Closed Bug 246224 Opened 16 years ago Closed 16 years ago

Mozilla crashes if a chrome app uses Live Connect [@ getScriptClassLoader]

Categories

(Core Graveyard :: Java: Live Connect, defect, critical)

x86
All
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kchristmas, Assigned: yuanyi21)

Details

(Keywords: crash, verified1.7, Whiteboard: fixed-aviary1.0)

Crash Data

Attachments

(4 files, 4 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608

If XUL application, that is installed in the Mozilla/chrome directory, accesses
the java plugin through javascript, Mozilla crashes.  This does not occur if the
XUL page is not in the chrome directory.

mozilla -chrome chrome://javatest/content/javatest.xul = crash
mozilla -chrome file:///c:/javatest/javatest.xul = works

this is the text of javatest.xul
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" >
	<box>
		<button label="click me" oncommand="var x = Packages.java.lang.String('Stupid
String'); var y = x.toString(); alert(y);"/>
	</box>
</window>

Reproducible: Always
Steps to Reproduce:
1. create a chrome application and install it in the chrome directory.  Will
crash if jar or files.
2. access java from javascript.
3.

Actual Results:  
Mozilla crashes

Expected Results:  
should have seen an alert.

currently running jdk 1.4.2_02 on windows xp.  Crashed when I tried jdk 1.5 beta
2 as well.
Stacktrace for this with a current cvs trunk debug build on win2k:
getScriptClassLoader(JNIEnv_ * 0x03c52798, _jobject * * 0x0012da28) line 116 +
24 bytes
ProxyFindClass(JNIEnv_ * 0x03c52798, const char * 0x03c52708) line 177 + 13 bytes
ProxyJNIEnv::FindClass(JNIEnv_ * 0x03c52798, const char * 0x03c52708) line 325 +
13 bytes
JavaPackage_resolve(JSContext * 0x038c15e8, JSObject * 0x03c3b0e0, long
0x0134ec94) line 202 + 16 bytes
_js_LookupProperty(JSContext * 0x038c15e8, JSObject * 0x03c3b0e0, long
0x02889a78, JSObject * * 0x0012dbac, JSProperty * * 0x0012db9c, const char *
0x014dcb30, unsigned int 0x00000a66) line 2518 + 42 bytes
js_GetProperty(JSContext * 0x038c15e8, JSObject * 0x03c3b0e0, long 0x02889a78,
long * 0x0012e3e0) line 2662 + 35 bytes
js_Interpret(JSContext * 0x038c15e8, long * 0x0012e580) line 3202 + 1831 bytes
js_Invoke(JSContext * 0x038c15e8, unsigned int 0x00000001, unsigned int
0x00000002) line 1301 + 13 bytes
js_InternalInvoke(JSContext * 0x038c15e8, JSObject * 0x03c3b7b8, long
0x03c3bf70, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012e78c,
long * 0x0012e788) line 1378 + 20 bytes
JS_CallFunctionValue(JSContext * 0x038c15e8, JSObject * 0x03c3b7b8, long
0x03c3bf70, unsigned int 0x00000001, long * 0x0012e78c, long * 0x0012e788) line
3631 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03c3b7b8, JSObject * 0x03c3bf70,
unsigned int 0x00000001, long * 0x0012e78c, long * 0x0012e788) line 1267 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03c75990, nsIDOMEvent
* 0x03c525e8) line 174 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03c75a50,
nsIDOMEvent * 0x03c525e8, nsIDOMEventTarget * 0x03c52678, unsigned int
0x00000008, unsigned int 0x00000007) line 1460 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03c75938,
nsIPresContext * 0x03823138, nsEvent * 0x0012ed98, nsIDOMEvent * * 0x0012ed40,
nsIDOMEventTarget * 0x03c52678, unsigned int 0x00000007, nsEventStatus *
0x0012ede4) line 1555
nsXULElement::HandleDOMEvent(nsIPresContext * 0x03823138, nsEvent * 0x0012ed98,
nsIDOMEvent * * 0x0012ed40, unsigned int 0x00000007, nsEventStatus * 0x0012ede4)
line 2788
PresShell::HandleDOMEventWithTarget(PresShell * const 0x03c5ddf8, nsIContent *
0x03c75798, nsEvent * 0x0012ed98, nsEventStatus * 0x0012ede4) line 6109
nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x03823138, nsGUIEvent *
0x0012efe4) line 178
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x03cb1888,
nsIPresContext * 0x03823138, nsGUIEvent * 0x0012efe4, nsEventStatus *
0x0012f4d8) line 150
PresShell::HandleEventInternal(nsEvent * 0x0012efe4, nsIView * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012f4d8) line 6073 + 39 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x03c5ddf8, nsEvent *
0x0012efe4, nsIFrame * 0x03cb1888, nsIContent * 0x03c75798, unsigned int
0x00000001, nsEventStatus * 0x0012f4d8) line 5984 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x03823138,
nsMouseEvent * 0x0012f700, nsEventStatus * 0x0012f4d8) line 2962 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x03823a98,
nsIPresContext * 0x03823138, nsEvent * 0x0012f700, nsIFrame * 0x03cb1888,
nsEventStatus * 0x0012f4d8, nsIView * 0x036ae740) line 1969 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f700, nsIView * 0x036ae740,
unsigned int 0x00000001, nsEventStatus * 0x0012f4d8) line 6081 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x03c5de6c, nsIView * 0x036ae740,
nsGUIEvent * 0x0012f700, nsEventStatus * 0x0012f4d8, int 0x00000001, int &
0x00000001) line 5922 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x036ae740, nsGUIEvent * 0x0012f700, int
0x00000001) line 2212
nsViewManager::DispatchEvent(nsViewManager * const 0x036ae590, nsGUIEvent *
0x0012f700, nsEventStatus * 0x0012f5d8) line 1952 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f700) line 79
nsWindow::DispatchEvent(nsWindow * const 0x03c533ac, nsGUIEvent * 0x0012f700,
nsEventStatus & nsEventStatus_eIgnore) line 1060 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f700) line 1081
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000,
nsPoint * 0x00000000) line 5204 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int
0x00000000, nsPoint * 0x00000000) line 5457
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long
0x00140021, long * 0x0012fc28) line 3953 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0027029c, unsigned int 0x00000202, unsigned int
0x00000000, long 0x00140021) line 1342 + 27 bytes
USER32! 77e01ef0()
USER32! 77e0204c()
USER32! 77e021af()
nsAppShellService::Run(nsAppShellService * const 0x01379e88) line 524
main1(int 0x00000001, char * * 0x00263f50, nsISupports * 0x01341008) line 1334 +
32 bytes
main(int 0x00000001, char * * 0x00263f50) line 1811 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e81af6()
OS: Windows XP → All
Summary: Mozilla crashes if a chrome app uses Live Connect → Mozilla crashes if a chrome app uses Live Connect [@ getScriptClassLoader]
Attached patch null check GetURI out param... (obsolete) — Splinter Review
Attachment #150662 - Flags: review?(caillon)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 150662 [details] [diff] [review]
null check GetURI out param...


What about merging

+		 if (NS_FAILED(rv)) return rv;
+		 if (!*result) return NS_ERROR_NOT_AVAILABLE;

into

+		 if (NS_SUCCEEDED(rv) && !*result) return
NS_ERROR_NOT_AVAILABLE;

?
Flags: blocking1.7+
serge: what about not doing that? you lose information about the failure by
doing it.
Status: NEW → ASSIGNED
(In reply to comment #7)
> serge: what about not doing that? you lose information about the failure by
> doing it.

Which information does the merging loose ?
(I'm sorry that I don't figure it out :-()
(In reply to comment #8)
> Which information does the merging loose ?
> (I'm sorry that I don't figure it out :-()

the rv that the function returned
Alright this patch makes Mozilla not crash and it also displays "Stupid String"
in the alert (the only difference between loaded from file:// and chrome:// is
that from file it displays as alert title [JavaScript Application] and from
chrome only Alert, but this is probably intended and not part of this bug).
(In reply to comment #9)
> (In reply to comment #8)
> > Which information does the merging loose ?
> > (I'm sorry that I don't figure it out :-()
> 
> the rv that the function returned

Oh ? I must be missing something !

The merged patch would be
{{
-                return principal->GetURI(result);
+                nsresult rv = principal->GetURI(result);
+		 if (NS_SUCCEEDED(rv) && !*result) return NS_ERROR_NOT_AVAILABLE;
+                return rv;
}}

Why would the |rv| value be changed by the |if| call ?
sorry, i'm a literalist, what you wrote was:

> What about merging
> +		 if (NS_FAILED(rv)) return rv;
> +		 if (!*result) return NS_ERROR_NOT_AVAILABLE;
> into
> +		 if (NS_SUCCEEDED(rv) && !*result) return
NS_ERROR_NOT_AVAILABLE;

you made no mention of the return that followed. you were not merging the lines
you specified. yes your change would be fine. please don't attach a new patch we
still need caillon to sign off on the design.

further there's no guarantee that someone won't decide to put code between the
if (...) return and the final return (although it's not very likely). while it
would be their responsibility to notice that the return is being used for both
success and failure, it isn't guaranteed that they would, and the result would
probably be as bad as the crash we have today. some optimizations just aren't
worth it, let the compiler/optimizer figure them out.
I will work with Kyle to resolve this issue ASAP.
Comment on attachment 150662 [details] [diff] [review]
null check GetURI out param...

I don't mind if you plant some assertions in getScriptCodebase() in addition to
your existing patch (which I don't mind that much).  But make sure you are not
running with the system principal before calling getScriptCodebase().
Attachment #150662 - Flags: review?(caillon) → review-
We've got a very small window (a couple of hours) to get a patch and reviews
here if this is going to make Mozilla 1.7.
actully, the entire ProxyFindClass function is totally unuseful. I'm going to
remove it. new patch is coming.
Attached patch get rid if ProxyClassLoader (obsolete) — Splinter Review
The ProxyFindClass relys on a java class netscape.oji.ProxyClassLoader to
lookup a class. But that class	is totally unsupported in modern jre. So we
don't need that function any more.
Assignee: timeless → kyle.yuan
Attachment #150662 - Attachment is obsolete: true
Comment on attachment 150662 [details] [diff] [review]
null check GetURI out param...


Based on an email from Christian,
this patch would become
{{
-		 return principal->GetURI(result);
+		 nsresult rv = principal->GetURI(result);
+		 if (NS_SUCCEEDED(rv) && !*result)
+		   return NS_ERROR_UNEXPECTED;
+		 return rv;
}}
(style and value error changes)

Kyle:
I'm posting it as a comment, since you are working on an new patch.
Please, see how it applies to what you are preparing.
Attachment #150741 - Flags: review?(Xiaobin.Lu)
(In reply to comment #18)
> (From update of attachment 150662 [details] [diff] [review])
> 
> Kyle:
> I'm posting it as a comment, since you are working on an new patch.
> Please, see how it applies to what you are preparing.

The answer is simple: irrelevant :->

***

Then, in your patch, you may want to remove the following variable too:
{{ <http://lxr.mozilla.org/mozilla/search?string=mInProxyFindClass>
/modules/oji/src/ProxyJNI.cpp, line 284 -- jbool mInProxyFindClass;
/modules/oji/src/ProxyJNI.cpp, line 1707 -- : mSecureEnv(secureEnv),
mContext(NULL), mInProxyFindClass(JNI_FALSE)
}}
Even though 'ProxyFindClass' may not supported in the current JRE, I think it 
still would be better to leave it as it is. It was added to support loading Java 
Package from cutomer website (See 77194).

Could anyone here point to me why 'FindClass' fails to find java.lang.String? I 
think we should nail down the root cause instead of add defensive check ( I am 
not saying it is not a right thing to do) or removing some unused code.
Xiaobin, the crash happened before FindClass tried to find java.lang.String.
JavaPackage_resolve gets called for every "dot", i.e. java. java.lang,
java.lang.String.

Serge, you are right. If we removed ProxyClassLoader, we should also remove
mInProxyFindClass.
(In reply to comment #20)
> Even though 'ProxyFindClass' may not supported in the current JRE, I think it 
> still would be better to leave it as it is. It was added to support loading Java 
> Package from cutomer website (See 77194).
> 

I can't imagine how it can help on this now. see
http://lxr.mozilla.org/seamonkey/source/modules/oji/src/ProxyClassLoader.cpp#125,
 do you think user will be able to successfully load
netscape.oji.ProxyClassLoader someday?
(In reply to comment #12)
> sorry, i'm a literalist, what you wrote was:
> 
> > What about merging
> > +		 if (NS_FAILED(rv)) return rv;
> > +		 if (!*result) return NS_ERROR_NOT_AVAILABLE;
> > into
> > +		 if (NS_SUCCEEDED(rv) && !*result) return
> NS_ERROR_NOT_AVAILABLE;
> 
> you made no mention of the return that followed.

Because I was not touching it.
(I guess that this is where all the confusion started :-<)

> you were not merging the lines you specified.

Were I not ?

> yes your change would be fine. please don't attach a new patch we
> still need caillon to sign off on the design.

"Done" :->

> further there's no guarantee that someone won't decide to put code between the
> if (...) return and the final return (although it's not very likely). while it
> would be their responsibility to notice that the return is being used for both
> success and failure, it isn't guaranteed that they would, and the result would
> probably be as bad as the crash we have today. some optimizations just aren't
> worth it, let the compiler/optimizer figure them out.

I understand; yet the optimizer does not help me to read the code.
Further, wouldn't a final |return NS_OK;| have been equivalent and much more
explicit ?
(But less likely to be optimized !? Oh well ;-()

Anyway...
Discussed with Xiaobin, we agree that to keep the change minimal, it's better
to comment out the (temporarily) unused code instead of remove them. 
This patch is for 1.7 branch only. Will do a better job on the trunk.
Attachment #150741 - Attachment is obsolete: true
Attachment #150756 - Flags: review?(Xiaobin.Lu)
Attachment #150741 - Flags: review?(Xiaobin.Lu)
Comment on attachment 150756 [details] [diff] [review]
patch for 1.7 branch

It will be better if we can add :

if (NS_FAILED(result))
  outClass = NULL;

return outClass;

I will approve this if make the above change or similar.
Attachment #150756 - Flags: review?(Xiaobin.Lu) → review+
Comment on attachment 150756 [details] [diff] [review]
patch for 1.7 branch

I'll do what Xiaobin said when I check it in.
Attachment #150756 - Flags: superreview?(jst)
Attachment #150756 - Flags: approval1.7?
Comment on attachment 150756 [details] [diff] [review]
patch for 1.7 branch

sr=jst
Attachment #150756 - Flags: superreview?(jst) → superreview+
Comment on attachment 150756 [details] [diff] [review]
patch for 1.7 branch

a=asa (on behalf of drivers) for checkin to 1.7
Attachment #150756 - Flags: approval1.7? → approval1.7+
fixedin 1.7 branch. will make a new patch for trunk.
Keywords: fixed1.7
It seems all blocking1.7+ bugs (including this one) are actually fixed in 1.7
branch. Do we really need the blocking1.7 flags, then?
(In reply to comment #30)
> It seems all blocking1.7+ bugs (including this one) are actually fixed in 1.7
> branch. Do we really need the blocking1.7 flags, then?

'fixed1.7' keyword means that 'blocking1.7+' has been dealt with:
the current situation is as it should be.

(Look at the related requests on the "Release-Status" page; which I don't have
the link at hand.)
Its http://www.mozilla.org/roadmap/release-status.html and I read it before
commenting. 

The document does not state explicitely whether blocking1.7+ flags should stay
or be removed after fixed1.7+ is set. However, the actual practice is to remove
them. At this moment there are only 5 left from 20+. So why leave the final five
misleading people about the progress towards the release?

Sorry for the spam.
 
(In reply to comment #32)
> However, the actual practice is to remove them.

Ah ? I was not aware of this.
(I guessed there was a sort of global 'blocking' flag (value and item) removal
after the release. My mistake.)

> At this moment there are only 5 left from 20+. So why leave the final five
> misleading people about the progress towards the release?

May be these should be checked/set 'verified1.7' before removing 'blocking1.7+' ??

Anyway, some of the drivers are in the CC list:
I'll let them comment on this issue from now.
Verified on Mozilla 1.7 branch. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.7) Gecko/20040617. command-line and link for test case return the string.
Keywords: fixed1.7verified1.7
Whiteboard: fixed-aviary1.0
Attached patch patch for trunk (obsolete) — Splinter Review
Attachment #151409 - Flags: review?(Xiaobin.Lu)
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

ProxyJNI.cpp change looks good to me. I am not expert in JS security field. You
may need to find appropriate person to review the other change.
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

ProxyJNI.cpp change looks good to me. I am not expert in JS security field. You
may need to find appropriate person to review the other change.
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

ProxyJNI.cpp change looks good to me. I am not expert in JS security field. You
may need to find appropriate person to review the other change.
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

Okay, Chris, could you please review my change of getScriptCodebase?
Attachment #151409 - Flags: review?(Xiaobin.Lu) → review?(caillon)
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

I think that getScriptCodebase's caller should probably explicitly handle what
should happen if we are running with the system principal.  Perhaps that means
a better fix is removing getScriptCodebase entirely, since it only has the one
caller and moving the functionality in getScriptCodebase directly into the
caller.  What do you think, Kyle?
Comment on attachment 151409 [details] [diff] [review]
patch for trunk

Unsetting flag pending response.
Attachment #151409 - Flags: review?(caillon)
Attached patch patch for trunk (v2) (obsolete) — Splinter Review
removed the getScriptCodebase function, moved it into getScriptClassLoader, and
adjusted the code order - find netscape.oji.ProxyClassLoaderFactory first then
get the codebase - that can save much time because finding
netscape.oji.ProxyClassLoaderFactory will be always failed.
Attachment #151409 - Attachment is obsolete: true
sorry, the previous patch is wrong.
Attachment #152137 - Attachment is obsolete: true
Attachment #152138 - Flags: review?(caillon)
Comment on attachment 152138 [details] [diff] [review]
patch for trunk (v2)

>+    PRBool equals;
>+    rv = principal->Equals(sysprincipal, &equals);
>+    // Can't get URI from system principal
>+    if (NS_SUCCEEDED(rv) && equals)
>+        return NS_ERROR_FAILURE;

You return errors for failure everywhere except here.  if
nsIPrincipal::Equals() fails here, you will continue on.  That seems like you
want to do:

    if (NS_FAILED(rv)) return rv;
    if (equals) return NS_ERROR_FAILURE;


Is this something that support is desired for in the future?  If so, an XXX
comment may be in order.

r=caillon.
Attachment #152138 - Flags: review?(caillon) → review+
Comment on attachment 152138 [details] [diff] [review]
patch for trunk (v2)

I'll address caillon's comment when checkin.

> Is this something that support is desired for in the future?  If so, an XXX
comment may be in order.

As far as I know, the answer is no. netscape.oji.ProxyClassLoaderFactory will
likely not be supported in any subsequent (Sun) JREs.
Attachment #152138 - Flags: superreview?(jst)
Comment on attachment 152138 [details] [diff] [review]
patch for trunk (v2)

sr=jst
Attachment #152138 - Flags: superreview?(jst) → superreview+
Comment on attachment 152138 [details] [diff] [review]
patch for trunk (v2)

mozilla/modules/oji/src/ProxyClassLoader.cpp	1.16
Attachment #152138 - Attachment is obsolete: true
Comment on attachment 152138 [details] [diff] [review]
patch for trunk (v2)

I think you should mark the bug as FIXED rather than making this patch
obsolete.
Attachment #152138 - Attachment is obsolete: false
fix checked in by timeless.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
Crash Signature: [@ getScriptClassLoader]
You need to log in before you can comment on or make changes to this bug.