Browser crash with repeated JSObject calls

RESOLVED INCOMPLETE

Product: Core Graveyard
Component: Java: Live Connect
Priority: --
Severity: critical
Opened: 14 years ago
Resolved: 6 years ago

Reporter: sujith babu
Assignee: Alfred Peng

Keywords: crash, stackwanted
Version: Trunk
Hardware: x86
OS: All
Firefox Tracking Flags: Not tracked

Attachments: 1

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Build Identifier: Mozilla/5.0

I have an applet that tries to read a number of JSObjects (approximately 1000 to 
1100) in its init method. I need to initialize the applet based on a request 
Parameter whose value is coming from a select box. When I initialize the applet 
one after the other (I have to do this and this is not done for fanciful 
testing), after 4-5 iterations the Mozilla browser crashes. The 1st 3-4 
iterations will initialize the applet well. But from the 4th or 5th iteration, 
Mozilla crashes. This is happening in both Mozilla 1.5 and Mozilla 1.7 and for 
both the jre versions 1.4.2_05 and 1.4.2_02 (Sun jres). I am using Red Hat 
Linux 9.0. 

Mozilla crash was occurring at the native code of the getValue method of the 
JSObject. That is, crashing was occurring at the native code outside JVM. It 
was seen that this problem was occurring at the various points in the code 
where the JSObject were being read.

In the directory /usr/local/mozilla/plugins I have a link named 
libjavaplugin_oji.so -> /usr/java/j2re1.4.2_05/plugin/i386/ns610-gcc32/libjavaplugin_oji.so. 
I guess this is what was needed instead of copying 
the whole of libjavaplugin_oji.so.
Also, I have done the maximum performance enhancement to avoid reading the 
JSObjects as much as possible.

But at the same time the crash is not occurring in IE. (I am using IE version 
6.0). 

This is the exception stack trace.

An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : 11 occurred at PC=0x42073499
Function=__libc_free+0x49
Library=/lib/tls/libc.so.6

Current Java thread:
        at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
        at sun.plugin.javascript.navig5.JSObject.getMember(JSObject.java:169)
        at com.wincor_nixdorf.tplinux.webapp.storemgnt.kps.KBDimension.<init>(KBDimension.java:279)
        at com.wincor_nixdorf.tplinux.webapp.storemgnt.kps.keyboard.initKeyboard(keyboard.java:1376)
        at com.wincor_nixdorf.tplinux.webapp.storemgnt.kps.keyboard.init(keyboard.java:61)
        at sun.applet.AppletPanel.run(AppletPanel.java:353)
        at java.lang.Thread.run(Thread.java:534)

Dynamic libraries:

Heap at VM Abort:
Heap
 def new generation   total 1088K, used 1035K [0x44910000, 0x44a30000, 0x44df0000)
  eden space 1024K,  98% used [0x44910000, 0x44a0cfa0, 0x44a10000)
  from space 64K,  36% used [0x44a20000, 0x44a25d78, 0x44a30000)
  to   space 64K,   0% used [0x44a10000, 0x44a10000, 0x44a20000)
 tenured generation   total 12708K, used 8887K [0x44df0000, 0x45a59000, 0x48910000)
   the space 12708K,  69% used [0x44df0000, 0x4569dd78, 0x4569de00, 0x45a59000)
 compacting perm gen  total 5888K, used 5873K [0x48910000, 0x48ed0000, 0x4c910000)
   the space 5888K,  99% used [0x48910000, 0x48ecc5a8, 0x48ecc600, 0x48ed0000)

Local Time = Wed Sep 15 15:21:57 2004
Elapsed Time = 1242
#
# The exception above was detected in native code outside the VM
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2_02-b03 mixed mode)
#
# An error report file has been saved as hs_err_pid8649.log.
# Please refer to the file for further information.
#
INTERNAL ERROR on Browser End: Pipe closed during read? State may be corrupt
System error?:: Connection reset by peer



Reproducible: Always
Steps to Reproduce:
1. Write an applet that calls close to a thousand JSObjects getValue method.
2. Call that repeatedly

Actual Results:  
Then the browser crashes after some iterations (4 to 5)


Expected Results:  
The applet should be initialised properly.

This is happening in both mozilla 1.5 and mozilla 1.7 and for both the jre 
versions 1.4.2_05 and 1.4.2_02 (Sun jres).
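
Added example, not part of the original report: a triage of the HotSpot crash header quoted above. It resolves the faulting PC against the memory map rather than trusting the header, and flags faults inside allocator functions, which usually indicate earlier heap corruption and are the reason a memory checker is the natural next step. The names `triage`, `ALLOCATOR` and `MAP_RE` are this example's own.

```python
import re

# Excerpt of the crash output quoted in the report (wrapped lines joined):
# header, top Java frames, and three lines of the "Dynamic libraries" map.
SAMPLE = """\
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : 11 occurred at PC=0x42073499
Function=__libc_free+0x49
Library=/lib/tls/libc.so.6

Current Java thread:
        at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
        at sun.plugin.javascript.navig5.JSObject.getMember(JSObject.java:169)

Dynamic libraries:
40038000-40432000 r-xp 00000000 03:02 637112     /usr/java/j2sdk1.4.2_02/jre/lib/i386/client/libjvm.so
42000000-4212e000 r-xp 00000000 03:02 522262     /lib/tls/libc-2.3.2.so
4212e000-42131000 rw-p 0012e000 03:02 522262     /lib/tls/libc-2.3.2.so
"""

# Allocator entry points: a fault here usually means the heap was already
# corrupted elsewhere (double free, use after free, overflow), so the
# faulting frame is the victim rather than the culprit.
ALLOCATOR = {"free", "malloc", "realloc", "calloc"}

MAP_RE = re.compile(
    r"^([0-9a-f]{8,16})-([0-9a-f]{8,16}) (\S{4}) [0-9a-f]+ \S+\s+\d+\s+(\S.*)$", re.M)


def triage(log):
    """Summarise a HotSpot 1.4-style native crash report; None if no header."""
    sig = re.search(r"Unexpected Signal : (\d+) occurred at PC=0x([0-9a-fA-F]+)", log)
    if not sig:
        return None
    pc = int(sig.group(2), 16)
    func = re.search(r"^Function=(\S+?)(?:\+0x[0-9a-fA-F]+)?$", log, re.M)
    name = func.group(1) if func else None
    # Find the mapping that contains the PC and the offset inside it.
    mapping = None
    for lo, hi, perms, path in MAP_RE.findall(log):
        if int(lo, 16) <= pc < int(hi, 16):
            mapping = (path, perms, pc - int(lo, 16))
            break
    frames = re.findall(r"^\s+at ([\w.$<>]+)\(", log, re.M)
    base = name.lstrip("_").replace("libc_", "") if name else ""
    return {
        "signal": int(sig.group(1)),
        "function": name,
        "mapping": mapping,
        "top_java_frame": frames[0] if frames else None,
        "heap_corruption_suspect": base in ALLOCATOR,
    }
```
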

Updated

13 years ago
Summary: Browser crash with repated JSObject calls → Browser crash with repeated JSObject calls

Comment 1

13 years ago
brendan: is it likely/possible that liveconnect isn't rooting an object it's
exposing to java and the object got gc'd?
Keywords: crash
Hardware: Other → PC

Timeless: Who knows?  We need a stack.  Was talkback sent?

/be

Comment 3

13 years ago
reporter: please install a mozilla.org talkback enabled build and crash again,
then run components/talkback and copy the incident id to this bug. thanks.

you could also build your own mozilla (make sure you don't --enable-strip.
personally i'd go for --disable-debug --disable-optimize, but you could pick
enables if you wanted to) of mozilla and use valgrind. this next bit is rebuilt
from memory...
export VALGRIND_OPTS="--num-callers=10 --error-limit=no --logfile-fd=3"
./run-mozilla.sh `which valgrind` ./mozilla-bin
you'll eventually want to add something like:
 3> mozilla.valgrind 2> mozilla.stderr 1> mozilla.stdout
Keywords: stackwanted

Comment 4

13 years ago
*** Bug 285451 has been marked as a duplicate of this bug. ***

Comment 5

13 years ago
The bug 285451 that has been marked as a dupe of this bug was already confirmed
and its status was changed to new. The Talkback crash ID of that bug was:
4221939 and the page to reproduce it is:
http://telis.edugraf.ufsc.br/apliques/Giovani/quebrandoTudo/teste.html. So I
believe you do have a reason to set this bug to new.

Sorry for this, but I'd like to ask you to try to give some attention to the bug
because the application we develop depends upon this and we're obligated to use
IE, unfortunately. Besides that, this kind of situation is very common. So if you
can give us some idea on when this is going to be fixed I'd be grateful.

Kyle, could you look into this for 1.8b2?  I'll help get drivers approval if you
get a patch that fixes this bug attached.

/be
Assignee: live-connect → kyle.yuan
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 7

13 years ago
Reporter, jre 1.4.2 is buggy when doing liveconnect calls in applet's init
method. We fixed a bunch of bugs for this in jre 1.5. Could you upgrade to jre
1.5 and try again?

Giovani and Bob, I cannot get mozilla to crash using the testcase you provided,
neither on WinXP nor on Linux, with jre 1.5.0_01. The value in textbox can be
successfully increased to 999. Is there any special operation needed to make the
crash happen?

Comment 8

13 years ago
There is no additional operation to reproduce the crash. I'm using jre 1.5.0_2
under windows XP SP2 and it crashed when I opened it, it has counted until 39
then it has broken. 

I've downloaded the latest nightly build available on the Firefox's main
developer's page and it has crashed as well.

So, I've generated a new talkback on the latest nightly build. Its id is 4950682.

So this affects the 1.5 release of the Java plugin, and the crash is in caps
code.  Talkback link:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4950682

/be

Comment 10

13 years ago
This is a bug in the java plugin and affects all versions of jre1.5. I talked with the
java plugin developer and filed sun bug 6254466 for tracking this issue. The
root cause for bug 264062 is the same.

Comment 11

13 years ago
*** Bug 264062 has been marked as a duplicate of this bug. ***

Comment 12

13 years ago
*** Bug 272128 has been marked as a duplicate of this bug. ***

Comment 13

13 years ago
I was told that this bug should be fixed in Sun jre 1.5.0_04.

Comment 14

13 years ago
Awesome! But isn't there something that has to be done on Firefox side as well?
To my understanding it shouldn't be crashing if some plug-in misbehaves.

Comment 15

13 years ago
So far we can't prevent plugin crash from taking down firefox. That's bug 180946.

Comment 16

13 years ago
*** Bug 272969 has been marked as a duplicate of this bug. ***

Comment 17

13 years ago
Is this a duplicate of bug 209559?

Comment 18

13 years ago
*** Bug 294842 has been marked as a duplicate of this bug. ***

Comment 19

13 years ago
*** Bug 294842 has been marked as a duplicate of this bug. ***

Comment 20

13 years ago
Another affected Web page is at <URL:http://www.dot.ca.gov/traffic/>.  See
Talkback incident ##5950578.  See duplicate bug #294842 for details.  

This is also a problem with Windows 98SE.  I have changed the OS from "Linux" to
"All".  

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511
Java2 RTE 5 (1.5.0 v.1)
OS: Linux → All

Comment 21

13 years ago
mass reassign my bugs to Pete Zha.
Assignee: kyle.yuan → pete.zha

Comment 22

12 years ago
mass reassign to Alfred
Assignee: zhayupeng → alfred.peng

Comment 23

9 years ago
Tested with Intel Mac running Mac OS X 10.4.11 with all current updates, and Camino nightly version 2.0b2pre (1.9.0.7pre 2009020512).

No crash; but the applet had problems working properly.  Attaching Activity Monitor sample from Camino while the applet was running.

Comment 24

9 years ago
Created attachment 360940 [details]
Activity Monitor sample from Camino

Sample taken while applet on Caltrans URL was running.  Should have made that clear in the previous comment.

(In reply to comment #23)
> Tested with intel Mac running Mac OS X 10.4.11 with all current updates, and
> Camino nightly version 2.0b2pre (1.9.0.7pre 2009020512).
> 
> No crash; but the applet had problems working properly.

File a new bug and attach the activity monitor there. Don't hijack old bugs.

I'll let Alfred deal with this bug's status.

/be

Updated

7 years ago
Component: Java: Live Connect → Java: Live Connect
Product: Core → Core Graveyard

Comment 26

7 years ago
Testcases in comment 5 and comment 20 are no longer available.
Is there any way to reproduce this bug?

Comment 27

7 years ago
Re comment #26:  

That is what happens when an actual error is reported and no attempt is made to correct it for more than six years after good test cases are presented.

Comment 28

6 years ago
Firefox code moved from custom Liveconnect code to the NPAPI/NPRuntime bridge a while back. Mass-closing the bugs in the liveconnect component which are likely invalid. If you believe that this bug is still relevant to modern versions of Firefox, please reopen it and move it to the "Core" product, component "Plug-Ins".
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE