Closed Bug 1600017 Opened 10 months ago Closed 10 months ago

Assertion failure: index <= initialLength, at js/src/builtin/FinalizationGroupObject.cpp:594

Categories

(Core :: JavaScript: GC, defect, P1)

RESOLVED FIXED
mozilla72
Tracking Status
firefox72 --- fixed

People

(Reporter: anba, Assigned: jonco)

Attachments

(1 file)

The following test case asserts with index <= initialLength.

var group = new FinalizationGroup(x => {
  if (target1 === null) {
    return;
  }

  target1 = null;

  gc();

  print("targets:", [...x]); // consume
});

var target1 = {};
group.register(target1, "target1");

var target2 = {};
group.register(target2, "target2");

target2 = null;

gc();

When skimming through the spec proposal, it doesn't look like there's a restriction that additional empty cells can't be added to finalizationGroup.[[Cells]] during iteration. In which case the assertion simply needs to be changed from MOZ_ASSERT(index <= initialLength) to MOZ_ASSERT(index <= holdings->length())?

Nice find!

Assignee: nobody → jcoppeard
Priority: -- → P1
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7818d673556f
Fix assertion in FinalizationGroupObject::cleanupQueuedHoldings to take account of the fact that holdings can be added during cleanup r=anba
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
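
The following C++ model is an added example, not code from this bug or from SpiderMonkey; every name in it (`HoldingsCursor`, `runCleanup`, `reproduce`) is hypothetical. It assumes cleanup snapshots the queue length, hands the callback an index-based iterator over the live queue, and checks the index afterwards, and it shows why that check has to use the current length once holdings can be queued during the callback.

```cpp
// Added model, not SpiderMonkey source. All names here are hypothetical.
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

using Queue = std::vector<std::string>;

// Index-based cursor: stays valid when the queue grows or reallocates.
class HoldingsCursor {
    Queue& queue_;
    std::size_t index_ = 0;
public:
    explicit HoldingsCursor(Queue& q) : queue_(q) {}
    bool next(std::string& out) {
        if (index_ >= queue_.size()) return false;  // re-read size every step
        out = queue_[index_++];
        return true;
    }
    std::size_t index() const { return index_; }
};

struct CleanupResult {
    Queue consumed;
    std::size_t initialLength = 0, index = 0, finalLength = 0;
    bool oldBoundHolds() const { return index <= initialLength; }
    bool newBoundHolds() const { return index <= finalLength; }
};

// Run one cleanup pass; the callback gets the cursor, the live queue, and a sink.
CleanupResult runCleanup(Queue& queue,
        const std::function<void(HoldingsCursor&, Queue&, Queue&)>& cb) {
    CleanupResult r;
    r.initialLength = queue.size();      // snapshot taken before the callback
    HoldingsCursor cursor(queue);
    cb(cursor, queue, r.consumed);
    r.index = cursor.index();
    r.finalLength = queue.size();
    // Erase only what was iterated, and only if the index is within bounds.
    if (r.newBoundHolds())
        queue.erase(queue.begin(), queue.begin() + static_cast<std::ptrdiff_t>(r.index));
    return r;
}

// Constructed scenario mirroring the test case: "target2" is queued, the
// callback's nested gc() queues "target1", then the iterator is drained.
CleanupResult reproduce(Queue& queue) {
    queue = {"target2"};
    return runCleanup(queue, [](HoldingsCursor& c, Queue& q, Queue& out) {
        q.push_back("target1");          // stands in for gc() inside the callback
        for (std::string v; c.next(v);) out.push_back(v);
    });
}
```

In the reproduced scenario the cursor ends at index 2 against a snapshot length of 1, so the old bound fails while the bound against the current length holds and the erase stays in range.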