From 999e0bb4842ec0e8a11158ed21c8506236d06c9b Mon Sep 17 00:00:00 2001
From: Cameron Kaiser <classilla@floodgap.com>
Date: Wed, 6 Dec 2017 16:13:08 -0800
Subject: [PATCH] #438: M1371908 (gc-JS)

---
 js/src/jit-test/tests/gc/bug-1371908.js |  6 ++++++
 js/src/jit-test/tests/gc/bug1146213.js  | 21 +++++++++++++++++++++
 js/src/jsgc.cpp                         |  6 +++++-
 js/src/vm/HelperThreads.cpp             |  8 +++++---
 4 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1371908.js
 create mode 100644 js/src/jit-test/tests/gc/bug1146213.js

diff --git a/js/src/jit-test/tests/gc/bug-1371908.js b/js/src/jit-test/tests/gc/bug-1371908.js
new file mode 100644
index 000000000..da4540459
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1371908.js
@@ -0,0 +1,6 @@
+if (helperThreadCount() === 0)
+    quit();
+offThreadCompileScript("");
+startgc(0);
+runOffThreadScript();
+
diff --git a/js/src/jit-test/tests/gc/bug1146213.js b/js/src/jit-test/tests/gc/bug1146213.js
new file mode 100644
index 000000000..14ca08827
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug1146213.js
@@ -0,0 +1,21 @@
+if (!("setGCCallback" in this &&
+      "schedulegc" in this &&
+      "gcslice" in this &&
+      "newGlobal" in this &&
+      "helperThreadCount" in this))
+{
+    quit();
+}
+
+if (helperThreadCount() == 0)
+    quit();
+
+setGCCallback({
+  action: "majorGC",
+});
+schedulegc(this)
+gcslice(3)
+var lfGlobal = newGlobal();
+lfGlobal.offThreadCompileScript("");
+lfGlobal.runOffThreadScript();
+
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index cf3612d41..73a2169a5 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -6845,7 +6845,11 @@ gc::MergeCompartments(JSCompartment* source, JSCompartment* target)
 
     JSRuntime* rt = source->runtimeFromMainThread();
 
-    AutoPrepareForTracing prepare(rt, SkipAtoms);
+    MOZ_ASSERT(!source->zone()->wasGCStarted());
+    MOZ_ASSERT(!target->zone()->wasGCStarted());
+    JS::AutoAssertOnGC nogc(rt);
+
+    AutoTraceSession session(rt);
 
     // Cleanup tables and other state in the source compartment that will be
     // meaningless after merging into the target compartment.
diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
index ab2b789f0..564f90b8d 100644
--- a/js/src/vm/HelperThreads.cpp
+++ b/js/src/vm/HelperThreads.cpp
@@ -1103,11 +1103,13 @@ GlobalHelperThreadState::mergeParseTaskCompartment(JSRuntime* rt, ParseTask* par
                                                    Handle<GlobalObject*> global,
                                                    JSCompartment* dest)
 {
+    // Finish any ongoing incremental GC that may affect the destination zone.
+    if (JS::IsIncrementalGCInProgress(rt) && dest->zone()->wasGCStarted())
+        JS::FinishIncrementalGC(rt, JS::gcreason::API);
+
     // After we call LeaveParseTaskZone() it's not safe to GC until we have
     // finished merging the contents of the parse task's compartment into the
-    // destination compartment.  Finish any ongoing incremental GC first and
-    // assert that no allocation can occur.
-    gc::AutoFinishGC finishGC(rt);
+    // destination compartment.
     JS::AutoAssertNoAlloc noAlloc(rt);
 
     LeaveParseTaskZone(rt, parseTask);