Bug 1322420 - Trigger a read barrier when creating new reference to a compartment's lazy functions r=sfink a=dveditz

js/src/jit-test/tests/gc/bug-1322420.js

@@ -0,0 +1,8 @@
+options('strict_mode');
+var g1 = newGlobal();
+var g2 = newGlobal();
+var dbg = new Debugger();
+dbg.addDebuggee(g1);
+g1.eval('function f() {}');
+gczeal(9, 1);
+dbg.findScripts({});

js/src/jscompartment.cpp

@@ -1025,6 +1025,15 @@ AddLazyFunctionsForCompartment(JSContext* cx, AutoObjectVector& lazyFunctions, A
             continue;
         }
 
+        // This creates a new reference to an object that an ongoing incremental
+        // GC may find to be unreachable. Treat as if we're reading a weak
+        // reference and trigger the read barrier.
+        if (cx->zone()->needsIncrementalBarrier())
+            fun->readBarrier(fun);
+
+        // TODO: The above checks should be rolled into the cell iterator (see
+        // bug 1322971).
+
         if (fun->isInterpretedLazy()) {
             LazyScript* lazy = fun->lazyScriptOrNull();
             if (lazy && lazy->sourceObject() && !lazy->hasUncompiledEnclosingScript()) {