From 82d4bd1aeb216f817b7fb7f8ad6c65ed1ca19121 Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Mon, 2 Dec 2019 22:33:45 +0000
Subject: [PATCH] Bug 1600238 - Finalize FinalizationGroup objects in the foreground to avoid depdendency on when holdings objects are finalized r=sfink The holdings objects can be foreground or background finalized, but HeapPtr's destructor depends on the referent's arena to have not been released. Making FinalizationGroups foreground finalized achieves this. Differential Revision: https://phabricator.services.mozilla.com/D55302 --HG-- extra : moz-landing-system : lando
---
 js/src/builtin/FinalizationGroupObject.cpp | 5 ++++-
 js/src/jit-test/tests/gc/bug-1600238.js | 23 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1600238.js
diff --git a/js/src/builtin/FinalizationGroupObject.cpp b/js/src/builtin/FinalizationGroupObject.cpp
index b623b227ff68..ff972b3ba77c 100644
--- a/js/src/builtin/FinalizationGroupObject.cpp
+++ b/js/src/builtin/FinalizationGroupObject.cpp
@@ -154,10 +154,13 @@ inline void FinalizationRecordVectorObject::remove(
 ///////////////////////////////////////////////////////////////////////////
 // FinalizationGroupObject
+// Bug 1600300: FinalizationGroupObject is foreground finalized so that HeapPtr
+// destructors never see referents with released arenas. When this is fixed we
+// may be able to make this background finalized again.
 const JSClass FinalizationGroupObject::class_ = {
 "FinalizationGroup",
 JSCLASS_HAS_CACHED_PROTO(JSProto_FinalizationGroup) |
- JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_BACKGROUND_FINALIZE,
+ JSCLASS_HAS_RESERVED_SLOTS(SlotCount) | JSCLASS_FOREGROUND_FINALIZE,
 &classOps_, &classSpec_};
 const JSClass FinalizationGroupObject::protoClass_ = {
diff --git a/js/src/jit-test/tests/gc/bug-1600238.js b/js/src/jit-test/tests/gc/bug-1600238.js
new file mode 100644
index 000000000000..f021e54faf82
--- /dev/null
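Review bot: The comment added above `FinalizationGroupObject::class_` cites Bug 1600300 while this commit lands as Bug 1600238, and it does not say how the two relate, so the reference reads like a typo. The flag is what keeps `HeapPtr` destructors from touching referents whose arenas have already been released, so the comment should make clear which bug must be resolved before anyone restores `JSCLASS_BACKGROUND_FINALIZE`. Assuming 1600300 is the follow-up that "When this is fixed" refers to, something like `// Workaround for bug 1600238; bug 1600300 tracks the underlying HeapPtr destructor issue.` followed by `// Keep JSCLASS_FOREGROUND_FINALIZE until that is resolved.` would do. Whether other background-finalized classes in this file hold `HeapPtr`s with the same ordering dependency cannot be judged from this hunk and is worth checking.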
+++ b/js/src/jit-test/tests/gc/bug-1600238.js
@@ -0,0 +1,23 @@
+// |jit-test| --enable-weak-refs
+
+gczeal(0);
+newGlobal();
+nukeAllCCWs();
+function f() {
+ global = newGlobal({
+ newCompartment: true
+ });
+ try {
+ return global.eval("new FinalizationGroup(function(){})");
+ } catch (e) {
+ if (e instanceof TypeError && e.message.includes('dead')) {
+ // Creating a new CCW to the global fails with
+ // --more-compartments option.
+ quit();
+ }
+ throw e;
+ }
+}
+g = f();
+g.register({}, {}, {});
+startgc();
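Review bot: The new test has no assertion and no comment saying what it guards against, so it can only fail by crashing and a reader cannot tell that from the file. A header line after the `|jit-test|` directive would make the intent explicit, for example `// Crash test for bug 1600238: a FinalizationGroup with registered holdings must be finalized safely.` The `quit()` in the `catch` branch ends the script before `g.register(...)` and `startgc()` run, so with `--more-compartments` the test passes without exercising the regression; the existing comment there should say so. `startgc()` presumably only begins an incremental collection, so the finalization under test may happen at shell shutdown rather than inside the script, which is also worth confirming and noting.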