[sandbox] Fix two deserializer issues when sandbox is enabled

When the sandbox is enabled, an empty ArrayBuffer does not have a nullptr backing store but instead points to a special EmptyBackingStore pseudo-object inside the sandbox. This then requires special handling during deserialization. This CL fixes two cases where this was not done correctly, which caused some crashes when --stress-snapshot is active. Bug: v8:10391 Change-Id: I412adace229b979b317864a3e8c12ed4c601b850 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716480Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#81297}

[sandbox] Fix two deserializer issues when sandbox is enabled
When the sandbox is enabled, an empty ArrayBuffer does not have a nullptr backing store but instead points to a special EmptyBackingStore pseudo-object inside the sandbox. This then requires special handling during deserialization. This CL fixes two cases where this was not done correctly, which caused some crashes when --stress-snapshot is active. Bug: v8:10391 Change-Id: I412adace229b979b317864a3e8c12ed4c601b850 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716480Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#81297}
9d3a645b · Samuel Groß · V8 LUCI CQ · 69bb334f · 9d3a645b
Commit 9d3a645b authored Jun 21, 2022 by Samuel Groß Committed by V8 LUCI CQ Jun 22, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 8 deletions

deserializer.cc src/snapshot/deserializer.cc +15 -8

No files found.
--- a/src/snapshot/deserializer.cc
+++ b/src/snapshot/deserializer.cc
@@ -373,12 +373,19 @@ void Deserializer<IsolateT>::PostProcessNewJSReceiver(
    auto data_view = JSDataView::cast(raw_obj);
    auto buffer = JSArrayBuffer::cast(data_view.buffer());
    void* backing_store = EmptyBackingStoreBuffer();
-    uint32_t store_index = buffer.GetBackingStoreRefForDeserialization();
-    if (store_index != kEmptyBackingStoreRefSentinel) {
-      // The backing store of the JSArrayBuffer has not been correctly restored
-      // yet, as that may trigger GC. The backing_store field currently contains
-      // a numbered reference to an already deserialized backing store.
-      backing_store = backing_stores_[store_index]->buffer_start();
+    // At this point, the backing store may already have been set if this is an
+    // empty ArrayBuffer (see the IsJSArrayBuffer case below). In that case,
+    // the backing store ref/index is no longer valid so explicitly check here
+    // if the buffer is empty before using the store index.
+    if (buffer.backing_store() != EmptyBackingStoreBuffer()) {
+      uint32_t store_index = buffer.GetBackingStoreRefForDeserialization();
+      if (store_index != kEmptyBackingStoreRefSentinel) {
+        // The backing store of the JSArrayBuffer has not been correctly
+        // restored yet, as that may trigger GC. The backing_store field
+        // currently contains a numbered reference to an already deserialized
+        // backing store.
+        backing_store = backing_stores_[store_index]->buffer_start();
+      }
    }
    data_view.set_data_pointer(
        main_thread_isolate(),
@@ -394,8 +401,8 @@ void Deserializer<IsolateT>::PostProcessNewJSReceiver(
      uint32_t store_index =
          typed_array.GetExternalBackingStoreRefForDeserialization();
      auto backing_store = backing_stores_[store_index];
-      void* start = backing_store ? backing_store->buffer_start()
-                                  : EmptyBackingStoreBuffer();
+      void* start = backing_store ? backing_store->buffer_start() : nullptr;
+      if (!start) start = EmptyBackingStoreBuffer();
      typed_array.SetOffHeapDataPtr(main_thread_isolate(), start,
                                    typed_array.byte_offset());
    }