commit 6e1cfb8bbf744c2d804bd54d078d0381fcdccf37
parent cbafe46ac95f3bcf447133018a7f388f61585fe5
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Sat, 6 Dec 2025 09:13:01 +0000
Bug 2002646 - Fix assertion that didn't take account of moving GC r=sfink
When the trace hook is called during moving GC both the object and its shape
can be forwarded so it's not safe to call IsDeadProxyObject. The simplest thing
is to skip this check in moving GC.
Differential Revision: https://phabricator.services.mozilla.com/D275204
Diffstat:
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/js/src/debugger/Debugger.cpp b/js/src/debugger/Debugger.cpp
@@ -457,8 +457,10 @@ Breakpoint::Breakpoint(Debugger* debugger, HandleObject wrappedDebugger,
}
void Breakpoint::trace(JSTracer* trc) {
- MOZ_ASSERT(!IsDeadProxyObject(wrappedDebugger));
+ MOZ_ASSERT_IF(trc->kind() != JS::TracerKind::Moving,
+ !IsDeadProxyObject(wrappedDebugger));
TraceEdge(trc, &wrappedDebugger, "breakpoint owner");
+
TraceEdge(trc, &handler, "breakpoint handler");
}
diff --git a/js/src/jit-test/tests/debug/bug-2002646.js b/js/src/jit-test/tests/debug/bug-2002646.js
@@ -0,0 +1,8 @@
+var x = newGlobal({ newCompartment: true });
+Debugger(x).onDebuggerStatement = function (y) {
+ y.script.setBreakpoint(y.script.getLineOffsets(1)[0], {
+ hit: function () {},
+ });
+};
+x.eval("function* g() { debugger; return; };g().next()");
+relazifyFunctions();
