Running the debug/Source-invisible.js jit-test with GC zeal 14,21 fails: Assertion failure: useSameScript || !fun->isInterpretedLazy(), at js/src/jsfun.cpp:2169 Exit code: -11 FAIL - debug/Source-invisible.js Originally found in try pushes on Windows builds with the patches from bug 1155618 applied, although this is a pre-existing issue.

This is not related to compacting GC after all as it reproduces with zeal 2,21: Program received signal SIGSEGV, Segmentation fault. 0x0000000000bb7040 in js::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, fun=fun@entry=..., parent=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT4_BACKGROUND, newKindArg=newKindArg@entry=js::GenericObject, proto=...) at /home/jon/clone/dev/js/src/jsfun.cpp:2169 2169 MOZ_ASSERT(useSameScript || !fun->isInterpretedLazy()); (gdb) bt #0 0x0000000000bb7040 in js::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, fun=fun@entry=..., parent=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT4_BACKGROUND, newKindArg=newKindArg@entry=js::GenericObject, proto=...) at /home/jon/clone/dev/js/src/jsfun.cpp:2169 #1 0x0000000000ae6a79 in CloneFunctionObject (cx=cx@entry=0x7ffff651b330, funobj=..., funobj@entry=..., dynamicScope=...) at /home/jon/clone/dev/js/src/jsapi.cpp:3320 #2 0x0000000000ae6d7a in JS::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, funobj=..., funobj@entry=..., scopeChain=...) at /home/jon/clone/dev/js/src/jsapi.cpp:3339 #3 0x0000000000454d8d in Clone (cx=0x7ffff651b330, argc=<optimised out>, vp=0x7ffff4a02148) at /home/jon/clone/dev/js/src/shell/js.cpp:2596 #4 0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0x454a40 <Clone(JSContext*, unsigned int, jsval*)>, args=...) at /home/jon/clone/dev/js/src/jscntxtinlines.h:235 #5 0x0000000000687592 in js::Invoke (cx=0x7ffff651b330, args=..., construct=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:727 #6 0x000000000068139d in Interpret (cx=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:2955 #7 0x0000000000687040 in js::RunScript (cx=cx@entry=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:677 #8 0x0000000000691a88 in js::ExecuteKernel (cx=cx@entry=0x7ffff651b330, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_INDIRECT_EVAL, evalInFrame=..., evalInFrame@entry=..., result=0x7fffffffcc28) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:902 #9 0x000000000058da74 in EvalKernel (cx=cx@entry=0x7ffff651b330, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=pc@entry=0x0) at /home/jon/clone/dev/js/src/builtin/Eval.cpp:365 #10 0x000000000058e197 in js::IndirectEval (cx=0x7ffff651b330, argc=<optimised out>, vp=<optimised out>) at /home/jon/clone/dev/js/src/builtin/Eval.cpp:489 #11 0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0x58e100 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jon/clone/dev/js/src/jscntxtinlines.h:235 #12 0x0000000000687592 in js::Invoke (cx=cx@entry=0x7ffff651b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:727 #13 0x00000000006891dc in js::Invoke (cx=cx@entry=0x7ffff651b330, thisv=..., fval=..., argc=<optimised out>, argv=0x7ffff4a020b0, rval=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:783 #14 0x0000000000bf95db in js::DirectProxyHandler::call (this=this@entry=0x1a85ac0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff651b330, proxy=..., proxy@entry=..., args=...) at /home/jon/clone/dev/js/src/proxy/DirectProxyHandler.cpp:77 #15 0x0000000000c00122 in js::CrossCompartmentWrapper::call (this=0x1a85ac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff651b330, wrapper=..., args=...) at /home/jon/clone/dev/js/src/proxy/CrossCompartmentWrapper.cpp:289 #16 0x0000000000c0c892 in js::Proxy::call (cx=cx@entry=0x7ffff651b330, proxy=proxy@entry=..., args=...) at /home/jon/clone/dev/js/src/proxy/Proxy.cpp:391 #17 0x0000000000c0c94f in js::proxy_Call (cx=0x7ffff651b330, argc=<optimised out>, vp=<optimised out>) at /home/jon/clone/dev/js/src/proxy/Proxy.cpp:697 #18 0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0xc0c8c0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jon/clone/dev/js/src/jscntxtinlines.h:235 #19 0x0000000000687766 in js::Invoke (cx=0x7ffff651b330, args=..., construct=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:720 #20 0x000000000068139d in Interpret (cx=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:2955 #21 0x0000000000687040 in js::RunScript (cx=cx@entry=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:677 #22 0x0000000000691a88 in js::ExecuteKernel (cx=cx@entry=0x7ffff651b330, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=0x0) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:902 #23 0x00000000006940cb in js::Execute (cx=cx@entry=0x7ffff651b330, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:942 #24 0x0000000000ad8fef in ExecuteScript (cx=cx@entry=0x7ffff651b330, obj=..., scriptArg=..., rval=rval@entry=0x0) at /home/jon/clone/dev/js/src/jsapi.cpp:4159 #25 0x0000000000ad917b in JS_ExecuteScript (cx=cx@entry=0x7ffff651b330, scriptArg=..., scriptArg@entry=...) at /home/jon/clone/dev/js/src/jsapi.cpp:4181 #26 0x00000000004259ab in RunFile (compileOnly=false, file=0x7ffff4b5b000, filename=0x7fffffffeb7b "/home/jon/clone/dev/js/src/jit-test/tests/debug/Source-invisible.js", cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:468 #27 Process (cx=cx@entry=0x7ffff651b330, filename=0x7fffffffeb7b "/home/jon/clone/dev/js/src/jit-test/tests/debug/Source-invisible.js", forceTTY=forceTTY@entry=false) at /home/jon/clone/dev/js/src/shell/js.cpp:598 #28 0x000000000043b183 in ProcessArgs (op=0x7fffffffe580, cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:5777 #29 Shell (envp=<optimised out>, op=0x7fffffffe580, cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:6068 #30 main (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>) at /home/jon/clone/dev/js/src/shell/js.cpp:6390

The problem seems to be that in CloneFunctionObject() we try delazify the script to soon. If the script is not lazy at this point it can become lazy if NewObjectWithClassProto() causes a GC and then the assertion fails. The attached patch fixes the issue. Jan does this look like this is the right approach here?

Comment on attachment 8602213 [details] [diff] [review] bug1161968-lazy-assertion Review of attachment 8602213 [details] [diff] [review]: ----------------------------------------------------------------- Looks good.