Unexpected error with serialization and JS functions embedded in FunctionTemplate

Peng-Yu Chen

Jan 15, 2020, 1:13:29 PM
to v8-u...@googlegroups.com
Hi all, :)

I'm playing with Chromium and some of its components (mainly Blink and V8), trying to add some interesting features. Unfortunately there's an unexpected error that has already cost me some time before seeking help here.

1. Brief Description

One of my attempts is to register an API function with another JS function embedded (as the optional "data" parameter when initializing a FunctionTemplate object). However, I soon encountered errors with such practices when working with snapshots. (Snapshots are used by Blink by default when invoking V8.)

The errors may be in different forms depending on the building option:
- When making a production build, the Chromium process would crash a few seconds after being launched.
- When making a debug build (with v8_enable_debugging_features=true), the snapshot creation would fail.
(Please see below for detailed information on the errors.)

2. A Minimal Example

I managed to create a test case to reproduce the issue, which is attached as the "test_snapshot_function_data.diff" file.
The change was made on commit 408a0c7 (version 8.1.44) and should also work for other recent versions.

- When launched in a production build, the test finishes properly. Please see the attached "test_outcome_prod.txt" file for further details.
- When launched in a debugging build, the test would fail when trying to create the snapshot (in "v8/src/snapshot/startup-serializer.cc" it says "JSFunction should be added through the context snapshot instead of the isolate snapshot"). Please see the attached "test_outcome_debug.txt" file for further details.

3. Crashes with Chromium

When trying to do the same thing (embedding a JS function within a FunctionTemplate, as illustrated in the "test_snapshot_function_data.diff" file) as part of the whole Chromium build, the debugging build wouldn't finish due to failure in creating the snapshot (same as in the "test_outcome_debug.txt" file), while the production build finishes successfully but leads to crashes when launching the browser.

The crash happens almost instantly (a few seconds) after launching the browser, and does not require any further action than launching the browser (therefore the inserted JS function is not invoked at all). Please see the attached "chromium_crash_log_prod.txt" file for the error logs.

4. Help Wanted

Can you please suggest whether the error happened because my approach was wrong? If yes, could you point out the right way of achieving the same objective (to have a JS function embedded in a FunctionTemplate's "data" parameter for later use)?

Or did the error happen because of an issue in V8? I'm rather unsure of this, thus I'd ask on the mailing list before trying to submit an issue.

Regards,
P. Chen
--
..for science, you monster.
test_outcome_prod.txt
test_snapshot_function_data.diff
test_outcome_debug.txt
chromium_crash_log_prod.txt