Bug 1354480 - Sweep compartment's template literal map r=sfink

js/src/jit-test/tests/gc/bug-1354480.js

@@ -0,0 +1,10 @@
+// |jit-test| error: TypeError
+test = "function f(a) { return a } f`a$b`";
+evalWithCache(test, {});
+dbg = new Debugger();
+gczeal(9, 1);
+dbg.findScripts('January 0 0 is invalid');
+function evalWithCache(code, ctx) {
+    ctx.global = newGlobal();
+    evaluate(code, ctx)
+}

js/src/jsapi.cpp

@@ -1883,8 +1883,8 @@ JS_GlobalObjectTraceHook(JSTracer* trc, JSObject* global)
         return;
 
     // Trace the compartment for any GC things that should only stick around if
-    // we know the compartment is live.
-    global->compartment()->trace(trc);
+    // we know the global is live.
+    global->compartment()->traceGlobal(trc);
 
     if (JSTraceOp trace = global->compartment()->creationOptions().getTrace())
         trace(trc, global);

js/src/jscompartment.cpp

@@ -706,8 +706,12 @@ JSCompartment::traceIncomingCrossCompartmentEdgesForZoneGC(JSTracer* trc)
 }
 
 void
-JSCompartment::trace(JSTracer* trc)
+JSCompartment::traceGlobal(JSTracer* trc)
 {
+    // Trace things reachable from the compartment's global. Note that these
+    // edges must be swept too in case the compartment is live but the global is
+    // not.
+
     savedStacks_.trace(trc);
 
     // The template registry strongly holds everything in it by design and
@@ -829,6 +833,12 @@ JSCompartment::sweepSavedStacks()
     savedStacks_.sweep();
 }
 
+void
+JSCompartment::sweepTemplateLiteralMap()
+{
+    templateLiteralMap_.sweep();
+}
+
 void
 JSCompartment::sweepGlobalObject(FreeOp* fop)
 {

js/src/jscompartment.h

@@ -681,10 +681,10 @@ struct JSCompartment
      * This method traces data that is live iff we know that this compartment's
      * global is still live.
      */
-    void trace(JSTracer* trc);
+    void traceGlobal(JSTracer* trc);
     /*
      * This method traces JSCompartment-owned GC roots that are considered live
-     * regardless of whether the JSCompartment itself is still live.
+     * regardless of whether the compartment's global is still live.
      */
     void traceRoots(JSTracer* trc, js::gc::GCRuntime::TraceOrMarkRuntime traceOrMark);
     /*
@@ -707,6 +707,7 @@ struct JSCompartment
 
     void sweepCrossCompartmentWrappers();
     void sweepSavedStacks();
+    void sweepTemplateLiteralMap();
     void sweepGlobalObject(js::FreeOp* fop);
     void sweepSelfHostingScriptSource();
     void sweepJitCompartment(js::FreeOp* fop);

js/src/jsgc.cpp

@@ -2188,6 +2188,8 @@ GCRuntime::sweepZoneAfterCompacting(Zone* zone)
         c->objectGroups.sweep(fop);
         c->sweepRegExps();
         c->sweepSavedStacks();
+        c->sweepTemplateLiteralMap();
+        c->sweepVarNames();
         c->sweepGlobalObject(fop);
         c->sweepSelfHostingScriptSource();
         c->sweepDebugEnvironments();
@@ -2547,7 +2549,6 @@ GCRuntime::updateZonePointersToRelocatedCells(Zone* zone, AutoLockForExclusiveAc
 
         WeakMapBase::traceZone(zone, &trc);
         for (CompartmentsInZoneIter c(zone); !c.done(); c.next()) {
-            c->trace(&trc);
             if (c->watchpointMap)
                 c->watchpointMap->trace(&trc);
         }
@@ -5028,6 +5029,7 @@ SweepMiscTask::run()
 {
     for (GCCompartmentGroupIter c(runtime()); !c.done(); c.next()) {
         c->sweepSavedStacks();
+        c->sweepTemplateLiteralMap();
         c->sweepSelfHostingScriptSource();
         c->sweepNativeIterators();
     }