From 928494dd0c34ee87c5970504cff52b25364f9c95 Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Wed, 29 May 2024 09:27:28 +0000
Subject: [PATCH] Bug 1898473 - Don't access shared permanent atoms zone when marking symbols r=sfink

This is complaining that a worker runtime is accessing the shared permanent atoms zone, which is owned by the main runtime. This is not a problem because we only check the zone GC state here and the zone will never be collected while the worker is running. The patch adds a test to avoid the assertion failure.
Differential Revision: https://phabricator.services.mozilla.com/D211822
---
 js/src/gc/Marking.cpp | 3 ++-
 js/src/jit-test/tests/gc/bug-1898473.js | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1898473.js
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
index 6bec46940f2d..ca68b5b3865e 100644
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -1190,7 +1190,8 @@ bool js::GCMarker::mark(T* thing) {

 // Don't mark symbols if we're not collecting the atoms zone.
 if constexpr (std::is_same_v) {
- if (!thing->zone()->isGCMarkingOrVerifyingPreBarriers()) {
+ if (IsOwnedByOtherRuntime(runtime(), thing) ||
+ !thing->zone()->isGCMarkingOrVerifyingPreBarriers()) {
 return false;
 }
 }
diff --git a/js/src/jit-test/tests/gc/bug-1898473.js b/js/src/jit-test/tests/gc/bug-1898473.js
new file mode 100644
index 000000000000..4ac6f1ad4ab0
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1898473.js
@@ -0,0 +1,5 @@
+// |jit-test| skip-if: helperThreadCount() === 0
+evalInWorker(`
+ new FinalizationRegistry(Set).register(newGlobal())
+ gc()
+`);
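Review bot: The comment above the `if constexpr` in the Marking.cpp hunk still reads only `// Don't mark symbols if we're not collecting the atoms zone.`, but the new condition also returns false for symbols owned by another runtime, and nothing in the code records that this operand has to be evaluated first. The reasoning (a worker runtime should not touch the shared permanent atoms zone owned by the main runtime) lives only in the commit message, so a later reorder of the `||` operands would silently bring back the cross-runtime `thing->zone()` access that this patch removes. I would extend the comment to something like `// Don't mark symbols owned by another runtime (checked first so a worker never touches the shared atoms zone), or if we're not collecting the atoms zone.` The body of `GCMarker::mark` begins and ends outside the hunk, so whether code further down repeats a zone access for such symbols cannot be confirmed from here.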