Closed
Bug 23502
Opened 25 years ago
Closed 22 years ago
pnglet images not getting drawn in Mozilla
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
WORKSFORME
People
(Reporter: rbs, Assigned: brendan)
References
()
Details
(Keywords: dom0, Whiteboard: [js1.2])
Attachments
(7 files)
With debug build ID 1999122808, on Win38, Mozilla asserts at the above URL, with the error message: ###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file C:\Mozilla\src\mozilla\dom\src\jsurl\nsJSProtocolHandler.cpp, line 211 NOTES ----- The page uses some nifty JS features to *draw* and *embed* inline PNG images, a la SVG... STEP TO REPRODUCE ----------------- Visit the above URL EXPECTED RESULTS ---------------- There shouldn't be any problems. The page should appear will all images. Nav 4.7 has no problem with the page.
Win38 above should read Win98. I was able to reproduce the problem with following test case: [the directory "pnglet/" contains js files from http://www.elf.org/pnglets/js/, and pnglet/pixel.gif was copied from http://www.elf.org/images/pixel.gif] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Drawing MathML</title> <script type="text/javascript" language="javascript1.2" src="pnglet/Array.js"> </script> <script type="text/javascript" language="javascript1.2" src="pnglet/dataUrl.js"> </script> <script type="text/javascript" language="javascript1.2" src="pnglet/Pnglet.js"> </script> <script type="text/javascript" language="javascript1.2"> // emit a target for a later example image function embedimage(name, vspace) { document.write('<img align="left" width="32" height="32" vspace="', vspace, '" alt="', name, '" name="', name, '" src="pnglet/pixel.gif">'); } // the target names and the functions which compute them var imgdata = new Array( 'pnglet', '', 'pieslice', 'p.pieslice(green, blue, 16,16, 20,20, 0,270)' ); var pnglets = new Object(); var nnMethod = 'javascriptUrl'; function loadimages(i) { function install(name, value) { var p = new Pnglet(32, 32, 8); var black = p.color(0,0,0,0), red = p.color(255,0,0), green = p.color(0,255,0), blue = p.color(0,0,255), white = p.color(255,255,255); eval(value); pnglets[name] = p.output(); if (document.images[name]) { if (nnMethod == 'javascriptUrl') document.images[name].src = "javascript:pnglets."+name; if (nnMethod == 'dataUrl') document.images[name].src = dataUrl('image/png', pnglets[name]); } } if (i+1 < imgdata.length) { install(imgdata[i], imgdata[i+1]); setTimeout("window.loadimages("+(i+2)+")", 10); } } </script> </head> <body text="#ffffff" bgcolor="#000000" onload="javascript:loadimages(0)"> <p><script type="text/javascript">embedimage('pnglet',0)</script> <pre> // a 32 pixel, 8 color image. </pre> <p><script type="text/javascript">embedimage('pieslice',0)</script> <pre> // a 32 pixel, 8 color pieslice; </pre> </body> </html>
Of note, I came across the problem when looking at ways to experiment plotting a function defined with MathML -- that is, while investigating how I can make a demo of dynamic math through the current MathML Mozilla effort. Having these Pnglets could help building such a graphical demo.
Sometimes BugZilla behaves strangely. I unsucessefully tried to create an attachment. I am enclosing it right here. The same example as above. But as a ready-to-use working example. All links are resolved and you can simply save the file on your system for experimentation. [On Nav 4.7, it draws a pieslice.] ======= <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Drawing PNG... a la SVG</title> <script type="text/javascript" language="javascript1.2" src="http://www.elf.org/js/Array.js"> </script> <script type="text/javascript" language="javascript1.2" src="http://www.elf.org/js/dataUrl.js"> </script> <script type="text/javascript" language="javascript1.2" src="http://www.elf.org/js/Pnglet.js"> </script> <script type="text/javascript" language="javascript1.2"> // emit a target for a later example image function embedimage(name, vspace) { document.write('<img align="left" width="32" height="32" vspace="', vspace, '" alt="', name, '" name="', name, '" src="http://www.elf.org/images/pixel.gif">'); } // the target names and the functions which compute them var imgdata = new Array( 'pnglet', '', 'pieslice', 'p.pieslice(green, blue, 16,16, 20,20, 0,270)' ); var pnglets = new Object(); var nnMethod = 'javascriptUrl'; function loadimages(i) { function install(name, value) { var p = new Pnglet(32, 32, 8); var black = p.color(0,0,0,0), red = p.color(255,0,0), green = p.color(0,255,0), blue = p.color(0,0,255), white = p.color(255,255,255); eval(value); pnglets[name] = p.output(); if (document.images[name]) { if (nnMethod == 'javascriptUrl') document.images[name].src = "javascript:pnglets."+name; if (nnMethod == 'dataUrl') document.images[name].src = dataUrl('image/png', pnglets[name]); } } if (i+1 < imgdata.length) { install(imgdata[i], imgdata[i+1]); setTimeout("window.loadimages("+(i+2)+")", 10); } } </script> </head> <body text="#ffffff" bgcolor="#000000" onload="javascript:loadimages(0)"> <p><script type="text/javascript">embedimage('pnglet',0)</script> <pre> // a 32 pixel, 8 color image. </pre> <p><script type="text/javascript">embedimage('pieslice',0)</script> <pre> // a 32 pixel, 8 color pieslice; </pre> </body> </html>
Comment 4•25 years ago
|
||
Travis owns this assert; reassigning to him for a closer look.
Assignee: mccabe → travis
Comment 5•25 years ago
|
||
i just crashed on this page. stack trace: nsJSProtocolHandler::NewChannel(nsJSProtocolHandler * const 0x032d9300, const char * 0x003e1edc ??_C@_04JMJF@load?$AA@, nsIURI * 0x032d91f0, nsILoadGroup * 0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, nsIURI * 0x00000000, unsigned int 0, unsigned int 0, nsIChannel * * 0x0012c590) line 207 + 36 bytes nsIOService::NewChannelFromURI(nsIOService * const 0x00d07270, const char * 0x003e1edc ??_C@_04JMJF@load?$AA@, nsIURI * 0x032d91f0, nsILoadGroup * 0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, nsIURI * 0x00000000, unsigned int 0, unsigned int 0, nsIChannel * * 0x0012c590) line 276 + 59 bytes NS_OpenURI(nsIChannel * * 0x0012c62c, nsIURI * 0x032d91f0, nsILoadGroup * 0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, unsigned int 0, unsigned int 0) line 82 + 58 bytes ImageNetContextImpl::GetURL(ilIURL * 0x032d96b0, NET_ReloadMethod NET_NORMAL_RELOAD, ilINetReader * 0x032d9670) line 670 + 55 bytes IL_GetImage(const char * 0x032d9ce0, _IL_GroupContext * 0x0296d070, OpaqueObserverList * 0x032d9bc0, _NI_IRGB * 0x00000000, unsigned int 32, unsigned int 32, unsigned int 0, void * 0x0296cfd0) line 2068 + 35 bytes ImageRequestImpl::Init(void * 0x0296d070, const char * 0x032d9ce0, nsIImageRequestObserver * 0x032d9e44, const unsigned int * 0x00000000, unsigned int 32, unsigned int 32, unsigned int 0, ilINetContext * 0x0296cfd0) line 259 + 49 bytes ImageGroupImpl::GetImage(const char * 0x032d9ce0, nsIImageRequestObserver * 0x032d9e44, const unsigned int * 0x00000000, unsigned int 32, unsigned int 32, unsigned int 0) line 272 + 46 bytes nsFrameImageLoader::Init(nsFrameImageLoader * const 0x032d9e40, nsIPresContext * 0x029f8780, nsIImageGroup * 0x0296d120, const nsString & {...}, const unsigned int * 0x00000000, const nsSize * 0x00f0aff4, nsIFrame * 0x00f0af78, unsigned int (nsIPresContext *, nsIFrameImageLoader *, nsIFrame *, void *, unsigned int)* ...) line 173 + 57 bytes nsPresContext::StartLoadImage(nsPresContext * const 0x029f8780, const nsString & {...}, const unsigned int * 0x00000000, const nsSize * 0x00f0aff4, nsIFrame * 0x00f0af78, unsigned int (nsIPresContext *, nsIFrameImageLoader *, nsIFrame *, void *, unsigned int)* 0x01ab26d0 nsHTMLImageLoader::ImageLoadCB(nsIPresContext *, nsIFrameImageLoader *, nsIFrame *, void *, unsigned int), ...) nsHTMLImageLoader::StartLoadImage(nsIPresContext * 0x029f8780) line 204 + 63 bytes nsHTMLImageLoader::UpdateURLSpec(nsIPresContext * 0x029f8780, const nsString & {...}) line 249 nsImageFrame::AttributeChanged(nsImageFrame * const 0x00f0af78, nsIPresContext * 0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int 2) line 841 nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 0x02d2eea0, nsIPresContext * 0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int 2) line 7669 + 35 bytes StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x02d297d0, nsIPresContext * 0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 996 PresShell::AttributeChanged(PresShell * const 0x02d2ec98, nsIDocument * 0x02dae560, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 2480 + 57 bytes nsDocument::AttributeChanged(nsDocument * const 0x02dae560, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 1674 nsGenericHTMLElement::SetAttribute(int 3, nsIAtom * 0x017deb80, const nsString & {...}, int 1) line 740 nsHTMLImageElement::SetSrcInner(nsIURI * 0x02db8680, const nsString & {...}) line 806 + 29 bytes nsHTMLImageElement::SetProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, long 15750532, long * 0x0012dd94) line 588 + 33 bytes nsJSUtils::nsCallJSScriptObjectSetProperty(nsISupports * 0x0298fe10, JSContext * 0x0293c0a0, JSObject * 0x02560500, long 15750532, long * 0x0012dd94) line 241 + 27 bytes SetHTMLImageElementProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, long 15750532, long * 0x0012dd94) line 564 + 25 bytes js_SetProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, long 40479872, long * 0x0012dd94) line 2056 + 139 bytes js_Interpret(JSContext * 0x0293c0a0, long * 0x0012df28) line 2240 + 957 bytes js_Invoke(JSContext * 0x0293c0a0, unsigned int 2, unsigned int 0) line 681 + 13 bytes js_Interpret(JSContext * 0x0293c0a0, long * 0x0012e770) line 2273 + 15 bytes js_Invoke(JSContext * 0x0293c0a0, unsigned int 1, unsigned int 0) line 681 + 13 bytes js_Interpret(JSContext * 0x0293c0a0, long * 0x0012efb8) line 2273 + 15 bytes js_Invoke(JSContext * 0x0293c0a0, unsigned int 1, unsigned int 2) line 681 + 13 bytes js_InternalInvoke(JSContext * 0x0293c0a0, JSObject * 0x00f3f958, long 38717248, unsigned int 0, unsigned int 1, long * 0x0012f144, long * 0x0012f0f0) line 754 + 19 bytes JS_CallFunctionValue(JSContext * 0x0293c0a0, JSObject * 0x00f3f958, long 38717248, unsigned int 1, long * 0x0012f144, long * 0x0012f0f0) line 2772 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x0293ade0, void * 0x00f3f958, void * 0x024ec740, unsigned int 1, void * 0x0012f144, int * 0x0012f140) line 562 + 33 bytes nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02e10664) line 128 + 57 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0287a240, nsIDOMEvent * 0x02e10664, unsigned int 1) line 677 + 19 bytes nsEventListenerManager::HandleEvent(nsIPresContext * 0x029f8780, nsEvent * 0x0012fbe4, nsIDOMEvent * * 0x0012f540, unsigned int 7, nsEventStatus * 0x0012fc24) line 1228 + 31 bytes GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0293e7f4, nsIPresContext * 0x029f8780, nsEvent * 0x0012fbe4, nsIDOMEvent * * 0x0012f540, unsigned int 1, nsEventStatus * 0x0012fc24) line 3327 nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x029436d0, nsIDocumentLoader * 0x029453c0, nsIChannel * 0x02db9f50, unsigned int 0) line 3171 + 34 bytes nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x029453c0, nsIChannel * 0x02db9f50, unsigned int 0) line 603 nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 494 nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x029453c4, nsIChannel * 0x0326b120, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 438 nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x02945360, nsIChannel * 0x0326b120, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 535 + 42 bytes nsHTTPChannel::ResponseCompleted(nsIChannel * 0x0326de34, nsIStreamListener * 0x02e13d60, unsigned int 0, const unsigned short * 0x00000000) line 1333 nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const 0x02d3d270, nsIChannel * 0x0326de34, nsISupports * 0x0326b120, unsigned int 0, const unsigned short * 0x00000000) line 256 nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x02d2cfd0) line 279 nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x02d2cf80) line 93 + 12 bytes PL_HandleEvent(PLEvent * 0x02d2cf80) line 526 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00d061e0) line 487 + 9 bytes _md_EventReceiverProc(HWND__ * 0x033b0294, unsigned int 49335, unsigned int 0, long 13656544) line 975 + 9 bytes USER32! 77e71268() 00d061e0()
Keywords: crash
Comment 6•25 years ago
|
||
pulled on 2000-02-06, windows NT.
This should be fixed. Wasn't my bug in the first place, but I think the other places that were causing these problems are fixed now.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Re-opening. Removed 'crash' keywords since it doesn't crash anymore. Added 4xp keyword since the problem now is that Mozilla (tip of the tree) doesn't show the images, which are shown correctly with 4.x. Visit the URL above with Nav 4.x and Mozilla to see the differences.
Re-assigning to default module owner due to REOPEN
Assignee: travis → rogerl
Status: REOPENED → NEW
QA Contact: rginda → pschwartau
Comment 10•24 years ago
|
||
Using Mozilla tip builds 2000-07-12 on WinNT, Linux: Confirming bug as originally stated: the images draw correctly in NN4.7, but will not draw in Moz on either WinNT or Linux. On each OS I noticed this in the JavaScript console: JavaScript error: http://www.elf.org/js/Pnglet.js line 371 : u has no properties I am attaching the file Pnglet.js to this bug for reference. Here are relevant code lines in Pnglet.js leading up to line 371: 326 327 var ind = new Array(n); /* list of vertex indices, sorted by pt[ind[j]].y */ 328 var active = new Array(0); /* start with an empty active list */ 329 330 /* create y-sorted array of indices ind[k] into vertex list */ 331 for (var k = 0; k < n; k += 1) ind[k] = k; 332 ind.sort(function(i1, i2) { return pty(i1) <= pty(i2) ? -1 : 1; }); 333 var k = 0; /* ind[k] is next vertex to process */ 334 var y0 = Math.max(0, Math.ceil(pty(ind[0])+.5)); /* ymin of polygon */ 335 var y1 = Math.min(this.height, Math.floor(pty(ind[n-1])-.5)); /* ymax of polygon */ 336 337 for (var y = y0; y <= y1; y += 1) { /* step through scanlines */ 338 /* scanline y is at y+.5 in continuous coordinates */ 339 340 /* check vertices between previous scanline and current one, if any */ 341 for (; k<n && pty(ind[k]) <= y+.5; k += 1) { 342 /* to simplify, if pt.y=y+.5, pretend it's above */ 343 /* invariant: y-.5 < pt[i].y <= y+.5 */ 344 var i = ind[k]; 345 346 /* 347 * insert or delete edges before and after vertex i (i-1 to i, 348 * and i to i+1) from active list if they cross scanline y 349 */ 350 var j = (i-1+n)%n; /* vertex previous to i */ 351 if (pty(j) <= y-.5) { /* old edge, remove from active list */ 352 cdelete(j); 353 } else if (pty(j) > y+.5) { /* new edge, add to active list */ 354 cinsert(j, y); 355 } 356 if (i != ind[k]) { 357 alert("Your browser's implementation of JavaScript is seriously broken,\n"+ 358 "as in variables are changing value of their own volition.\n"+ 359 "You should upgrade to a newer version browser."); 360 return; 361 } 362 j = (i+1)%n; /* vertex next after i */ 363 if (pty(j) <= y-.5) { /* old edge, remove from active list */ 364 cdelete(i); 365 } else if (pty(j) > y+.5) { /* new edge, add to active list */ 366 cinsert(i, y); 367 } 368 } 369 370 /* sort active edge list by active[j].x */ 371 active.sort(function(u,v) { return u.x <= v.x ? -1 : 1; }); 372 etc.
Comment 11•24 years ago
|
||
Comment 13•24 years ago
|
||
Using Mozilla tip builds 2000-07-14 1PM Pacific Time on WinNT, Linux. Now I am crashing when I try to load the given URL, www.elf.org/pnglets/ The page loads briefly - you can see the page in the browser for a few seconds - but these messages begin appearing in the debug console: ###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file nsJSProtocolHandler.cpp, line 114 ###!!! Break: at file nsJSProtocolHandler.cpp, line 114 WARNING: cell content 0x89398a0 has large height 93390 ###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file nsJSProtocolHandler.cpp, line 114 ###!!! Break: at file nsJSProtocolHandler.cpp, line 114 WARNING: cell content 0x89398a0 has large height 93390 ###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file nsJSProtocolHandler.cpp, line 114 ###!!! Break: at file nsJSProtocolHandler.cpp, line 114 WARNING: cell content 0x89398a0 has large height 93390 ###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file nsJSProtocolHandler.cpp, line 114 etc. etc. And the browser crashes -
Comment 14•24 years ago
|
||
Assignee | ||
Comment 16•24 years ago
|
||
Adding js1.5 keyword, raising severity. /be
Severity: normal → major
Keywords: js1.5
Assignee | ||
Comment 17•24 years ago
|
||
Resummarizing.
Summary: ASSERTION: NS_ENSURE_TRUE(globalOwner) failed → crash in JS engine, called from Array.prototype.sort
Comment 18•24 years ago
|
||
What seems to happen is that the sort function is called with a non object entry in the table (don't know how that happens). This causes 'u.x' to evaluate to NaN and so the comparison always returns 1. Inside js_qsort_r, this value let's the first interior loop continue into negative indices to varying effects depending on the contents of memory.
Status: NEW → ASSIGNED
Comment 19•24 years ago
|
||
The line 'new Array(0)' sets the initial element to the value 0 (since this is run under version 1.2). Anybody know the internals of qsort? I'm thinking that changing that inner loop to : [jsarray.c, line 624, function js_qsort_r()] while (i < j) { for (; j > i ;) { // <--- ADD THIS TO LOOP CONTROL b = (char *)qa->vec + j * qa->elsize; if ((*qa->cmp)(b, pivot, qa->arg) <= 0) break; j--; } memmove(a, b, qa->elsize); comments?
Assignee | ||
Comment 20•24 years ago
|
||
rogerl -- that looks like a fix (nit: why not make it a while loop instead of for(;;)?). Does it cure all ills? /be
Assignee | ||
Comment 21•24 years ago
|
||
Another nit: make the inner loop a do-while to avoid retesting gratuitously on the first iteration. /be
Comment 22•24 years ago
|
||
ok, here's the patch piece: (it's just a piece because I have other changes in jsarray.c with which I didn't want to muddy the waters) @@ -600,13 +621,13 @@ a = (char *)qa->vec + i * qa->elsize; memmove(pivot, a, qa->elsize); while (i < j) { - for (;;) { + do { b = (char *)qa->vec + j * qa->elsize; if ((*qa->cmp)(b, pivot, qa->arg) <= 0) break; j--; - } + } while (j > i); I think it's a cure all - I don't see any other uncontrolled loops.
Assignee | ||
Comment 23•24 years ago
|
||
r,a=brendan@mozilla.org -- let's get this in today when the tree opens, for the next mozilla milestone and so tlundeen@webcrossing.com and other js1.5 customers get it soon. Thanks, /be
Comment 24•24 years ago
|
||
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 25•24 years ago
|
||
Re-opening as the problem reported in the bug is still there with a tip of the tree. I don't know if there has been a regression since your last fix, as I am not seeing the expected graphics on the test page. rogerl, with your build, do you see similar graphics as shown in Nav4.x?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 26•24 years ago
|
||
Rogerl's fix was good, and stops a crash or assertbotch (debug builds). That crash was not the only symptom reported under this bug, and it won't be the last unless we decide to make this bug refer to that symptom and cause only, and let it stay closed. I'm easy either way, but let's not keep reassigning it to rogerl. This is a hairy 4.x page, and it even contains JS1.2 bugs that somehow don't seem to affect it in 4.x (but are nevertheless bugs in its usage of JS1.2, e.g. new Array(0) being expected to create an array of length 0 rather than an array of length 1 whose element at index 0 has value 0). Phil and I spent some time looking at this today, and will again tomorrow. But after that, I'm on vacation for 10 days. I think this bug needs an owner who will dig deep, file appropriate other bugs as symptoms map to distinct causes, and drive things to a good conclusion. Who will do that? Someone please step forward. Otherwise, I'll do it when I get back. /be
Comment 27•24 years ago
|
||
To summarize: There are four JS files used in http://www.elf.org/pnglets/ Array.js dataUrl.js Pnglet.js examples.js I am not sure whether all the code from these files is needed. For example, I don't think the function embedimages() in examples.js is ever called. At any rate, there is an error in Pnglet.js in the way a new Array is instantiated: <SCRIPT language="JavaScript1.2" src=../js/Pnglet.js > (Now look at this line in Pnglet.js) : var active = new Array(0); /* start with an empty active list */ The author means to create a new, empty array; i.e. with length 0. However, version 1.2 instantiates arrays differently than other Netscape/Mozilla implementations of JavaScript. (see the HTML file I have attached which demonstrates this). In Netscape/Mozilla JavaScript 1.2, the above syntax creates an array of length 1, whose first element is 0. This creates problems later in the file Pnglet.js : 369 370 /* sort active edge list by active[j].x */ 371 active.sort(function(u,v) { return u.x <= v.x ? -1 : 1; }); 372 373 /* draw horizontal segments for scanline y */ 374 for (var j = 0; j < active.length; j += 2){/*draw horizontal segments */ 375 /* span 'tween j & j+1 is inside, span tween j+1 & j+2 is outside */ 376 var xl = Math.ceil(active[j].x+.5); /* left end of span */ 377 if (xl<0) xl = 0; 378 var xr = Math.floor(active[j+1].x-.5); /* right end of span */ 379 if (xr>this.width-1) xr = this.width-1; 380 if (xl<=xr) 381 this.horizontalLine(fillColor, xl, xr, y);/* draw pixels in span */ 382 active[j].x += active[j].dx; /* increment edge coords */ 383 active[j+1].x += active[j+1].dx; 384 } Our original problem occurred on line 371. The error was "u has no properties" (see entry at 2000-07-15 18:58). It occurred because of the unintended first element of the active[ ] array: it is not an object; it has no "x" property. The fix that rogerl has put in has stopped Mozilla from crashing on the program, and has brought us farther along, to line 378. This is what we now get when we load http://www.elf.org/pnglets/ : Error: active[ j + 1] has no properties Source File: http://www.elf.org/js/Pnglet.js line 378 Notice the loop increments the index j by 2, and tests the condition "j < active.length ". The error would not occur if the active[] array had an EVEN number of elements, say with indices 0,1,2,3. The index j would begin at 0, increment to 2, and then to 4, which does not pass the test. Inside the loop, we could safely access both the elements active[j] and active[ j+1]. But because of the unintended element 0 at index 0, this array has an ODD number of elements, say with indices 0,1,2,3,4. The index j begins at 0, increments to 2, and then to 4, which passes the test. But then inside the loop we try to access the element with index j+1=5, which is undefined. Hence the error "active[ j + 1] has no properties" There are two solutions to these problems. One is to replace the definition of the "active" Array with the following: var active = new Array(); (i.e. no "0" in the parentheses) The other solution is NOT to set the "language" attribute in the <SCRIPT> tag to "JavaScript 1.2". There might be features specific to version 1.2 that the author intended to use; if not, the language attribute should simply be set to "JavaScript". Unfortunately, we still have not solved all the issues raised by this bug. If we do change the definition of the "active" array, we no longer get any errors in Mozilla in the JavaScript console. However, none of the pnglet images draw on the page, as they do in NN4.72 Of note is the following function in the file elements.js function install(name, value) { var p = new Pnglet(32, 32, 8); var black = p.color(0,0,0,0), red = p.color(255,0,0), green = p.color(0,255,0), blue = p.color(0,0,255), white = p.color(255,255,255); eval(value); pnglets[name] = p.output(); if (document.images[name]) { if (nnMethod == 'javascriptUrl') document.images[name].src = "javascript:pnglets."+name; etc. This sets the SRC attribute of an IMG element to a JavaScript URL. For example, when debugging you find assignments like this: document.images[arc1].src = "javascript: pnglets.arc1" where in JavaScript, pnglets.arc1 = ‘?PNG……(binary data)……….’ The author of the web page http://www.elf.org/pnglets mentions many problems associated with assingnments like this. Anyone who works on this problem should read his comments! In the meantime, we are assigning to DOM Level 0 to get their analysis of what might be going wrong, and why the pnglet images get drawn in NN4.72, but not in Mozilla.
Assignee: rogerl → jst
Status: REOPENED → NEW
Component: Javascript Engine → DOM Level 0
QA Contact: pschwartau → desale
Summary: crash in JS engine, called from Array.prototype.sort → pnglet images not getting drawn in Mozilla [WAS: crash in JS engine, called from Array.prototype.sort]
Comment 28•24 years ago
|
||
Comment 29•24 years ago
|
||
Note: The discrepancy in the way JS 1.2 instantiates new Arrays does not occur on my Mac (OS9). Only on my Linux and WinNT boxes...
Comment 30•24 years ago
|
||
Comment 31•24 years ago
|
||
Comment 32•24 years ago
|
||
Assignee | ||
Comment 33•24 years ago
|
||
Removing crash and js1.5 keywords now that this bug describes only what seem to be DOM level 0 and/or imglib bugs in computing PNG data via img.src=javascript: URL attribute setting. /be
Comment 34•24 years ago
|
||
Me thinks that we have a problem reading from javascript: URLs in many cases, nominating for beta3 since this cuts down severely on the functionality offered by javascript: URLs.
Comment 35•24 years ago
|
||
nsbeta3- for now... Johnny, if you think that there is a more generic problem with JS urls not working properly, please file a separate bug. Thanks!
Whiteboard: [nsbeta3-]
Assignee | ||
Comment 36•24 years ago
|
||
Argh, this needs more diagnosis before it can be nsbeta3-minused, I claim. I'll take it. /be
Assignee: jst → brendan
Status: ASSIGNED → NEW
Comment 38•24 years ago
|
||
Adding crash keyword to all open crash bugs that don't already have it...
Keywords: crash
Assignee | ||
Comment 39•24 years ago
|
||
Hello, I removed crash a few comments back, because this no longer crashes. Please don't add crash blindly based on Summary keyword match. I'll remove the "was:" summary parenthetical. /be
Keywords: crash
Summary: pnglet images not getting drawn in Mozilla [WAS: crash in JS engine, called from Array.prototype.sort] → pnglet images not getting drawn in Mozilla
Comment 40•24 years ago
|
||
Comment 41•24 years ago
|
||
I created a test setup where I made the following changes: pnglet_test.html: removed unnecessary stuff for clarity. pnglet.js: changed new Array(0) to new Array() fixed initial loop values in the initialize functions pnglet.js/examples.js: fixed image urls to point to images/ below pnglet_test.html verified that it works in NN 4.72 tested with a debug build on win2000. The page displays initially with broken images for the images/pixel.gif which does not happen for NN. Then an Assertion fires: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner' in dom/src/jsurl/nsJSProtocolHandler.cpp line 114 attaching test setup.
Assignee | ||
Comment 42•24 years ago
|
||
I'm going to work on this for rtm. The latest symptom (assertbotch) is bad. /be
Assignee | ||
Updated•24 years ago
|
Target Milestone: M18 → ---
Comment 43•24 years ago
|
||
Marking [rtm need info] since you are working on this. Is there a patch in the offing anytime soon? Is it time to let this go for the RTM?
Whiteboard: [nsbeta3-] → [nsbeta3-][rtm need info]
Assignee | ||
Updated•24 years ago
|
Keywords: rtm → mozilla1.0
Whiteboard: [nsbeta3-][rtm need info] → [nsbeta3-]
Target Milestone: --- → mozilla0.9
Assignee | ||
Comment 44•24 years ago
|
||
Sorry, I didn't get time to figure out a fix. /be
Reporter | ||
Comment 45•23 years ago
|
||
spam to generate a bugzilla activity, the current target M0.9 is closing soon.
Updated•23 years ago
|
Target Milestone: mozilla0.9.2 → mozilla0.9.3
Assignee | ||
Comment 48•23 years ago
|
||
I don't know when I'll get to this, and I haven't retested the page lately -- maybe other fixes have cured its ills? /be
Target Milestone: mozilla0.9.3 → mozilla0.9.5
Assignee | ||
Comment 50•23 years ago
|
||
Perf/footprint work takes precedence. /be
Target Milestone: mozilla0.9.7 → mozilla0.9.8
Assignee | ||
Comment 51•23 years ago
|
||
Anyone: are we still broken?
Target Milestone: mozilla0.9.8 → mozilla0.9.9
Comment 52•23 years ago
|
||
Still broken: when I load the site, I'm still getting the JS Console error reported in the middle of Comment #27 above: > The fix that rogerl has put in has stopped Mozilla from crashing on > the program, and has brought us farther along, to line 378. This is > what we now get when we load http://www.elf.org/pnglets/ : > Error: active[ j + 1] has no properties > Source File: http://www.elf.org/js/Pnglet.js > line 378
Assignee | ||
Comment 53•22 years ago
|
||
Look what a miserable owner I am for this bug. Plus, I'm not convinced it has anything to do with core JS any longer. Need a reduced testcase, bumping to Future for now, and I'm begging for a better owner to take steal this bug! /be
Target Milestone: mozilla0.9.9 → Future
Comment 54•22 years ago
|
||
WFM. Mozilla 1.1.b properly displays the pnglets on the referenced URL. Glenn
Comment 56•22 years ago
|
||
The site also WORKSFORME using Mozilla 1.0 branch 20020806xx WinNT. When I load the site, I am no longer getting any errors in the JS Console. While the page is loading, I scroll down and watch all the images getting drawn dynamically. They all draw fine! Resolving as WORKSFORME -
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 22 years ago
Resolution: --- → WORKSFORME
Updated•20 years ago
|
Whiteboard: [js1.2]
You need to log in
before you can comment on or make changes to this bug.
Description
•