347598 - Digging deep into the "java" object makes Firefox and Java crash

Status: RESOLVED WONTFIX

(Core Graveyard :: Java: Live Connect, defect)

Description

[Jesse Ruderman]

Evaluating java.i.i.i.i....i (with about 2^14 i's) makes Firefox hang for a few minutes and then crash.

Thread 0 Crashed:
0   libclient.dylib           	0x9c0dfbfc jio_snprintf + 200008
1   libclient.dylib           	0x9c0df86c jio_snprintf + 199096
2   libclient.dylib           	0x9c0def34 jio_snprintf + 196736
3   libclient.dylib           	0x9c0de450 jio_snprintf + 193948
4   libclient.dylib           	0x9c0ddf14 jio_snprintf + 192608
5   libclient.dylib           	0x9c0ddd48 jio_snprintf + 192148
6   libclient.dylib           	0x9c116254 JVM_DoPrivileged + 6612
7   libclient.dylib           	0x9c1160cc JVM_DoPrivileged + 6220
8   com.netscape.MRJPlugin    	0x01f90bf8 StopJavaControlAsyncDrawing.eh + 20556
9   com.netscape.MRJPlugin    	0x01f9bdf8 StopJavaControlAsyncDrawing.eh + 66124
10  com.netscape.MRJPlugin    	0x01f6c6cc JavaMessageQueue::notify() + 196
11  <<00000000>> 	0x09647258 0 + 157577816
12  <<00000000>> 	0x09647050 0 + 157577296
13  <<00000000>> 	0x09572164 0 + 156705124
14  libclient.dylib           	0x9c10c3c8 jio_snprintf + 382228
15  libclient.dylib           	0x9c10c214 jio_snprintf + 381792
16  libclient.dylib           	0x9c12aeec JVM_MaxMemory + 9056
17  libclient.dylib           	0x9c172110 JVM_FindLoadedClass + 2676
18  JavaEmbeddingPlugin       	0x05c2f054 JEPDoLiveConnectProxy + 1576
19  com.netscape.MRJPlugin    	0x01f5eb24 JEPDoLiveConnectProxy + 124
20  com.netscape.MRJPlugin    	0x01f6dde0 CSecureEnv::sendMessageToJava(JavaMessage*) + 1908
21  com.netscape.MRJPlugin    	0x01f6f3d0 CSecureEnv::FindClass(char const*, _jclass**) + 96
22  org.mozilla.firefox       	0x00a54d7c ProxyJNIEnv::FindClass(JNIEnv_*, char const*) + 60
23  org.mozilla.firefox       	0x00843004 jsj_init_JavaMember + 628
24  libmozjs.dylib            	0x23047850 js_LookupPropertyWithFlags + 1216
25  libmozjs.dylib            	0x2304a244 js_GetProperty + 152
26  libmozjs.dylib            	0x23036504 js_Interpret + 28604
27  libmozjs.dylib            	0x2303d544 js_Execute + 580
28  libmozjs.dylib            	0x230059cc JS_EvaluateUCScriptForPrincipals + 88
...

Comment 1

[Jesse Ruderman]

Attachment: testcase

Comment 2

[Steven Michaud [:smichaud] (Retired)]

I'm able to reproduce this, but only on OS X Tiger (I tested on
10.4.7).  I'm not able to reproduce it on OS X 10.3.9.

I get a similar stack trace (on the main thread), though not an
identical one.  And in the Console (not the Java Console) I see many
occurrances (10 - 15) of the following string at the same time as the
crash:

"An irrecoverable stack overflow (bypassing yellow and red zones)."

This string is in libjvm.dylib (of Apple's JVM), and seems to
correspond to the string "An irrecoverable stack overflow has
occurred" in Sun's (other) JVMs.  So it looks like the JVM is
overflowing the browser's stack (on the main thread).

The code that crashes is called repeatedly (possibly hundreds of
times), but not (as far as I can tell) recursively -- so I don't know
why there's a stack overflow.

I also don't know why it only happens on OS X 10.4.X.  But the Java
Embedding Plugin (and consequently Apple's JVM) does more work on a
JavaScript-to-Java LiveConnect call on OS X 10.4.X than it does on OS
X 10.3.X or 10.2.8.  So that may have something to do with it.

I don't know what I'm going to be able to do about this.

(Browser event handler recursion doesn't seem to be involved here.)

Comment 3

[Steven Michaud [:smichaud] (Retired)]

My fix for bug 389597 also fixes this bug.

Comment 4

[Steven Michaud [:smichaud] (Retired)]

Smokey, this isn't a bug in the Java Embedding Plugin.

As my fix for bug 389597 shows, this is actually a side effect of a
bug in Mozilla.org's LiveConnect implementation.

Comment 5

[Jesse Ruderman]

Liveconnect is gone, so I guess this is worksforme or wontfix, depending on how you look at it.