Closed Bug 485055 Opened 15 years ago Closed 12 years ago

JS_GetScopeChain() fails

Categories

(Core :: JavaScript Engine, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: johnjbarton, Unassigned)

Details

(Whiteboard: [firebug-p3])

This is from Firebug 
Issue 1603: script panel not updating properly in debugger
http://code.google.com/p/fbug/issues/detail?id=1603

What is actually happening is that a Firebug call to array.sort() is triggering a jsd FunctionCall hook. The hook calls JS_GetScopeChain() which fails, causing an error message which is incorrect.

The correct error message would be "JSContext has no scope chain!".
Flags: blocking1.9.1?
The out of memory error message is bogus, the actual error message is this one from line 1330 in xpcwrappednativejsops.cpp, XPC_WN_JSOp_ThisObject:

    JSObject *scope = JS_GetScopeChain(cx);
    if(!scope)
    {
>>>>    XPCThrower::Throw(NS_ERROR_FAILURE, cx);
        return nsnull;
    }
Here is the call stack:

jsd3250.dll!jsds_ErrorHookProc(JSDContext * jsdc=0x01948f20, JSContext * cx=0x0335a3f0, const char * message=0x00545090, JSErrorReport * report=0x0012d100, void * callerdata=0x00000000)  Line 583  C++
jsd3250.dll!jsd_DebugErrorHook(JSContext * cx=0x0335a3f0, const char * message=0x00545090, JSErrorReport * report=0x0012d100, void * closure=0x01948f20)  Line 354 + 0x17 bytes  C
js3250.dll!js_ReportOutOfMemory(JSContext * cx=0x0335a3f0)  Line 1047 + 0x22 bytes  C++
js3250.dll!JS_ReportOutOfMemory(JSContext * cx=0x0335a3f0)  Line 5802 + 0x9 bytes  C++
xpc3250.dll!XPCThrower::BuildAndThrowException(JSContext * cx=0x0335a3f0, unsigned int rv=2147500037, const char * sz=0x014ff040)  Line 260 + 0xa bytes  C++
xpc3250.dll!XPCThrower::Throw(unsigned int rv=2147500037, JSContext * cx=0x0335a3f0)  Line 57 + 0x11 bytes  C++
> xpc3250.dll!XPC_WN_JSOp_ThisObject(JSContext * cx=0x0335a3f0, JSObject * obj=0x03cf2a80)  Line 1330 + 0xe bytes  C++
js3250.dll!js_ComputeGlobalThis(JSContext * cx=0x0335a3f0, int lazy=1, int * argv=0x0a86343c)  Line 836 + 0x23 bytes  C++
js3250.dll!js_ComputeThis(JSContext * cx=0x0335a3f0, int lazy=1, int * argv=0x0a86343c)  Line 873 + 0x11 bytes  C++
js3250.dll!JS_GetFrameThis(JSContext * cx=0x0335a3f0, JSStackFrame * fp=0x0012d364)  Line 1136 + 0x12 bytes  C++
jsd3250.dll!jsd_NewThreadState(JSDContext * jsdc=0x01948f20, JSContext * cx=0x0335a3f0, JSStackFrame * caller=0x00000000)  Line 144 + 0xe bytes  C
jsd3250.dll!jsd_CallCallHook(JSDContext * jsdc=0x01948f20, JSContext * cx=0x0335a3f0, unsigned int type=2, int (JSDContext *, JSDThreadState *, unsigned int, void *)* hook=0x01b62350, void * hookData=0x00000000)  Line 215 + 0x15 bytes  C
jsd3250.dll!_callHook(JSDContext * jsdc=0x01948f20, JSContext * cx=0x0335a3f0, JSStackFrame * fp=0x0012d364, int before=1, unsigned int type=2, int (JSDContext *, JSDThreadState *, unsigned int, void *)* hook=0x01b62350, void * hookData=0x00000000)  Line 253 + 0x19 bytes  C
jsd3250.dll!jsd_FunctionCallHook(JSContext * cx=0x0335a3f0, JSStackFrame * fp=0x0012d364, int before=1, int * ok=0x00000000, void * closure=0x01948f20)  Line 287 + 0x28 bytes  C
js3250.dll!js_Invoke(JSContext * cx=0x0335a3f0, unsigned int argc=2, int * vp=0x0a863434, unsigned int flags=0)  Line 1287 + 0x1f bytes  C++
js3250.dll!sort_compare(void * arg=0x0012d4ec, const void * a=0x0bafd6a8, const void * b=0x0bafd6ac, int * result=0x0012d478)  Line 1835 + 0x11 bytes  C++
js3250.dll!js_MergeSort(void * src=0x0bafd6a8, unsigned int nel=3, unsigned int elsize=4, int (void *, const void *, const void *, int *)* cmp=0x00435660, void * arg=0x0012d4ec, void * tmp=0x0bafd6b4)  Line 1754 + 0x13 bytes  C++
js3250.dll!array_sort(JSContext * cx=0x0335a3f0, unsigned int argc=1, int * vp=0x0a863418)  Line 2097 + 0x1c bytes  C++
js3250.dll!js_Interpret(JSContext * cx=0x0335a3f0)  Line 5007 + 0x17 bytes  C++
Maybe related to bug 469492
Whiteboard: [firebug-p1]
I may be able to work around this bug.  I assume that the call hook here is Firebug's single step hook which should not be in place at this point. Removing the hook depends upon detecting that the step-into is no longer meaningful.
The out of memory message comes because ThrowExceptionObject also calls getScopeChain() which fails again. The return from ThrowExceptionObject is not success and the caller says "most likely out of memory".
Unfortunately the function call hook is hitting in firebug's net.js:

functionHook TYPE_FUNCTION_CALL stepMode = STEP_INTO hookFrameCount=2 stepFrameCount=1 chrome://firebug/content/net.js

So I think what is happening is that the (invisible) top-level function of the compilation unit is returning, but that does not trigger TYPE_FUNCTION_RETURN which would normally unhook the debugger. It's possible that TYPE_TOPLEVEL_END is triggered, but we avoid using that because we know it crashes Firefox (or so goes the lore).
The TYPE_TOPLEVEL_END is not sent from jsd.

Nevertheless I fixed this problem for Firebug, in a way that makes sense for Firebug.  This is still a bug but it won't stop us from shipping Firebug 1.4.
No longer blocks: 453978
Flags: blocking1.9.1?
Whiteboard: [firebug-p1] → [firebug-p3]
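The comments above describe why the user sees "out of memory": the exception-building path needs the same scope chain whose absence caused the original failure, so the secondary failure hides the primary one. The following is an added illustration of that error-masking pattern and of a caller that reports the real cause; it is a toy model, not SpiderMonkey or XPConnect code, and the names Context, GetScopeChain, ThrowExceptionObject, ThrowBuggy, ThrowFixed and ComputeThis are assumptions standing in for JSContext, JS_GetScopeChain, XPCThrower's throw path and XPC_WN_JSOp_ThisObject. The rv value 2147500037 (0x80004005, NS_ERROR_FAILURE) is the one shown in the stack.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Stand-in for a JSObject on the scope chain (assumption, not engine code).
struct ScopeObject { int id; };

// Stand-in for JSContext (assumption): carries the current scope chain, which
// is null when a debugger hook runs with no frame to supply one, plus the last
// error message the engine would surface to the user.
struct Context {
    ScopeObject* scopeChain = nullptr;
    std::string lastError;
};

// Stand-in for JS_GetScopeChain(): null means "JSContext has no scope chain".
ScopeObject* GetScopeChain(Context& cx) { return cx.scopeChain; }

// Models ThrowExceptionObject as the bug describes it: building the exception
// object itself needs the scope chain, so it fails for the very same reason the
// caller wanted to throw in the first place.
bool ThrowExceptionObject(Context& cx, uint32_t rv) {
    if (!GetScopeChain(cx))
        return false;                       // secondary failure, cause lost
    cx.lastError = "exception rv=" + std::to_string(rv);
    return true;
}

// Original (buggy) caller: on a failed throw it can only guess at the cause,
// and guesses wrong.
void ThrowBuggy(Context& cx, uint32_t rv) {
    if (!ThrowExceptionObject(cx, rv))
        cx.lastError = "most likely out of memory";
}

// Hardened caller: re-check the precondition the throw path depends on and
// report the primary failure instead of a guess.
void ThrowFixed(Context& cx, uint32_t rv) {
    if (!ThrowExceptionObject(cx, rv)) {
        if (!GetScopeChain(cx))
            cx.lastError = "JSContext has no scope chain!";
        else
            cx.lastError = "failed to build exception object for rv=" +
                           std::to_string(rv);
    }
}

// Stand-in for XPC_WN_JSOp_ThisObject: the first place that notices the missing
// scope chain. Returns the message the user would end up seeing.
std::string ComputeThis(Context& cx, bool hardened) {
    const uint32_t NS_ERROR_FAILURE = 0x80004005u;   // 2147500037 in the stack
    if (!GetScopeChain(cx)) {
        if (hardened) ThrowFixed(cx, NS_ERROR_FAILURE);
        else          ThrowBuggy(cx, NS_ERROR_FAILURE);
        return cx.lastError;
    }
    return "ok";
}

int main() {
    Context cx;                       // no scope chain, like the hook in the bug
    std::printf("buggy:      %s\n", ComputeThis(cx, false).c_str());
    std::printf("hardened:   %s\n", ComputeThis(cx, true).c_str());
    ScopeObject global{1};
    cx.scopeChain = &global;          // a normal call with a scope chain
    std::printf("with scope: %s\n", ComputeThis(cx, false).c_str());
    return 0;
}
```

The design point is that an error-reporting routine must not depend on the same resource whose failure it is reporting; when it does, check that precondition once more in the caller and name it, rather than attributing every failed throw to memory pressure.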
Looks like Bug 489378 - Stack overflow in XPCThrower crashes Firebug FBTest
linked bug (Issue 1603) is marked fixed. Can we close this?
(In reply to comment #9)
> linked bug (Issue 1603) is marked fixed. Can we close this?

I worked around this bug to close issue 1603, so no.
JS_GetScopeChain has been removed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID