• [inspector] Fix crash due to misuse of embedder fields. · 7e2f1108
    Benedikt Meurer authored
    The contract between V8 and Blink is that embedder fields belong to
    Blink, at least when the object has two or more of them. Now we had 2-3
    embedder fields used by the debug proxies and that was confusing Blink,
    since it expects the first slot to hold an aligned pointer in that case
    and we had a HeapObject reference stored there.
    
    This is a quickfix, which avoids internal fields completely for the
    context extension proxy (using interceptors on the prototype instead)
    and changes the named proxies to store the name table under a private
    symbol instead of using a second internal field.
    
    A proper but way more involved fix is to introduce a proper instance
    type here and use space in the header instead of misusing embedder
    fields.
    
    Fixed: chromium:1170283
    Bug: chromium:1159402
    Change-Id: I6c4bbe2fe88fef29a6b9946708588245efbbe72b
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2649033
    Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
    Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
    Reviewed-by: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#72323}
Name
blink_tests
cfi
clusterfuzz
cppgc
debug_helper
dev
gcmole
generate_shim_headers
heap-stats
ignition
jsfunfuzz
link_clicker.extension
mb
memory
msan
ninja
node
perf
profview
release
sanitizers
snapshot
system-analyzer
testrunner
toolchain
torque
tracing/proto-converter
turbolizer
ubsan
unittests
v8.xcodeproj
v8windbg
valgrind/asan
vim
visual_studio
wasm
wasm-compilation-hints
zone-stats
BUILD.gn
DEPS
Makefile.tags
OWNERS
PRESUBMIT.py
SourceMap.js
__init__.py
adb-d8.py
android-build.sh
android-ll-prof.sh
android-run.py
android-sync.sh
arguments.js
arguments.mjs
avg.py
bash-completion.sh
bigint-tester.py
callstats-from-telemetry.sh
callstats.html
callstats.py
callstats.py.vpython
callstats_groups.py
check-inline-includes.sh
check-static-initializers.sh
check-unused-bailouts.sh
check-unused-symbols.sh
codemap.js
codemap.mjs
collect_deprecation_stats.sh
compare-table-gen.js
compare_torque_output.py
consarray.js
consarray.mjs
cpu.sh
cross_build_gcc.sh
csvparser.js
csvparser.mjs
deprecation_stats.py
detect-builtins.js
disasm.py
draw_instruction_graph.sh
dump-cpp.py
dumpcpp-driver.mjs
dumpcpp.mjs
eval_gc_nvp.py
eval_gc_time.sh
find-commit-for-patch.py
find_depot_tools.py
freebsd-tick-processor
fuzz-harness.sh
gc-nvp-to-csv.py
gc-nvp-trace-processor.py
gc_nvp_common.py
gdb-v8-support.py
gdbinit
gen-inlining-tests.py
gen-keywords-gen-h.py
gen-postmortem-metadata.py
gen-v8-gn.py
generate-builtins-tests.py
generate-header-include-checks.py
generate-runtime-call-stats.py
generate-ten-powers.scm
get_landmines.py
grokdump.py
ic-processor
ic-processor-driver.mjs
index.html
inspect-d8.js
linux-tick-processor
ll_prof.py
lldb_commands.py
locs.py
logreader.js
logreader.mjs
mac-nm
mac-tick-processor
objdump-v8
parse-processor
parse-processor-driver.mjs
parse-processor.html
parse-processor.mjs
perf-compare.py
predictable_wrapper.py
profile.js
profile.mjs
profile_view.js
profile_view.mjs
regexp-sequences.py
run-clang-tidy.py
run-llprof.sh
run-num-fuzzer.py
run-perf.sh
run-tests.py
run-wasm-api-tests.py
run.py
run_perf.py
shell-utils.h
sourcemap.mjs
splaytree.js
splaytree.mjs
stats-viewer.py
test262-results-parser.js
tick-processor.html
tickprocessor-driver.js
tickprocessor-driver.mjs
tickprocessor.js
tickprocessor.mjs
try_perf.py
turbolizer-perf.py
update-object-macros-undef.py
v8_presubmit.py
v8heapconst.py
whitespace.txt
windbg.js
windows-tick-processor.bat
wpr.wprp