deps: V8: backport ea0719b8ed08

joyeecheung · codebytere · commit 8f8269299974 · 2020-06-18T09:57:14.000-07:00
Original commit message: [snapshot] Do not defer ArrayBuffers during snapshotting ArrayBuffer instances are serialized by first re-assigning a index to the backing store field, then serializing the object, and then storing the actual backing store address again (and the same for the ArrayBufferExtension). If serialization of the object itself is deferred, the real backing store address is written into the snapshot, which cannot be processed when deserializing, leading to a crash. This fixes this by not deferring ArrayBuffer serialization and adding a DCHECK for the crash that previously occurred. Change-Id: Id9bea8268061bd0770cde7bfeb6695248978f994 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144123 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#67114} Refs: v8/v8@ea0719b PR-URL: #33300 Refs: v8/v8@bb9f0c2 Refs: v8/v8@22014de Refs: #17058 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.17',
+    'v8_embedder_string': '-node.18',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/snapshot/deserializer.h b/deps/v8/src/snapshot/deserializer.h
@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {
   }
 
   std::shared_ptr<BackingStore> backing_store(size_t i) {
+    DCHECK_LT(i, backing_stores_.size());
     return backing_stores_[i];
   }
 
diff --git a/deps/v8/src/snapshot/serializer-common.cc b/deps/v8/src/snapshot/serializer-common.cc
@@ -125,7 +125,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {
 }
 
 bool SerializerDeserializer::CanBeDeferred(HeapObject o) {
-  return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();
+  // ArrayBuffer instances are serialized by first re-assigning a index
+  // to the backing store field, then serializing the object, and then
+  // storing the actual backing store address again (and the same for the
+  // ArrayBufferExtension). If serialization of the object itself is deferred,
+  // the real backing store address is written into the snapshot, which cannot
+  // be processed when deserializing.
+  return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&
+         !o.IsJSArrayBuffer();
 }
 
 void SerializerDeserializer::RestoreExternalReferenceRedirectors(

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`std::shared_ptr<BackingStore> backing_store(size_t i) {`
	`110`	`+ DCHECK_LT(i, backing_stores_.size());`
`110`	`111`	`return backing_stores_[i];`
`111`	`112`	`}`
`112`	`113`
Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`bool SerializerDeserializer::CanBeDeferred(HeapObject o) {`
`128`		`- return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();`
	`128`	`+ // ArrayBuffer instances are serialized by first re-assigning a index`
	`129`	`+ // to the backing store field, then serializing the object, and then`
	`130`	`+ // storing the actual backing store address again (and the same for the`
	`131`	`+ // ArrayBufferExtension). If serialization of the object itself is deferred,`
	`132`	`+ // the real backing store address is written into the snapshot, which cannot`
	`133`	`+ // be processed when deserializing.`
	`134`	`+ return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&`
	`135`	`+ !o.IsJSArrayBuffer();`
`129`	`136`	`}`
`130`	`137`
`131`	`138`	`void SerializerDeserializer::RestoreExternalReferenceRedirectors(`