Bug 1787351 - Don't remove the atoms zone from the zones list until after we've marked everything black r=sfink

Iterating cells in the atoms zone will try to evict the nursery (it's empty in
this case) and if the appropriate zeal mode is set we will then try to check
the heap. This causes an assertion failure because the the zones list is
unexpectedly empty.

Doing things in a different order prevents this issue from arising.

Differential Revision: https://phabricator.services.mozilla.com/D155689

js/src/gc/GC.cpp

@@ -943,13 +943,10 @@ bool GCRuntime::freezeSharedAtomsZone() {
   MOZ_ASSERT(!atomsZone()->wasGCStarted());
   MOZ_ASSERT(!atomsZone()->needsIncrementalBarrier());
 
-  sharedAtomsZone_ = atomsZone();
-  zones().clear();
-
-  sharedAtomsZone_->arenas.clearFreeLists();
+  atomsZone()->arenas.clearFreeLists();
 
   for (auto kind : AllAllocKinds()) {
-    for (auto thing = sharedAtomsZone_->cellIterUnsafe<TenuredCell>(kind);
+    for (auto thing = atomsZone()->cellIterUnsafe<TenuredCell>(kind);
          !thing.done(); thing.next()) {
       TenuredCell* cell = thing.getCell();
       MOZ_ASSERT((cell->is<JSString>() &&
@@ -960,6 +957,9 @@ bool GCRuntime::freezeSharedAtomsZone() {
     }
   }
 
+  sharedAtomsZone_ = atomsZone();
+  zones().clear();
+
   UniquePtr<Zone> zone = MakeUnique<Zone>(rt, Zone::AtomsZone);
   if (!zone || !zone->init()) {
     return false;

js/src/jit-test/tests/gc/bug-1787351.js

@@ -0,0 +1 @@
+// |jit-test| --gc-zeal=15