Bug 1137341 - Don't allow GC to observe cross compartment prototype pointers for object groups r=terrence a=abillings

js/src/jit-test/tests/gc/bug-1137341.js

@@ -0,0 +1,8 @@
+if (helperThreadCount() == 0)
+   quit();
+
+schedulegc(this);
+startgc(0, "shrinking");
+var g = newGlobal();
+g.offThreadCompileScript('debugger;', {});
+g.runOffThreadScript();

js/src/vm/HelperThreads.cpp

@@ -13,6 +13,7 @@
 #include "prmjtime.h"
 
 #include "frontend/BytecodeCompiler.h"
+#include "gc/GCInternals.h"
 #include "jit/IonBuilder.h"
 #include "vm/Debugger.h"
 #include "vm/TraceLogging.h"
@@ -900,11 +901,15 @@ GlobalHelperThreadState::finishParseTask(JSContext *maybecx, JSRuntime *rt, void
     // Point the prototypes of any objects in the script's compartment to refer
     // to the corresponding prototype in the new compartment. This will briefly
     // create cross compartment pointers, which will be fixed by the
-    // MergeCompartments call below.
+    // MergeCompartments call below.  It's not safe for a GC to observe this
+    // state, so finish any ongoing GC first and assert that we can't trigger
+    // another one.
+    gc::AutoFinishGC finishGC(rt);
     for (gc::ZoneCellIter iter(parseTask->cx->zone(), gc::FINALIZE_OBJECT_GROUP);
          !iter.done();
          iter.next())
     {
+        JS::AutoAssertNoAlloc noAlloc(rt);
         ObjectGroup *group = iter.get<ObjectGroup>();
         TaggedProto proto(group->proto());
         if (!proto.isObject())