Closed Bug 271280 Opened 20 years ago Closed 20 years ago

Crash in online lc2 suite - [@ FindConstructor] OBJ_IS_NATIVE

Categories

(Core Graveyard :: Java: Live Connect, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bc, Assigned: yuanyi21)

References

()

Details

(Keywords: crash, fixed-aviary1.0.1, fixed1.7.6)

Crash Data

Attachments

(2 files)

Crash running the online version of the javascript test suite for the lc2 suite
for Mozilla 1.7.5 and Firefox 1.0 but not Mozilla 1.7.3 or Mozilla trunk.
Although this isn't in obvious live connect code, filing here to start with.

Steps to reproduce:

1. <http://bclary.com/2004/10/03/js-tests/menu.html>
2. select all for lc2
3. click execute test list

Result Crash

Stack

NTDLL! 7c901230()
FindConstructor(JSContext * 0x03ee6108, JSObject * 0x00000000, const char *
0x00b9f0b8, long * 0x0012ed88) line 1952 + 63 bytes
GetClassPrototype(JSContext * 0x03ee6108, JSObject * 0x02d5d478, const char *
0x00b9f0b8, JSObject * * 0x0012edf0) line 3587 + 21 bytes
js_NewObject(JSContext * 0x03ee6108, JSClass * 0x00b9f0d0 prop_iterator_class,
JSObject * 0x00000000, JSObject * 0x02d5d478) line 1845 + 23 bytes
js_Interpret(JSContext * 0x03ee6108, long * 0x0012f600) line 1901 + 23 bytes
js_Execute(JSContext * 0x03ee6108, JSObject * 0x03ee3500, JSScript * 0x032bf078,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f718) line 1159 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03ee6108, JSObject * 0x03ee3500,
JSPrincipals * 0x01f6502c, const unsigned short * 0x0401ef38, unsigned int 3867,
const char * 0x03de0540, unsigned int 1, long * 0x0012f718) line 3649 + 25 bytes
nsJSContext::EvaluateString(const nsAString & {...}, void * 0x03ee3500,
nsIPrincipal * 0x01f65028, const char * 0x03de0540, unsigned int 1, const char *
0x00b89430, nsAString & {...}, int * 0x0012f764) line 946 + 67 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03ce35b8, const nsString
& {...}) line 660
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03ce35b8) line 573 + 22 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x04015bf4,
nsIStreamLoader * 0x03dd7b88, nsISupports * 0x03ce35b8, unsigned int 0, unsigned
int 4294967295, const char * 0x03fa8e84) line 897
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03dd7b8c, nsIRequest *
0x03ddbf30, nsISupports * 0x03ce35b8, unsigned int 0) line 144
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03a1d4a8,
nsIRequest * 0x03ddbf30, nsISupports * 0x03ce35b8, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03ddbf38, nsIRequest *
0x03ad00f0, nsISupports * 0x00000000, unsigned int 0) line 3653
nsInputStreamPump::OnStateStop() line 499
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03ad00f4,
nsIAsyncInputStream * 0x03acfed4) line 339 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03f173a4) line 119
PL_HandleEvent(PLEvent * 0x03f173a4) line 673 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a26538) line 608 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00ec0212, unsigned int 49378, unsigned int 0,
long 10642744) line 1414 + 9 bytes
USER32! 77d48709()
USER32! 77d487eb()
USER32! 77d489a5()
USER32! 77d489e8()
nsAppShell::Run(nsAppShell * const 0x00a48da8) line 135
nsAppShellService::Run(nsAppShellService * const 0x00a48b08) line 524
main1(int 1, char * * 0x002e2638, nsISupports * 0x00a10430) line 1303 + 32 bytes
main(int 1, char * * 0x002e2638) line 1781 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32
e4x stuff?
timeless: what do you mean?  FindConstructor is now js_FindConstructor, but do
you know something more, or are you just guessing?

Bob, what version of the source was used to get the code that crashed with the
stack shown in comment 0?

/be
(In reply to comment #0)
> Crash running the online version of the javascript test suite for the lc2 suite
> for Mozilla 1.7.5 and Firefox 1.0 but not Mozilla 1.7.3 or Mozilla trunk.

So it's a regression between 1.7.3 and 1.7.5?

I can see the crash in a 1.7 branch build, the failed code is
JS_ASSERT(OBJ_IS_NATIVE(obj))
the obj here is a JavaArray. 

Bob, any chance I can see the source code of the test case? The crash happens
between testcase 2 and testcase 3. So I need to look into array-002.js and
array-003.js.
Brendan, I pulled and built 1.7 branch yesterday afternoon to get the stack.

Kyle, You can browse the tests at <http://bclary.com/2004/10/03/js-tests/lc2/>,
but you can unselect the first three tests and it will still crash. The problem
might be in either <http://bclary.com/2004/10/03/js-tests/lc2/shell.js> or
<http://bclary.com/2004/10/03/js-tests/lc2/browser.js> as well.
Bob, your site returned 403 when I tried to download the js files. Can you
adjust the site settings or send the files directly to me?
Kyle, you should be able to view the directory and files via Mozilla with ease.
This is the recommended approach if you only want to look at a few files. I have
added <http://bclary.com/2004/10/03/js-tests.zip> so you can download the full
test library but it weighs about 3MB.

You may have gotten a 403 due to your attempted use of a banned bot. I blocked
access to spider/bots Java/* and wget/* due to a) their brain-dead methods of
parsing documents and issuing bad requests and b) some people's abuse of my
limited bandwidth. 
Attached file simplified test case
var byte_array = ( new java.lang.String("hello") ).getBytes();
for ( p in byte_array ) {   //<-- this will crash mozilla1.7
 ...
}
The problem is when we create a new object that wraps JavaArray
(http://lxr.mozilla.org/seamonkey/source/js/src/liveconnect/jsj_JavaObject.c#201),
we failed to get the parent field set correctly due to this logic
(http://lxr.mozilla.org/mozilla1.7/source/js/src/jsobj.c#1861)
So next time, when we create a new object based on this JavaArray wrapper, in
http://lxr.mozilla.org/mozilla1.7/source/js/src/jsobj.c#1942, we can't get the
parent of the JavaArray wrapper.

Merging the v3.156 & v3.172 changes of js_NewObject solves the problem. But I
don't really understand the rationale of the fix. Brendan?
Attachment #167599 - Flags: review?(brendan)
Attachment #167599 - Flags: approval1.7.6?
Attachment #167599 - Flags: approval1.7.5?
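As an added illustration (not Mozilla code and not part of this bug thread), the following toy C model shows the failure mode Kyle's comment describes: prototype lookup for a new object walks the parent (scope) chain of the object it is created in, and FindConstructor assumes the object at the end of that walk is native. A LiveConnect JavaArray wrapper is not native, so if its parent field is never set, the walk ends on the wrapper itself (or on NULL) instead of the global object, which is what the JS_ASSERT(OBJ_IS_NATIVE(obj)) check trips on. All struct and function names here are hypothetical stand-ins for the SpiderMonkey structures.

```c
/* Added example, not Mozilla code: a toy model of the parent-chain walk that
 * GetClassPrototype/FindConstructor perform.  ToyObject, walk_to_global and
 * the other names are hypothetical stand-ins for SpiderMonkey's JSObject,
 * OBJ_IS_NATIVE and the parent slot. */
#include <stddef.h>
#include <stdio.h>

typedef struct ToyObject {
    const char *name;
    int is_native;              /* models OBJ_IS_NATIVE(obj) */
    struct ToyObject *parent;   /* models the object's parent (scope) slot */
} ToyObject;

/* Walk the parent chain to its end, the way prototype lookup reaches the
 * global object.  Returns the last object reached (possibly the start). */
static ToyObject *walk_to_global(ToyObject *start)
{
    ToyObject *obj = start;
    while (obj != NULL && obj->parent != NULL)
        obj = obj->parent;
    return obj;
}

/* Models FindConstructor's precondition: the object it is handed must be
 * native.  Returns 1 if lookup can proceed, 0 if the condition that
 * JS_ASSERT(OBJ_IS_NATIVE(obj)) guards is violated (the reported crash). */
static int find_constructor_ok(ToyObject *scope)
{
    ToyObject *global = walk_to_global(scope);
    if (global == NULL)
        return 0;
    return global->is_native ? 1 : 0;
}

/* Models the embedding wrapping a JavaArray.  With set_parent == 0 the
 * wrapper is left without a parent, the condition described for the
 * 1.7 branch; with set_parent == 1 it is parented to the global object. */
static void init_java_array_wrapper(ToyObject *wrapper, ToyObject *global,
                                    int set_parent)
{
    wrapper->name = "JavaArray wrapper";
    wrapper->is_native = 0;     /* LiveConnect wrappers are not native objects */
    wrapper->parent = set_parent ? global : NULL;
}

/* Models "for (p in byte_array)": the property iterator object is created
 * with the wrapper as its parent, so prototype lookup starts from the wrapper
 * (as in the stack, where js_NewObject receives the wrapper as parent). */
static int iterate_wrapper(ToyObject *wrapper)
{
    return find_constructor_ok(wrapper);
}

/* Runs one scenario; returns 1 when lookup succeeds, 0 when it would crash. */
int scenario(int set_parent)
{
    ToyObject global = { "global", 1, NULL };
    ToyObject wrapper;
    init_java_array_wrapper(&wrapper, &global, set_parent);
    return iterate_wrapper(&wrapper);
}

int main(void)
{
    printf("wrapper parent unset: %s\n",
           scenario(0) ? "ok" : "walk ends on a non-native object (assert would fire)");
    printf("wrapper parent set:   %s\n",
           scenario(1) ? "ok" : "walk ends on a non-native object (assert would fire)");
    return 0;
}
```

The point of the model is the precondition, not the exact branch logic: any object the embedding hands to the engine as a scope must have a parent chain that terminates at the native global, otherwise the assertion in FindConstructor (and a null dereference in non-debug builds) is reachable from ordinary script such as the attached for-in loop.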
Comment on attachment 167599 [details] [diff] [review]
stole the fix of js_NewObject from trunk 

Yeah, that's the ticket.  I'll let other drivers deliberate on 1.7.5 vs. .6.

/be
Attachment #167599 - Flags: review?(brendan)
Attachment #167599 - Flags: review+
Brendan, I dropped this line off when porting the patch -
http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#1804, because |reserveSlots|
is not defined in 1.7 branch. Is that a problem?
Kyle: not a problem, you did the right thing.

/be
Attachment #167599 - Flags: superreview?(jst)
Summary: Crash in online lc2 suite - FindConstructor OBJ_IS_NATIVE → Crash in online lc2 suite - [@ FindConstructor] OBJ_IS_NATIVE
Comment on attachment 167599 [details] [diff] [review]
stole the fix of js_NewObject from trunk 

sr=jst
Attachment #167599 - Flags: superreview?(jst) → superreview+
Comment on attachment 167599 [details] [diff] [review]
stole the fix of js_NewObject from trunk 

1.7.5 has shipped. Moving request to 1.7.6.
Attachment #167599 - Flags: approval1.7.5?
kyle: what's the status on this?
still waiting for driver's approval for 1.7 branch.
Comment on attachment 167599 [details] [diff] [review]
stole the fix of js_NewObject from trunk 

a=asa for checkin to the 1.7 branch for 1.7.6
Attachment #167599 - Flags: approval1.7.6? → approval1.7.6+
fixed in 1.7 branch.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7.6
Resolution: --- → FIXED
Severity: major → critical
Should this have the fixed-aviary1.0.1 keyword? Looks like brendan checked this
in on Jan 29
Verified Fixed with 2/21 Aviary 1.0.1 and Mozilla 1.7.6 builds.  Testcase no
longer crashes.   I will keep an eye on Talkback data once the releases go out
as well.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
Crash Signature: [@ FindConstructor]