Function 'Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*)' has unrooted 'fun' of type 'JSFunction*' live across GC call 'void js::AutoCompartment::AutoCompartment(js::ExclusiveContext*, JSObject*)' at js/src/vm/Debugger.cpp:105 js/src/vm/Debugger.cpp:106: Call(4,5, __temp_2 := fun*.getOrCreateScript(cx*)) GC Function: void js::AutoCompartment::AutoCompartment(js::ExclusiveContext*, JSObject*) void js::ExclusiveContext::enterCompartment(JSCompartment*) void JSContext::wrapPendingException() uint8 JSCompartment::wrap(JSContext*, class JS::MutableHandle<JS::Value>, class JS::Handle<JSObject*>) uint8 JSCompartment::wrap(JSContext*, JSString**) JSFlatString* js_NewStringCopyN(js::ExclusiveContext*, uint16*, uint64) [with js::AllowGC allowGC = (js::AllowGC)1u; jschar = char16_t; size_t = long unsigned int] String-inl.h:JSInlineString* js::NewShortString(js::ExclusiveContext*, JS::TwoByteChars) [with js::AllowGC allowGC = (js::AllowGC)1u] String-inl.h:JSInlineString* js::NewShortString(js::ExclusiveContext*, JS::StableTwoByteChars) [with js::AllowGC allowGC = (js::AllowGC)1u] JSShortString* JSShortString::new_(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u] JSShortString* js_NewGCShortString(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u] JSShortString* js::gc::NewGCThing(js::ThreadSafeContext*, uint32, uint64, uint32) [with T = JSShortString; js::AllowGC allowGC = (js::AllowGC)1u; size_t = long unsigned int] void js::gc::RunDebugGC(JSContext*) void js::MinorGC(JSRuntime*, uint32) GC Function 'Debugger.cpp:JSScript* GetOrCreateFunctionScript(JSContext*, JSFunction*)' has unrooted 'fun' of type 'JSFunction*' live across GC call 'Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*)' at js/src/vm/Debugger.cpp:115 js/src/vm/Debugger.cpp:115: Assume(8,10, !__temp_3*, false) js/src/vm/Debugger.cpp:117: Call(10,11, return := fun*.nonLazyScript()) GC Function: Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*) JSScript* JSFunction::getOrCreateScript(JSContext*) uint8 JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, class JS::Handle<JSFunction*>) uint8 JSRuntime::cloneSelfHostedFunctionScript(JSContext*, class JS::Handle<js::PropertyName*>, class JS::Handle<JSFunction*>) JSScript* js::CloneScript(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSFunction*>, const class JS::Handle<JSScript*>, uint32) JSObject* js::CloneObjectLiteral(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSObject*>) JSObject* js::NewReshapedObject(JSContext*, class JS::Handle<js::types::TypeObject*>, JSObject*, uint32, class JS::Handle<js::Shape*>, uint32) Shape.cpp:js::UnownedBaseShape* GetOrLookupUnownedBaseShape(js::ExclusiveContext*, js::StackBaseShape*) [with js::ExecutionMode mode = (js::ExecutionMode)0u; typename js::ExecutionModeTraits<mode>::ExclusiveContextType = js::ExclusiveContext*] js::UnownedBaseShape* js::BaseShape::getUnowned(js::ExclusiveContext*, js::StackBaseShape*) js::BaseShape* js_NewGCBaseShape(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u] js::BaseShape* js::gc::NewGCThing(js::ThreadSafeContext*, uint32, uint64, uint32) [with T = js::BaseShape; js::AllowGC allowGC = (js::AllowGC)1u; size_t = long unsigned int] void js::gc::RunDebugGC(JSContext*) void js::MinorGC(JSRuntime*, uint32) GC

Patch to root JSFunction pointer.

Comment on attachment 8340311 [details] [diff] [review] fix-debugger-hazards Review of attachment 8340311 [details] [diff] [review]: ----------------------------------------------------------------- Sad that we can't just do asRooted<JSFunction> or something, but oh well.

Already fixed by Terrence in bug 945360.