Bug 1600238 - Finalize FinalizationGroup objects in the foreground to avoid depdendency on when holdings objects are finalized r=sfink

The holdings objects can be foreground or background finalized, but HeapPtr's destructor depends on the referent's arena to have not been released. Making FinalizationGroups foreground finalized achieves this.

Differential Revision: https://phabricator.services.mozilla.com/D55302

--HG--
extra : moz-landing-system : lando

js/src/builtin/FinalizationGroupObject.cpp

@@ -154,10 +154,13 @@ inline void FinalizationRecordVectorObject::remove(
 ///////////////////////////////////////////////////////////////////////////
 // FinalizationGroupObject
 
+// Bug 1600300: FinalizationGroupObject is foreground finalized so that HeapPtr
+// destructors never see referents with released arenas. When this is fixed we
+// may be able to make this background finalized again.
 const JSClass FinalizationGroupObject::class_ = {
     "FinalizationGroup",
     JSCLASS_HAS_CACHED_PROTO(JSProto_FinalizationGroup) |
-        JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_BACKGROUND_FINALIZE,
+        JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_FOREGROUND_FINALIZE,
     &classOps_, &classSpec_};
 
 const JSClass FinalizationGroupObject::protoClass_ = {

js/src/jit-test/tests/gc/bug-1600238.js

@@ -0,0 +1,23 @@
+// |jit-test| --enable-weak-refs
+
+gczeal(0);
+newGlobal();
+nukeAllCCWs();
+function f() {
+    global = newGlobal({
+        newCompartment: true
+    });
+    try {
+        return global.eval("new FinalizationGroup(function(){})");
+    } catch (e) {
+        if (e instanceof TypeError && e.message.includes('dead')) {
+            // Creating a new CCW to the global fails with
+            // --more-compartments option.
+            quit();
+        }
+        throw e;
+    }
+}
+g = f();
+g.register({}, {}, {});
+startgc();