Bug 725733 - Fix crash in ScriptAnalysis::addTypeBarrier with Debugger. r=billm.

--HG-- extra : rebase_source : eb7726d3857bb4e0f89a7f669fb2791415979e86
2024-09-13 09:24:08 -07:00 · 2012-05-03 14:37:35 -05:00 · 2012-05-03 14:37:35 -05:00 · 59f1d8880d
commit 59f1d8880d
parent eeeffea415
4 changed files with 21 additions and 11 deletions
--- a/js/src/jit-test/tests/debug/bug-725733.js
+++ b/js/src/jit-test/tests/debug/bug-725733.js
@ -0,0 +1,9 @@
+// |jit-test| mjitalways
+// Adding a debuggee must leave its scripts in a safe state.
+
+var g = newGlobal('new-compartment');
+g.eval(
+    "function f(x) { return {q: x}; }\n" +
+    "var n = f('').q;\n");
+var dbg = new Debugger(g);
+g.eval("f(0)");
--- a/js/src/jscompartment.cpp
+++ b/js/src/jscompartment.cpp
@ -615,17 +615,19 @@ JSCompartment::updateForDebugMode(FreeOp *fop)
    else if (hasScriptsOnStack())
        return;

-    /*
-     * Discard JIT code and bytecode analyses for any scripts that change
-     * debugMode.
-     */
    for (gc::CellIter i(this, gc::FINALIZE_SCRIPT); !i.done(); i.next()) {
        JSScript *script = i.get<JSScript>();
-        if (script->debugMode != enabled) {
-            mjit::ReleaseScriptCode(fop, script);
-            script->clearAnalysis();
-            script->debugMode = enabled;
-        }
+        mjit::ReleaseScriptCode(fop, script);
+        script->debugMode = enabled;
+    }
+
+    // Discard JIT code and bytecode analysis for all scripts in this
+    // compartment. Because !hasScriptsOnStack(), it suffices to do a garbage
+    // collection cycle or to finish the ongoing GC cycle. The necessary
+    // cleanup happens in JSCompartment::sweep.
+    if (!rt->gcRunning) {
+        PrepareCompartmentForGC(this);
+        GC(rt, GC_NORMAL, gcreason::DEBUG_MODE_GC);
    }
 #endif
 }
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@ -610,7 +610,7 @@ SizeOfJSContext();
    D(TOO_MUCH_MALLOC)                          \
    D(ALLOC_TRIGGER)                            \
    D(DEBUG_GC)                                 \
-    D(UNUSED2) /* was SHAPE */                  \
+    D(DEBUG_MODE_GC)                            \
    D(UNUSED3) /* was REFILL */                 \
                                                \
    /* Reasons from Firefox */                  \
--- a/js/src/jsgcinlines.h
+++ b/js/src/jsgcinlines.h
@ -399,7 +399,6 @@ class GCCompartmentsIter {
        end = rt->compartments.end();
        if (!(*it)->isCollecting())
            next();
-        JS_ASSERT(it < end);
    }

    bool done() const { return it == end; }