From: yangguo <yangguo@chromium.org>
Date: Fri, 19 Jun 2015 09:07:23 +0000 (-0700)
Subject: Serializer: do not miss outdated contexts if they are serialized deferred.
X-Git-Tag: upstream/4.7.83~1904
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f6b71512ea8a99f0882a2997f5ba600bea6e8752;p=platform%2Fupstream%2Fv8.git

Serializer: do not miss outdated contexts if they are serialized deferred.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1189183002

Cr-Commit-Position: refs/heads/master@{#29136}
---

diff --git a/src/snapshot/serialize.cc b/src/snapshot/serialize.cc
index 980e4997d..660551f86 100644
--- a/src/snapshot/serialize.cc
+++ b/src/snapshot/serialize.cc
@@ -621,8 +621,8 @@ MaybeHandle<Object> Deserializer::DeserializePartial(
   Object* root;
   Object* outdated_contexts;
   VisitPointer(&root);
-  VisitPointer(&outdated_contexts);
   DeserializeDeferredObjects();
+  VisitPointer(&outdated_contexts);
 
   // There's no code deserialized here. If this assert fires then that's
   // changed and logging should be added to notify the profiler et al of the
@@ -1399,8 +1399,8 @@ void PartialSerializer::Serialize(Object** o) {
     back_reference_map()->AddGlobalProxy(context->global_proxy());
   }
   VisitPointer(o);
-  SerializeOutdatedContextsAsFixedArray();
   SerializeDeferredObjects();
+  SerializeOutdatedContextsAsFixedArray();
   Pad();
 }
 
diff --git a/test/cctest/test-serialize.cc b/test/cctest/test-serialize.cc
index 896233054..6089e43db 100644
--- a/test/cctest/test-serialize.cc
+++ b/test/cctest/test-serialize.cc
@@ -702,6 +702,57 @@ TEST(PerIsolateSnapshotBlobs) {
 }
 
 
+static void SerializationFunctionTemplate(
+    const v8::FunctionCallbackInfo<v8::Value>& args) {
+  args.GetReturnValue().Set(args[0]);
+}
+
+
+TEST(PerIsolateSnapshotBlobsOutdatedContextWithOverflow) {
+  DisableTurbofan();
+
+  const char* source1 =
+      "var o = {};"
+      "(function() {"
+      "  function f1(x) { return f2(x) instanceof Array; }"
+      "  function f2(x) { return foo.bar(x); }"
+      "  o.a = f2.bind(null);"
+      "  o.b = 1;"
+      "  o.c = 2;"
+      "  o.d = 3;"
+      "  o.e = 4;"
+      "})();\n";
+
+  const char* source2 = "o.a(42)";
+
+  v8::StartupData data = v8::V8::CreateSnapshotDataBlob(source1);
+
+  v8::Isolate::CreateParams params;
+  params.snapshot_blob = &data;
+  params.array_buffer_allocator = CcTest::array_buffer_allocator();
+
+  v8::Isolate* isolate = v8::Isolate::New(params);
+  {
+    v8::Isolate::Scope i_scope(isolate);
+    v8::HandleScope h_scope(isolate);
+
+    v8::Local<v8::ObjectTemplate> global = v8::ObjectTemplate::New(isolate);
+    v8::Local<v8::ObjectTemplate> property = v8::ObjectTemplate::New(isolate);
+    v8::Local<v8::FunctionTemplate> function =
+        v8::FunctionTemplate::New(isolate, SerializationFunctionTemplate);
+    property->Set(isolate, "bar", function);
+    global->Set(isolate, "foo", property);
+
+    v8::Local<v8::Context> context = v8::Context::New(isolate, NULL, global);
+    delete[] data.data;  // We can dispose of the snapshot blob now.
+    v8::Context::Scope c_scope(context);
+    v8::Local<v8::Value> result = CompileRun(source2);
+    CHECK(v8_str("42")->Equals(result));
+  }
+  isolate->Dispose();
+}
+
+
 TEST(PerIsolateSnapshotBlobsWithLocker) {
   DisableTurbofan();
   v8::Isolate::CreateParams create_params;