Bug 1161968 - Fix assertion failure in CloneFunctionObject() if script gets relazified r=jandem
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 07 May 2015 10:14:40 +0100
changeset 274116 ceadd609623b36aed16dd02e54bd876d600515cf
parent 274115 522f3549ec5b993c809486dc3dbe9fa7da0c7c00
child 274117 29f691ba32226459b66ac3b924bbcebefa34b299
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
reviewersjandem
bugs1161968
milestone40.0a1
Bug 1161968 - Fix assertion failure in CloneFunctionObject() if script gets relazified r=jandem
js/src/jit-test/tests/gc/bug-1161968.js
js/src/jsfun.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1161968.js
@@ -0,0 +1,15 @@
+// This test case is a simplified version of debug/Source-invisible.js.
+
+if (!'gczeal' in this)
+    quit();
+
+gczeal(2,21);
+
+var gi = newGlobal();
+gi.eval('function f() {}');
+
+var gv = newGlobal();
+gv.f = gi.f;
+gv.eval('f = clone(f);');
+
+var dbg = new Debugger;
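Review bot: The guard `if (!'gczeal' in this)` does not test what it says: `!` binds tighter than `in`, so `!'gczeal'` evaluates to `false` and the condition checks whether a property named `"false"` exists on the global, which is never true, so `quit()` is unreachable and the test proceeds to call `gczeal` regardless. It should read `if (!('gczeal' in this))`. The jit-test shell presumably always defines `gczeal`, so the script still works as written, but the same pattern copied into another test would fail unexpectedly.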
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -2126,23 +2126,16 @@ js::CloneFunctionObject(JSContext* cx, H
                         NewObjectKind newKindArg /* = GenericObject */,
                         HandleObject proto)
 {
     MOZ_ASSERT(parent);
     MOZ_ASSERT(!fun->isBoundFunction());
 
     bool useSameScript = CloneFunctionObjectUseSameScript(cx->compartment(), fun, parent);
 
-    JSScript::AutoDelazify funScript(cx);
-    if (!useSameScript && fun->isInterpretedLazy()) {
-        funScript = fun;
-        if (!funScript)
-            return nullptr;
-    }
-
     NewObjectKind newKind = useSameScript ? newKindArg : SingletonObject;
     RootedObject cloneProto(cx, proto);
     if (!cloneProto && fun->isStarGenerator()) {
         cloneProto = GlobalObject::getOrCreateStarGeneratorFunctionPrototype(cx, cx->global());
         if (!cloneProto)
             return nullptr;
     }
 #ifdef DEBUG
@@ -2157,16 +2150,23 @@ js::CloneFunctionObject(JSContext* cx, H
                realParent->isUnqualifiedVarObj());
 #endif
     JSObject* cloneobj = NewObjectWithClassProto(cx, &JSFunction::class_, cloneProto,
                                                  allocKind, newKind);
     if (!cloneobj)
         return nullptr;
     RootedFunction clone(cx, &cloneobj->as<JSFunction>());
 
+    JSScript::AutoDelazify funScript(cx);
+    if (!useSameScript && fun->isInterpretedLazy()) {
+        funScript = fun;
+        if (!funScript)
+            return nullptr;
+    }
+
     MOZ_ASSERT(useSameScript || !fun->isInterpretedLazy());
 
     uint16_t flags = fun->flags() & ~JSFunction::EXTENDED;
     if (allocKind == AllocKind::FUNCTION_EXTENDED)
         flags |= JSFunction::EXTENDED;
 
     clone->setArgCount(fun->nargs());
     clone->setFlags(flags);
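Review bot: The move of the `JSScript::AutoDelazify` block to after `NewObjectWithClassProto` is the whole fix, but nothing in the code records why it must stay there, so a later cleanup could move it back next to `useSameScript` and reintroduce the assertion failure. A comment above line 84 along the lines of `// Delazify only after the clone is allocated: the allocation can GC, and a GC may relazify fun's script, which would invalidate an earlier delazification and trip the assert below.` would pin the ordering (the GC-relazification mechanism is inferred from the commit title, so confirm the wording). The same reasoning applies to the removal in the previous hunk. CloneFunctionObject's signature begins before this file's first hunk and its body continues past this one.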