Closed Bug 225423 Opened 21 years ago Closed 21 years ago

Loading URL crashes Moz [@ JavaObject_getPropertyById ]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.6beta

People

(Reporter: wolruf, Assigned: brendan)

References

(
URL
)

Details

(4 keywords, Whiteboard: fix eta: 2003-nov-25)

Crash Data

Attachments

(2 files)

DrWatson Win2k stack FB 20031113
83.26 KB, text/plain
Details
proposed fix
6.14 KB, patch
shaver
: review+
asa
: approval1.6b+
Details | Diff | Splinter Review 
build ID: 20031111 on Win2k + Sun's JRE 1.4.2_02

Steps to reproduce crash:
1. Load URL http://www15.placeware.com/cc/test/check.html
2. Wait until Java loads
3. Mozilla crashes.

Doesn't crash IE6 + JRE 1.4.2_02
stack was generated through Dr.Watson, can someone provide a Talkback ID or
proper stack in the time being (I won't get access to such a computer today) ?
Keywords: stackwanted
---> Java: OJI
Assignee: live-connect → joshua.xia
Component: Java: Live Connect → Java: OJI
QA Contact: PhilSchwartau → general
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031030
Java Plug-in 1.4.2_02 for Netscape Navigator (DLL Helper)

I´m just trieing to get you a TalkbackID, didn´t succed so far. Loading this
page was brought my memory down, but my memory manager recovered some.
The website tells me I should use a more modern browser:

There are one or more problems preventing you from entering the meeting. Please
correct the problem(s) below, then click here to try again.

    * You must change your Platform configuration to use PlaceWare.
      You are using an unsupported browser, Netscape Communicator 5. PlaceWare
will not run using this browser. For the best experience we recommend using
Microsoft Internet Explorer 4 through 6, Netscape Communicator 4.06 through
4.79, or Netscape 7.
*** Bug 224781 has been marked as a duplicate of this bug. ***
This worked fine with the MozillaFirebird 11/03 nightly and not with the 11/04
nightly.
Flags: blocking1.6b?
Flags: blocking1.6b? → blocking1.6?
*** Bug 225696 has been marked as a duplicate of this bug. ***
from checkins in the regression window 11/03 to 11/04, bug 212563 could be a
culprit as the sites crashing involve creating frames through JS with
document.write.
bug 224781 comment 8 mentions the patch for bug 212563 (attachment 134397 [details] [diff] [review]) could
be wrong: anyone tried this bandaid ?
Assignee: joshua.xia → events
Component: Java: OJI → DOM Events
QA Contact: general → ian
What's the stack backtrace?  I don't see one here.

/be
Flags: blocking1.6b?
Brendan, see comment 1, I cannot generate a proper Talkback ID yet so I got it
from DrWatson, I will post the full stack from DrWatson but I'm not sure if it
can bring more information.

    
    

    
  
Re commnet #7.

I am the person who mentioned the patch for bug 212563 as a possible cause. 
This was before this was found to be more related to java.  At the time the only
known crash was logging in to https://certadmin.entrust.com and that page:

1.  uses a java login applet
2.  the resultant page (after login) uses frames
3.  Is password protected
4.  Is SSL

Trying to find patches related to any of those, the checkin for bug 212563 kind
of stood out.

That cehcikin could still be the culprit, but based on the Dr.Watson stacktrace,
however, I am more suspicious of <a
href="http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=PhoenixTinderbox&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=11%2F03%2F2003+12%3A23%3A00&maxdate=11%2F03%2F2003+12%3A24%3A00&cvsroot=%2Fcvsroot">this</a>
checkin.

    
    

    
  
What's the relationship between this bug and bug 222237?  Is this a DUP? 
Anyway, why is this DOM Events instead of Java: LiveConnect?

/be

    
    

    
  
Bug 222237 was submitted on October 15th.  This bug was not introduced until the
November 3rd/4th timeframe.  They are seperate problems.

    
    

    
  
Someone needs to reproduce under a debugger, and get the line number in
jsj_JavaObject.c, and ideally the bad state in registers, local memory, etc.

/be

    
    

    
  
I think I'm hitting this bug with all the unofficial MozillaZine nightlies
beyond 20031103. I use the P4/SSE nightlies advertised in the MozillaZine
Firebird Builds forum, and every single one beyond 20031103 hits this bug.

This is for the Linux versions of MozillaFirebird.

To reproduce:

1. Install Java SDK 1.4.2.
2. Use the Netscape6.1 gcc3.2 plugin.
3. Go to www.hushmail.com.
4. Attempt to log in with a valid HushMail account.

When the browser tries to load the HushMail.com Encryption Engine, the browser
crashes with no errors.

    
    

    
  
There are many sites that exhibit this issue.  However, the only one that has
been found for which you don't need a valid login to cause the crash is the one
in the original report.  The easiest way to reproduce is to just visit:

http://www15.placeware.com/cc/test/check.html

That said, the fact that you cannot reach that site is NOT why this has been
nomated as a release blocker.  There are numerous on-line banking and other
financial sites that use a JAVA Applet login that crash upon successful login. 
Also the Entrust site for certificate management (https://certadmin.entrust.com)
exhibits this problem.

    
    

    
  
One additional point that I left out.  This bug is NOT about
liveconnect/placeware not working with Mozilla.  That is BUG #184176.  This new
bug was introduced recently.  Before this bug was introduced, the placeware test
URL would return a page saying the browser is NOT supported.  With this bug the
browser crashes.

    
    

    
  
*** Bug 226461 has been marked as a duplicate of this bug. ***

    
    

    
  
Backing out Brendan's 11/03/2003 12:23 PST checkin to jsinterp.c corrects this
issue.  I am not sure exactly what the issue was that this patch was supposed to
be fixing as it does not appear to be associated with any bug.

    
    

    
  
It appears that checkin was part of the fix for bug 196097

    
    

    
  
I wonder if perhaps it would be safer to put the code in jsinterp back the way
it was and add a seperate call to ComputeThis for the noSuchMethod case rather
than trying to move the existing one.  That way this change will only affect the
No Such Method case without any other side effects.

    
    

    
  
Taking.

/be
Assignee: events → brendan
Component: DOM Events → JavaScript Engine
Flags: blocking1.6b? → blocking1.6b+
QA Contact: ian → PhilSchwartau

    
  
Status: NEW → ASSIGNED
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.6beta

    
    

    
  
According to the changelogs, the bug brendan was working on was probably bug
196097. The fix might have been a follow up to that code.
See also bug 224956 a regression introduced by the same checkin.

    
    

    
  
Will the reversion of Mr. Brendan's change affect the Linux nightly trunk?

    
    

    
  
*** Bug 226654 has been marked as a duplicate of this bug. ***

    
    

    
  
Here is the stack per Olivier request:
	jsj3250.dll!jsj_GetClassInstanceMembers()  Line 600	C++
 	jsj3250.dll!jsj_JavaInstanceMethodWrapper(JSContext * cx=0x0196c3c0, JSObject
* obj=0x01a437c0, unsigned int argc=0, long * argv=0x01ab2a2c, long *
vp=0x0012ec58)  Line 1800 + 0x11	C++
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, unsigned int flags=)
 Line 932 + 0x1c	C
 	js3250.dll!js_Interpret(JSContext * cx=0x0196c3c0, long * result=0x0012ef40) 
Line 2954	C
 	js3250.dll!js_Execute(JSContext * cx=0x00000001, JSObject * chain=0x01a443e8,
JSScript * script=0x0195b048, JSStackFrame * down=0x0012f128, unsigned int
special=32, long * result=0x0012ef40)  Line 1148	C
 	js3250.dll!obj_eval(JSContext * cx=, JSObject * obj=, unsigned int argc=, long
* argv=, long * rval=)  Line 1069 + 0x11	C
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, unsigned int flags=)
 Line 932 + 0x1c	C
 	js3250.dll!js_Interpret(JSContext * cx=0x0196c3c0, long * result=0x0012f0fc) 
Line 2954	C
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, unsigned int flags=)
 Line 949 + 0xb	C
 	js3250.dll!js_Interpret(JSContext * cx=0x0196c3c0, long * result=0x0012f304) 
Line 2954	C
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, unsigned int flags=)
 Line 949 + 0xb	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x00000000, JSObject *
obj=0x01a56820, long fval=26486216, unsigned int flags=0, unsigned int
argc=26657772, long * argv=0x0012f4cc, long * rval=0x0012f478)  Line 1026 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x0196c3c0, JSObject *
obj=0x01a56820, long fval=26486216, unsigned int argc=1, long * argv=0x0012f4cc,
long * rval=0x0012f478)  Line 3572 + 0x26	C
 	jsdom.dll!nsJSContext::CallEventHandler(void * aTarget=0x01a56820, void *
aHandler=0x019425c8, unsigned int argc=1, void * argv=0x0012f4cc, int *
aBoolResult=0x0012f4c8, int aReverseReturnResult=0)  Line 1245 + 0x1b	C++
 	jsdom.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x0124eb20) 
Line 182	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsIDOMEventTarget *
aCurrentTarget=0x019c25c8, unsigned int aSubType=1, nsCxPusher pusher={...},
nsCOMPtr<nsIJSEventListener> jslistener={...}, nsCOMPtr<nsIScriptContext>
scriptCX={...})  Line 1420 + 0x9	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsIPresContext *
aPresContext=0x00000008, nsEvent * aEvent=0x0012f75c, nsIDOMEvent * *
aDOMEvent=0x0012f6e8, nsIDOMEventTarget * aCurrentTarget=0x019c25c8, unsigned
int aFlags=7, nsEventStatus * aEventStatus=0x0012f788)  Line 1513 + 0x24	C++
 	jsdom.dll!GlobalWindowImpl::HandleDOMEvent(nsIPresContext *
aPresContext=0x01b29840, nsEvent * aEvent=0x0012f75c, nsIDOMEvent * *
aDOMEvent=0x0012f6e8, unsigned int aFlags=1, nsEventStatus *
aEventStatus=0x0012f788)  Line 846	C++
 	gklayout.dll!DocumentViewerImpl::LoadComplete(unsigned int aStatus=0)  Line
909 + 0x48	C++
 	docshell.dll!nsDocShell::EndPageLoad(nsIWebProgress * aProgress=0x60142bbd,
nsIChannel * aChannel=0x013cbfe4, unsigned int aStatus=26514904)  Line 4326	C++
 	necko.dll!nsHttpChannel::GetURI(nsIURI * * URI=0x00000000)  Line 2615	C++
 	gklayout.dll!nsBoxFrame::GetPrefSize(nsBoxLayoutState & aBoxLayoutState={...},
nsSize & aSize={...})  Line 930 + 0x12	C++
 	gklayout.dll!nsGfxScrollFrame::GetScrollbarSizes(nsIPresContext *
aPresContext=0x77f473f3, int * aVbarWidth=0x019930e0, int *
aHbarHeight=0x00000028)  Line 324 + 0x12	C++
 	ntdll.dll!_RtlpAllocateFromHeapLookaside@4()  + 0x2d	
 	ntdll.dll!_RtlpFreeToHeapLookaside@8()  + 0x1f	
 	ntdll.dll!_RtlFreeHeap@12()  + 0xfc	
 	msvcr71.dll!free(void * pBlock=0x878b0000)  Line 103	C
 	0001fc45()	



    
    

    
  
Exact message is:

Unhandled exception at 0x60b56bf0 (jsj3250.dll) in MozillaFirebird.exe:
0xC0000005: Access violation reading location 0x00000015.

Code around the crash:

JavaMemberDescriptor *
jsj_GetClassInstanceMembers(JSContext *cx,
                            JNIEnv *jEnv,
                            JavaClassDescriptor *class_descriptor)
{
    if (class_descriptor->instance_members_reflected != REFLECT_COMPLETE)

60B56BF0  cmp         dword ptr [edi+14h],2 <=========== CRASH HERE

60B56BF4  push        esi  
60B56BF5  mov         esi,eax 
60B56BF7  je          jsj_GetClassInstanceMembers+52h (60B56C42h) 
        reflect_java_methods_and_fields(cx, jEnv, class_descriptor, JS_FALSE);
60B56BF9  cmp         dword ptr [edi+14h],0 
60B56BFD  jne         jsj_GetClassInstanceMembers+52h (60B56C42h) 
60B56BFF  push        0    
60B56C01  push        edi  
60B56C02  push        ebx  

Registers:

EAX = 01540938 EBX = 01A341F8 ECX = 00000000 EDX = 01ACD8C0 
ESI = 01A341F8 EDI = 00000001 EIP = 60B56BF0 ESP = 0012EBBC 
EBP = 00000001 EFL = 00010202 

00000015 = ???????? 




    
    

    
  
So class_descriptor == 0x1? cute

    
    

    
  
There's an ancient, ugly data dependency from ComputeThis to the
liveconnect-only clasp->convert calling code in js_Invoke, which obviously broke
when I moved the call to ComputeThis up to come early in js_Invoke.  I'm
developing a fix; I hope to have a patch by tomorrow a.m.

/be
Whiteboard: fix eta: 2003-nov-25

    
    

    
  
*** Bug 226485 has been marked as a duplicate of this bug. ***

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed fixSplinter Review
      

    


  
Back out jsinterp.c rev 3.130, rework the necessary follow-on fix to
ComputeThis only in the JS_HAS_NO_SUCH_METHOD special case.  See the comment
there. 

Nit-picked a ComputeThis-related comment error (no code change).

/be

    
    

    
  
Comment on attachment 136325 [details] [diff] [review]
proposed fix

So LiveConnect lets Java methods reflect as first class JS functions, but
they're unlike JS functions in that they are "bound" to their containing object
so that object is always the |this| parameter when a method is invokved.

If you say var m = applet.method; m(), |this| will still be applet.  In JS,
|this| binds dynamically to the global object, or more precisely, the object at
the end of m's parent-linked scope chain.

Rev 1.130 moved the call to ComputeThis, the subroutine of js_Invoke that
implements most of the |this| binding logic,  up above the LiveConnect-oriented
special case that converts (via clasp->convert) a JavaMember object that stands
for a field or method (and can handle overloading) into a method-reflecting JS
function object (with the right JSFUN_BOUND_METHOD flag and parent slot).  That
left the LiveConnect code holding a bogus |this| parameter, not applet in the
example, but a global object, probably a DOM window.  Wrong-shaped private data
=> rapid death.

/be

        Attachment #136325 -
        Flags: review?(shaver)

        Attachment #136325 -
        Flags: approval1.6b?

    
    

    
  
I'm guilty in the last comment of misusing "dynamic" to describe JavaScript's
|this|-binding rule.  If it were dynamic in the same sense as dynamic scoping,
then you'd expect the callee's |this| to be the same as the caller's |this|, or
strictly induced by the caller's |this|.  In my opinion, it's a botch in the
Edition 3 version of the ECMA-262 spec that nested functions do not bind |this|
that way.

Instead, whether nested or not, the callee function's |this| depends on the
object to the left of the last dot in the caller's invocation expression.  If
there is no such object to the left of a dot (as in the m() case), then |this|
binds to the last object on the scope chain linked by __parent__ that starts at
the callee object.  (As usual, dot and bracket notation to access a property are
equivalent.)

JS has used this rule forever; it's necessary for top-level functions (but not
for nested functions, again in my opinion) in lieu of method declarations, in
order to let function-valued properties bind |this| to the object containing the
property, for poor-man's or class-less methods.

So |this|-binding in JS could be called "invocation-based", or some such made up
term.  Is there a better existing term in programming language theory?

/be

    
    

    
  
I wrote:

> If there is no such object to the left of a dot (as in the m() case), then
> |this| binds to the last object on the scope chain linked by __parent__ that
> starts at the callee object.  (As usual, dot and bracket notation to access a
> property are equivalent.)

I misspoke here.  In the m() case, the value of m, or its scope chain, does not
matter.  What matters is in which property m is bound.  If m is a local
variable, then conceptually it's the property of an activation object.  Per
ECMA-262, such objects are never exposed, even via |this| -- they are censored.
 Instead, in the spec, null is used temporarily, and when the property reference
base of null is used as a |this| parameter, the "global object" is substituted
for null.

In real-world web browsers (something neither the w3c DOM specs, nor ECMA-262,
bother to spec), there are many global objects.  Hence the use of parent-linked
scope chains to find top-level objects at the end of such chains, so that
multi-window/frame web-page JS does not suffer from dynamic scoping.  See this
comment from ComputeThis:

        /*
         * ECMA requires "the global object", but in the presence of multiple
         * top-level objects (windows, frames, or certain layers in the client
         * object model), we prefer fun's parent.  An example that causes this
         * code to run:
         *
         *   // in window w1
         *   function f() { return this }
         *   function g() { return f }
         *
         *   // in window w2
         *   var h = w1.g()
         *   alert(h() == w1)
         *
         * The alert should display "true".
         */

Anyway, whether "global" or "top-level", the point is that for an invocation
expression of the form m(), there is no object to the left of the last dot in
the callee expression (m).  So the object in which m is bound is used as |this|,
unless it's an activation object, in which case (via a null intermediate, in the
ECMA spec), the right global object will be bound to |this| in the invocation.

To reiterate the criticism of nested function |this| binding in ECMA-262 Ed. 3:
a nested function binds a property of the activation object of the outer
function, therefore, as with local var m, activation-object-censoring kicks in
and causes |this| for the inner function being invoked to bind to the global (a
global ;-) object.  Which sucks if the inner function wants |this| to bind to
the outer function's |this|, a common case.  The usual workaround is something
like this:

  function outer(a, b) {
    var self = this;
    function inner(c) {
      return self.some_method(a, b, c);
    }
    return inner;
  }

/be

    
    

    
  
Comment on attachment 136325 [details] [diff] [review]
proposed fix

This looks OK.	r=shaver.

        Attachment #136325 -
        Flags: review?(shaver) → review+

    
    

    
  
Comment on attachment 136325 [details] [diff] [review]
proposed fix

a=asa (on behalf of drivers) for checkin to 1.6beta

        Attachment #136325 -
        Flags: approval1.6b? → approval1.6b+

    
    

    
  
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
    

    
  
wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6b) Gecko/20031125
Tinderbox BuildID 2003112523

tested URLs of dupes: Bug 224781, Bug 225696, Bug 226654 all working.

At first, testcase 1 of Bug 226485 seemed to work, but when I closed the tab,
all the contents of all other tabs was gray, contents was only redrawn in the
area used by opening and closing a menu.
Trying to reload didn´t succeed, throbber was spinning forever.
Didn´t retry.

    
    

    
  
re comment #38.  did you have valid logins for all the URLs you tested?  All the
dupe crashes required a login with a valid username/password to cause a crash.

    
    

    
  
The testcases in Bug 226485 don't require a login.

    
    

    
  
re comment 39:
no, I didn´t try to login, but two of these bugs have been crashing for me.
I don´t remember having tested Bug 224781 before.
Bug 255696 was crashing for me without logging in, before the virtual keyboard
came up, now this is working.
Bug 226654 was crashing for me, the left frame didn´t fill with content.
I didn´t report, as there were enough comments, now this is working.

I tested a bit more on Bug 226485, that one isn´t fixed for me.
Closing the browser, Java stays, closing the tab only the other tabs don´t
display. Had to reboot to get rid of Java, didn´t see it in the taskmanager.


    
    

    
  
Bug 224781 definitley required a login to reproduce the crash as did several
other sites (mostly web mail and banking sites that use java login applets) that
no bug was submited for.  This is actually the case that I am most interested in
making sure it is fixed, not just becuase it is my bug, but also becuase it is
not at all clear to me why a login applet would be using the live-connect feature.

    
    

    
  
OK my Mozilla Firebird build finally completed.  I can now verify that bug
224781 is definietly fixed by this.  I tested under original failure conditions
using Mozilla Firebird and a valid username/password.

Good job Brendan.

    
    

    
  
Both testcases from Bug 226485 (I'm the reporter of this bug)
now work fine with 2003112608 under Windows XP

    
    

    
  
*** Bug 226832 has been marked as a duplicate of this bug. ***

    
    

    
  
Marking Verified FIXED in light of contributors' findings above.
Thanks to all -
Status: RESOLVED → VERIFIED
Flags: blocking1.6?

    
    

    
  
*** Bug 226996 has been marked as a duplicate of this bug. ***
Flags: testcase-
Crash Signature: [@ JavaObject_getPropertyById ]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: