Bug 1787351 - Don't remove the atoms zone from the zones list until a…

…fter we've marked everything black r=sfink Iterating cells in the atoms zone will try to evict the nursery (it's empty in this case) and if the appropriate zeal mode is set we will then try to check the heap. This causes an assertion failure because the the zones list is unexpectedly empty. Doing things in a different order prevents this issue from arising. Differential Revision: https://phabricator.services.mozilla.com/D155689
dothq · Aug 30, 2022 · c9be20d · c9be20d
1 parent 3189560
commit c9be20d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/js/src/gc/GC.cpp b/js/src/gc/GC.cpp
@@ -943,13 +943,10 @@ bool GCRuntime::freezeSharedAtomsZone() {
   MOZ_ASSERT(!atomsZone()->wasGCStarted());
   MOZ_ASSERT(!atomsZone()->needsIncrementalBarrier());
 
-  sharedAtomsZone_ = atomsZone();
-  zones().clear();
-
-  sharedAtomsZone_->arenas.clearFreeLists();
+  atomsZone()->arenas.clearFreeLists();
 
   for (auto kind : AllAllocKinds()) {
-    for (auto thing = sharedAtomsZone_->cellIterUnsafe<TenuredCell>(kind);
+    for (auto thing = atomsZone()->cellIterUnsafe<TenuredCell>(kind);
          !thing.done(); thing.next()) {
       TenuredCell* cell = thing.getCell();
       MOZ_ASSERT((cell->is<JSString>() &&
@@ -960,6 +957,9 @@ bool GCRuntime::freezeSharedAtomsZone() {
     }
   }
 
+  sharedAtomsZone_ = atomsZone();
+  zones().clear();
+
   UniquePtr<Zone> zone = MakeUnique<Zone>(rt, Zone::AtomsZone);
   if (!zone || !zone->init()) {
     return false;

diff --git a/js/src/jit-test/tests/gc/bug-1787351.js b/js/src/jit-test/tests/gc/bug-1787351.js
@@ -0,0 +1 @@
+// |jit-test| --gc-zeal=15