, must work.

/be
Cc'ing DOM guys in case there's some bogus prototyping going on (see comment 7).

/be
When the browser tries to get the Java object, it creates a JSObject ( I think 
it is a xpc wrapped native embed node) whose prototype is the JSObject wrapped 
around the real applet object. The code is in nsDOMClassInfo.cpp:line 5727 (
nsHTMLExternalObjSH::PostCreate). That is why js_SetProperty is called instead 
of "JavaObject_setPropertyById". 

The problem is if we delegate the call to js_SetProperty of that xpc embed node, 
should we consider how to set the property in its prototype object? As Brendan 
commented (comment #6), if the logic inside js_SetProperty is right, then there 
must be something wrong in the xpconnect code. Since when we put the JavaObject 
as a prototype object in a xpc wrapped native embed node, we should consider how 
to set the property of the its prototype.
 
When did this regress?  The patch checked in for bug 12367 was different from
the only attachment in that bug, but I don't know why.  I know why the patch
checked in for that bug (rev 3.98 of js/src/jsobj.c) does what it does -- it
does that for ECMA conformance, per comment 6.  But the patch in 12367 does what
the code in nsHTMLExternalObjSH::PostCreate expects.

jst, do you remember any of this?

/be
Rev 3.98 of jsobj.c was checked in over two years ago, on 03-Sep-2001.

/be
Component: Java: Live Connect → DOM HTML
Reassign to DOM guy.
Assignee: xiaobin.lu → jst
And the QA, too -
QA Contact: PhilSchwartau → ian
Brendan, I'm curious why the patch for bug 12367
(http://bugzilla.mozilla.org/attachment.cgi?id=47921&action=view) is different
from the real code
(http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#2704)? Using the
original patch, setting the field value of java object will be successful.
Kyle, I know -- that's what I said in comment 10, second sentence.  But I went
on to say that I don't know why the patch wasn't what was checked in.  And that
I do know that the checked-in change was necessary to preserve ECMA conformance,
per comment 6 first paragraph.

The patch attached to bug 12367 is not valid per ECMA-262.

The issue I raised in comment 11 (and comment 10) is this: why wasn't this
broken for the last two years?  Or was it broken, and no one noticed?

I'll try to find jst on IRC and figure out the real fix.

/be
Brendan, first, sorry for not being aware that you already mentioned that;
second, I still think the original patch does not break ECMA conformance. 
  if (sprop && !OBJ_IS_NATIVE(pobj)) 
means the property was found, and it's not a native object, so we should go to
ECMA-262 Edition 3 section 8.6.2.2 step 4 - call the object's setProperty
method, rather than pretending the property was not found (set sprop = NULL).
I think the reason, that no one noticed this issue before, is partly because of
the poor performance of js->java call. Even with the simplest test case, it will
take 3+ minutes to complete the first js->java call on my P4 1.8GHz windows box.
Re: comment 16: you are misreading the code and/or the ECMA spec.  The code in
js_SetProperty has a non-null sprop, but it comes from a non-native object pobj,
returned from the call to js_LookupProperty.  That means it comes from a
prototype object of obj, the input parameter to js_SetProperty that is a native
object (by definition -- otherwise you wouldn't have called js_SetProperty on obj).

Since pobj is a prototype, sprop is not "in" obj in the sense of the spec, and
ECMA-262 Edition 3 8.6.2.2 step 3 applies.

Re: comment 17: I cannot believe it takes 3 minutes to call from JS into Java on
such a fast machine.  What is going on?  Are a ton of classes being loaded? 
Whatever the problem, that performance problem is fatal to LiveConnect.  Is
there a bug on file to track that performance problem?

/be
The reason of liveconnect preformace lies in its agrresive reflection to the 
javaobject/javaclass. One of the main goals of JEA design is to resolve the 
performance problem of liveconnect. It utilizes the similar idea as Microsoft 
IDispatch mechanism to do the scripting.
Xiaobin, thanks for confirming that.  Isn't it the case that LiveConnect used to
perform better?  What changed?  I'm in favor of JEA (I hope you're looking at
the IDispatch support added to xpconnect by dbradley), but if we used to have
better LiveConnect performance with OJI, can't we do something in the short run
to recover that better performance?

/be
The reason of the bad performance of liveconnect is due to the current 
implementation of liveconnect module itself. We never have a better performance 
since then.

There is a way to get a good performance with the current implementation which 
will involves a lot change. I would rather persue the change in JEA. We are now 
busy with the implementation/prototyping. And I got it to work with 
JavaObject already and the performace is comparable to Netscape 4.x liveconnect 
implementation. 

The JEA implementation of liveconnect still uses the current hook between 
javascript engine and liveconnect (JSObjectOps), but the internal 
implementation uses the similar idea of IDispatch (e.g, getPropertybyID will 
call getIDOfName etc). I haven't got a chance to talk to dbradley to see how it 
can utilize the hook of xpconnect IDispatch engine. But I would rather to make 
the current thing work better and later on we can think how to improve it to 
utilize the xpconnect IDispatch stuff.
I have some time to look into this problem again. 

As shown in the picture at the end of nsHTMLExternalObjSH::PostCreate(), every
applet object is wrapped by a xpc native node:

  // this.__proto__.__proto__.__proto__
  //   ^      ^         ^         ^
  //   |      |__ pi (plugin instance) wrapper, most likely wrapped
  //   |          by LiveConnect
  //   |__ xpc wrapped native embed node

Whenever we call the lookupProperty/getProperty/setProperty methods of an
applet, it always goes to js_LookupProperty/js_GetProperty/js_SetProperty
(through XPC_WN_NoCall_JSOps). 

An applet object not only has java properties, but also has DOM properties. In
js_LookupProperty, we try to find the native property at first, then over to
obj.proto if failed (http://lxr.mozilla.org/mozilla/source/js/src/jsobj.c#2481).
Same thing we did in js_GetProperty
(http://lxr.mozilla.org/mozilla/source/js/src/jsobj.c#2652). So we should *not*
assume that every obj goes into js_SetProperty is native.
I noticed that the setProperty of java applet was already broken in mozilla 1.0
that is the earliest mozilla I can find.
> So we should *not* assume that every obj goes into js_SetProperty is native.

Yes, we should and do -- you mean "we should *not* assume that every native
object has a native prototype" I think -- but js_SetProperty handles that case
too, per ECMA-262 (it creates a shadowing property directly in the native
object, which hides or "shadows" the prototype's property of the same id).

So the way plugins are prototyped is in conflict with ECMA-262.  We need a way
to merge the DOM and applet objects without using prototyping.  One way to do it
is with a DOM object whose class hooks know how to get and set properties in the
applet, too.  jst, how hard would that be?

/be
Modifying the way plugins are prototyped is a big change. Can we just take this
1-line patch as a short term workaround until we rewrite the whole plugins
prototyping things? This bug is a blocker of liveconnect funtionality.

RCS file: /cvsroot/mozilla/js/src/jsobj.c,v
retrieving revision 3.155
diff -p -u -r3.155 jsobj.c
--- jsobj.c     11 Feb 2004 07:21:59 -0000      3.155
+++ jsobj.c     30 Mar 2004 09:08:24 -0000
@@ -2707,7 +2707,7 @@ js_SetProperty(JSContext *cx, JSObject *
  
     if (sprop && !OBJ_IS_NATIVE(pobj)) {
         OBJ_DROP_PROPERTY(cx, pobj, (JSProperty *)sprop);
-        sprop = NULL;
+        return OBJ_SET_PROPERTY(cx, pobj, id, vp);
     }
  
     /*
URL: jar:http://bugzilla.mozilla.org/attac...
OS: Windows XP → All
Why should we violate the ECMA spec to fix LiveConnect?  That patch will have
bad effects for the usual case, where there is a N:1, not a 1:1, relationship
between the direct object (the plugin DOM object) and its prototype (the applet
object).  Then any setting of a property in a non-native prototype shared among
N direct objects will collide in the prototype, rather than shadow the
proto-property with a native, direct property of the same id.

Kyle, you make a good point that redoing the prototype chain now is a bigger fix
than needed.  A minimal fix in nsDOMClassInfo.cpp is not that hard; it should
avoid hacking directly into the JS engine in a code path not specific to this
LiveConnect special case.  I can't stress enough how important it is to make
hacks and workarounds (and even ultimate fixes, if they require special case
code) be as local to the situation they address as possible -- until you have
enough instances of the special case to generalize into a lower layer.

Attaching a first cut patch.  I'm not going to have time to push it through
testing and review, but if others can help do those tasks, I can approve it for 1.7.

/be
Kyle, can you remove your jsobj.c patch and test this patch?  Thanks.

/be
Attachment #145120 - Flags: superreview?(jst)
Attachment #145120 - Flags: review?(jst)
Note that that patch needs an '\' at the end of the line:

+#define EXTERNAL_OBJ_SCRIPTABLE_FLAGS
Attached patch Add missing '\'.Splinter Review 

    
  

        Attachment #145120 -
        Attachment is obsolete: true

        Attachment #145120 -
        Flags: superreview?(jst)

        Attachment #145120 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 145128 [details] [diff] [review]
Add missing '\'.

r+sr=jst

        Attachment #145128 -
        Flags: superreview+

        Attachment #145128 -
        Flags: review+

    
    

    
  
Let's get this tested and I'll get another driver to approve the patch for 1.7.

/be
Flags: blocking1.7+

    
    

    
  
Comment on attachment 145128 [details] [diff] [review]
Add missing '\'.

I tested it. It works like a charm. Thanks for fixing this. Should we do the
equivalent to the GetProperty?

    
    

    
  
Comment on attachment 145128 [details] [diff] [review]
Add missing '\'.

Kyle: there's no need for extra work in the getProperty case, because the
shadowing problem doesn't exist for get -- only for set ([[Put]] in ECMA
terms).  You can get an id from an object o, and if it has a prototype p in
which id is defined, you'll find that property without creating a property in o
that hides the one in p.  Only if you are setting o[id] will you potentially
make a shadowing property, per ECMA.

Going for 1.7 approval so jst can do the checkin.

/be

        Attachment #145128 -
        Flags: approval1.7?

    
    

    
  
okay, thanks for the clear and throughout explanation.
Target Milestone: --- → mozilla1.7final

    
    

    
  
Comment on attachment 145128 [details] [diff] [review]
Add missing '\'.

a=chofmann for 1.7

        Attachment #145128 -
        Flags: approval1.7? → approval1.7+

    
    

    
  
Fix checked in. Thanks for the patch, brendan!
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
  
Component: DOM: HTML → DOM: Core & HTML
QA Contact: ian → general

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: