
Issue 796145 link

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug

Blocked on:
issue 843903




Wrapper-tracing for on-stack objects is not supported.

Project Member Reported by yukishiino@chromium.org, Dec 19 2017

Issue description

Wrapper-tracing does not trace on-stack objects, so if the on-stack objects are not referenced from any other object, they will be (unintentionally) collected.

Here is example pseudocode.

  class CallbackFunction : public GarbageCollected<CallbackFunction> {
    // TraceWrapperV8Reference is a weak v8::Persistent.
    TraceWrapperV8Reference<v8::Function> v8_function_;
  };

  class DOMObject : public GarbageCollected<DOMObject> {
    using id_type_t = int;
    HeapHashMap<id_type_t,
                TraceWrapperMember<CallbackFunction>> callback_function_set_;
  };

  void DOMObject::InvokeCallback(id_type_t id) {
    // |Take| removes the callback function from the set, and returns it.
    // |callback| now lives only on the stack (a TraceWrapperMember, i.e. a
    // pointer-like handle to the CallbackFunction).
    auto callback = callback_function_set_.Take(id);

    // At this moment, |callback| is NOT a member of |callback_function_set_|.
    // Hence, |callback| is not a target of wrapper-tracing.  No one prevents
    // |callback->v8_function_| from being collected by V8 GC.

    callback->Invoke(args...);  // |v8_function_| might be already gone...  crash!
  }

Actual cases (crashes) are found at: Issue 792604

As of today, this issue is expected to be fixed with the coming unified GC and we don't have a plan to support wrapper-tracing for on-stack objects so far.  This issue was filed mostly just for a record.
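The lifetime problem described in the report above, as an added example that is not part of the original bug report or of Blink's or V8's code: a toy model of wrapper tracing and V8 GC in C++. ToyV8Heap, WeakV8Reference, RegisterWeak/AddStrongRoot and RunScenario are assumed names for this illustration, not Blink or V8 APIs. The toy GC models collection by clearing weak handles rather than freeing memory, and Invoke() returns false where the real code would crash on a cleared handle. RunScenario(false) reproduces the reported sequence (Take, GC, Invoke); RunScenario(true) pins the V8 object with a strong root for the duration of the call, standing in for what a stack scan or a strong handle would provide.

```cpp
#include <memory>
#include <unordered_map>
#include <unordered_set>
#include <utility>

// Toy stand-in for a V8 heap object.
struct V8Function {
  int (*fn)(int);
};

// Toy stand-in for TraceWrapperV8Reference: a weak handle that is cleared by
// the next GC unless wrapper tracing marked it during that cycle.
struct WeakV8Reference {
  V8Function* target = nullptr;
  bool marked = false;
};

// Toy V8 GC (assumed for this example). Collection is modelled as clearing
// every registered weak handle whose target is neither marked nor pinned by a
// strong root; a cleared handle behaves like a handle to a freed object.
class ToyV8Heap {
 public:
  void RegisterWeak(WeakV8Reference* ref) { weak_refs_.insert(ref); }
  void UnregisterWeak(WeakV8Reference* ref) { weak_refs_.erase(ref); }
  void AddStrongRoot(V8Function* f) { strong_roots_.insert(f); }
  void RemoveStrongRoot(V8Function* f) { strong_roots_.erase(f); }

  void CollectGarbage() {
    std::unordered_set<V8Function*> live(strong_roots_);
    for (WeakV8Reference* ref : weak_refs_)
      if (ref->marked && ref->target) live.insert(ref->target);
    for (WeakV8Reference* ref : weak_refs_) {
      if (ref->target && !live.count(ref->target)) ref->target = nullptr;
      ref->marked = false;  // marks are valid for one cycle only
    }
  }

 private:
  std::unordered_set<WeakV8Reference*> weak_refs_;
  std::unordered_set<V8Function*> strong_roots_;
};

class CallbackFunction {
 public:
  CallbackFunction(ToyV8Heap& heap, V8Function* fn)
      : heap_(heap), v8_function_{fn} { heap_.RegisterWeak(&v8_function_); }
  ~CallbackFunction() { heap_.UnregisterWeak(&v8_function_); }
  // Reached only through a traced container; marks the handle for this cycle.
  void TraceWrappers() { v8_function_.marked = true; }
  // Returns false where the real code would dereference a cleared handle.
  bool Invoke(int arg, int* out) const {
    if (!v8_function_.target) return false;
    *out = v8_function_.target->fn(arg);
    return true;
  }

 private:
  ToyV8Heap& heap_;
  WeakV8Reference v8_function_;
};

class DOMObject {
 public:
  using id_type_t = int;
  void Register(id_type_t id, std::unique_ptr<CallbackFunction> cb) {
    callback_function_set_[id] = std::move(cb);
  }
  // Wrapper tracing walks the container only; a callback already taken out of
  // it, living only on the stack, is never visited.
  void TraceWrappers() {
    for (auto& entry : callback_function_set_) entry.second->TraceWrappers();
  }
  std::unique_ptr<CallbackFunction> Take(id_type_t id) {
    auto it = callback_function_set_.find(id);
    if (it == callback_function_set_.end()) return nullptr;
    auto cb = std::move(it->second);
    callback_function_set_.erase(it);
    return cb;
  }

 private:
  std::unordered_map<id_type_t, std::unique_ptr<CallbackFunction>>
      callback_function_set_;
};

static int Double(int x) { return 2 * x; }

// The reported sequence: Take() removes the callback from the traced set, a GC
// runs before Invoke(), and the handle is cleared. With |pin_during_call| the
// V8 object is held by a strong root across the call and the call succeeds.
// Returns the callback's result, or -1 if the V8 function was collected.
int RunScenario(bool pin_during_call) {
  ToyV8Heap heap;
  V8Function fn{Double};  // constructed sample V8 object
  DOMObject obj;
  obj.Register(1, std::make_unique<CallbackFunction>(heap, &fn));
  std::unique_ptr<CallbackFunction> callback = obj.Take(1);
  if (pin_during_call) heap.AddStrongRoot(&fn);
  obj.TraceWrappers();   // |callback| is no longer in the set: not traced.
  heap.CollectGarbage();
  int out = -1;
  bool ok = callback->Invoke(7, &out);
  if (pin_during_call) heap.RemoveStrongRoot(&fn);
  return ok ? out : -1;
}
```

The unpinned run returns -1 because the only path to the V8 function ran through a container the callback had already left; the pinned run returns 14. A real fix needs the GC itself to see stack-held handles (which is what the later comments say unified GC provides), not an ad hoc root added at each call site.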

 
Project Member

Comment 1 by sheriffbot@chromium.org, Dec 19

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Blockedon: 843903
Owner: mlippautz@chromium.org
Michael, is this still relevant at the current state of unified gc? Should we keep this bug open?

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Status: Assigned (was: Untriaged)
This should be supported out of the box with unified gc. It will not be called wrapper tracing though :)

We can keep it as assigned to me for tracking purposes but this will essentially be resolved the moment we turn on unified gc.

Labels: -Hotlist-Recharge-Cold
