Heap snapshot crash on v14.x

[legendecas]

Version

v14.19.1

Platform

all

Subsystem

v8 engine

What steps will reproduce the bug?

Run the following script:

function that() {
  const p = new Promise(resolve => {
    setTimeout(resolve, 1);
  });
  Promise.all([p]); // <= The key problem here, it created a PromiseAllResolveElementContext which crashes the HeapSnapshotGenerator
}
that();

const v8 = require('v8');
const fs = require('fs');
const stream = fs.createWriteStream('./node.heapsnapshot');
v8.getHeapSnapshot().pipe(stream);

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior?

No crashes.

What do you see instead?

The program crashed with SIGSEGV.

Additional information

Node.js v16.x doesn't have this problem. So I'd think we may need to find the v8 commit that fixed the problem and backport it to v14.x.

[legendecas]

It seems we already have a series of heap snapshot crashes on v14.x. And their crash backtrace is similar to the one in the OP:

• SIGSEGV on v8.getHeapSnapshot() #38961
• Segmentation Fault When Creating Heap Snapshot #39258
• Crash when in inspector take a heap snapshot #37878
• Taking snapshot crashes Worker thread when taken during bootstrap #37069

[legendecas]

I can confirm the problem can be fixed by a small v8 patch: https://chromium-review.googlesource.com/c/v8/v8/+/2277806

[legendecas]

V8 bug tracking the problem: https://bugs.chromium.org/p/v8/issues/detail?id=10629

[legendecas]

Closing as #42637 has landed.