::findjsobjects doesn't work properly with V8 4.5.x

[misterdjules]

Even though I thought that #24 (which landed as 5a189dd) fixed mdb_v8's support for V8 4.5.x, it turns out that ::findjsobjects is still broken.

::findjsobjects misses a significant part of valid JavaScript objects:

[root@dev ~/mdb_v8]# node -p 'process.versions'
{ http_parser: '2.5.0',
  node: '4.0.0',
  v8: '4.5.103.30',
  uv: '1.7.3',
  zlib: '1.2.8',
  ares: '1.10.1-DEV',
  modules: '46',
  openssl: '1.0.2d' }
[root@dev ~/mdb_v8]# rm /var/cores/core.node.61936 
[root@dev ~/mdb_v8]# node -e 'function Foo() {}; var fooInstance = new Foo(); fooInstance.bar = 42; process.abort();'
Abort (core dumped)
[root@dev ~/mdb_v8]# mdb /var/cores/core.node.61939 
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> ::load /root/mdb_v8/build/ia32/mdb_v8.so
mdb_v8 version: 1.0.0 (dev)
V8 version: 4.5.103.30
Autoconfigured V8 support from target
C++ symbol demangling enabled
> ::findjsobjects -c Foo
> ::findjsobjects -p bar
> ::findjsobjects ! grep foo
> ::findjsobjects ! grep Foo
> ::findjsobjects ! grep bar
> 

However, when an object is created in a similar way, but without adding a property, ::findjsobjects is able to find it and filtering by constructor name also works as expected:

[root@dev ~/mdb_v8]# node -e 'function Foo() {}; var fooInstance = new Foo(); process.abort();'
Abort (core dumped)
[root@dev ~/mdb_v8]# mdb /var/cores/core.node.61936 
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> ::load /root/mdb_v8/build/ia32/mdb_v8.so
mdb_v8 version: 1.0.0 (dev)
V8 version: 4.5.103.30
Autoconfigured V8 support from target
C++ symbol demangling enabled
> ::findjsobjects -c Foo
9b07d541
> 

My theory so far is that the way an object's map is referenced from an object has changed. The constructor for an object used to be stored in the Map directly available from the object, but now one has to traverse the whole "transition tree" to find the original Map that contains some information about that object, including its constructor. The relevant upstream change seems to be https://codereview.chromium.org/950283002.

Before this issue is fixed, mdb_v8 1.0.0 will be pretty much unable to inspect objects on the heap.

#24 still had all tests passing because the changes in the tests that use ::findjsobjects (https://github.com/joyent/mdb_v8/pull/24/files#diff-76b702a3fc1358227ab75b86a1a39284R46 and https://github.com/joyent/mdb_v8/pull/24/files#diff-1f7f4b61869c469eb7471735f5412183R68) silently prevented the actual tests from running, which lead me to believe that they were passing. Moreover, when running manual tests, ::findjsobjects still found a significant number of objects, didn't output any garbage and in some cases found all objects so everything appeared to be working as expected. These tests will need to be fixed too.

[misterdjules]

I've made a bit of progress, and at least now I'm able to retrieve the constructor for all objects, and thus ::findjsobjects -c Foo now works in some cases where it was previously broken:

$ node -e 'function Foo() { this.someProp = "foo" }; var fooInstance = new Foo(); process.abort();'
Abort (core dumped)
$ mdb /var/cores/core.node-4.0-64.13400 
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> ::load /root/mdb_v8/build/amd64/mdb_v8.so
mdb_v8 version: 1.0.0 (dev)
V8 version: 4.5.103.30
Autoconfigured V8 support from target
C++ symbol demangling enabled
> ::findjsobjects -c Foo | ::findjsobjects | ::jsprint
{
    "someProp": "foo",
}
> 

However, it still fails in other cases. One of the failure cases that I found is the following:

$ node -e 'function Foo() {}; var fooInstance = new Foo(); fooInstance.my_buffer = new Buffer("foobarbaz"); process.abort();'
Abort (core dumped)
$ mdb /var/cores/core.node-4.0-64.13407 
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> ::load /root/mdb_v8/build/amd64/mdb_v8.so
mdb_v8 version: 1.0.0 (dev)
V8 version: 4.5.103.30
Autoconfigured V8 support from target
C++ symbol demangling enabled
> ::findjsobjects -c Foo
> ::findjsobjects -c Buffer
1788040f86b1
> ::findjsobjects -c Buffer | ::findjsobjects -r
1788040f86b1 is not referred to by a known object.
>

In other words, it seems that adding a property whose value is an instance of Buffer to any object breaks ::findjsobjects -c somehow.

::findjsobjects -p and access to properties' values is now also fixed. It was broken due to a typo in v8dbg_prop_index_mask and v8dbg_prop_index_shift.

However, as for ::findjsobjects -c, ::findjsobjects -p seems to be broken when using Buffer instances:

[root@dev ~/mdb_v8]# node -e 'function Foo() {}; var fooInstance = new Foo(); fooInstance.my_buffer = new Buffer("foobarbaz"); process.abort();'
Abort (core dumped)
[root@dev ~/mdb_v8]# mdb /var/cores/core.node-4.0-64.34992 
Loading modules: [ libumem.so.1 libc.so.1 ld.so.1 ]
> ::load /root/mdb_v8/build/amd64/mdb_v8.so
mdb_v8 version: 1.0.0 (dev)
V8 version: 4.5.103.30
Autoconfigured V8 support from target
C++ symbol demangling enabled
> ::findjsobjects -p my_buffer
>

I'm investigating these issues, but any hint or help would definitely be appreciated.

With my current changes, all tests but test/standalone/tst.postmortem_details.js succeed. Note that the tests now actually run as I reverted my previous changes that prevented them to run (See https://github.com/joyent/mdb_v8/compare/master...misterdjules:more-fixes-for-v8-4.x?expand=1#diff-1f7f4b61869c469eb7471735f5412183R68 and https://github.com/joyent/mdb_v8/compare/master...misterdjules:more-fixes-for-v8-4.x?expand=1#diff-76b702a3fc1358227ab75b86a1a39284R46).

[misterdjules]

#33 is a work in progress to fix this issue.