Closed Bug 338014 Opened 18 years ago Closed 18 years ago

Weak reference stubs (nsJavaXPTCStubWeakRef) are not properly counted, causing java virtual machine crash

Categories

(Core Graveyard :: Java to XPCOM Bridge, defect)

Product:
Core Graveyard
Component:
Java to XPCOM Bridge
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 337675

People

(Reporter: ttudor, Assigned: jhpedemonte)

Details

Attachments

(1 file)

Patch for using stub->GetWeakReference()
3.78 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: 

nsJavaXPTCStubRefs are no always properly counted in their "parent" nsJavaXPTCStub. 

In both SetupParams (nsJavaWrapper.cpp, around line 738) and nsJavaXPTCStub::FinalizeParams (nsJavaXPTCStub.cpp, around line 1520) a weak reference is created by :

weakref = new nsJavaXPTCStubWeakRef(java_obj, stub);

stub->mWeakRefCount is not incremented. On the other hand when the weak reference pointed by weakref is destroyed, its destructor calls stub->ReleaseWeakRef (see nsJavaXPTCstubWeakRef.cpp) and decrements mWeakRefCount which can (and actually does) get negative. 

A proper mWeakRefCount is quite important as it is used for deciding whether to destroy a stub or not. A stub that has actually been destroyed but whose Destroy() method has never been called can cause virtual machine crashes (see additional information)

PROPOSED SOLUTION: 
instead of creating the weak reference through a
 
weakref = new nsJavaXPTCStubWeakRef(java_obj, stub);

use the GetNewReference method on the stub

stub->GetNewReference(&weakref);
(weakref must be a nsIWeakReference* and it should not be AddRefed as GetNewReference already does it).

 



Reproducible: Always




I've hit this problem while trying to understand why the Java VM (almost) always crashes seconds after termEmbedding() has been called. I've pinned down the crash to the fact that on FreeJavaGlobals() an invalid global reference was being freed.
Patch against the 1.8.0 branch. All new nsJavaXPTCStubWeakReference are (hopefully) replaced with stub->GetWeakReference().
I just attached a similar (but more complete) patch to bug 337675.  Please take a look and let me know if that patch works as well.

*** This bug has been marked as a duplicate of 337675 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: