commit f63f7b1b9fba13a93b98ca96c189e378f4452202
parent 49e3f5f68eb9f0f36cd960ed95297a485adfdf30
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Mon, 20 Oct 2025 14:49:42 +0000
Bug 1995038 - Fix over-eager assertion in CanCheckGrayBits r=sfink
The previous patches made us do this check more often (not just if the cell was
actually marked gray). This means we're also calling it for shared atoms, which may belong to a
different (parent) runtime, so the CurrentThreadCanAccessRuntime assertion can fail. We can skip this
check for atoms if they are marked black, as shared atoms will be.
Differential Revision: https://phabricator.services.mozilla.com/D269204
Diffstat:
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/js/src/gc/GC.cpp b/js/src/gc/GC.cpp
@@ -5488,6 +5488,12 @@ JS_PUBLIC_API bool js::gc::detail::CanCheckGrayBits(const TenuredCell* cell) {
MOZ_ASSERT(cell);
+ JS::Zone* zone = cell->zoneFromAnyThread();
+ if (zone->isAtomsZone() && cell->isMarkedBlack()) {
+ // This could be a shared atom in the parent runtime. Skip this check.
+ return true;
+ }
+
auto* runtime = cell->runtimeFromAnyThread();
MOZ_ASSERT(CurrentThreadCanAccessRuntime(runtime));
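Review bot: The comment on the new early return only says the check is skipped, but the function returns `true` ("gray bits can be checked"), so the soundness of this path rests on a property the comment leaves implicit: a cell marked black cannot also be gray, so whatever gray check the caller performs next answers "not gray" without the runtime-access or incremental-GC checks further down. I'd make that explicit, e.g. `// A black cell is never gray, so the caller's gray check is trivially answerable without touching the (possibly parent) runtime that owns a shared atom.` It is also worth noting that `cell->isMarkedBlack()` is now read before the `CurrentThreadCanAccessRuntime` assertion, i.e. possibly on a cell owned by another runtime; that is presumably safe because shared atoms stay black for their lifetime, but the comment should state that assumption since it is what makes the cross-runtime read race-free. Finally, the guard is broader than the commit message describes: any black cell in an atoms zone, including this runtime's own atoms, now bypasses the remaining checks in this function, which looks intended but deserves a sentence. CanCheckGrayBits starts on the line shown in the hunk header and continues past the end of this hunk.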
@@ -5495,8 +5501,6 @@ JS_PUBLIC_API bool js::gc::detail::CanCheckGrayBits(const TenuredCell* cell) {
return false;
}
- JS::Zone* zone = cell->zone();
-
if (runtime->gc.isIncrementalGCInProgress() && !zone->wasGCStarted()) {
return false;
}