Fix FinalizationRegistry refcounting bug (#656)

bnoordhuis · web-flow · commit 9c5c441744bf · 2024-11-07T09:12:34.000+01:00
Introduced in commit 61c8fe6 from last month that moved the callback into the job queue: 1. It leaked `fre->held_val` when no job was enqueued 2. It fumbled the reference count when enqueuing; JS_EnqueueJob already takes care of incrementing and decrementing it Reverts commit 0a70623 from earlier today because that didn't turn out to be a complete fix. Fixes: #648
diff --git a/quickjs.c b/quickjs.c
@@ -2107,6 +2107,8 @@ void JS_FreeRuntime(JSRuntime *rt)
     }
 #endif
 
+    assert(list_empty(&rt->gc_obj_list));
+
     /* free the classes */
     for(i = 0; i < rt->class_count; i++) {
         JSClass *cl = &rt->class_array[i];
@@ -2239,9 +2241,6 @@ void JS_FreeRuntime(JSRuntime *rt)
     }
 #endif
 
-    // FinalizationRegistry finalizers have run, no objects should remain
-    assert(list_empty(&rt->gc_obj_list));
-
     {
         JSMallocState *ms = &rt->malloc_state;
         rt->mf.js_free(ms->opaque, rt);
@@ -54985,9 +54984,7 @@ static const JSClassShortDef js_finrec_class_def[] = {
 
 static JSValue js_finrec_job(JSContext *ctx, int argc, JSValue *argv)
 {
-    JSValue ret = JS_Call(ctx, argv[0], JS_UNDEFINED, 1, &argv[1]);
-    JS_FreeValue(ctx, argv[1]);
-    return ret;
+    return JS_Call(ctx, argv[0], JS_UNDEFINED, 1, &argv[1]);
 }
 
 void JS_AddIntrinsicWeakRef(JSContext *ctx)
@@ -55078,6 +55075,7 @@ static void reset_weak_ref(JSRuntime *rt, JSWeakRefRecord **first_weak_ref)
                 args[1] = fre->held_val;
                 JS_EnqueueJob(frd->ctx, js_finrec_job, 2, args);
             }
+            JS_FreeValueRT(rt, fre->held_val);
             JS_FreeValueRT(rt, fre->token);
             js_free_rt(rt, fre);
             break;
diff --git a/tests/bug648.js b/tests/bug648.js
@@ -0,0 +1,13 @@
+/*---
+negative:
+  phase: runtime
+  type: Error
+---*/
+let finrec = new FinalizationRegistry(v => {})
+let object = {object:"object"}
+finrec.register(object, {held:"held"}, {token:"token"})
+object = undefined
+// abrupt termination should not leak |held|
+// unfortunately only shows up in qjs, not run-test262,
+// but still good to have a regression test
+throw Error("ok")

Original file line number	Diff line number	Diff line change
`@@ -2107,6 +2107,8 @@ void JS_FreeRuntime(JSRuntime *rt)`
`2107`	`2107`	`}`
`2108`	`2108`	`#endif`
`2109`	`2109`
	`2110`	`+ assert(list_empty(&rt->gc_obj_list));`
	`2111`	`+`
`2110`	`2112`	`/* free the classes */`
`2111`	`2113`	`for(i = 0; i < rt->class_count; i++) {`
`2112`	`2114`	`JSClass *cl = &rt->class_array[i];`
`@@ -2239,9 +2241,6 @@ void JS_FreeRuntime(JSRuntime *rt)`
`2239`	`2241`	`}`
`2240`	`2242`	`#endif`
`2241`	`2243`
`2242`		`- // FinalizationRegistry finalizers have run, no objects should remain`
`2243`		`- assert(list_empty(&rt->gc_obj_list));`
`2244`		`-`
`2245`	`2244`	`{`
`2246`	`2245`	`JSMallocState *ms = &rt->malloc_state;`
`2247`	`2246`	`rt->mf.js_free(ms->opaque, rt);`
`@@ -54985,9 +54984,7 @@ static const JSClassShortDef js_finrec_class_def[] = {`
`54985`	`54984`
`54986`	`54985`	`static JSValue js_finrec_job(JSContext ctx, int argc, JSValue argv)`
`54987`	`54986`	`{`
`54988`		`- JSValue ret = JS_Call(ctx, argv[0], JS_UNDEFINED, 1, &argv[1]);`
`54989`		`- JS_FreeValue(ctx, argv[1]);`
`54990`		`- return ret;`
	`54987`	`+ return JS_Call(ctx, argv[0], JS_UNDEFINED, 1, &argv[1]);`
`54991`	`54988`	`}`
`54992`	`54989`
`54993`	`54990`	`void JS_AddIntrinsicWeakRef(JSContext *ctx)`
`@@ -55078,6 +55075,7 @@ static void reset_weak_ref(JSRuntime rt, JSWeakRefRecord *first_weak_ref)`
`55078`	`55075`	`args[1] = fre->held_val;`
`55079`	`55076`	`JS_EnqueueJob(frd->ctx, js_finrec_job, 2, args);`
`55080`	`55077`	`}`
	`55078`	`+ JS_FreeValueRT(rt, fre->held_val);`
`55081`	`55079`	`JS_FreeValueRT(rt, fre->token);`
`55082`	`55080`	`js_free_rt(rt, fre);`
`55083`	`55081`	`break;`