[symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs

syg · V8 LUCI CQ · commit 1fada6b36f8d · 2022-10-11T14:55:03.000Z
Bug: chromium:1372500, v8:12947 Fixed: chromium:1372500 Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586 Reviewed-by: Anton Bikineev <bikineev@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#83632}
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
@@ -3479,7 +3479,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
     };
     HeapObject target = HeapObject::cast(weak_cell.target());
     if (!non_atomic_marking_state()->IsBlackOrGrey(target)) {
-      DCHECK(!target.IsUndefined());
+      DCHECK(target.CanBeHeldWeakly());
       // The value of the WeakCell is dead.
       JSFinalizationRegistry finalization_registry =
           JSFinalizationRegistry::cast(weak_cell.finalization_registry());
@@ -3501,6 +3501,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
 
     HeapObject unregister_token = weak_cell.unregister_token();
     if (!non_atomic_marking_state()->IsBlackOrGrey(unregister_token)) {
+      DCHECK(unregister_token.CanBeHeldWeakly());
       // The unregister token is dead. Remove any corresponding entries in the
       // key map. Multiple WeakCell with the same token will have all their
       // unregister_token field set to undefined when processing the first
@@ -3509,7 +3510,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
       JSFinalizationRegistry finalization_registry =
           JSFinalizationRegistry::cast(weak_cell.finalization_registry());
       finalization_registry.RemoveUnregisterToken(
-          JSReceiver::cast(unregister_token), isolate(),
+          unregister_token, isolate(),
           JSFinalizationRegistry::kKeepMatchedCellsInRegistry,
           gc_notify_updated_slot);
     } else {
diff --git a/test/mjsunit/harmony/regress/regress-crbug-1372500.js b/test/mjsunit/harmony/regress/regress-crbug-1372500.js
@@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-symbol-as-weakmap-key --expose-gc
+
+// Register an object in a FinalizationRegistry with a Symbol as the unregister
+// token.
+let fr = new FinalizationRegistry(function () {});
+(function register() {
+  fr.register({}, "holdings", Symbol('unregisterToken'));
+})();
+// The unregister token should be dead, trigger its collection.
+gc();
