Bug 1252453: make Debugger::slowPathOnLogAllocationSite apply a read barrier to Debugger objects. r=terrence

--HG-- extra : rebase_source : f2a64416c31366999f8d17e0795007380dbf742f extra : amend_source : a2fbc17e6c80b675ec727e6f456327842016761a
2016-03-07 17:21:29 -08:00 · 2016-03-07 17:21:29 -08:00 · 228eb7525f
--- a/js/src/jit-test/tests/debug/bug1252453.js
+++ b/js/src/jit-test/tests/debug/bug1252453.js
@ -0,0 +1,21 @@
+// |jit-test| --no-threads
+
+lfcode = new Array();
+gczeal(8,2);
+lfcode.push(`
+const root = newGlobal();
+const dbg = new Debugger;
+const wrappedRoot = dbg.addDebuggee(root);
+dbg.memory.trackingAllocationSites = 1;
+root.eval("(" + function immediate() { '_'  << foo } + "())");
+`);
+file = lfcode.shift();
+loadFile(file);
+function loadFile(lfVarx) {
+    try {
+        function newFunc(x) Function(x)();
+        newFunc(lfVarx)();
+    } catch (lfVare) {
+        print(lfVare)
+    }
+}
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@ -1941,6 +1941,11 @@ Debugger::slowPathOnLogAllocationSite(JSContext* cx, HandleObject obj, HandleSav
    // Debuggers, and globals only hold their Debuggers weakly.
    Rooted<GCVector<JSObject*>> activeDebuggers(cx, GCVector<JSObject*>(cx));
    for (Debugger** dbgp = dbgs.begin(); dbgp < dbgs.end(); dbgp++) {
+        // Since we're pulling these Debugger objects out of the GlobalObject's
+        // debugger array, which holds them only weakly, we need to let the
+        // incremental GC know that a possibly previously unreachable Debugger
+        // object just became reachable.
+        InternalBarrierMethods<JSObject*>::readBarrier((*dbgp)->object);
        if (!activeDebuggers.append((*dbgp)->object))
            return false;
    }