[heap, objects] NativeContext::retained_maps might be uninitialized

When a GC happens during context deserialization,
NativeContext::retained_maps might be uninitialized and not store a
WeakArrayList but Smi 0.

Bug: v8:12198
Change-Id: I03c1dfaa013c47907af67bb13b9277d67ca5ffae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259662Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77692}

src/diagnostics/objects-debug.cc

@@ -616,6 +616,7 @@ void Context::ContextVerify(Isolate* isolate) {
 
 void NativeContext::NativeContextVerify(Isolate* isolate) {
   ContextVerify(isolate);
+  CHECK(retained_maps() == Smi::zero() || retained_maps().IsWeakArrayList());
   CHECK_EQ(length(), NativeContext::NATIVE_CONTEXT_SLOTS);
   CHECK_EQ(kVariableSizeSentinel, map().instance_size());
 }

src/heap/heap.cc

@@ -6122,7 +6122,9 @@ void Heap::AddRetainedMap(Handle<NativeContext> context, Handle<Map> map) {
   if (map->is_in_retained_map_list()) {
     return;
   }
-  Handle<WeakArrayList> array(context->retained_maps(), isolate());
+
+  Handle<WeakArrayList> array(WeakArrayList::cast(context->retained_maps()),
+                              isolate());
   if (array->IsFull()) {
     CompactRetainedMaps(*array);
   }
@@ -6823,7 +6825,7 @@ std::vector<WeakArrayList> Heap::FindAllRetainedMaps() {
   Object context = native_contexts_list();
   while (!context.IsUndefined(isolate())) {
     NativeContext native_context = NativeContext::cast(context);
-    result.push_back(native_context.retained_maps());
+    result.push_back(WeakArrayList::cast(native_context.retained_maps()));
     context = native_context.next_context_link();
   }
   return result;

src/heap/object-stats.cc

@@ -1053,8 +1053,11 @@ void ObjectStatsCollectorImpl::RecordVirtualCodeDetails(Code code) {
 void ObjectStatsCollectorImpl::RecordVirtualContext(Context context) {
   if (context.IsNativeContext()) {
     RecordObjectStats(context, NATIVE_CONTEXT_TYPE, context.Size());
-    RecordSimpleVirtualObjectStats(context, context.retained_maps(),
-                                   ObjectStats::RETAINED_MAPS_TYPE);
+    if (context.retained_maps().IsWeakArrayList()) {
+      RecordSimpleVirtualObjectStats(
+          context, WeakArrayList::cast(context.retained_maps()),
+          ObjectStats::RETAINED_MAPS_TYPE);
+    }
 
   } else if (context.IsFunctionContext()) {
     RecordObjectStats(context, FUNCTION_CONTEXT_TYPE, context.Size());

src/objects/contexts.h

@@ -357,7 +357,7 @@ enum ContextLookupFlags {
   V(WEAKMAP_GET_INDEX, JSFunction, weakmap_get)                                \
   V(WEAKMAP_DELETE_INDEX, JSFunction, weakmap_delete)                          \
   V(WEAKSET_ADD_INDEX, JSFunction, weakset_add)                                \
-  V(RETAINED_MAPS, WeakArrayList, retained_maps)                               \
+  V(RETAINED_MAPS, Object, retained_maps)                                      \
   V(OSR_CODE_CACHE_INDEX, WeakFixedArray, osr_code_cache)
 
 #include "torque-generated/src/objects/contexts-tq.inc"