Closed Bug 23502 Opened 21 years ago Closed 18 years ago

pnglet images not getting drawn in Mozilla

Categories

(Core :: DOM: Core & HTML, defect, P3)

defect

Tracking

()

VERIFIED WORKSFORME

People

(Reporter: rbs, Assigned: brendan)

References

()

Details

(Keywords: dom0, Whiteboard: [js1.2])

Attachments

(7 files)

With debug build ID 1999122808, on Win38, Mozilla asserts at the
above URL, with the error message:

###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner',
file C:\Mozilla\src\mozilla\dom\src\jsurl\nsJSProtocolHandler.cpp, line 211

NOTES
-----
The page uses some nifty JS features to *draw* and *embed* inline
PNG images, a la SVG...

STEP TO REPRODUCE
-----------------
Visit the above URL

EXPECTED RESULTS
----------------
There shouldn't be any problems. The page should appear will all images.
Nav 4.7 has no problem with the page.
Win38 above should read Win98.

I was able to reproduce the problem with following test case:
[the directory "pnglet/" contains js files from
http://www.elf.org/pnglets/js/, and pnglet/pixel.gif
was copied from http://www.elf.org/images/pixel.gif]


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Drawing MathML</title>
<script type="text/javascript"
        language="javascript1.2"
        src="pnglet/Array.js">
</script>
<script type="text/javascript"
        language="javascript1.2"
        src="pnglet/dataUrl.js">
</script>
<script type="text/javascript"
        language="javascript1.2"
        src="pnglet/Pnglet.js">
</script>

<script type="text/javascript"
        language="javascript1.2">
// emit a target for a later example image
function embedimage(name, vspace) {
   document.write('<img align="left" width="32" height="32" vspace="', vspace,
		  '" alt="', name, '" name="', name, '"
src="pnglet/pixel.gif">');
}

// the target names and the functions which compute them
var imgdata = new Array(
  'pnglet', '',
  'pieslice', 'p.pieslice(green, blue, 16,16, 20,20, 0,270)'
);

var pnglets = new Object();
var nnMethod = 'javascriptUrl';

function loadimages(i) {
    function install(name, value) {
	var p = new Pnglet(32, 32, 8);
	var black = p.color(0,0,0,0),
	    red   = p.color(255,0,0),
	    green = p.color(0,255,0),
	    blue  = p.color(0,0,255),
	    white = p.color(255,255,255);
	eval(value);
	pnglets[name] = p.output();
	if (document.images[name]) {
	    if (nnMethod == 'javascriptUrl')
		document.images[name].src = "javascript:pnglets."+name;
	    if (nnMethod == 'dataUrl')
		document.images[name].src = dataUrl('image/png', pnglets[name]);
	}
    }
    if (i+1 < imgdata.length) {
	install(imgdata[i], imgdata[i+1]);
	setTimeout("window.loadimages("+(i+2)+")", 10);
    }
}
</script>
</head>

<body text="#ffffff"
      bgcolor="#000000"
      onload="javascript:loadimages(0)">

<p><script type="text/javascript">embedimage('pnglet',0)</script>
<pre>
// a 32 pixel, 8 color image.
</pre>


<p><script type="text/javascript">embedimage('pieslice',0)</script>
<pre>
// a 32 pixel, 8 color pieslice;
</pre>

</body>
</html>
Of note, I came across the problem when looking at ways to experiment
plotting a function defined with MathML -- that is, while investigating
how I can make a demo of dynamic math through the current MathML Mozilla
effort. Having these Pnglets could help building such a graphical demo.
Sometimes BugZilla behaves strangely. I unsucessefully tried to create
an attachment.

I am enclosing it right here. The same example as above. But as a
ready-to-use working example. All links are resolved and you can
simply save the file on your system for experimentation.
[On Nav 4.7, it draws a pieslice.]
=======

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Drawing PNG... a la SVG</title>
<script type="text/javascript"
        language="javascript1.2"
        src="http://www.elf.org/js/Array.js">
</script>
<script type="text/javascript"
        language="javascript1.2"
        src="http://www.elf.org/js/dataUrl.js">
</script>
<script type="text/javascript"
        language="javascript1.2"
        src="http://www.elf.org/js/Pnglet.js">
</script>

<script type="text/javascript"
        language="javascript1.2">
// emit a target for a later example image
function embedimage(name, vspace) {
   document.write('<img align="left" width="32" height="32" vspace="', vspace,
		  '" alt="', name, '" name="', name, '"
src="http://www.elf.org/images/pixel.gif">');
}

// the target names and the functions which compute them
var imgdata = new Array(
  'pnglet', '',
  'pieslice', 'p.pieslice(green, blue, 16,16, 20,20, 0,270)'
);

var pnglets = new Object();
var nnMethod = 'javascriptUrl';

function loadimages(i) {
    function install(name, value) {
	var p = new Pnglet(32, 32, 8);
	var black = p.color(0,0,0,0),
	    red   = p.color(255,0,0),
	    green = p.color(0,255,0),
	    blue  = p.color(0,0,255),
	    white = p.color(255,255,255);
	eval(value);
	pnglets[name] = p.output();
	if (document.images[name]) {
	    if (nnMethod == 'javascriptUrl')
		document.images[name].src = "javascript:pnglets."+name;
	    if (nnMethod == 'dataUrl')
		document.images[name].src = dataUrl('image/png', pnglets[name]);
	}
    }
    if (i+1 < imgdata.length) {
	install(imgdata[i], imgdata[i+1]);
	setTimeout("window.loadimages("+(i+2)+")", 10);
    }
}
</script>
</head>

<body text="#ffffff"
      bgcolor="#000000"
      onload="javascript:loadimages(0)">

<p><script type="text/javascript">embedimage('pnglet',0)</script>
<pre>
// a 32 pixel, 8 color image.
</pre>


<p><script type="text/javascript">embedimage('pieslice',0)</script>
<pre>
// a 32 pixel, 8 color pieslice;
</pre>

</body>
</html>
Travis owns this assert; reassigning to him for a closer look.
Assignee: mccabe → travis
i just crashed on this page. 

stack trace:
nsJSProtocolHandler::NewChannel(nsJSProtocolHandler * const 0x032d9300, const 
char * 0x003e1edc ??_C@_04JMJF@load?$AA@, nsIURI * 0x032d91f0, nsILoadGroup * 
0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, nsIURI * 
0x00000000, unsigned int 0, unsigned int 0, nsIChannel * * 0x0012c590) line 207 
+ 36 bytes
nsIOService::NewChannelFromURI(nsIOService * const 0x00d07270, const char * 
0x003e1edc ??_C@_04JMJF@load?$AA@, nsIURI * 0x032d91f0, nsILoadGroup * 
0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, nsIURI * 
0x00000000, unsigned int 0, unsigned int 0, nsIChannel * * 0x0012c590) line 276 
+ 59 bytes
NS_OpenURI(nsIChannel * * 0x0012c62c, nsIURI * 0x032d91f0, nsILoadGroup * 
0x02945360, nsIInterfaceRequestor * 0x00000000, unsigned int 0, unsigned int 0, 
unsigned int 0) line 82 + 58 bytes
ImageNetContextImpl::GetURL(ilIURL * 0x032d96b0, NET_ReloadMethod 
NET_NORMAL_RELOAD, ilINetReader * 0x032d9670) line 670 + 55 bytes
IL_GetImage(const char * 0x032d9ce0, _IL_GroupContext * 0x0296d070, 
OpaqueObserverList * 0x032d9bc0, _NI_IRGB * 0x00000000, unsigned int 32, 
unsigned int 32, unsigned int 0, void * 0x0296cfd0) line 2068 + 35 bytes
ImageRequestImpl::Init(void * 0x0296d070, const char * 0x032d9ce0, 
nsIImageRequestObserver * 0x032d9e44, const unsigned int * 0x00000000, unsigned 
int 32, unsigned int 32, unsigned int 0, ilINetContext * 0x0296cfd0) line 259 + 
49 bytes
ImageGroupImpl::GetImage(const char * 0x032d9ce0, nsIImageRequestObserver * 
0x032d9e44, const unsigned int * 0x00000000, unsigned int 32, unsigned int 32, 
unsigned int 0) line 272 + 46 bytes
nsFrameImageLoader::Init(nsFrameImageLoader * const 0x032d9e40, nsIPresContext * 
0x029f8780, nsIImageGroup * 0x0296d120, const nsString & {...}, const unsigned 
int * 0x00000000, const nsSize * 0x00f0aff4, nsIFrame * 0x00f0af78, unsigned int 
(nsIPresContext *, nsIFrameImageLoader *, nsIFrame *, void *, unsigned int)* 
...) line 173 + 57 bytes
nsPresContext::StartLoadImage(nsPresContext * const 0x029f8780, const nsString & 
{...}, const unsigned int * 0x00000000, const nsSize * 0x00f0aff4, nsIFrame * 
0x00f0af78, unsigned int (nsIPresContext *, nsIFrameImageLoader *, nsIFrame *, 
void *, unsigned int)* 0x01ab26d0 nsHTMLImageLoader::ImageLoadCB(nsIPresContext 
*, nsIFrameImageLoader *, nsIFrame *, void *, unsigned int), ...) 
nsHTMLImageLoader::StartLoadImage(nsIPresContext * 0x029f8780) line 204 + 63 
bytes
nsHTMLImageLoader::UpdateURLSpec(nsIPresContext * 0x029f8780, const nsString & 
{...}) line 249
nsImageFrame::AttributeChanged(nsImageFrame * const 0x00f0af78, nsIPresContext * 
0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int 2) line 
841
nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 
0x02d2eea0, nsIPresContext * 0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom 
* 0x017deb80, int 2) line 7669 + 35 bytes
StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x02d297d0, nsIPresContext * 
0x029f8780, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 
996
PresShell::AttributeChanged(PresShell * const 0x02d2ec98, nsIDocument * 
0x02dae560, nsIContent * 0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 
2480 + 57 bytes
nsDocument::AttributeChanged(nsDocument * const 0x02dae560, nsIContent * 
0x0298fe20, int 3, nsIAtom * 0x017deb80, int -1) line 1674
nsGenericHTMLElement::SetAttribute(int 3, nsIAtom * 0x017deb80, const nsString & 
{...}, int 1) line 740
nsHTMLImageElement::SetSrcInner(nsIURI * 0x02db8680, const nsString & {...}) 
line 806 + 29 bytes
nsHTMLImageElement::SetProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, 
long 15750532, long * 0x0012dd94) line 588 + 33 bytes
nsJSUtils::nsCallJSScriptObjectSetProperty(nsISupports * 0x0298fe10, JSContext * 
0x0293c0a0, JSObject * 0x02560500, long 15750532, long * 0x0012dd94) line 241 + 
27 bytes
SetHTMLImageElementProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, long 
15750532, long * 0x0012dd94) line 564 + 25 bytes
js_SetProperty(JSContext * 0x0293c0a0, JSObject * 0x02560500, long 40479872, 
long * 0x0012dd94) line 2056 + 139 bytes
js_Interpret(JSContext * 0x0293c0a0, long * 0x0012df28) line 2240 + 957 bytes
js_Invoke(JSContext * 0x0293c0a0, unsigned int 2, unsigned int 0) line 681 + 13 
bytes
js_Interpret(JSContext * 0x0293c0a0, long * 0x0012e770) line 2273 + 15 bytes
js_Invoke(JSContext * 0x0293c0a0, unsigned int 1, unsigned int 0) line 681 + 13 
bytes
js_Interpret(JSContext * 0x0293c0a0, long * 0x0012efb8) line 2273 + 15 bytes
js_Invoke(JSContext * 0x0293c0a0, unsigned int 1, unsigned int 2) line 681 + 13 
bytes
js_InternalInvoke(JSContext * 0x0293c0a0, JSObject * 0x00f3f958, long 38717248, 
unsigned int 0, unsigned int 1, long * 0x0012f144, long * 0x0012f0f0) line 754 + 
19 bytes
JS_CallFunctionValue(JSContext * 0x0293c0a0, JSObject * 0x00f3f958, long 
38717248, unsigned int 1, long * 0x0012f144, long * 0x0012f0f0) line 2772 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0293ade0, void * 0x00f3f958, 
void * 0x024ec740, unsigned int 1, void * 0x0012f144, int * 0x0012f140) line 562 
+ 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02e10664) line 128 + 57 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0287a240, 
nsIDOMEvent * 0x02e10664, unsigned int 1) line 677 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x029f8780, nsEvent * 
0x0012fbe4, nsIDOMEvent * * 0x0012f540, unsigned int 7, nsEventStatus * 
0x0012fc24) line 1228 + 31 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0293e7f4, 
nsIPresContext * 0x029f8780, nsEvent * 0x0012fbe4, nsIDOMEvent * * 0x0012f540, 
unsigned int 1, nsEventStatus * 0x0012fc24) line 3327
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x029436d0, nsIDocumentLoader * 
0x029453c0, nsIChannel * 0x02db9f50, unsigned int 0) line 3171 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x029453c0, nsIChannel 
* 0x02db9f50, unsigned int 0) line 603
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 494
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x029453c4, nsIChannel * 
0x0326b120, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 
0x00000000) line 438
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x02945360, nsIChannel * 
0x0326b120, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 
0x00000000) line 535 + 42 bytes
nsHTTPChannel::ResponseCompleted(nsIChannel * 0x0326de34, nsIStreamListener * 
0x02e13d60, unsigned int 0, const unsigned short * 0x00000000) line 1333
nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const 0x02d3d270, 
nsIChannel * 0x0326de34, nsISupports * 0x0326b120, unsigned int 0, const 
unsigned short * 0x00000000) line 256
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x02d2cfd0) line 
279
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x02d2cf80) line 93 + 12 bytes
PL_HandleEvent(PLEvent * 0x02d2cf80) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00d061e0) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x033b0294, unsigned int 49335, unsigned int 0, 
long 13656544) line 975 + 9 bytes
USER32! 77e71268()
00d061e0()
Keywords: crash
pulled on 2000-02-06, windows NT.
This should be fixed.  Wasn't my bug in the first place, but I think the other 
places that were causing these problems are fixed now.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Re-opening. Removed 'crash' keywords since it doesn't crash anymore.
Added 4xp keyword since the problem now is that Mozilla (tip of the tree)
doesn't show the images, which are shown correctly with 4.x.
Visit the URL above with Nav 4.x and Mozilla to see the differences.
Status: RESOLVED → REOPENED
Keywords: crash4xp
Resolution: FIXED → ---
Re-assigning to default module owner due to REOPEN
Assignee: travis → rogerl
Status: REOPENED → NEW
QA Contact: rginda → pschwartau
Using Mozilla tip builds 2000-07-12 on WinNT, Linux: 

Confirming bug as originally stated: the images draw correctly in NN4.7,
but will not draw in Moz on either WinNT or Linux. On each OS I noticed 
this in the JavaScript console: 

JavaScript error:
http://www.elf.org/js/Pnglet.js line 371 : u has no properties



I am attaching the file Pnglet.js to this bug for reference. 
Here are relevant code lines in Pnglet.js leading up to line 371:  

326  
327      var ind = new Array(n);		/* list of vertex indices, 
sorted by pt[ind[j]].y */
328      var active = new Array(0);		/* start with an empty active 
list */
329  
330      /* create y-sorted array of indices ind[k] into vertex list */
331      for (var k = 0; k < n; k += 1) ind[k] = k;
332      ind.sort(function(i1, i2) { return pty(i1) <= pty(i2) ? -1 : 1; });
333      var k = 0;				/* ind[k] is next vertex to 
process */
334      var y0 = Math.max(0, Math.ceil(pty(ind[0])+.5));			
/* ymin of polygon */
335      var y1 = Math.min(this.height, Math.floor(pty(ind[n-1])-.5));	/* ymax 
of polygon */
336  
337      for (var y = y0; y <= y1; y += 1) {		/* step through 
scanlines */
338  	/* scanline y is at y+.5 in continuous coordinates */
339  
340  	/* check vertices between previous scanline and current one, if any */
341  	for (; k<n && pty(ind[k]) <= y+.5; k += 1) {
342  	    /* to simplify, if pt.y=y+.5, pretend it's above */
343  	    /* invariant: y-.5 < pt[i].y <= y+.5 */
344  	    var i = ind[k];	
345  
346  	    /*
347  	     * insert or delete edges before and after vertex i (i-1 to i,
348  	     * and i to i+1) from active list if they cross scanline y
349  	     */
350  	    var j = (i-1+n)%n;		/* vertex previous to i */
351  	    if (pty(j) <= y-.5)	{	/* old edge, remove from active list */
352  		cdelete(j);
353  	    } else if (pty(j) > y+.5) {	/* new edge, add to active list */
354  		cinsert(j, y);
355  	    }
356  	    if (i != ind[k]) {
357  		alert("Your browser's implementation of JavaScript is seriously 
broken,\n"+
358  		      "as in variables are changing value of their own 
volition.\n"+
359  		      "You should upgrade to a newer version browser.");
360  		return;
361  	    }
362  	    j = (i+1)%n;		/* vertex next after i */
363  	    if (pty(j) <= y-.5)	{	/* old edge, remove from active list */
364  		cdelete(i);
365  	    } else if (pty(j) > y+.5) {	/* new edge, add to active list */
366  		cinsert(i, y);
367  	    }
368  	}
369  
370  	/* sort active edge list by active[j].x */
371  	active.sort(function(u,v) { return u.x <= v.x ? -1 : 1; });
372  

           etc.
Changing OS to All -
OS: Windows 98 → All
Using Mozilla tip builds 2000-07-14 1PM Pacific Time on WinNT, Linux.

Now I am crashing when I try to load the given URL, www.elf.org/pnglets/
The page loads briefly - you can see the page in the browser for a few
seconds - but these messages begin appearing in the debug console:

###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file 
nsJSProtocolHandler.cpp, line 114
###!!! Break: at file nsJSProtocolHandler.cpp, line 114
WARNING: cell content 0x89398a0 has large height 93390 
###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file 
nsJSProtocolHandler.cpp, line 114
###!!! Break: at file nsJSProtocolHandler.cpp, line 114
WARNING: cell content 0x89398a0 has large height 93390 
###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file 
nsJSProtocolHandler.cpp, line 114
###!!! Break: at file nsJSProtocolHandler.cpp, line 114
WARNING: cell content 0x89398a0 has large height 93390 
###!!! ASSERTION: NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner', file 
nsJSProtocolHandler.cpp, line 114

            etc.
            etc.

And the browser crashes -
Adding crash keyword -
Keywords: crash
Adding js1.5 keyword, raising severity.

/be
Severity: normal → major
Keywords: js1.5
Resummarizing.
Summary: ASSERTION: NS_ENSURE_TRUE(globalOwner) failed → crash in JS engine, called from Array.prototype.sort
What seems to happen is that the sort function is called with a non object entry 
in the table (don't know how that happens). This causes 'u.x' to evaluate to NaN 
and so the comparison always returns 1. Inside js_qsort_r, this value let's the 
first interior loop continue into negative indices to varying effects depending 
on the contents of memory. 
Status: NEW → ASSIGNED
The line 'new Array(0)' sets the initial element to the value 0 (since this is 
run under version 1.2).

Anybody know the internals of qsort? I'm thinking that changing that inner loop 
to :
[jsarray.c, line 624, function js_qsort_r()]

	while (i < j) {
	    for (; j > i ;) {      // <--- ADD THIS TO LOOP CONTROL
		b = (char *)qa->vec + j * qa->elsize;
		if ((*qa->cmp)(b, pivot, qa->arg) <= 0)
		    break;
		j--;
	    }
	    memmove(a, b, qa->elsize);

comments?
rogerl -- that looks like a fix (nit: why not make it a while loop instead of
for(;;)?).  Does it cure all ills?

/be
Another nit: make the inner loop a do-while to avoid retesting gratuitously on
the first iteration.

/be
ok, here's the patch piece:   (it's just a piece because I have other changes 
                               in jsarray.c with which I didn't want to muddy 
                               the waters)

@@ -600,13 +621,13 @@
        a = (char *)qa->vec + i * qa->elsize;
        memmove(pivot, a, qa->elsize);
        while (i < j) {
-           for (;;) {
+           do {
                b = (char *)qa->vec + j * qa->elsize;
                if ((*qa->cmp)(b, pivot, qa->arg) <= 0)
                    break;
                j--;
-           }
+           } while (j > i);

I think it's a cure all - I don't see any other uncontrolled loops.
r,a=brendan@mozilla.org -- let's get this in today when the tree opens, for the 
next mozilla milestone and so tlundeen@webcrossing.com and other js1.5 customers 
get it soon.  Thanks,

/be
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago20 years ago
Resolution: --- → FIXED
Re-opening as the problem reported in the bug is still there with a tip of the
tree. I don't know if there has been a regression since your last fix, as I am
not seeing the expected graphics on the test page. rogerl, with your build, do
you see similar graphics as shown in Nav4.x?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Rogerl's fix was good, and stops a crash or assertbotch (debug builds).  That 
crash was not the only symptom reported under this bug, and it won't be the last 
unless we decide to make this bug refer to that symptom and cause only, and let 
it stay closed.

I'm easy either way, but let's not keep reassigning it to rogerl.  This is a 
hairy 4.x page, and it even contains JS1.2 bugs that somehow don't seem to 
affect it in 4.x (but are nevertheless bugs in its usage of JS1.2, e.g. new 
Array(0) being expected to create an array of length 0 rather than an array of 
length 1 whose element at index 0 has value 0).

Phil and I spent some time looking at this today, and will again tomorrow.  But 
after that, I'm on vacation for 10 days.  I think this bug needs an owner who 
will dig deep, file appropriate other bugs as symptoms map to distinct causes, 
and drive things to a good conclusion.  Who will do that?  Someone please step 
forward.  Otherwise, I'll do it when I get back.

/be
To summarize: There are four JS files used in http://www.elf.org/pnglets/ 

Array.js
dataUrl.js
Pnglet.js
examples.js

I am not sure whether all the code from these files is needed. 
For example, I don't think  the function embedimages() in examples.js 
is ever called.

At any rate, there is an error in Pnglet.js in the way a new Array is 
instantiated:

 <SCRIPT language="JavaScript1.2"  src=../js/Pnglet.js >

        (Now look at this line in Pnglet.js) :
                            
        var active = new Array(0);     /* start with an empty active list */


The author means to create a new, empty array; i.e. with length 0.
However, version 1.2 instantiates arrays differently than other 
Netscape/Mozilla implementations of JavaScript. (see the HTML file I have 
attached which demonstrates this). In Netscape/Mozilla JavaScript 1.2, 
the above syntax creates an array of length 1, whose first element is 0. 
This creates problems later in the file Pnglet.js :

369  
370  	/* sort active edge list by active[j].x */
371  	active.sort(function(u,v) { return u.x <= v.x ? -1 : 1; });
372  
373     /* draw horizontal segments for scanline y */
374  	for (var j = 0; j < active.length; j += 2){/*draw horizontal segments */
375  	    /* span 'tween j & j+1 is inside, span tween j+1 & j+2 is outside */
376  	    var xl = Math.ceil(active[j].x+.5);     /* left end of span */
377  	    if (xl<0) xl = 0;
378  	    var xr = Math.floor(active[j+1].x-.5);  /* right end of span */
379  	    if (xr>this.width-1) xr = this.width-1;
380  	    if (xl<=xr)
381  	     this.horizontalLine(fillColor, xl, xr, y);/* draw pixels in span */
382  	     active[j].x += active[j].dx;	    /* increment edge coords */
383  	     active[j+1].x += active[j+1].dx;
384  	}


Our original problem occurred on line 371. The error was "u has no properties" 
(see entry at 2000-07-15 18:58). It occurred because of the unintended first 
element of the active[ ] array:  it is not an object; it has no "x" property.

The fix that rogerl has put in has stopped Mozilla from crashing on the program, 
and has brought us farther along, to line 378. This is what we now get when we 
load http://www.elf.org/pnglets/ :

      Error: active[ j + 1] has no properties
      Source File: http://www.elf.org/js/Pnglet.js
      line 378

Notice the loop increments the index j by 2, and tests the condition  
"j < active.length ". The error would not occur if the active[] array had an 
EVEN number of elements, say with indices 0,1,2,3. The index j would begin at 0, 
increment to 2, and then to 4, which does not pass the test. Inside the loop,
we could safely access both the elements active[j] and active[ j+1].

But because of the unintended element 0 at index 0, this array has an ODD number 
of elements, say with indices 0,1,2,3,4.  The index  j begins at 0, increments 
to 2, and then to 4, which passes the test. But then inside the loop we try to 
access the element with index j+1=5, which is undefined. Hence the error 
"active[ j + 1] has no properties"


There are two solutions to these problems. One is to replace the definition of 
the "active" Array with the following:

      var active = new Array();    (i.e. no "0" in the parentheses)

The other solution is NOT to set the "language" attribute in the <SCRIPT> tag to 
"JavaScript 1.2". There might be features specific to version 1.2 that the 
author intended to use; if not, the language attribute should simply be set to 
"JavaScript". 


Unfortunately, we still have not solved all the issues raised by this bug. If we 
do change the definition of the "active" array, we no longer get any errors in 
Mozilla in the JavaScript console. However, none of the pnglet images draw on 
the page, as they do in NN4.72

Of note is the following function in the file elements.js

 function install(name, value) {
        var p = new Pnglet(32, 32, 8);
        var black = p.color(0,0,0,0),
            red = p.color(255,0,0),
            green = p.color(0,255,0),
            blue = p.color(0,0,255),
            white = p.color(255,255,255);

        eval(value);
        pnglets[name] = p.output();

        if (document.images[name]) {
            if (nnMethod == 'javascriptUrl') 
                document.images[name].src = "javascript:pnglets."+name;


                            etc.


This sets the SRC attribute of an IMG element to a JavaScript URL.
For example, when debugging you find assignments like this:

      document.images[arc1].src = "javascript: pnglets.arc1"
      where in JavaScript,  pnglets.arc1 = ‘?PNG……(binary data)……….’


The author of the web page http://www.elf.org/pnglets mentions many problems
associated with assingnments like this. Anyone who works on this problem 
should read his comments! In the meantime, we are assigning to DOM Level 0
to get their analysis of what might be going wrong, and why the pnglet images
get drawn in NN4.72, but not in Mozilla.
Assignee: rogerl → jst
Status: REOPENED → NEW
Component: Javascript Engine → DOM Level 0
QA Contact: pschwartau → desale
Summary: crash in JS engine, called from Array.prototype.sort → pnglet images not getting drawn in Mozilla [WAS: crash in JS engine, called from Array.prototype.sort]
Note:

The discrepancy in the way JS 1.2 instantiates new Arrays does not occur 
on my Mac (OS9). Only on my Linux and WinNT boxes...  

Removing crash and js1.5 keywords now that this bug describes only what seem to 
be DOM level 0 and/or imglib bugs in computing PNG data via img.src=javascript: 
URL attribute setting.

/be
Keywords: crash, js1.5
Me thinks that we have a problem reading from javascript: URLs in many cases,
nominating for beta3 since this cuts down severely on the functionality offered
by javascript: URLs.
Status: NEW → ASSIGNED
Keywords: correctness, nsbeta3
Hardware: PC → All
Target Milestone: --- → M18
nsbeta3- for now...  Johnny, if you think that there is a more generic problem 
with JS urls not working properly, please file a separate bug.  Thanks!
Whiteboard: [nsbeta3-]
Argh, this needs more diagnosis before it can be nsbeta3-minused, I claim.  I'll
take it.

/be
Assignee: jst → brendan
Status: ASSIGNED → NEW
I'm a happy miser!
Status: NEW → ASSIGNED
Adding crash keyword to all open crash bugs that don't already have it...
Keywords: crash
Hello, I removed crash a few comments back, because this no longer crashes.  
Please don't add crash blindly based on Summary keyword match.  I'll remove the 
"was:" summary parenthetical.

/be
Keywords: crash
Summary: pnglet images not getting drawn in Mozilla [WAS: crash in JS engine, called from Array.prototype.sort] → pnglet images not getting drawn in Mozilla
I created a test setup where I made the following changes:
pnglet_test.html: removed unnecessary stuff for clarity.
pnglet.js: changed new Array(0) to new Array()
fixed initial loop values in the initialize functions
pnglet.js/examples.js: fixed image urls to point to images/ below pnglet_test.html

verified that it works in NN 4.72

tested with a debug build on win2000.

The page displays initially with broken images for the images/pixel.gif which
does not happen for NN. Then an Assertion fires:

NS_ENSURE_TRUE(globalOwner) failed: 'globalOwner' in
dom/src/jsurl/nsJSProtocolHandler.cpp line 114

attaching test setup.

I'm going to work on this for rtm.  The latest symptom (assertbotch) is bad.

/be
Keywords: nsbeta3rtm
Target Milestone: M18 → ---
Marking [rtm need info] since you are working on this.  Is there a patch in the 
offing anytime soon?  Is it time to let this go for the RTM?
Whiteboard: [nsbeta3-] → [nsbeta3-][rtm need info]
Keywords: rtmmozilla1.0
Whiteboard: [nsbeta3-][rtm need info] → [nsbeta3-]
Target Milestone: --- → mozilla0.9
Sorry, I didn't get time to figure out a fix.

/be
Keywords: dom0
spam to generate a bugzilla activity, the current target M0.9 is closing soon.
Slide.
Target Milestone: mozilla0.9 → mozilla0.9.1
Load-balancing.

/be
Target Milestone: mozilla0.9.1 → mozilla0.9.2
Target Milestone: mozilla0.9.2 → mozilla0.9.3
I don't know when I'll get to this, and I haven't retested the page lately --
maybe other fixes have cured its ills?

/be
Target Milestone: mozilla0.9.3 → mozilla0.9.5
Sigh.

/be
Target Milestone: mozilla0.9.5 → mozilla0.9.7
Perf/footprint work takes precedence.

/be
Target Milestone: mozilla0.9.7 → mozilla0.9.8
Anyone: are we still broken?
Target Milestone: mozilla0.9.8 → mozilla0.9.9
Still broken: when I load the site, I'm still getting the JS Console
error reported in the middle of Comment #27  above:

> The fix that rogerl has put in has stopped Mozilla from crashing on
> the program, and has brought us farther along, to line 378. This is
> what we now get when we load http://www.elf.org/pnglets/ :

>       Error: active[ j + 1] has no properties
>       Source File: http://www.elf.org/js/Pnglet.js
>       line 378
Look what a miserable owner I am for this bug. Plus, I'm not convinced it has
anything to do with core JS any longer.  Need a reduced testcase, bumping to
Future for now, and I'm begging for a better owner to take steal this bug!

/be
Target Milestone: mozilla0.9.9 → Future
WFM. Mozilla 1.1.b properly displays the pnglets on the referenced URL.

Glenn
wfm 2002080508 w2k ts
Whiteboard: [nsbeta3-]
Target Milestone: Future → ---
The site also WORKSFORME using Mozilla 1.0 branch 20020806xx WinNT.

When I load the site, I am no longer getting any errors in the
JS Console. While the page is loading, I scroll down and watch
all the images getting drawn dynamically. They all draw fine!

Resolving as WORKSFORME -
Status: ASSIGNED → RESOLVED
Closed: 20 years ago18 years ago
Resolution: --- → WORKSFORME
Marking Verified - thanks to all 
Status: RESOLVED → VERIFIED
Whiteboard: [js1.2]
You need to log in before you can comment on or make changes to this bug.