deps: V8: backport ea0719b8ed08
Original commit message:

    [snapshot] Do not defer ArrayBuffers during snapshotting

    ArrayBuffer instances are serialized by first re-assigning an index
    to the backing store field, then serializing the object, and then
    storing the actual backing store address again (and the same for the
    ArrayBufferExtension). If serialization of the object itself is deferred,
    the real backing store address is written into the snapshot, which cannot be
    processed when deserializing, leading to a crash.

    This fixes this by not deferring ArrayBuffer serialization and adding a DCHECK
    for the crash that previously occurred.

    Change-Id: Id9bea8268061bd0770cde7bfeb6695248978f994
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144123
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Reviewed-by: Dan Elphick <delphick@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#67114}

Refs: v8/v8@ea0719b

PR-URL: #33300
Refs: v8/v8@bb9f0c2
Refs: v8/v8@22014de
Refs: #17058
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
joyeecheung authored and codebytere committed Jun 30, 2020
1 parent 54a2f3d commit d07e7b8
Showing 3 changed files with 10 additions and 2 deletions.
2 changes: 1 addition & 1 deletion common.gypi
@@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.17',
'v8_embedder_string': '-node.18',

##### V8 defaults for Node.js #####

1 change: 1 addition & 0 deletions deps/v8/src/snapshot/deserializer.h
@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {
}

std::shared_ptr<BackingStore> backing_store(size_t i) {
DCHECK_LT(i, backing_stores_.size());
return backing_stores_[i];
}

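Review bot: DCHECK_LT(i, backing_stores_.size()) in backing_store() is a debug-only check, so a release build still indexes backing_stores_ out of range and crashes exactly as before; this hunk improves diagnosability of a bad index rather than preventing it, and the actual prevention is the CanBeDeferred change in serializer-common.cc. That is acceptable as long as the two hunks land together, but a one-line comment on the DCHECK pointing at the deferral rule in CanBeDeferred would make that dependency visible to the next reader.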
9 changes: 8 additions & 1 deletion deps/v8/src/snapshot/serializer-common.cc
@@ -125,7 +125,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {
}

bool SerializerDeserializer::CanBeDeferred(HeapObject o) {
return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();
// ArrayBuffer instances are serialized by first re-assigning a index
// to the backing store field, then serializing the object, and then
// storing the actual backing store address again (and the same for the
// ArrayBufferExtension). If serialization of the object itself is deferred,
// the real backing store address is written into the snapshot, which cannot
// be processed when deserializing.
return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&
!o.IsJSArrayBuffer();
}

void SerializerDeserializer::RestoreExternalReferenceRedirectors(
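Review bot: Typo in the new comment at the top of CanBeDeferred: "re-assigning a index" should read "an index". On the logic, adding !o.IsJSArrayBuffer() to the existing string, script and typed-array exclusions matches the commit message, but the new comment only explains the ArrayBuffer case while the pre-existing IsJSTypedArray exclusion stays undocumented; extending the comment to cover why typed arrays are excluded as well would keep the full rationale next to the condition.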
