Cancel EnqueueMicrotask of FinalizationGroup on detached contexts
The MicrotaskQueue associated with a Context may be null after DetachGlobal, and triggering FinalizationGroup cleanup on the detached context causes a crash. This CL fixes the crash by cancelling the cleanup on such a context. Bug: chromium:937784 Change-Id: I57883ae0caf6c6bb35e482e441b6e09e921d9def Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552500 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#60931}
parent
8034b0568b
commit
b5baf76f77
@ -1026,7 +1026,8 @@ void Heap::GarbageCollectionEpilogue() {
|
||||
Handle<FinalizationGroupCleanupJobTask> task =
|
||||
isolate()->factory()->NewFinalizationGroupCleanupJobTask(
|
||||
finalization_group);
|
||||
context->microtask_queue()->EnqueueMicrotask(*task);
|
||||
MicrotaskQueue* microtask_queue = context->microtask_queue();
|
||||
if (microtask_queue) microtask_queue->EnqueueMicrotask(*task);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
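Review bot: The null check on the new line `if (microtask_queue) microtask_queue->EnqueueMicrotask(*task);` runs only after `NewFinalizationGroupCleanupJobTask` has already allocated the job, so on a detached context the heap builds a task just to throw it away; reading `context->microtask_queue()` first and skipping the task creation when it is null would avoid that, e.g. `MicrotaskQueue* microtask_queue = context->microtask_queue();` / `if (microtask_queue == nullptr) continue;` ahead of the `Handle<FinalizationGroupCleanupJobTask> task =` line (whether `continue` or a plain `if` fits depends on the enclosing loop, which is not visible here). The hunk also gives a reader no hint why silently dropping the cleanup is acceptable; a comment such as `// A context whose global was detached (DetachGlobal) has no microtask queue, so its cleanup callback can never run; drop the job instead of dereferencing null.` would record the reasoning from the CL description. What happens to the group's already-cleared cells in that case is not visible in this hunk, so that part is inferred. The enclosing body of `Heap::GarbageCollectionEpilogue` starts outside the hunk.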
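--- /dev/null
+++ b/test/mjsunit/harmony/weakrefs/cleanup-on-detached-realm.js
@@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-weak-refs --expose-gc --noincremental-marking
+
+let r = Realm.create();
+let FG = Realm.eval(r, "FinalizationGroup");
+Realm.detachGlobal(r);
+
+let fg = new FG(()=> {
+assertUnreachable();
+});
+
+(() => {
+let object = {};
+fg.register(object, {});
+
+// object goes out of scope.
+})();
+
+gc();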
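Review bot: The test only checks that nothing crashes and that the callback passed to `new FG(...)` never runs; there is no positive control, so a regression that stopped enqueueing cleanup jobs for every realm (detached or not) would still pass here. A sibling case that builds the same group without `Realm.detachGlobal(r)` and asserts the callback does fire would pin the intended behaviour. The file also never says why `assertUnreachable()` is the expected outcome; a comment before `let fg = new FG(()=> {` such as `// FG was created by realm r, whose global is now detached, so its cleanup job has no microtask queue to run on and must be dropped rather than crash.` would tie the test to the fix (that the group's own realm, not the callback's, picks the queue is inferred from the CL description rather than shown here).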