deps: V8: cherry-pick ea0719b8ed08

addaleax · joyeecheung · commit 18aa7fdd8c10 · 2020-04-22T04:19:46.000+08:00
Original commit message: [snapshot] Do not defer ArrayBuffers during snapshotting ArrayBuffer instances are serialized by first re-assigning a index to the backing store field, then serializing the object, and then storing the actual backing store address again (and the same for the ArrayBufferExtension). If serialization of the object itself is deferred, the real backing store address is written into the snapshot, which cannot be processed when deserializing, leading to a crash. This fixes this by not deferring ArrayBuffer serialization and adding a DCHECK for the crash that previously occurred. Change-Id: Id9bea8268061bd0770cde7bfeb6695248978f994 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144123 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#67114} Refs: v8/v8@ea0719b
diff --git a/deps/v8/src/snapshot/deserializer.h b/deps/v8/src/snapshot/deserializer.h
@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {
   }
 
   std::shared_ptr<BackingStore> backing_store(size_t i) {
+    DCHECK_LT(i, backing_stores_.size());
     return backing_stores_[i];
   }
 
diff --git a/deps/v8/src/snapshot/serializer-common.cc b/deps/v8/src/snapshot/serializer-common.cc
@@ -126,7 +126,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {
 }
 
 bool SerializerDeserializer::CanBeDeferred(HeapObject o) {
-  return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();
+  // ArrayBuffer instances are serialized by first re-assigning a index
+  // to the backing store field, then serializing the object, and then
+  // storing the actual backing store address again (and the same for the
+  // ArrayBufferExtension). If serialization of the object itself is deferred,
+  // the real backing store address is written into the snapshot, which cannot
+  // be processed when deserializing.
+  return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&
+         !o.IsJSArrayBuffer();
 }
 
 void SerializerDeserializer::RestoreExternalReferenceRedirectors(

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`std::shared_ptr<BackingStore> backing_store(size_t i) {`
	`110`	`+ DCHECK_LT(i, backing_stores_.size());`
`110`	`111`	`return backing_stores_[i];`
`111`	`112`	`}`
`112`	`113`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`bool SerializerDeserializer::CanBeDeferred(HeapObject o) {`
`129`		`- return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();`
	`129`	`+ // ArrayBuffer instances are serialized by first re-assigning a index`
	`130`	`+ // to the backing store field, then serializing the object, and then`
	`131`	`+ // storing the actual backing store address again (and the same for the`
	`132`	`+ // ArrayBufferExtension). If serialization of the object itself is deferred,`
	`133`	`+ // the real backing store address is written into the snapshot, which cannot`
	`134`	`+ // be processed when deserializing.`
	`135`	`+ return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&`
	`136`	`+ !o.IsJSArrayBuffer();`
`130`	`137`	`}`
`131`	`138`
`132`	`139`	`void SerializerDeserializer::RestoreExternalReferenceRedirectors(`