Closed Bug 84082 Opened 24 years ago Closed 24 years ago

Javascript call Java and Java callback to Javascript crashes the browser

Categories

(Core Graveyard :: Java: Live Connect, defect)

x86
Windows NT
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 46518

People

(Reporter: xiaobin.lu, Assigned: xiaobin.lu)

Attachments

(3 files)

JavaScript calling Java resumed working after 82034, and Java calling JavaScript resumed working after 77600; however, JavaScript calling Java and then Java calling back crashes the browser.
Attached file A simple testcase
Attached file Testcase in zip format
I posted the testcase both in binary format (the first) and text format (the second). Please use MSIE to open the testcase. I tried using NS4.75 to open the testcase and it does not seem to work.
For some reason, I am unable to unzip attachment id=37105. I tried WinZip on WinNT, gunzip on Cygwin/WinNT, and gunzip on Linux. I keep getting errors in each case -
Sorry for the inconvenience! I will post the testcase on an external web server so you guys can access it.
Attached file The testcase
I was able to decompress the latest attachment (id=37253) successfully on Cygwin/WinNT by using tar -xzf on it... When I try 'test.html' in NN4.7, it works perfectly. But when I try it with any recent Mozilla build, I crash as soon as I hit "Run Test":

00000000()
_js_LookupProperty(JSContext * 0x0382f4c0, JSObject * 0x02ca1278, long 71717568, JSObject * * 0x0012d994, JSProperty * * 0x0012d988, const char * 0x00e32a28, unsigned int 2335) line 2182 + 24 bytes
js_GetProperty(JSContext * 0x0382f4c0, JSObject * 0x02ca1270, long 71717568, long * 0x0012e524) line 2335 + 35 bytes
js_Interpret(JSContext * 0x0382f4c0, long * 0x0012e6dc) line 2535 + 1998 bytes
js_Invoke(JSContext * 0x0382f4c0, unsigned int 1, unsigned int 2) line 824 + 13 bytes
js_InternalInvoke(JSContext * 0x0382f4c0, JSObject * 0x02ca1218, long 46797344, unsigned int 0, unsigned int 1, long * 0x0012e8b4, long * 0x0012e804) line 896 + 20 bytes
JS_CallFunctionValue(JSContext * 0x0382f4c0, JSObject * 0x02ca1218, long 46797344, unsigned int 1, long * 0x0012e8b4, long * 0x0012e804) line 3320 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0382feb0, void * 0x02ca1218, void * 0x02ca1220, unsigned int 1, void * 0x0012e8b4, int * 0x0012e8b0, int 0) line 934 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04499c10, nsIDOMEvent * 0x04491494) line 139 + 57 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04499b90, nsIDOMEvent * 0x04491494, nsIDOMEventTarget * 0x04182250, unsigned int 4, unsigned int 7) line 1119 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04499c60, nsIPresContext * 0x04ff3bb0, nsEvent * 0x0012f340, nsIDOMEvent * * 0x0012f040, nsIDOMEventTarget * 0x04182250, unsigned int 7, nsEventStatus * 0x0012f718) line 1285 + 36 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0449eb20, nsIPresContext * 0x04ff3bb0, nsEvent * 0x0012f340, nsIDOMEvent * * 0x0012f040, unsigned int 1, nsEventStatus * 0x0012f718) line 1674
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0449eb20, nsIPresContext * 0x04ff3bb0, nsEvent * 0x0012f340, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f718) line 1078 + 29 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f340, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f718) line 5513 + 47 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x04fda050, nsEvent * 0x0012f340, nsIFrame * 0x02d6ae64, nsIContent * 0x0449eb20, unsigned int 1, nsEventStatus * 0x0012f718) line 5486 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x03bc8e30, nsIPresContext * 0x04ff3bb0, nsMouseEvent * 0x0012f824, nsEventStatus * 0x0012f718) line 2463 + 61 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x03bc8e38, nsIPresContext * 0x04ff3bb0, nsEvent * 0x0012f824, nsIFrame * 0x02d6ae64, nsEventStatus * 0x0012f718, nsIView * 0x0446f7b0) line 1548 + 28 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f824, nsIView * 0x0446f7b0, unsigned int 1, nsEventStatus * 0x0012f718) line 5533 + 43 bytes
PresShell::HandleEvent(PresShell * const 0x04fda054, nsIView * 0x0446f7b0, nsGUIEvent * 0x0012f824, nsEventStatus * 0x0012f718, int 0, int & 1) line 5440 + 25 bytes
nsView::HandleEvent(nsView * const 0x0446f7b0, nsGUIEvent * 0x0012f824, unsigned int 8, nsEventStatus * 0x0012f718, int 0, int & 1) line 377
nsView::HandleEvent(nsView * const 0x0446ff70, nsGUIEvent * 0x0012f824, unsigned int 8, nsEventStatus * 0x0012f718, int 0, int & 1) line 350
nsView::HandleEvent(nsView * const 0x04fde390, nsGUIEvent * 0x0012f824, unsigned int 28, nsEventStatus * 0x0012f718, int 1, int & 1) line 350
nsViewManager::DispatchEvent(nsViewManager * const 0x04fde520, nsGUIEvent * 0x0012f824, nsEventStatus * 0x0012f718) line 2051
HandleEvent(nsGUIEvent * 0x0012f824) line 68
nsWindow::DispatchEvent(nsWindow * const 0x0446a394, nsGUIEvent * 0x0012f824, nsEventStatus & nsEventStatus_eIgnore) line 712 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f824) line 733
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4195 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4442
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 3604556, long * 0x0012fc2c) line 3166 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x003b02fe, unsigned int 514, unsigned int 0, long 3604556) line 979 + 27 bytes
USER32! 77e71820()
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is the Java plug-in I am using on WinNT with Mozilla:

File name: D:\mozilla\dist\WIN32_D.OBJ\bin\plugins\NPOJI600.dll
Java Plug-in 1.3.0_01 for Netscape Navigator (DLL Helper)

Mime Type: application/x-java-vm
Description: Java Virtual Machine for Netscape 6.x
Suffixes:
Enabled: Yes
This smells like the problem fixed in bug #82034. Please get that patch and verify. The crash is happening on a call to a NULL function pointer called resolve.
Depends on: 82034
I filed this bug with the latest trunk with the fixes for 77600 and 82034. So I don't think it is the same problem as 82034. Actually, the problem is that to make it work, I need to grant all the permissions in my Java policy file, which is not how it is supposed to be.
I have finished a debug WinNT Mozilla build 2001-06-05. Also, I downloaded the WinNT binary 2001060509 from the ftp server. Both come one day after the fix for bug 82034 was checked in.

With each build, the browser no longer crashes when I click the "Run Test" button in Test.html; but then again, NOTHING happens. No alertbox comes up. No errors appear in the JavaScript console. In the Java Console all I see is the message

Calling getWIndow() ....

which appears as soon as I load Test.html. When I click the "Run Test" button, no further message appears in the Java Console or the Mozilla debug console.

The onClick handler of the "Run Test" button is

document.callLCApplet.callAlert()

When I type that in as a javascript:URL and hit enter, I get this message in the Mozilla debug console:

Error loading URL javascript: document.callLCApplet.callAlert() : 2152924149
That same error number (2152924149) also occurs in these bugs: bug 83799 bug 83981
You need to apply the patch for 77600 to reproduce the problem.
OK, but I was testing Patrick's idea at 2001-06-05 17:40 above:

> This smells like the problem fixed in bug 82034. Please get that patch
> and verify. The crash is happening on a call to a NULL function pointer
> called resolve.
Blocks: 59447
Applied patch for 77600, tested on today's trunk and I got a crash. The stack trace looks like:

NTDLL! 77f7629c()
jsj_HashJavaObject(const void * 0x0086f7c0, void * 0x03dee530) line 76 + 18 bytes
jsj_WrapJavaObject(JSContext * 0x03aa1520, const JNINativeInterface_ * * 0x03dee530, _jobject * 0x0086f7c0, _jobject * 0x0086f7c4) line 129 + 13 bytes
jsj_ConvertJavaObjectToJSValue(JSContext * 0x03aa1520, const JNINativeInterface_ * * 0x03dee530, _jobject * 0x0086f7c0, long * 0x1bf48030) line 861 + 21 bytes
nsCLiveconnect::Call(nsCLiveconnect * const 0x03dea880, JNIEnv_ * 0x03dee530, long 469010784, const unsigned short * 0x00871780, long 8, _jobjectArray * 0x0086f624, void * * 0x00000000, int 0, nsISupports * 0x026f3dd0, _jobject * * 0x0012c984) line 449 + 27 bytes
CJSCallDispatcher::Dispatch(JSObject_CallInfo * 0x026f11c0) line 370 + 58 bytes
CJSCallDispatcher::Run(CJSCallDispatcher * const 0x026f1180) line 981 + 39 bytes

The reason is there is some exception occurred during a call to java.lang.System.identifyHashcode. The exception is:

java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.Class.getProtectionDomain(Unknown Source)
    at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller(SecureInvocation.java:420)
    at sun.plugin.liveconnect.SecureInvocation.CallMethod(SecureInvocation.java:262)
    at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
    at sun.plugin.javascript.navig5.JSObject.getMember(JSObject.java:181)
    at JavaToJS.getMemberTest(JavaToJS.java:299)
    at java.lang.reflect.Method.invoke(Native Method)
    at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(SecureInvocation.java:585)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin.liveconnect.SecureInvocation.CallMethod(SecureInvocation.java:276)
java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.Class.getProtectionDomain(Unknown Source)
    at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller(SecureInvocation.java:420)
    at sun.plugin.liveconnect.SecureInvocation.CallMethod(SecureInvocation.java:262)
    at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
    at sun.plugin.javascript.navig5.JSObject.getMember(JSObject.java:181)
    at JavaToJS.getMemberTest(JavaToJS.java:299)
    at java.lang.reflect.Method.invoke(Native Method)
    at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(SecureInvocation.java:585)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin.liveconnect.SecureInvocation.CallMethod(SecureInvocation.java:276)

By the way, granting all permissions in the java.policy file solves the problem.
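Added example, not part of the bug thread or of Mozilla or Java Plug-in code: a small script that turns the AccessControlException denials from a Java console log into narrow java.policy grant lines scoped to one codeBase, as an alternative to granting all permissions. The codeBase URL and the PropertyPermission denial are constructed placeholders, and whether the narrow grant is enough to make this testcase work is an untested assumption.

```python
import re

# Permission classes whose console form is "<class> <target> <actions>".
WITH_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
                "java.util.PropertyPermission"}
DENIAL = re.compile(r"access denied \((\S+)(?: (.+))?\)\s*$")

def denied_permissions(console_log):
    """Return unique (class, target, actions) tuples in first-seen order."""
    seen = []
    for line in console_log.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        cls, rest = m.group(1), m.group(2) or ""
        target, actions = rest, ""
        if cls in WITH_ACTIONS and " " in rest:
            target, actions = rest.rsplit(" ", 1)
        entry = (cls, target, actions)
        if entry not in seen:
            seen.append(entry)
    return seen

def quote(s):
    # Policy-file strings use backslash escapes, so double them (Windows paths).
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def policy_grant(perms, code_base):
    """Render one grant block scoped to code_base, one line per denial."""
    lines = ["grant codeBase %s {" % quote(code_base)]
    for cls, target, actions in perms:
        parts = [p for p in (target, actions) if p]
        args = ", ".join(quote(p) for p in parts)
        lines.append("    permission %s%s;" % (cls, " " + args if args else ""))
    lines.append("};")
    return "\n".join(lines)

# Constructed inputs: the denial from the trace above (repeated, as it is
# there), one made-up PropertyPermission denial, and a placeholder codeBase.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
"""
EXAMPLE_CODEBASE = "http://applet-host.example/testcase/"

if __name__ == "__main__":
    print(policy_grant(denied_permissions(SAMPLE_LOG), EXAMPLE_CODEBASE))
```

The generated entries are candidates to review before they go into a policy file; each one widens what code from that codeBase may do.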
Reassign!
Assignee: beard → xiaobin.lu
On the Mac, I don't crash when I hit the "Run Test" button, but the first time the applet is run, the value of TestApplet.win is null, so the call to TestApplet.callAlert() fails with a NullPointerException. If I hit reload, the second time around, the call to JSObject.getWindow(this) works. Evidently there is some kind of race condition when initializing the applet the first time.
*** This bug has been marked as a duplicate of 46518 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
The reason I marked this bug as dup of 46518 is 46518 contains more issues than this bug. In other words, it is just one problem of 46518.
Marking Verified Duplicate -
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard