Closed Bug 274226 Opened 20 years ago Closed 20 years ago

1.8a5 crashes on plesk 7.5 reloaded admin screen [@ GetPropertyTreeChild]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 244470

People

(Reporter: mgabriel, Assigned: brendan)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

Crash data (Linux)
5.50 KB, text/plain
Details
Testcase (Bugzilla is too slow - save it to a file first)
109.60 KB, text/html
Details
different stack I got by reloading the test page rapidly
7.37 KB, text/plain
Details
reproduceable: TB2489458W, TB2489427G, TB2489257H, TB2489251Q official demo doesnt crash, but shows these js errors: Error: Error in parsing value for property 'height'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css Line: 72 Error: Error in parsing value for property 'height'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css Line: 72 Error: Expected end of value for property but found '1'. Error in parsing value for property 'border-right'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css Line: 16 Error: Expected end of value for property but found '1'. Error in parsing value for property 'border-left'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css Line: 17 Error: Expected end of value for property but found '1'. Error in parsing value for property 'border-bottom'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css Line: 18 Error: Error in parsing value for property 'cursor'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css Line: 282 Error: Unknown property 'behavior'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/tabs.css Line: 2 Error: Error in parsing value for property 'display'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/tabs.css Line: 10 Error: Error in parsing value for property 'height'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css Line: 72 Error: Error in parsing value for property 'cursor'. Declaration dropped. Source File: http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/left/layout.css Line: 38 official demo at: http://plesk75.demo.sw-soft.com:8443/ login: admin pass: plesk
The left frame seems to be the cause of the crash: http://plesk75.demo.sw-soft.com:8443/left.php3 I think this javascript is causing the crash, somehow: http://plesk75.demo.sw-soft.com:8443/javascript/conhelp.js.php I think this looks similar as what causes the crash at bug 244470.
Depends on: 244470
Assignee: general → general
Component: General → JavaScript Engine
Keywords: crash
OS: Windows 2000 → All
Product: Mozilla Application Suite → Core
QA Contact: general → pschwartau
Summary: 1.8a5 crashes on plesk 7.5 reloaded admin screen → 1.8a5 crashes on plesk 7.5 reloaded admin screen [@ GetPropertyTreeChild]
Keywords: testcase
Attachment #168526 - Attachment description: Testcase → Testcase (Bugzilla is too slow - save it to a file first)
testcase win32 TB2492447M
And another stack (I didn't save) also showed 0x27, stored in four bytes, overwriting legitimate (JSScript.atomMap.vector) data. I don't know where the bug is, but it's not in jsscope.c. Taking, I'll purify later today. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
The talkback cited in comment 4 (TB2492447M) looks like the other stack I saw where 0x27 had been stored into script->atomMap.vector[99], apparently a wild store like the one that Mats debugged. Looking at the other talkbacks cited in comment 0 now.... /be
One of the four reports cited in comment 0, TB2489427G, is not in JS: ntdll.dll + 0x4c8e1 (0x778cc8e1) ntdll.dll + 0x4c774 (0x778cc774) MSVCRT.DLL + 0x1e00 (0x78001e00) ??3@YAXPAX@Z nsHttpHeaderArray::Clear [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpHeaderArray.cpp, line 240] nsHttpResponseHead::Reset [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpResponseHead.cpp, line 468] nsHttpResponseHead::~nsHttpResponseHead [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpResponseHead.h, line 63] nsHttpChannel::~nsHttpChannel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 132] nsHttpChannel::`scalar deleting destructor' nsHttpChannel::Release [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2787] nsCOMPtr_base::assign_with_AddRef [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/build/nsCOMPtr.cpp, line 90] nsInputStreamPump::OnInputStreamReady [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 342] 0x06697d80 Heap corruption, wild pointer store -- and this bug just turned up. The '\'' skidmark is interesting too. Debugging more.... /be
I can't get this to happen now that I've patched bug 244470. If anyone else can, please reopen. /be *** This bug has been marked as a duplicate of 244470 ***
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
should it work in 2004121406 trunk ? cause TB2557468H ... cant load my version with that funnily, there is a onwer mismatch of the ssl cert and mozilla warns me and doesnt load the page, heh
let's think about this a bit bug 244470 comment 21 was written at 2004-12-14 13:28 PDT you're using a build from 2004 12 14 06 PDT which is what,... oh, 7 hrs before his comment was written.
Crash Signature: [@ GetPropertyTreeChild]
A testcase for this bug was already added in the original bug (bug 244470).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: