Cancel EnqueueMicrotask of FinalizationGroup on detached contexts

MicrotaskQueue associated to Context may be null after DetachGlobal, and triggering FinalizationGroup clean up on the detached context causes a crash. This CL fixes the crash by cancelling the clean up on such a context. Bug: chromium:937784 Change-Id: I57883ae0caf6c6bb35e482e441b6e09e921d9def Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552500 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#60931}
2019-04-05 14:55:17 +09:00 · 2019-04-05 14:55:17 +09:00 · b5baf76f77
commit b5baf76f77
parent 8034b0568b
2 changed files with 24 additions and 1 deletions
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@ -1026,7 +1026,8 @@ void Heap::GarbageCollectionEpilogue() {
      Handle<FinalizationGroupCleanupJobTask> task =
          isolate()->factory()->NewFinalizationGroupCleanupJobTask(
              finalization_group);
-      context->microtask_queue()->EnqueueMicrotask(*task);
+      MicrotaskQueue* microtask_queue = context->microtask_queue();
+      if (microtask_queue) microtask_queue->EnqueueMicrotask(*task);
    }
  }
 }
--- a/test/mjsunit/harmony/weakrefs/cleanup-on-detached-realm.js
+++ b/test/mjsunit/harmony/weakrefs/cleanup-on-detached-realm.js
@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-weak-refs --expose-gc --noincremental-marking
+
+let r = Realm.create();
+let FG = Realm.eval(r, "FinalizationGroup");
+Realm.detachGlobal(r);
+
+let fg = new FG(()=> {
+  assertUnreachable();
+});
+
+(() => {
+  let object = {};
+  fg.register(object, {});
+
+  // object goes out of scope.
+})();
+
+gc();