[snapshot] Dont defer ByteArray when serializing

jameslahm · V8 LUCI CQ · commit d69c7937c99d · 2022-08-08T10:34:12.000Z
JSTypedArray needs the base_pointer ByteArray immediately if it's on heap. JSTypedArray's base_pointer was initialized to Smi::uninitialized_deserialization_value at first when deserializing, and if base_pointer was deferred, we will mistakenly check JSTypedArray not on heap. Bug: v8:13149 Change-Id: I104c83ff9a2017de1c8071a9e116baa602f6977d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813068 Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: 王澳 <wangao.james@bytedance.com> Cr-Commit-Position: refs/heads/main@{#82254}
diff --git a/src/snapshot/deserializer.cc b/src/snapshot/deserializer.cc
@@ -380,6 +380,8 @@ void Deserializer<IsolateT>::PostProcessNewJSReceiver(
     }
   } else if (InstanceTypeChecker::IsJSTypedArray(instance_type)) {
     auto typed_array = JSTypedArray::cast(raw_obj);
+    // Note: ByteArray objects must not be deferred s.t. they are
+    // available here for is_on_heap(). See also: CanBeDeferred.
     // Fixup typed array pointers.
     if (typed_array.is_on_heap()) {
       typed_array.AddExternalPointerCompensationForDeserialization(
@@ -468,7 +470,10 @@ void Deserializer<IsolateT>::PostProcessNewObject(Handle<Map> map,
         // to |ObjectDeserializer::CommitPostProcessedObjects()|.
         new_allocation_sites_.push_back(Handle<AllocationSite>::cast(obj));
       } else {
-        DCHECK(CanBeDeferred(*obj));
+        // We dont defer ByteArray because JSTypedArray needs the base_pointer
+        // ByteArray immediately if it's on heap.
+        DCHECK(CanBeDeferred(*obj) ||
+               InstanceTypeChecker::IsByteArray(instance_type));
       }
     }
   }
diff --git a/src/snapshot/serializer-deserializer.cc b/src/snapshot/serializer-deserializer.cc
@@ -50,10 +50,13 @@ bool SerializerDeserializer::CanBeDeferred(HeapObject o) {
   // 3. JS objects with embedder fields cannot be deferred because the
   // serialize/deserialize callbacks need the back reference immediately to
   // identify the object.
+  // 4. ByteArray cannot be deferred as JSTypedArray needs the base_pointer
+  // ByteArray immediately if it's on heap.
   // TODO(leszeks): Could we defer string serialization if forward references
   // were resolved after object post processing?
   return !o.IsMap() && !o.IsInternalizedString() &&
-         !(o.IsJSObject() && JSObject::cast(o).GetEmbedderFieldCount() > 0);
+         !(o.IsJSObject() && JSObject::cast(o).GetEmbedderFieldCount() > 0) &&
+         !o.IsByteArray();
 }
 
 void SerializerDeserializer::RestoreExternalReferenceRedirector(
diff --git a/test/cctest/test-serialize.cc b/test/cctest/test-serialize.cc
@@ -4969,6 +4969,46 @@ UNINITIALIZED_TEST(SnapshotCreatorAnonClassWithKeep) {
   delete[] blob.data;
 }
 
+UNINITIALIZED_TEST(SnapshotCreatorDontDeferByteArrayForTypedArray) {
+  DisableAlwaysOpt();
+  v8::StartupData blob;
+  {
+    v8::SnapshotCreator creator;
+    v8::Isolate* isolate = creator.GetIsolate();
+    {
+      v8::HandleScope handle_scope(isolate);
+
+      v8::Local<v8::Context> context = v8::Context::New(isolate);
+      v8::Context::Scope context_scope(context);
+      CompileRun(
+          "const z = new Uint8Array(1);\n"
+          "class A { \n"
+          "  static x() { \n"
+          "  } \n"
+          "} \n"
+          "class B extends A {} \n"
+          "B.foo = ''; \n"
+          "class C extends B {} \n"
+          "class D extends C {} \n"
+          "class E extends B {} \n"
+          "function F() {} \n"
+          "Object.setPrototypeOf(F, D); \n");
+      creator.SetDefaultContext(context);
+    }
+
+    blob =
+        creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(blob.raw_size > 0 && blob.data != nullptr);
+  }
+  {
+    SnapshotCreator creator(nullptr, &blob);
+    v8::Isolate* isolate = creator.GetIsolate();
+    v8::HandleScope scope(isolate);
+    USE(v8::Context::New(isolate));
+  }
+  delete[] blob.data;
+}
+
 class V8_NODISCARD DisableLazySourcePositionScope {
  public:
   DisableLazySourcePositionScope()

Original file line number	Diff line number	Diff line change
`@@ -380,6 +380,8 @@ void Deserializer<IsolateT>::PostProcessNewJSReceiver(`
`380`	`380`	`}`
`381`	`381`	`} else if (InstanceTypeChecker::IsJSTypedArray(instance_type)) {`
`382`	`382`	`auto typed_array = JSTypedArray::cast(raw_obj);`
	`383`	`+ // Note: ByteArray objects must not be deferred s.t. they are`
	`384`	`+ // available here for is_on_heap(). See also: CanBeDeferred.`
`383`	`385`	`// Fixup typed array pointers.`
`384`	`386`	`if (typed_array.is_on_heap()) {`
`385`	`387`	`typed_array.AddExternalPointerCompensationForDeserialization(`
`@@ -468,7 +470,10 @@ void Deserializer<IsolateT>::PostProcessNewObject(Handle<Map> map,`
`468`	`470`	`// to \|ObjectDeserializer::CommitPostProcessedObjects()\|.`
`469`	`471`	`new_allocation_sites_.push_back(Handle<AllocationSite>::cast(obj));`
`470`	`472`	`} else {`
`471`		`- DCHECK(CanBeDeferred(*obj));`
	`473`	`+ // We dont defer ByteArray because JSTypedArray needs the base_pointer`
	`474`	`+ // ByteArray immediately if it's on heap.`
	`475`	`+ DCHECK(CanBeDeferred(*obj) \|\|`
	`476`	`+ InstanceTypeChecker::IsByteArray(instance_type));`
`472`	`477`	`}`
`473`	`478`	`}`
`474`	`479`	`}`