Bug 1157382 - Fix possible data race caused by accessing the mark bits of cells in another runtime r=terrence

js/public/HeapAPI.h

@@ -222,6 +222,8 @@ class JS_FRIEND_API(GCCellPtr)
         return reinterpret_cast<uintptr_t>(asCell());
     }
 
+    bool mayBeOwnedByOtherRuntime() const;
+
   private:
     uintptr_t checkedCast(void* p, JSGCTraceKind traceKind) {
         js::gc::Cell* cell = static_cast<js::gc::Cell*>(p);
@@ -365,6 +367,8 @@ GCThingIsMarkedGray(GCCellPtr thing)
 {
     if (js::gc::IsInsideNursery(thing.asCell()))
         return false;
+    if (thing.mayBeOwnedByOtherRuntime())
+        return false;
     return js::gc::detail::CellIsMarkedGray(thing.asCell());
 }
 

js/src/jsgc.cpp

@@ -6984,6 +6984,13 @@ JS::GCCellPtr::outOfLineKind() const
     return MapAllocToTraceKind(asCell()->asTenured().getAllocKind());
 }
 
+bool
+JS::GCCellPtr::mayBeOwnedByOtherRuntime() const
+{
+    return (isString() && toString()->isPermanentAtom()) ||
+           (isSymbol() && toSymbol()->isWellKnownSymbol());
+}
+
 #ifdef JSGC_HASH_TABLE_CHECKS
 void
 js::gc::CheckHashTablesAfterMovingGC(JSRuntime* rt)