LibJS+LibGC: Run FinalizationRegistry cleanup host hook *after* GC

Before this change, it was possible for a second GC to get triggered in the middle of a first GC, due to allocations happening in the FinalizationRegistry cleanup host hook. To avoid this causing problems, we add a "post-GC task" mechanism and use that to invoke the host hook once all other GC activity is finished, and we've unset the "collecting garbage" flag. Note that the test included here only fails reliably when running with the -g flag (collect garbage after each allocation). Fixes #3051
Author: https://github.com/awesomekling Commit: 51a91771b8 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3342
2025-06-26 04:02:27 +00:00 · 2025-01-23 09:59:22 +01:00 · 2025-01-23 09:59:22 +01:00 · 51a91771b8 · 2025-01-23 11:11:21 +00:00
commit 51a91771b8
parent b7a554d1f2
4 changed files with 55 additions and 15 deletions
--- a/Libraries/LibJS/Runtime/FinalizationRegistry.cpp
+++ b/Libraries/LibJS/Runtime/FinalizationRegistry.cpp
@ -57,8 +57,13 @@ void FinalizationRegistry::remove_dead_cells(Badge<GC::Heap>)
        any_cells_were_removed = true;
        break;
    }
-    if (any_cells_were_removed)
-        vm().host_enqueue_finalization_registry_cleanup_job(*this);
+    if (any_cells_were_removed) {
+        // NOTE: We make a GC::Root here to ensure that the FinalizationRegistry stays alive
+        //       even if a subsequent GC is triggered before the callback has a chance to run.
+        heap().enqueue_post_gc_task([that = GC::make_root(this)]() {
+            that->vm().host_enqueue_finalization_registry_cleanup_job(*that);
+        });
+    }
 }

 // 9.13 CleanupFinalizationRegistry ( finalizationRegistry ), https://tc39.es/ecma262/#sec-cleanup-finalization-registry