274226 - 1.8a5 crashes on plesk 7.5 reloaded admin screen [@ GetPropertyTreeChild]

Status: RESOLVED DUPLICATE of bug 244470

(Core :: JavaScript Engine, defect)

Description

[Michael Gabriel]

reproduceable:
TB2489458W, TB2489427G, TB2489257H, TB2489251Q

official demo doesnt crash, but shows these js errors:
Error: Error in parsing value for property 'height'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css
Line: 72
Error: Error in parsing value for property 'height'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css
Line: 72
Error: Expected end of value for property but found '1'.  Error in parsing value
for property 'border-right'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css
Line: 16
Error: Expected end of value for property but found '1'.  Error in parsing value
for property 'border-left'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css
Line: 17
Error: Expected end of value for property but found '1'.  Error in parsing value
for property 'border-bottom'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css
Line: 18
Error: Error in parsing value for property 'cursor'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/custom.css
Line: 282
Error: Unknown property 'behavior'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/tabs.css
Line: 2
Error: Error in parsing value for property 'display'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/main/tabs.css
Line: 10
Error: Error in parsing value for property 'height'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/general.css
Line: 72
Error: Error in parsing value for property 'cursor'.  Declaration dropped.
Source File:
http://plesk75.demo.sw-soft.com:8443/skins/winxp.new.compact/css/left/layout.css
Line: 38

official demo at:
http://plesk75.demo.sw-soft.com:8443/
login: admin
pass: plesk

Comment 1

[Martijn Wargers (dead)]

The left frame seems to be the cause of the crash:
http://plesk75.demo.sw-soft.com:8443/left.php3
I think this javascript is causing the crash, somehow:
http://plesk75.demo.sw-soft.com:8443/javascript/conhelp.js.php
I think this looks similar as what causes the crash at bug 244470.

Comment 2

[Mats Palmgren (inactive)]

Attachment: Crash data (Linux)

Comment 3

[Mats Palmgren (inactive)]

Attachment: Testcase (Bugzilla is too slow - save it to a file first)

Comment 4

[Michael Gabriel]

testcase win32 TB2492447M

Comment 5

[Brendan Eich [:brendan]]

Attachment: different stack I got by reloading the test page rapidly

And another stack (I didn't save) also showed 0x27, stored in four bytes,
overwriting legitimate (JSScript.atomMap.vector) data.	I don't know where the
bug is, but it's not in jsscope.c.  Taking, I'll purify later today.

/be

Comment 6

[Brendan Eich [:brendan]]

The talkback cited in comment 4 (TB2492447M) looks like the other stack I saw
where 0x27 had been stored into script->atomMap.vector[99], apparently a wild
store like the one that Mats debugged.  Looking at the other talkbacks cited in
comment 0 now....

/be

Comment 7

[Brendan Eich [:brendan]]

One of the four reports cited in comment 0, TB2489427G, is not in JS:

ntdll.dll + 0x4c8e1 (0x778cc8e1)
ntdll.dll + 0x4c774 (0x778cc774)
MSVCRT.DLL + 0x1e00 (0x78001e00)
??3@YAXPAX@Z
nsHttpHeaderArray::Clear 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpHeaderArray.cpp,
line 240]
nsHttpResponseHead::Reset 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpResponseHead.cpp,
line 468]
nsHttpResponseHead::~nsHttpResponseHead 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpResponseHead.h,
line 63]
nsHttpChannel::~nsHttpChannel 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 132]
nsHttpChannel::`scalar deleting destructor'
nsHttpChannel::Release 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 2787]
nsCOMPtr_base::assign_with_AddRef 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/build/nsCOMPtr.cpp,
line 90]
nsInputStreamPump::OnInputStreamReady 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 342]
0x06697d80

Heap corruption, wild pointer store -- and this bug just turned up.  The '\''
skidmark is interesting too.  Debugging more....

/be

Comment 8

[Brendan Eich [:brendan]]

I can't get this to happen now that I've patched bug 244470.  If anyone else
can, please reopen.

/be

*** This bug has been marked as a duplicate of 244470 ***

Comment 9

[Michael Gabriel]

should it work in 2004121406 trunk ?
cause TB2557468H ...
cant load my version with that funnily, there is a onwer mismatch of the ssl
cert and mozilla warns me and doesnt load the page, heh

Comment 10

[timeless]

let's think about this a bit
bug 244470 comment 21 was written at 2004-12-14 13:28 PDT
you're using a build from            2004 12 14 06    PDT

which is what,... oh, 7 hrs before his comment was written. 

Comment 11

[Christian Holler (:decoder)]

A testcase for this bug was already added in the original bug (bug 244470).