[ext-code-space][heap] Fix EvacuateRecordOnlyVisitor

... which was using incorrect cage base value for reading map field.

Drive-by: fix CodeDataContainer verifier - the value returned by
code().InstructionStart() might not always be equal to cached code
entry point value when shared pointer compression cage is enabled.

Bug: v8:11880, chromium:1291299
Change-Id: I1338717095a9a1ad2c056f0af0181eabaef88431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3420308Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78815}

src/diagnostics/objects-debug.cc

@@ -1022,8 +1022,33 @@ void CodeDataContainer::CodeDataContainerVerify(Isolate* isolate) {
       CHECK_EQ(code().kind(), kind());
       CHECK_EQ(code().builtin_id(), builtin_id());
 #endif  // V8_EXTERNAL_CODE_SPACE
-      CHECK_EQ(code().InstructionStart(), code_entry_point());
       CHECK_EQ(code().code_data_container(kAcquireLoad), *this);
+
+      // Ensure the cached code entry point corresponds to the Code object
+      // associated with this CodeDataContainer.
+#ifdef V8_COMPRESS_POINTERS_IN_SHARED_CAGE
+      if (V8_SHORT_BUILTIN_CALLS_BOOL) {
+        if (code().InstructionStart() == code_entry_point()) {
+          // Most common case, all good.
+        } else {
+          // When shared pointer compression cage is enabled and it has the
+          // embedded code blob copy then the Code::InstructionStart() might
+          // return address of the remapped builtin regardless of whether the
+          // builtins copy exsisted when the code_entry_point value was cached
+          // in the CodeDataContainer (see Code::OffHeapInstructionStart()).
+          // So, do a reverse Code object lookup via code_entry_point value to
+          // ensure it corresponds to the same Code object associated with this
+          // CodeDataContainer.
+          Code the_code = isolate->heap()->GcSafeFindCodeForInnerPointer(
+              code_entry_point());
+          CHECK_EQ(the_code, code());
+        }
+      } else {
+        CHECK_EQ(code().InstructionStart(), code_entry_point());
+      }
+#else
+      CHECK_EQ(code().InstructionStart(), code_entry_point());
+#endif  // V8_COMPRESS_POINTERS_IN_SHARED_CAGE
     }
   }
 }

src/heap/mark-compact.cc

@@ -1824,19 +1824,41 @@ class EvacuateOldSpaceVisitor final : public EvacuateVisitorBase {
 
 class EvacuateRecordOnlyVisitor final : public HeapObjectVisitor {
  public:
-  explicit EvacuateRecordOnlyVisitor(Heap* heap) : heap_(heap) {}
+  explicit EvacuateRecordOnlyVisitor(Heap* heap)
+      : heap_(heap)
+#ifdef V8_COMPRESS_POINTERS
+        ,
+        cage_base_(heap->isolate())
+#endif  // V8_COMPRESS_POINTERS
+  {
+  }
+
+  // The pointer compression cage base value used for decompression of all
+  // tagged values except references to Code objects.
+  V8_INLINE PtrComprCageBase cage_base() const {
+#ifdef V8_COMPRESS_POINTERS
+    return cage_base_;
+#else
+    return PtrComprCageBase{};
+#endif  // V8_COMPRESS_POINTERS
+  }
 
   inline bool Visit(HeapObject object, int size) override {
     RecordMigratedSlotVisitor visitor(heap_->mark_compact_collector(),
                                       &heap_->ephemeron_remembered_set_);
-    DCHECK_IMPLIES(V8_EXTERNAL_CODE_SPACE_BOOL, !IsCodeSpaceObject(object));
-    PtrComprCageBase cage_base = GetPtrComprCageBase(object);
-    object.IterateBodyFast(cage_base, &visitor);
+    Map map = object.map(cage_base());
+    // Instead of calling object.IterateBodyFast(cage_base(), &visitor) here
+    // we can shortcut and use the precomputed size value passed to the visitor.
+    DCHECK_EQ(object.SizeFromMap(map), size);
+    object.IterateBodyFast(map, size, &visitor);
     return true;
   }
 
  private:
   Heap* heap_;
+#ifdef V8_COMPRESS_POINTERS
+  const PtrComprCageBase cage_base_;
+#endif  // V8_COMPRESS_POINTERS
 };
 
 bool MarkCompactCollector::IsUnmarkedHeapObject(Heap* heap, FullObjectSlot p) {