commit 1472b1400f28006c2e1c1dcfaf900542532b9c7a
parent 71cfba671800c2293de64f8c2e3fd390f9c050d3
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Wed, 12 Nov 2025 10:31:08 +0000
Bug 1999501 - Relax assertion about symbols being the only gray things possible in the atoms zone r=jandem
We can now store JitCode in the atoms zone for shared self hosting code. This
patch therefore relaxes the assertion that symbols are the only things in the
atoms zone encountered during gray unmarking.
Differential Revision: https://phabricator.services.mozilla.com/D272212
Diffstat:
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
@@ -2906,13 +2906,14 @@ void UnmarkGrayTracer::onChild(JS::GCCellPtr thing, const char* name) {
Zone* zone = tenured.zoneFromAnyThread();
// As well as updating the mark bits, we may need to update the color in the
- // atom marking bitmap to record that |sourceZone| now has a black edge to
- // |thing|.
+ // atom marking bitmap for symbols to record that |sourceZone| now has a black
+ // edge to |thing|.
if (zone->isAtomsZone() && sourceZone) {
- MOZ_ASSERT(tenured.is<JS::Symbol>());
GCRuntime* gc = &runtime()->gc;
- JS::Symbol* symbol = tenured.as<JS::Symbol>();
- gc->atomMarking.maybeUnmarkGrayAtomically(sourceZone, symbol);
+ if (tenured.is<JS::Symbol>()) {
+ JS::Symbol* symbol = tenured.as<JS::Symbol>();
+ gc->atomMarking.maybeUnmarkGrayAtomically(sourceZone, symbol);
+ }
}
// If the cell is in a zone whose mark bits are being cleared, then it will
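Review bot: Replacing `MOZ_ASSERT(tenured.is<JS::Symbol>())` with a plain `if (tenured.is<JS::Symbol>())` drops the invariant check entirely, so any other cell kind that ends up in the atoms zone during gray unmarking now passes through silently instead of being caught in debug builds. The description names JitCode for shared self-hosted code as the new case, so a narrower assertion keeps the diagnostic value: `MOZ_ASSERT(tenured.is<JS::Symbol>() || tenured.is<js::jit::JitCode>());` placed before the new `if`, assuming JitCode is visible in this translation unit. The comment on the symbol branch could also say why non-symbols need no bitmap update, e.g. `// Only symbols are tracked in the atom marking bitmap; other atoms-zone cells (e.g. JitCode) need no update here.` — I am inferring that from the code path, so confirm it. UnmarkGrayTracer::onChild starts before and continues past this hunk; some blank context lines also appear to be missing from the hunk as shown.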
diff --git a/js/src/jit-test/tests/gc/bug-1999501.js b/js/src/jit-test/tests/gc/bug-1999501.js
@@ -0,0 +1,11 @@
+// |jit-test| --setpref=experimental.self_hosted_cache=true
+
+a = `
+ b = newGlobal().evaluate("grayRoot()");
+ b += undefined;
+ gc();
+`;
+for (let i = 0; i < 20; ++i) {
+ evaluate("");
+ evaluate(a);
+}