419818 - Crash when doing a typeof java == "object" via JS [@ NP_GetEntryPoints] [@ ns4xPluginInstance::InitializePlugin]

Status: RESOLVED FIXED

(Core Graveyard :: Java: OJI, defect)

Description

[Frank Wein [:mcsmurf]]

To reproduce:
0. Install the new Java SE 6 Update 10 plugin, see https://jdk6.dev.java.net/plugin2/
1. Open attached testcase
2. Watch it crash

This bug is probably a plugin bug, I file it here for cross-reference. I also filed a report on this in the http://bugs.sun.com database, it is waiting for triage/bug number.

Stacktrace:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2f0 6da32c53 npjp2!NP_GetEntryPoints+0x33d
0012e32c 6da31ee2 npjp2!Java_sun_plugin2_main_server_MozillaBrowserService_getBrowserAuthentication+0x1b9
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\gkplugin.dll
0012e34c 025333a6 npjp2!NP_Shutdown+0x4b
0012e414 0253288a gkplugin!ns4xPluginInstance::InitializePlugin(class nsIPluginInstancePeer * peer = 0x0614e670)+0x446 [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp @ 1096]
0012e420 025462ad gkplugin!ns4xPluginInstance::Initialize(class nsIPluginInstancePeer * peer = 0x0614e670)+0x3a [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp @ 869]
0012e82c 0254571a gkplugin!nsPluginHostImpl::TrySetUpPluginInstance(char * aMimeType = 0x02584b9c "application/x-java-vm", class nsIURI * aURL = 0x00000000, class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x99d [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 4076]
0012e884 025545df gkplugin!nsPluginHostImpl::SetUpPluginInstance(char * aMimeType = 0x02584b9c "application/x-java-vm", class nsIURI * aURL = 0x00000000, class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x4a [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 3880]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\gklayout.dll
0012e8e0 01cea0cc gkplugin!nsPluginHostImpl::InstantiateDummyJavaPlugin(class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x6f [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 6888]
0012e948 01cc8d15 gklayout!nsGlobalWindow::InitJavaProperties(void)+0x11c [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsglobalwindow.cpp @ 5589]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\xpc3250.dll
0012eba0 03ba62a4 gklayout!nsWindowSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x00dc3e58, struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long id = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ecc8, int * _retval = 0x0012ec24)+0x18f5 [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsdomclassinfo.cpp @ 6139]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\js3250.dll
0012ecd0 00504c79 xpc3250!XPC_WN_Helper_NewResolve(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long idval = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ed3c)+0x264 [f:\mozilla\tree-cvsmo\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1068]
0012ed48 0050552b js3250!js_LookupPropertyWithFlags(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long id = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ed7c, struct JSProperty ** propp = 0x0012ed6c)+0x389 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsobj.c @ 3291]
0012ed88 004e4874 js3250!js_FindPropertyHelper(struct JSContext * cx = 0x054258f8, long id = 74776644, struct JSObject ** objp = 0x0012f324, struct JSObject ** pobjp = 0x0012f3a8, struct JSProperty ** propp = 0x0012f310, struct JSPropCacheEntry ** entryp = 0x0012f148)+0x5b [f:\mozilla\tree-cvsmo\mozilla\js\src\jsobj.c @ 3405]
0012f3ec 004d435c js3250!js_Interpret(struct JSContext * cx = 0x054258f8, unsigned char * pc = 0x042c737b ";", long * result = 0x0012f424)+0xf774 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsinterp.c @ 4748]
0012f488 0048c167 js3250!js_Execute(struct JSContext * cx = 0x054258f8, struct JSObject * chain = 0x06bb1200, struct JSScript * script = 0x042c7320, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x0012f4e8)+0x29c [f:\mozilla\tree-cvsmo\mozilla\js\src\jsinterp.c @ 1649]
0012f4ac 01d01934 js3250!JS_ExecuteScript(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, struct JSScript * script = 0x042c7320, long * rval = 0x0012f4e8)+0x57 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsapi.c @ 4823]
0012f500 01c9698f gklayout!nsJSContext::ExecuteScript(void * aScriptObject = 0x06d432a0, void * aScopeObject = 0x06bb1200, class nsAString_internal * aRetValue = 0x00000000, int * aIsUndefined = 0x00000000)+0x134 [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsjsenvironment.cpp @ 1666]
0012f528 01c96b62 gklayout!nsXULDocument::ExecuteScript(class nsIScriptContext * aContext = 0x053fcce8, void * aScriptObject = 0x06d432a0)+0xcf [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 3436]
0012f560 01c9520b gklayout!nsXULDocument::ExecuteScript(class nsXULPrototypeScript * aScript = 0x06127b10)+0x1c2 [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 3459]
0012f640 01c8e8f6 gklayout!nsXULDocument::ResumeWalk(void)+0x56b [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 2912]

Comment 1

[Frank Wein [:mcsmurf]]

Attachment: Testcase (crashes browser)

Comment 2

[Frank Wein [:mcsmurf]]

Attachment: Testcase 2 (does not crash)

This is basically the same testcase, just as HTML. This one does not crash the browser.

Comment 3

[Frank Wein [:mcsmurf]]

BTW: One use case where this occurs is when you launch ChatZilla in SeaMonkey.

Comment 4

[Frank Wein [:mcsmurf]]

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6669444
Bug in the Sun Bug Database

Comment 6

[danielle.pham]

I tried on WinXP with latest nightly build of FF3 and 6u10 b23 (from: https://jdk6.dev.java.net/6u10ea.html#Download). 
All worked fine for me, whether the 'typeof java == "object"' is invoked from an XUL (XML) or HTML page.
In the javacrash testcase, if I add:

alert("HAS_JAVA = " + jsenv.HAS_JAVA);

to the script, I see "TRUE" when Java is installed and "FALSE" when Java is uninstalled. This correct result is seen with both 6u10's new Java Plugin (NPRuntime based) as well as the old OJI Plugin.

Please retry using:
- Latest nightly FF3:  http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
- Latest 6u10 from https://jdk6.dev.java.net/6u10ea.html#Download (b23 is latest today).

Also, try both with the online or offline installer as well as the kernel installer of 6u10.
If the problem persists, please let know which installer that you use.
Thanks.

Comment 7

[danielle.pham]

There's a recent fix in Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=405357) related to LiveConnect operation.
Therefore, it's strongly recommended that you use latest build of FF3 when operating with Java.

Comment 8

[danielle.pham]

Looking at Sun CR 6669444, looks like this bug has been fixed in 6u10 b21 by Ken Russell.
So please, try latest 6u10.

Comment 9

[Frank Wein [:mcsmurf]]

You're right, it no longer crashes with the latest plugin update.

Comment 10

[Dennis Jacobfeuerborn]

After updating to the 6u10 b23 build I no longer get the crash I reported in bug 433869 .

Comment 11

[danielle.pham]

great! thanks.