Closed Bug 244952 Opened 20 years ago Closed 20 years ago

Crash creating multiple proxy instance for the same webservice

Categories

(Core Graveyard :: Web Services, defect)

Product:
Core Graveyard
Component:
Web Services
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: chantepie, Assigned: chantepie)

References

Details

(Keywords: crash, fixed-aviary1.0, fixed1.7.5)

Attachments

(4 files, 2 obsolete files)

testcase
2.90 KB, application/gzip
Details
Patch for AVIARY_1_0_20040515_BRANCH
6.65 KB, patch
jst
: review+
jst
: superreview+
asa
: approval1.7.5+
Details | Diff | Splinter Review
Reviewed patch
6.62 KB, patch
Details | Diff | Splinter Review
Trunk patch
2.03 KB, patch
keeda
: review+
keeda
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

When I try to use multiple instance of webservice proxy for the same WSDL (even
if each instance is in different chrome window), it crashes mozilla

Reproducible: Always
Steps to Reproduce:
1. Instanciate the first ws proxy instance
2. Instanciate the 2nd ws proxy instance
3. when the onLoad callback function of the 2nd instance get called it crashes

Actual Results:  
crash

Expected Results:  
works :-)

0x1286ddec in nsSchemaComponentBase::GetTargetNamespace(nsAString&) (
    this=0x1201b368, aTargetNamespace=@0x22b288)
    at c:/Docume~1/cchantepie.INTRANET/mozilla/extensions/webservices/schema/src
/nsSchemaComponentBase.cpp:61
61          return mSchema->GetTargetNamespace(aTargetNamespace);
Could you please provide a testcase ?
Attached file testcase 
Change src for js in the xul file and put all in a chrome app for testing
IP Address for webservices server is 213.41.168.38 (port 52080)
Doesn't forget to add map this ip to ipage-test.corsaire.fr as webservices server
needs it to be accessed through virtual host. Plz tell me if works.
Sorry but the new adresse that will work as long as needed for testing is 
213.41.158.81 (port 52080).
Thanks for the testcase. Purify says this ... 

[E] IPR: Invalid pointer read in
nsSchemaComponentBase::GetTargetNamespace(nsAString&) {1 occurrence}
        Reading 4 bytes from 0x0a2fd9e0 (4 bytes at 0x0a2fd9e0 illegal)
        Address 0x0a2fd9e0 points into a HeapAlloc'd block in unallocated region
of heap 0x02380000
        Thread ID: 0x440
        Error location
            nsSchemaComponentBase::GetTargetNamespace(nsAString&)
[nsschemacomponentbase.cpp:61]
                nsSchemaComponentBase::GetTargetNamespace(nsAString&
aTargetNamespace)
                {
                  if (mSchema) {
             =>     return mSchema->GetTargetNamespace(aTargetNamespace);
                  }
                
                  aTargetNamespace.Truncate();
            nsSchemaComplexType::GetTargetNamespace(nsAString&)
[nsschemaprivate.h:221]
                  virtual ~nsSchemaComplexType();
                
                  NS_DECL_ISUPPORTS
             =>   NS_IMPL_NSISCHEMACOMPONENT_USING_BASE
                  NS_DECL_NSISCHEMATYPE
                  NS_DECL_NSISCHEMACOMPLEXTYPE
                
            nsDefaultEncoder::Decode(nsISOAPEncoding *,nsIDOMElement
*,nsISchemaType *,nsISOAPAttachments *,nsIVariant * *)
[nsdefaultsoapencoder.cpp:1972]
            nsSOAPEncoding::Decode(nsIDOMElement *,nsISchemaType
*,nsISOAPAttachments *,nsIVariant * *) [nssoapencoding.cpp:338]
            nsSOAPBlock::GetValue(nsIVariant * *) [nssoapblock.cpp:177]
            nsSOAPParameter::GetValue(nsIVariant * *) [nssoapparameter.h:59]
            WSPCallContext::CallCompletionListener(void) [wspcallcontext.cpp:353]
            WSPCallContext::HandleResponse(nsISOAPResponse *,nsISOAPCall
*,UINT,int,int *) [wspcallcontext.cpp:153]
            nsHTTPSOAPTransportCompletion::HandleEvent(nsIDOMEvent *)
[nshttpsoaptransport.cpp:533]
            nsXMLHttpRequest::NotifyEventListeners(nsIDOMEventListener
*,nsISupportsArray *,nsIDOMEvent *) [nsxmlhttprequest.cpp:791]

Seems to me that mSchema (which is a weak pointer to something that is supposed
to own nsSchemaComponentBase) has already been deleted.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Looks like an ownership model issue in schema code.

peterv, any idea what might be going on here?
Keywords: crash
Summary: Multiple proxy instance for the same webservice → Crash creating multiple proxy instance for the same webservice
The nsSchemaLoader holds nsISchema's iirc, and the nsWSDLLoader holds a
nsISchemaLoader. But beyond that, I don't know what's happening.
Attached patch Quick patch from harshal (obsolete) — Splinter Review 
Thanx a lot harshal, my mozilla no more crashes :-)
Attached patch Enhanced patch (obsolete) — Splinter Review 
"cvs diff -Npu7" patch
Prevent schema DOM element from being parse again if the schema with the same
'targetNamespace' is already loaded in the hash.
Attachment #150015 - Attachment is obsolete: true
The problem here is (approximately) like this: 

The wsdlloader uses the schemaloader as a service. wsdl parts keep references to
schemacomponents. These are owned by a schema. The components themselves keep
weak pointers to the schema they are owned by. The schemaloader owns all the
schemas and keeps references to them in a hashtable that is keyed on the
targetnamespace.

The testcase creates two wsdlproxies for the same wsdl, one immediately after
the other. When the second wsdlproxy is created, the second wsdlloader asks the
schemaloader to load a schema thats already been loaded by the first one (they
have the same targetnamespace). The old schema is shunted out of the
schemaloader's hashtable, and new one is created. The old schema now doesn't
have anybody holding on to it and is thus destroyed; leaving the first proxy
holding on to references to schemacomponents that are pointing to a deleted
schema. This leads to crashes while decoding the soap message.

The patch that I mailed Cedric (and he attached above) prevented the crash by
not creating a new schema if an old one is present for a particular target
namespace. Cedric's patch seems to do essentially the same thing, but more
efficiently. But I don't know if this is really the right approach. What happens
if the wsdl gets updated and the schema changes? We won't pick up the changes
till mozilla is restarted. Should the schemaloader be a service? The SOAP code
in places just |CreateInstance|'s it. Maybe the wsdl code should do the same. I
really don't know enough to be able to say what the right solution is. Hmmmm...
> if the wsdl gets updated and the schema changes? We won't pick up the changes
> till mozilla is restarted. Should the schemaloader be a service? The SOAP code
> in places just |CreateInstance|'s it. Maybe the wsdl code should do the same. I
> really don't know enough to be able to say what the right solution is. Hmmmm...

It seems that when we change the WSDL content it's recommanded to change the
targetNamespace in order to indicate WSDL version so that the changed WSDL file
will not fit the ancient targetNamespace and will be loaded.

I think using this WSDL version to allow to have some cache and also allow to 
change WSDL. I haven't find more information about the strict syntax that should
be used to add version information into targetNamespace.

Something I don't really understand is why there is schema hash in nsWSDLLoader
whereas there is another hash in nsSchemaLoader which seems more relevant.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #151222 - Flags: review?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: web-services → chantepie
Status: REOPENED → NEW
Comment on attachment 151222 [details] [diff] [review]
Patch for AVIARY_1_0_20040515_BRANCH

Fixes multi wsproxy instances crashes using Apache SOAP as server (with .Net in
some cases)
Attachment #151222 - Flags: review? → review?(jst)
Comment on attachment 151222 [details] [diff] [review]
Patch for AVIARY_1_0_20040515_BRANCH

+  // Schema for given target namespace has already been 
+  if (os) {

Looks like that comment was cut short.

...
+    *_retval = os;
+  } // end of if
+  
+  // Load schema for this new target namespace
+  else {

This is asking for code to be inserted between the if and else. Please rewrite
that as:

...
+    *_retval = os;
+  } else {
+    // Load schema for this new target namespace

And next time, please attach a diff -w version for review, much easier to see
what really changed in cases like this with a whitespace independent diff.

r+sr=jst
Attachment #151222 - Flags: superreview+
Attachment #151222 - Flags: review?(jst)
Attachment #151222 - Flags: review+
Attachment #151222 - Flags: approval1.7.1?
Whiteboard: needed-aviary1.0
Flags: blocking-aviary1.0RC1?
cedric,  if you could attach a final patch with jst's review comments, I can
land this on the aviary branch.
Attached patch Reviewed patchSplinter Review 

    
  
Blocks: 249366

    
    

    
  
Cederic, could you please also post a diff that applies cleanly to trunk so that
someone can check this in for you. 
Flags: blocking-aviary1.0RC1?
Flags: blocking-aviary1.0RC1+
Flags: blocking-aviary1.0+

    
    

    
  
cedric: this patch is against an old cvs version from March, which means the
patch is already bitrotted.  Please unbitrot and submit the patch again :/


    
    

    
  
Oh, I am so there. 

I landed Cedric's Aviary patch since it fixed an update service crash I was
experiencing. 
Keywords: fixed-aviary1.0
Whiteboard: needed-aviary1.0

    
  

        Attachment #150081 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Trunk patchSplinter Review
      

    


  

    
  

        Attachment #154398 -
        Flags: review?(keeda)

    
    

    
  
Comment on attachment 154398 [details] [diff] [review]
Trunk patch

r=me. I think its safe to assume that jst's sr still applies (since this is
basically the same patch.)

        Attachment #154398 -
        Flags: superreview+

        Attachment #154398 -
        Flags: review?(keeda)

        Attachment #154398 -
        Flags: review+

    
    

    
  
Fix checked in on the trunk now too. Marking bug FIXED.
Status: NEW → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED

    
  
OS: Windows 2000 → All
Hardware: PC → All

    
    

    
  
Comment on attachment 151222 [details] [diff] [review]
Patch for AVIARY_1_0_20040515_BRANCH

a=asa for 1.7.x checkin.

        Attachment #151222 -
        Flags: approval1.7.x? → approval1.7.x+

    
  
Keywords: fixed1.7.5

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: