Bug 1884746 - Relax assertion when transferring unique IDs after nursery collection r=jandem

We can have duplicates of the same cell in the Nursery::cellsWithUid_ vector,
e.g. if we repeatedly try to add a unique ID but fail half way through due to
OOM. That could lead to triggering this assertion than the target of an ID
trasfer doesn't already have an ID. However when this happens the source of the
transfer has already had the ID removed.

This case is handled by HashMap::rekeyAs, called from rekeyIfMoved in the
following line, as it first looks up the source cell in the map and does
nothing if it's not present.

The fix is to relax the assertion.

Differential Revision: https://phabricator.services.mozilla.com/D204364

js/src/gc/StableCellHasher-inl.h

@@ -137,7 +137,7 @@ inline void TransferUniqueId(Cell* tgt, Cell* src) {
   MOZ_ASSERT(src->zone() == tgt->zone());
 
   Zone* zone = tgt->zone();
-  MOZ_ASSERT(!zone->uniqueIds().has(tgt));
+  MOZ_ASSERT_IF(zone->uniqueIds().has(src), !zone->uniqueIds().has(tgt));
   zone->uniqueIds().rekeyIfMoved(src, tgt);
 }
 

js/src/jit-test/tests/gc/bug-1884746.js

@@ -0,0 +1,7 @@
+var x = newGlobal().Int8Array;
+for (let i = 0; i < 2; i++) {
+  function f() {}
+  oomTest(function() {
+    new x().__proto__ = f;
+  });
+}