From 39cf996733026882137ded8ee62e3913f6a25926 Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Thu, 3 May 2012 14:37:35 -0500
Subject: [PATCH] Bug 725733 - Fix crash in ScriptAnalysis::addTypeBarrier with Debugger. r=billm.
--HG--
extra : rebase_source : eb7726d3857bb4e0f89a7f669fb2791415979e86
---
 js/src/jit-test/tests/debug/bug-725733.js | 9 +++++++++
 js/src/jscompartment.cpp | 20 +++++++++++---------
 js/src/jsfriendapi.h | 2 +-
 js/src/jsgcinlines.h | 1 -
 4 files changed, 21 insertions(+), 11 deletions(-)
 create mode 100644 js/src/jit-test/tests/debug/bug-725733.js
diff --git a/js/src/jit-test/tests/debug/bug-725733.js b/js/src/jit-test/tests/debug/bug-725733.js
new file mode 100644
index 000000000000..1353618aea41
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug-725733.js
@@ -0,0 +1,9 @@
+// |jit-test| mjitalways
+// Adding a debuggee must leave its scripts in a safe state.
+
+var g = newGlobal('new-compartment');
+g.eval(
+ "function f(x) { return {q: x}; }\n" +
+ "var n = f('').q;\n");
+var dbg = new Debugger(g);
+g.eval("f(0)");
diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
index a42fb10262e0..c8be5a0893ed
--- a/js/src/jscompartment.cpp
+++ b/js/src/jscompartment.cpp
@@ -615,17 +615,19 @@ JSCompartment::updateForDebugMode(FreeOp *fop)
 else if (hasScriptsOnStack())
 return;
- /*
- * Discard JIT code and bytecode analyses for any scripts that change
- * debugMode.
- */
 for (gc::CellIter i(this, gc::FINALIZE_SCRIPT); !i.done(); i.next()) {
 JSScript *script = i.get();
- if (script->debugMode != enabled) {
- mjit::ReleaseScriptCode(fop, script);
- script->clearAnalysis();
- script->debugMode = enabled;
- }
+ mjit::ReleaseScriptCode(fop, script);
+ script->debugMode = enabled;
+ }
+
+ // Discard JIT code and bytecode analysis for all scripts in this
+ // compartment. Because !hasScriptsOnStack(), it suffices to do a garbage
+ // collection cycle or to finish the ongoing GC cycle. The necessary
+ // cleanup happens in JSCompartment::sweep.
+ if (!rt->gcRunning) {
+ PrepareCompartmentForGC(this);
+ GC(rt, GC_NORMAL, gcreason::DEBUG_MODE_GC);
 }
 #endif
 }
diff --git a/js/src/jsfriendapi.h b/js/src/jsfriendapi.h
index 68889c365537..804630546bcc
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@@ -610,7 +610,7 @@ SizeOfJSContext();
 D(TOO_MUCH_MALLOC) \
 D(ALLOC_TRIGGER) \
 D(DEBUG_GC) \
- D(UNUSED2) /* was SHAPE */ \
+ D(DEBUG_MODE_GC) \
 D(UNUSED3) /* was REFILL */ \
 \
 /* Reasons from Firefox */ \
diff --git a/js/src/jsgcinlines.h b/js/src/jsgcinlines.h
index d21fbe4dd0c1..27a90d9e4c2c
--- a/js/src/jsgcinlines.h
+++ b/js/src/jsgcinlines.h
@@ -399,7 +399,6 @@ class GCCompartmentsIter {
 end = rt->compartments.end();
 if (!(*it)->isCollecting())
 next();
- JS_ASSERT(it < end);
 }
 bool done() const { return it == end; }
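Review bot: The `if (!rt->gcRunning)` branch at the end of the jscompartment.cpp hunk leaves the scripts' stale analyses to the GC already in progress, but the new comment only states that finishing that cycle suffices; if updateForDebugMode can be reached during a collection that does not include this compartment, the analyses would outlive the debugMode flip, which is the inconsistent state this patch is removing. Suggest pinning the assumption with `else { JS_ASSERT(isCollecting()); }` after that block, or extending the comment to say why the ongoing cycle is guaranteed to sweep this compartment. The loop above it now calls `mjit::ReleaseScriptCode` for every script whether or not debugMode changed; a short comment such as `// Release code for every script, not only those whose debugMode changes: analyses are reset by the GC below.` would stop a later reader from reinstating the dropped condition. updateForDebugMode begins outside the hunk.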
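Review bot: Dropping `JS_ASSERT(it < end)` from the GCCompartmentsIter constructor in the jsgcinlines.h hunk makes it legal to construct the iterator when no compartment is collecting, so it starts out with done() already true, yet nothing in the constructor records that this is now an expected state or why (presumably the compartment-scoped GC introduced in jscompartment.cpp, but the commit does not say). Suggest a comment in place of the removed assertion, e.g. `// No compartment may be collecting; the iterator then starts out done().`, so the check is not reintroduced later. The constructor's beginning lies outside the hunk.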