Bug ID: JDK-7174250 Calling JSObject.getMember(null) in an applet crashes the plugin and the browser

Details
Type: Bug
Submit Date: 2012-06-05
Status: Closed
Updated Date: 2012-10-11
Project Name: JDK
Resolved Date: 2012-06-20
Component: deploy
OS: windows_7
Sub-Component: plugin
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 7
Fixed Versions:

Related Reports
Backport:
Backport:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b22)
Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)

Java(TM) Platform SE 7 U4  10.4.0.22

ADDITIONAL OS VERSION INFORMATION :
Windows 7 64-bit [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 13.0 (32-bit)

A DESCRIPTION OF THE PROBLEM :
If an applet uses netscape.javascript.JSObject to interact with JavaScript/DOM objects in its host web page, but passes null to one of JSObject's methods where a property name is expected, the browser process will crash due to a null pointer dereference in jvm.dll.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Load an applet that calls netscape.javascript.JSObject.getMember(String) with a null member name argument.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method call gracefully returns null or throws an appropriate exception.
ACTUAL -
An access violation occurs in jvm.dll, terminating the browser process.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
public class CrashApplet extends java.applet.Applet {

    public void start() {
        netscape.javascript.JSObject.getWindow(this).getMember(null);
    }

}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Null-check "name" arguments before passing them to JSObject.
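
The workaround above, written out as an added example (not code from the bug report or from the JDK): a hypothetical SafeJSObject wrapper that rejects a null property name in Java, before the call reaches the plugin's native code. The class name and the choice of IllegalArgumentException are assumptions; it needs the netscape.javascript classes on the compile classpath.

```java
import netscape.javascript.JSObject;

/**
 * Hypothetical helper (not part of the JDK): wraps a JSObject and validates
 * property names on the Java side, so a null name raises an ordinary
 * exception instead of being handed to the plugin.
 *
 * Usage inside an applet:
 *   new SafeJSObject(JSObject.getWindow(this)).getMember(name);
 */
public final class SafeJSObject {

    private final JSObject target;

    public SafeJSObject(JSObject target) {
        if (target == null) {
            throw new IllegalArgumentException("target JSObject must not be null");
        }
        this.target = target;
    }

    /** Null-checked form of JSObject.getMember(String). */
    public Object getMember(String name) {
        return target.getMember(requireName(name, "getMember"));
    }

    /** Null-checked form of JSObject.setMember(String, Object). */
    public void setMember(String name, Object value) {
        target.setMember(requireName(name, "setMember"), value);
    }

    /** Null-checked form of JSObject.removeMember(String). */
    public void removeMember(String name) {
        target.removeMember(requireName(name, "removeMember"));
    }

    // Single validation point for every method that takes a property name.
    private static String requireName(String name, String method) {
        if (name == null) {
            throw new IllegalArgumentException(
                "JSObject." + method + ": property name must not be null");
        }
        return name;
    }
}
```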

                                    

Comments
EVALUATION

No null value check in getMember()
                                     
2012-06-06
EVALUATION

Added sqe auto test case to cover this kind of issue:
http://sqe-rb.us.oracle.com/r/10411/

Also provided manual test link:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/stephen/deployment_stuff/do.NOT.remove.me/bugs/7174250/JSObjectInvalidArgsApplet.html

Java source code:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/stephen/deployment_stuff/do.NOT.remove.me/bugs/7174250/JSObjectInvalidArgsApplet.java
                                     
2012-06-08
According to the latest nightly report, the issue is not there:
http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=109682.ManualSubmit-1

Test case is:
 Java2JSTest::testJSObjectInvalidArgs
                                     
2012-10-11


