Bug 857580 - Fix breakpoint trampoline to store a NULL stub pointer. r=djvj

js/src/ion/IonFrames.cpp

@@ -698,10 +698,10 @@ MarkBaselineStubFrame(JSTracer *trc, const IonFrameIterator &frame)
     JS_ASSERT(frame.type() == IonFrame_BaselineStub);
     IonBaselineStubFrameLayout *layout = (IonBaselineStubFrameLayout *)frame.fp();
 
-    ICStub *stub = layout->stubPtr();
+    if (ICStub *stub = layout->maybeStubPtr()) {
-    JS_ASSERT(ICStub::CanMakeCalls(stub->kind()));
+        JS_ASSERT(ICStub::CanMakeCalls(stub->kind()));
-
+        stub->trace(trc);
-    stub->trace(trc);
+    }
 }
 
 void

js/src/ion/arm/IonFrames-arm.h

@@ -183,7 +183,7 @@ class IonBaselineStubFrameLayout : public IonCommonFrameLayout
         return -int(2 * sizeof(void *));
     }
 
-    inline ICStub *stubPtr() {
+    inline ICStub *maybeStubPtr() {
         uint8_t *fp = reinterpret_cast<uint8_t *>(this);
         return *reinterpret_cast<ICStub **>(fp + reverseOffsetOfStubPtr());
     }

js/src/ion/arm/Trampoline-arm.cpp

@@ -779,7 +779,10 @@ IonRuntime::generateDebugTrapHandler(JSContext *cx)
     masm.mov(r11, scratch1);
     masm.subPtr(Imm32(BaselineFrame::Size()), scratch1);
 
-    // Call the HandleDebugTrap VM function.
+    // Enter a stub frame and call the HandleDebugTrap VM function. Ensure
+    // the stub frame has a NULL ICStub pointer, since this pointer is marked
+    // during GC.
+    masm.movePtr(ImmWord((void *)NULL), BaselineStubReg);
     EmitEnterStubFrame(masm, scratch2);
 
     IonCompartment *ion = cx->compartment->ionCompartment();

js/src/ion/shared/IonFrames-x86-shared.h

@@ -428,7 +428,7 @@ class IonBaselineStubFrameLayout : public IonCommonFrameLayout
         return -int(2 * sizeof(void *));
     }
 
-    inline ICStub *stubPtr() {
+    inline ICStub *maybeStubPtr() {
         uint8_t *fp = reinterpret_cast<uint8_t *>(this);
         return *reinterpret_cast<ICStub **>(fp + reverseOffsetOfStubPtr());
     }

js/src/ion/x64/Trampoline-x64.cpp

@@ -683,7 +683,10 @@ IonRuntime::generateDebugTrapHandler(JSContext *cx)
     masm.mov(rbp, scratch2);
     masm.subPtr(Imm32(BaselineFrame::Size()), scratch2);
 
-    // Call the HandleDebugTrap VM function.
+    // Enter a stub frame and call the HandleDebugTrap VM function. Ensure
+    // the stub frame has a NULL ICStub pointer, since this pointer is marked
+    // during GC.
+    masm.movePtr(ImmWord((void *)NULL), BaselineStubReg);
     EmitEnterStubFrame(masm, scratch3);
 
     IonCompartment *ion = cx->compartment->ionCompartment();

js/src/ion/x86/Trampoline-x86.cpp

@@ -709,7 +709,10 @@ IonRuntime::generateDebugTrapHandler(JSContext *cx)
     masm.mov(ebp, scratch2);
     masm.subPtr(Imm32(BaselineFrame::Size()), scratch2);
 
-    // Call the HandleDebugTrap VM function.
+    // Enter a stub frame and call the HandleDebugTrap VM function. Ensure
+    // the stub frame has a NULL ICStub pointer, since this pointer is marked
+    // during GC.
+    masm.movePtr(ImmWord((void *)NULL), BaselineStubReg);
     EmitEnterStubFrame(masm, scratch3);
 
     IonCompartment *ion = cx->compartment->ionCompartment();

js/src/jit-test/tests/baseline/bug857580.js

@@ -0,0 +1,13 @@
+gczeal(2);
+var g = newGlobal('new-compartment');
+var dbg = new Debugger(g);
+dbg.onNewScript = function(script) {
+    fscript = script.getChildScripts()[0];
+}
+g.eval("function f(x) { arguments[0] = 3; return x }");
+fscript.setBreakpoint(0, {hit:function(frame) {
+    assertEq(frame.eval('x').return, 1);
+    gc();
+    return {return:42};
+}});
+assertEq(g.f(1), 42);