Closed
Bug 291522
Opened 20 years ago
Closed 15 years ago
calling document.close from JSObject crashes [@ MSVCRT.DLL - JS_HashTableAdd ]
Categories
(Core Graveyard :: Java: Live Connect, defect)
Core Graveyard
Java: Live Connect
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: kai, Unassigned)
References
()
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(5 files, 2 obsolete files)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050311 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050311 Firefox/1.0.1
String newHTML="Hello world!";
JSObject window = JSObject.getWindow(this);
String[] args = {newHTML};
JSObject document = (JSObject)window.getMember("document");
document.call("write", args);
document.call("close", null); // why does that crash my browser?
This crashes FireFox 1.0.1/Sun Java plugin 1.4.2.06 on SuSE Linux 9.2 as well as
Firefix 1.0.2/Sun Java plugin 1.5.0.02 on Windows XP SP2. It works with Internet
Explorer on Windows XP SP2.
The attached source also contains a workaround: call document.write() and
document.close() from the Javascript function replaceHTML() which gets called
from the Java Applet.
Reproducible: Always
Steps to Reproduce:
Click on the applet in the attached web page.
Actual Results:
Firefox crashes.
Expected Results:
The HTML on the displayed page should have been replaced.
|
||
Comment 4•20 years ago
|
||
In Attachment 181573 [details] I´ve replaced "JavaScriptApplet.jar" with the URL of Attachment 181574 [details], https://bugzilla.mozilla.org/attachment.cgi?id=181574 <applet code="JavaScriptApplet.class" archive="https://bugzilla.mozilla.org/attachment.cgi?id=181574" width="100" height="20" mayscript> </applet> wfm tested locally Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050418 will retest after upload and comment if testcase fails.
sorry, the first JAR I uploaded contained the workaround :-(
Attachment #181574 -
Attachment is obsolete: true
Attachment #181573 -
Attachment is obsolete: true
|
|
||
Comment 7•20 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050418 I didn´t want to come back, but testing my testcase here it is: Talkback TB5287391W http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB5287391W MSVCRT.DLL + 0xad3e (0x7800ad3e) MSVCRT.DLL + 0x954b (0x7800954b) MSVCRT.DLL + 0x14cf (0x780014cf) JS_HashTableAdd [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jshash.c, line 269] _createJSDObject [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/jsd/jsd_obj.c, line 130] jsd_ObjectHook [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/jsd/jsd_obj.c, line 171] js_NewObject [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 1946] js_NewFunction [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsfun.c, line 1903] js_DefineFunction [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsfun.c, line 1965] JS_DefineFunction [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3186] JS_DefineFunctions [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3168] js_InitObjectClass [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 1713] InitFunctionAndObjectClasses [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 1140] JS_ResolveStandardClass [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 1422] SafeGlobalResolve [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcthreadcontext.cpp, line 126] js_LookupPropertyWithFlags [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2568] js_LookupProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2426] js_GetProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2711] XPCWrappedNativeScope::SetGlobal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 190] XPCWrappedNativeScope::XPCWrappedNativeScope [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 161] nsXPConnect::InitClasses [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 435] nsXPConnect::InitClassesWithNewWrappedGlobal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 493] nsJSContext::InitContext [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1527] NS_CreateScriptContext [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2175] nsDOMScriptObjectFactory::NewScriptContext [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMScriptObjectFactory.cpp, line 103] nsDocShell::GetInterface [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 383] nsWebShell::GetInterface [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp, line 259] nsCOMPtr_base::assign_from_helper [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/build/nsCOMPtr.cpp, line 150] nsAppShellService::RegisterTopLevelWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 473] nsAppShellService::CreateTopLevelWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 240] nsXULWindow::CreateNewChromeWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 1706] nsXULWindow::CreateNewWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 1683] nsAppStartup::CreateChromeWindow2 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 884] nsWindowWatcher::OpenWindowJS [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 623] nsWindowWatcher::OpenWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 465] nsPromptService::DoDialog [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 634] nsPromptService::Alert [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 133] nsPrompt::Alert [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 209] nsGlobalWindow::Alert [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp, line 2420] XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2065] XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1287] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1320] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3601] js_Execute [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1551] JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3739] nsJSContext::EvaluateString [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1035] nsScriptLoader::EvaluateScript [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 723] nsScriptLoader::ProcessRequest [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 629] nsScriptLoader::ProcessScriptElement [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 575] nsHTMLScriptElement::MaybeProcessScript [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 665] nsHTMLScriptElement::BindToTree [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456] nsGenericElement::AppendChildTo [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2707] HTMLContentSink::ProcessSCRIPTTag [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4173] HTMLContentSink::AddLeaf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3055] HTMLContentSink::AddHeadContent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3006] CNavDTD::AddHeadLeaf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3667] CNavDTD::HandleToken [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 938] CNavDTD::BuildModel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 461] nsParser::BuildModel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/nsParser.cpp, line 2
|
||
Updated•20 years ago
|
|
||
Comment 8•19 years ago
|
||
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20060502 BonEcho/2.0a1 Half confirmed? It doesn't crash my browser, but it does lock it up. strace says it's in poll(), WFIW.
|
|
||
Comment 9•19 years ago
|
||
Here's a stack trace grabbed from gdb. Doesn't seem to share anything with the above TB stack, though.
|
||
Comment 10•18 years ago
|
||
I can't reproduce the bug on Solaris with Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1) Gecko/20061211 Firefox/2.0 and Java 1.6.0 if I download the test case to a local directory. The test case in the attachment will hang the browser. It's related to the link for "archive". A dialog shows that the web site's certificate cannot be verified (Name: bugzilla.mozilla.org).
|
||
Comment 11•18 years ago
|
||
I can see exactly the symptom described by Alfred with JRE 6.0 b105, but can no longer see the problem with JRE 6.0_u2 b1 or later. That is, the applet loaded fine and the call from Java->JS works well whether the JavaScriptApplet.jar is archived via https or on local system. A fix (Sun bug ID 6521732) which was putbacked in JRE 6.0_u2 b1 has likely resolved this problem. Alfred, to confirm my finding, can you please download latest 6.0_u2 build from here http://javaweb.sfbay.sun.com/jcg/NightlyBuilds/update.int/6u2/archived/2007-04-16.6u2/ for your test platform and see if the problem also goes away with this build for you as well. Thank you.
|
|
||
Comment 12•18 years ago
|
||
Danielle, I tried the 1.6.0u2 build on Solaris x86/SPARC. Both of them work well and Firefox doesn't hang any more. I think the bug has been fixed in this build:) Thanks! I notice that when hovering the mouse above the plugin area and clicking, Firefox will still hang. Anyway, this should be a separate issue.
|
|
||
Comment 13•18 years ago
|
||
Thanks, Alfred. I do not see the hang you refer to. However, when JavaScriptApplet.jar is archived locally, after the test has been carried out successfully once (i.e, "click me" to do J-JS and Applet's ThreadGroup is joined by closing on applet window), I have problem reloading the page (and reloading the applet) by clicking page refresh. The browser would appear as if it's busily trying to reload the page, but not hang. If you go to a different URL then click back to reload this JavaScriptApplet test, the applet will load fine and J-JS click will work again. I do not see this problem when JavaScriptApplet.jar is archived via https. However, this is a separate issue. I will file a Java bug to work on this problem.
|
|
||
Comment 14•18 years ago
|
||
mozilla bug 291522 should be closed. Sun java bug 6550436 has been filed to address the applet reload issue.
|
|
||
Comment 15•18 years ago
|
||
Danielle, forgot to mention, the hang is caused by the following steps: 1. Load the testcase attached. 2. Select "no" in the "Warning - Security" dialog. 3. Hover over the plugin area(It notifies me that the Applet JavaScriptApplet notinited in the status bar) and right click to bring up the Java context menu. Actual result: Firefox hangs. It works pretty well when I choose "yes" and click on "click me".
|
||
Comment 16•15 years ago
|
||
(In reply to comment #14) > mozilla bug 291522 should be closed. > > Sun java bug 6550436 has been filed to address the applet reload issue. http://bugs.sun.com/view_bug.do?bug_id=6550436 was closed not reproducible both testcase files WFM Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a1pre) Gecko/20100110 Minefield/3.7a1pre (.NET CLR 3.5.30729)
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
|
||
Updated•13 years ago
|
Crash Signature: [@ MSVCRT.DLL - JS_HashTableAdd ]
You need to log in
before you can comment on or make changes to this bug.
Description
•