JDK-6289379 : LiveConnect Applet crashes on page reload
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 1.4.2
  • Priority: P3
  • Status: Closed
  • Resolution: Cannot Reproduce
  • OS: windows_nt
  • CPU: x86
  • Submitted: 2005-06-22
  • Updated: 2011-02-16
  • Resolved: 2006-08-03
Description
FULL PRODUCT VERSION :
java version "1.4.2_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_08-b03)
Java HotSpot(TM) Client VM (build 1.4.2_08-b03, mixed mode)

A DESCRIPTION OF THE PROBLEM :
The applet works fine until one tries to reload the page after a few Java method calls from JavaScript.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
If you click Fill once and reload the page, there is no problem. If you do so several times, or if you click Fill several times, and then reload the page, IE 6.0 crashes.


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
========  Hello.class  ========
import java.applet.Applet;
import java.awt.Graphics;
import netscape.javascript.*;

public class Hello extends Applet {

	private JSObject win;
	private JSObject doc;

	public void init() {
	}

	public void start() {
		win = JSObject.getWindow(this);
		doc =(JSObject) win.getMember("document");
	}
	
	//A set of 2 overloaded helper methods to create object array to pass
	// as the 2nd argument to doc.call(string,Object[]).
	public Object[] objArr(JSObject jso) {
		Object[] ret = {jso};
		return ret;
	}
	public Object[] objArr(String str) {
		Object[] ret = {str};
		return ret;
	}

	//This creates a filled HTML tag like <p>Hello</p> or
	//<i>world!</i>.
	public JSObject createFilledTag(String strTag, String strText) {
		JSObject fragDoc = (JSObject) doc.call("createDocumentFragment",null);
		JSObject tagEle = (JSObject) doc.call("createElement",objArr(strTag));
		JSObject tagTextEle = (JSObject)doc.call("createTextNode",objArr(strText));
		tagEle.call("appendChild",objArr(tagTextEle));
		fragDoc.call("appendChild",objArr(tagEle));
		return fragDoc;
	}

	//This method is called from JavaScript. It inserts
	//"*** Hello World! ***" into the empty <p id="para"></p>
	//element.
	public void setPara(String str) {
		JSObject paraEle = (JSObject) doc.call("getElementById", objArr(str));
		JSObject tmpEle = createFilledTag("b","*** Hello World! ***");
		paraEle.call("appendChild",objArr(tmpEle));
	}
}
======== hello.htm ========
<html>
<head>
<title> New Document </title>
<script>
function addElement() {
	app = document.getElementById("Hello");
	app.setPara("para");
}
</script>
</head>
<body>
<input type="button" onclick="addElement()" value="Fill"/>
<p id="para"></p>
<applet id="Hello" code="Hello.class" width="1" height="1" mayscript="true">
</applet>
</body>
</html>

---------- END SOURCE ----------
###@###.### 2005-06-22 15:24:32 GMT

Comments
EVALUATION Problem is no longer reproducible with the latest JRE patches of 1.4.2.
03-08-2006

EVALUATION Problem is caused by improper release of reference count during LC activities. During ObjectTypeConverter::VariantToJobject, CDispatchWrapper::CreateInstance adds a reference to the COM interface. After the SetDispatch method, GetJavaDispatchClient method is invoked on CDispatchWrapper which eventually calls AddRef(). This adds one more reference to the same COM interface. The destructor of CDispatchWrapper is called at the end of ObjectTypeConverter::VariantToJobject. Since there are two references, only one reference will be removed and the CDispatchWrapper is not freed from memory. Still working on a solution.
03-10-2005
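The reference-count imbalance described in the evaluation above, as an added C++ model that is not the plug-in's code: `FakeDispatch`, `WrapperModel` and `refsAfterConversion` are hypothetical names, and treating each Fill click as one conversion is an assumption. The balanced path follows the usual COM rule that a caller releases the pointer a getter hands out; it is not the fix that shipped.

```cpp
#include <cstdio>

// Constructed stand-in for a COM interface: counts references, frees at zero.
struct FakeDispatch {
    long refs = 0;
    bool* destroyed;                       // set when the object frees itself
    explicit FakeDispatch(bool* flag) : destroyed(flag) {}
    long AddRef() { return ++refs; }
    long Release() {
        long r = --refs;
        if (r == 0) { *destroyed = true; delete this; }
        return r;
    }
};

// Hypothetical wrapper: AddRef at creation and in the getter, one Release in the destructor.
class WrapperModel {
    FakeDispatch* disp_;
public:
    explicit WrapperModel(FakeDispatch* d) : disp_(d) { disp_->AddRef(); }
    FakeDispatch* GetClient() { disp_->AddRef(); return disp_; }
    ~WrapperModel() { disp_->Release(); }
};

// One conversion; returns the references still outstanding afterwards.
long refsAfterConversion(bool callerReleases) {
    bool destroyed = false;
    FakeDispatch* d = new FakeDispatch(&destroyed);
    {
        WrapperModel w(d);
        FakeDispatch* client = w.GetClient();
        if (callerReleases) client->Release();   // assumed balancing step
    }
    if (destroyed) return 0;
    long outstanding = d->refs;
    delete d;                                    // tidy up the demo's allocation
    return outstanding;
}

// Repeated conversions accumulate (the report clicks Fill several times).
long leakedAfterCalls(int calls, bool callerReleases) {
    long total = 0;
    for (int i = 0; i < calls; ++i) total += refsAfterConversion(callerReleases);
    return total;
}

int main() {
    std::printf("unbalanced: %ld  balanced: %ld\n",
                leakedAfterCalls(5, false), leakedAfterCalls(5, true));
}
```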

EVALUATION This needs at least the package netscape.javascript. I got the SDK available at http://wp.netscape.com/comprod/development_partners/plugin_api/index.html and compiled Hello.java with its classes included. Then I made the HTML as in the description and opened the applet with IE 6.0. After pressing the Fill button several times, "HW" messages appear on screen. This works the same way in Mozilla. All of this was done under Windows 2000. It should be mentioned how the SDK is organized: 1) jni.h is from 1.26 97/01/27 (the JDK now uses jni.h from 1.60 05/03/04). 2) sdk/classes/ contains zipped classes where java.awt, java.applet, java.lang etc. exist. 3) sdk/classes/ contains their own sun/awt/windows classes like WToolkit, WFramePeer etc. 4) The stack from the crash (see Comments) shows that the access violation occurs in mshtml.dll. ###@###.### 2005-06-30 11:08:14 GMT
30-06-2005