Bug 1701859 - Don't release script counts for scripts with Baseline code. r=nbp

Differential Revision: https://phabricator.services.mozilla.com/D110377
2021-03-31 11:24:46 +00:00 · 2021-03-31 11:24:46 +00:00 · 9408355c3c
--- a/js/src/gc/Zone.cpp
+++ b/js/src/gc/Zone.cpp
@ -924,10 +924,17 @@ void Zone::clearScriptCounts(Realm* realm) {
  // ScriptCounts entries of the given realm.
  for (auto i = scriptCountsMap->modIter(); !i.done(); i.next()) {
    BaseScript* script = i.get().key();
-    if (script->realm() == realm) {
-      script->clearHasScriptCounts();
-      i.remove();
+    if (script->realm() != realm) {
+      continue;
    }
+    // We can't destroy the ScriptCounts yet if the script has Baseline code,
+    // because Baseline code bakes in pointers to the counters. The ScriptCounts
+    // will be destroyed in Zone::discardJitCode when discarding the JitScript.
+    if (script->hasBaselineScript()) {
+      continue;
+    }
+    script->clearHasScriptCounts();
+    i.remove();
  }
 }

--- a/js/src/jit-test/tests/debug/bug1701859.js
+++ b/js/src/jit-test/tests/debug/bug1701859.js
@ -0,0 +1,20 @@
+// |jit-test| --fast-warmup
+var dbgGlobal1 = newGlobal({ newCompartment: true });
+for (var i = 0; i < 25; ++i) {
+  try {
+    var dbg = new dbgGlobal1.Debugger;
+    dbg.addDebuggee(this);
+    dbg.collectCoverageInfo = true;
+
+    var dbgGlobal2 = newGlobal({ newCompartment: true });
+    dbgGlobal2.debuggeeGlobal = this;
+    dbgGlobal2.eval("(" + function () { new Debugger(debuggeeGlobal); } + ")();");
+
+    dbg.removeDebuggee(this);
+    dbg = null;
+
+    if ((i % 10) === 0) {
+      gc();
+    }
+  } catch (ex) {}
+}