Fix a breakpoint GC bug found by billm. See bug 677386 comment 8, first paragraph. r=billm on IRC.

js/src/jit-test/tests/debug/breakpoint-gc-03.js

@@ -0,0 +1,25 @@
+// |jit-test| debug
+// The GC can cope with old and new breakpoints at the same position.
+
+// This is a regression test for a bug Bill McCloskey found just by looking at
+// the source code. See bug 677386 comment 8. Here we're testing that the trap
+// string is correctly marked. (The silly expression for the trap string is to
+// ensure that it isn't constant-folded; it's harder to get a compile-time
+// constant to be GC'd.)
+
+var g = newGlobal('new-compartment');
+g.eval("var d = 0;\n" +
+       "function f() { return 'ok'; }\n" +
+       "trap(f, 0, Array(17).join('\\n') + 'd++;');\n");
+
+var dbg = new Debugger;
+var gw = dbg.addDebuggee(g);
+var fw = gw.getOwnPropertyDescriptor("f").value;
+var bp = {hits: 0, hit: function (frame) { this.hits++; }};
+fw.script.setBreakpoint(0, bp);
+
+gc();
+
+g.f();
+assertEq(g.d, 1);
+assertEq(bp.hits, 1);

js/src/jscompartment.cpp

@@ -814,7 +814,7 @@ JSCompartment::markBreakpointsIteratively(JSTracer *trc)
         // Mark jsdbgapi state if any. But if we know the scriptObject, put off
         // marking trap state until we know the scriptObject is live.
         if (site->trapHandler &&
-            (!site->scriptObject || IsAboutToBeFinalized(cx, site->scriptObject)))
+            (!site->scriptObject || !IsAboutToBeFinalized(cx, site->scriptObject)))
         {
             if (site->trapClosure.isMarkable() &&
                 IsAboutToBeFinalized(cx, site->trapClosure.toGCThing()))