quickjs-ng / quickjs

QuickJS, the Next Generation: a mighty JavaScript engine
MIT License

Fix crash in FinalizationRegistry when the observed object is GC'd #371

Closed saghul closed 2 months ago

saghul commented 2 months ago

In the pathological case shown in https://github.com/quickjs-ng/quickjs/issues/367, both the object and the registry will be destroyed as part of the GC phase of JS_FreeRuntime. When the GC sweep happens, it's possible we are holding on to a corpse, so avoid calling the registry callback in that case.

This is similar to how Weak{Map,Set} deal with iterators being freed as part of a cycle.

Fixes: https://github.com/quickjs-ng/quickjs/issues/367
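To make the failure mode concrete, here is an added C model of a mark-and-sweep heap with a FinalizationRegistry-like object. It is example code written for this page, not QuickJS's own implementation: the Obj struct, the one-strong-edge-per-object graph, the freed flag standing in for a corpse, the guard condition (skip the callback when the registry itself is unmarked in the same sweep) and the two scenario helpers are all assumptions chosen to keep the model small. The teardown scenario models JS_FreeRuntime by marking from no root at all, and allocates held_value before the target so the sweep has already torn it down when the target's registry would fire.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy mark-and-sweep heap (assumption: not QuickJS's object layout).
 * A real engine would touch freed memory here; the model counts it instead. */
typedef struct Obj Obj;
struct Obj {
    int id;
    bool marked;      /* reachable from the roots in this collection */
    bool freed;       /* already torn down by the sweep: a corpse */
    bool is_registry;
    Obj *ref;         /* plain object: one strong edge */
    Obj *target;      /* registry: weak edge, does not keep target alive */
    Obj *held_value;  /* registry: strong edge, passed to the cleanup callback */
};

#define MAX_OBJS 16
static Obj *heap[MAX_OBJS];
static int heap_len;

typedef struct {
    int callbacks;     /* cleanup callbacks that ran on a live held_value */
    int corpse_reads;  /* callbacks that would have read freed memory */
} SweepResult;

static Obj *new_obj(bool is_registry)
{
    Obj *o = calloc(1, sizeof *o);
    if (!o || heap_len >= MAX_OBJS)
        abort();
    o->id = heap_len;
    o->is_registry = is_registry;
    heap[heap_len++] = o;
    return o;
}

static void reset_heap(void)
{
    for (int i = 0; i < heap_len; i++)
        free(heap[i]);
    heap_len = 0;
}

static void mark(Obj *o)
{
    if (!o || o->marked)
        return;
    o->marked = true;
    mark(o->ref);
    if (o->is_registry)
        mark(o->held_value); /* target is deliberately not marked: it is weak */
}

/* Fire every registry observing `dead`, with or without the corpse guard. */
static void fire_registries(Obj *dead, bool guard, SweepResult *r)
{
    for (int j = 0; j < heap_len; j++) {
        Obj *reg = heap[j];
        if (!reg->is_registry || reg->target != dead)
            continue;
        /* Guard (model of the fix): a registry dying in this same sweep must
           not run its callback, since its held_value may already be a corpse. */
        if (guard && !reg->marked)
            continue;
        if (reg->held_value->freed)
            r->corpse_reads++;   /* use-after-free in a real engine */
        else
            r->callbacks++;
    }
}

/* One full collection. root == NULL models JS_FreeRuntime: nothing stays live. */
static SweepResult collect(Obj *root, bool guard)
{
    SweepResult r = {0, 0};
    for (int i = 0; i < heap_len; i++)
        heap[i]->marked = false;
    mark(root);
    for (int i = 0; i < heap_len; i++) {
        Obj *o = heap[i];
        if (o->marked)
            continue;
        fire_registries(o, guard, &r);
        o->freed = true;
    }
    return r;
}

/* Normal case: the registry stays reachable, only its target dies. */
static SweepResult scenario_target_only(bool guard)
{
    reset_heap();
    Obj *held = new_obj(false);
    Obj *reg = new_obj(true);
    Obj *target = new_obj(false);
    Obj *root = new_obj(false);
    reg->held_value = held;
    reg->target = target;
    root->ref = reg;
    return collect(root, guard);
}

/* Pathological case: runtime teardown, so registry, target and held_value all
   die in one collection; held_value is swept (becomes a corpse) before target. */
static SweepResult scenario_runtime_teardown(bool guard)
{
    reset_heap();
    Obj *held = new_obj(false);
    Obj *reg = new_obj(true);
    Obj *target = new_obj(false);
    reg->held_value = held;
    reg->target = target;
    return collect(NULL, guard);
}

int main(void)
{
    SweepResult a = scenario_target_only(true);
    SweepResult b = scenario_runtime_teardown(false);
    SweepResult c = scenario_runtime_teardown(true);
    printf("live registry: %d callbacks, %d corpse reads\n", a.callbacks, a.corpse_reads);
    printf("teardown unguarded: %d callbacks, %d corpse reads\n", b.callbacks, b.corpse_reads);
    printf("teardown guarded: %d callbacks, %d corpse reads\n", c.callbacks, c.corpse_reads);
    return 0;
}
```

Running it shows the live-registry case firing its callback once, the unguarded teardown case reading a corpse, and the guarded teardown case running no callback at all, which is the behaviour the PR description asks for. The sweep order is what makes the bug reachable: the guard is needed precisely because nothing orders the death of held_value after the death of the target.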

saghul commented 2 months ago

> LGTM, I think, but a question: doesn't held_value turn into JS_UNDEFINED when it's collected?

Not quite. It's still an object, but it has no shape, and in the next phase it will be freed.