JDK-6669444 : Firefox crashes when doing a typeof=="object" check on an object
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u10
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-02-29
  • Updated: 2010-09-08
  • Resolved: 2008-05-28
JDK 6: 6u10 b21 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.6.0_10-ea"
Java(TM) SE Runtime Environment (build 1.6.0_10-ea-b11)
Java HotSpot(TM) Client VM (build 11.0-b11, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Current Firefox trunk version or SeaMonkey trunk version

A DESCRIPTION OF THE PROBLEM :
With the following test case Firefox crashes. I believe the new Java plugin is to blame here:
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window
    orient="horizontal"
    xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

<script>
var jsenv = new Object();
jsenv.HAS_JAVA = (typeof java == "object");
</script>
</window>

If I execute this JS code within a normal HTML document, it does not crash. Within a XUL document it crashes.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Save the test case as javacrash.xul (the .xul extension is important here)
2. Open the test case in a current Firefox trunk build or beta version
3. Watch it crash

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Not crash.
ACTUAL -
It crashes ;-).

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Stacktrace from WinDBG:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2f0 6da32c53 npjp2!NP_GetEntryPoints+0x33d
0012e32c 6da31ee2 npjp2!Java_sun_plugin2_main_server_MozillaBrowserService_getBrowserAuthentication+0x1b9
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\gkplugin.dll
0012e34c 025333a6 npjp2!NP_Shutdown+0x4b
0012e414 0253288a gkplugin!ns4xPluginInstance::InitializePlugin(class nsIPluginInstancePeer * peer = 0x0614e670)+0x446 [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp @ 1096]
0012e420 025462ad gkplugin!ns4xPluginInstance::Initialize(class nsIPluginInstancePeer * peer = 0x0614e670)+0x3a [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp @ 869]
0012e82c 0254571a gkplugin!nsPluginHostImpl::TrySetUpPluginInstance(char * aMimeType = 0x02584b9c "application/x-java-vm", class nsIURI * aURL = 0x00000000, class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x99d [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 4076]
0012e884 025545df gkplugin!nsPluginHostImpl::SetUpPluginInstance(char * aMimeType = 0x02584b9c "application/x-java-vm", class nsIURI * aURL = 0x00000000, class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x4a [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 3880]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\gklayout.dll
0012e8e0 01cea0cc gkplugin!nsPluginHostImpl::InstantiateDummyJavaPlugin(class nsIPluginInstanceOwner * aOwner = 0x042c8e78)+0x6f [f:\mozilla\tree-cvsmo\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 6888]
0012e948 01cc8d15 gklayout!nsGlobalWindow::InitJavaProperties(void)+0x11c [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsglobalwindow.cpp @ 5589]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\components\xpc3250.dll
0012eba0 03ba62a4 gklayout!nsWindowSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x00dc3e58, struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long id = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ecc8, int * _retval = 0x0012ec24)+0x18f5 [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsdomclassinfo.cpp @ 6139]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite-debug\dist\bin\js3250.dll
0012ecd0 00504c79 xpc3250!XPC_WN_Helper_NewResolve(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long idval = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ed3c)+0x264 [f:\mozilla\tree-cvsmo\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1068]
0012ed48 0050552b js3250!js_LookupPropertyWithFlags(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, long id = 74776644, unsigned int flags = 4, struct JSObject ** objp = 0x0012ed7c, struct JSProperty ** propp = 0x0012ed6c)+0x389 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsobj.c @ 3291]
0012ed88 004e4874 js3250!js_FindPropertyHelper(struct JSContext * cx = 0x054258f8, long id = 74776644, struct JSObject ** objp = 0x0012f324, struct JSObject ** pobjp = 0x0012f3a8, struct JSProperty ** propp = 0x0012f310, struct JSPropCacheEntry ** entryp = 0x0012f148)+0x5b [f:\mozilla\tree-cvsmo\mozilla\js\src\jsobj.c @ 3405]
0012f3ec 004d435c js3250!js_Interpret(struct JSContext * cx = 0x054258f8, unsigned char * pc = 0x042c737b ";", long * result = 0x0012f424)+0xf774 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsinterp.c @ 4748]
0012f488 0048c167 js3250!js_Execute(struct JSContext * cx = 0x054258f8, struct JSObject * chain = 0x06bb1200, struct JSScript * script = 0x042c7320, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x0012f4e8)+0x29c [f:\mozilla\tree-cvsmo\mozilla\js\src\jsinterp.c @ 1649]
0012f4ac 01d01934 js3250!JS_ExecuteScript(struct JSContext * cx = 0x054258f8, struct JSObject * obj = 0x06bb1200, struct JSScript * script = 0x042c7320, long * rval = 0x0012f4e8)+0x57 [f:\mozilla\tree-cvsmo\mozilla\js\src\jsapi.c @ 4823]
0012f500 01c9698f gklayout!nsJSContext::ExecuteScript(void * aScriptObject = 0x06d432a0, void * aScopeObject = 0x06bb1200, class nsAString_internal * aRetValue = 0x00000000, int * aIsUndefined = 0x00000000)+0x134 [f:\mozilla\tree-cvsmo\mozilla\dom\src\base\nsjsenvironment.cpp @ 1666]
0012f528 01c96b62 gklayout!nsXULDocument::ExecuteScript(class nsIScriptContext * aContext = 0x053fcce8, void * aScriptObject = 0x06d432a0)+0xcf [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 3436]
0012f560 01c9520b gklayout!nsXULDocument::ExecuteScript(class nsXULPrototypeScript * aScript = 0x06127b10)+0x1c2 [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 3459]
0012f640 01c8e8f6 gklayout!nsXULDocument::ResumeWalk(void)+0x56b [f:\mozilla\tree-cvsmo\mozilla\content\xul\document\src\nsxuldocument.cpp @ 2912]

The log folder from the Java plugin was empty (I enabled logging before).

REPRODUCIBILITY :
This bug can be reproduced always.

Comments
SUGGESTED FIX: http://sa.sfbay.sun.com/projects/deployment_data/6u10/6669444.1
Test case: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6669444/
16-03-2008

EVALUATION: The test case uses a Firefox-specific kind of XML document which behaves slightly differently than normal web pages with respect to the Java Plug-In. Added more error checking to the native code which fetches the document base upon plugin initialization. Also revised this fix after the fix for 6675834.
16-03-2008
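
An added example, not the code from the fix or from the Java Plug-In sources: one way to apply the kind of error checking the evaluation describes, in C, so that a missing document base (compare the `aURL = 0x00000000` arguments in the trace above) fails plugin initialization cleanly. `browser_host`, `fetch_document_base` and `plugin_init` are hypothetical names, and the host callback is a stand-in for the browser, not a real NPAPI call.

```c
#include <stddef.h>
#include <string.h>

/* All names are hypothetical; this is not NPAPI or the plug-in's source. */
typedef enum { DOCBASE_OK = 0, DOCBASE_NO_HOST, DOCBASE_HOST_ERROR,
               DOCBASE_MISSING, DOCBASE_TOO_LONG } docbase_status;

/* Stand-in for the browser side: returns 0 on success and sets *url,
 * which may still be NULL when the document has no ordinary base URL. */
typedef struct browser_host {
    int (*get_document_url)(const struct browser_host *self, const char **url);
    const char *url;   /* constructed sample data */
    int fail;          /* non-zero simulates a failing browser call */
} browser_host;

static int sample_get_url(const browser_host *self, const char **url) {
    if (self->fail) return -1;
    *url = self->url;
    return 0;
}

/* Copy the document base into out, checking every step that can fail
 * instead of assuming the browser always hands back a usable string. */
docbase_status fetch_document_base(const browser_host *host,
                                   char *out, size_t outlen) {
    const char *url = NULL;
    size_t n;
    if (out == NULL || outlen == 0) return DOCBASE_TOO_LONG;
    out[0] = '\0';
    if (host == NULL || host->get_document_url == NULL) return DOCBASE_NO_HOST;
    if (host->get_document_url(host, &url) != 0) return DOCBASE_HOST_ERROR;
    if (url == NULL || url[0] == '\0') return DOCBASE_MISSING;
    n = strlen(url);
    if (n >= outlen) return DOCBASE_TOO_LONG;
    memcpy(out, url, n + 1);
    return DOCBASE_OK;
}

/* Plugin initialization: a missing document base becomes an init error
 * the browser can handle, never a NULL dereference inside the plugin. */
int plugin_init(const browser_host *host, char *base, size_t baselen) {
    return fetch_document_base(host, base, baselen) == DOCBASE_OK ? 0 : -1;
}

int main(void) {
    char base[64];
    browser_host xul = { sample_get_url, NULL, 0 };  /* no base URL */
    return plugin_init(&xul, base, sizeof base) == -1 ? 0 : 1;
}
```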