inspector: avoid v8::String allocation in fromStringView

staylor · staylor · commit fc9444f0ecc2 · 2026-05-09T17:44:11.000-04:00
fromStringView() was round-tripping the inspector StringView through v8::String::NewFromOneByte / NewFromTwoByte just to use Utf8Value for the UTF-16 to UTF-8 conversion. That allocation is into V8's managed heap, which is forbidden during certain V8 internal phases -- most notably weak callbacks during garbage collection. The concrete failure path that motivated this fix: v8::internal::HeapAllocator::AllocateRaw (debug check) v8::String::NewFromOneByte fromStringView v8_inspector__Channel__IMPL::sendResponse v8_crdtp::DomainDispatcher::sendResponse v8_inspector::EvaluateCallback::sendFailure v8_inspector::PromiseHandlerTracker::sendFailure v8_inspector::PromiseHandlerTracker::discard v8::internal::GlobalHandles::InvokeFirstPassWeakCallbacks v8::internal::Heap::PerformGarbageCollection V8 invokes inspector callbacks (specifically PromiseHandlerTracker::discard, which sends a failure response for a stale Runtime.evaluate) from inside GC's first-pass weak-callbacks phase. Sending the response goes through this helper; the v8::String::NewFromOneByte allocation then trips AllowHeapAllocation::IsAllowed() and aborts the process in debug builds (in release builds it's undefined behavior, since allocations during weak callbacks can corrupt the heap walk). The conversion doesn't actually need V8 at all -- it's just bytes in, UTF-8 bytes out. Use the same approach allocString() already uses (the call site immediately below this one in the file): direct construction of std::string for the 8-bit case, v8_inspector::UTF16ToUTF8 for the 16-bit case. v8_inspector::UTF16ToUTF8 is a pure host-side helper that doesn't touch the V8 heap. The isolate parameter is kept for API compatibility but is no longer referenced. Reproduces with lightpanda-io/browser#2407 (puppeteer-core repro against any iframe-heavy page that runs Web Workers; the inspector keeps a Runtime.evaluate callback alive past the worker / page lifetime, GC eventually fires the discard, and the v8::String allocation aborts the process). With this change, the same 25-iteration back-to-back stress test runs to completion without the V8 fatal.
diff --git a/src/binding.cpp b/src/binding.cpp
@@ -2440,14 +2440,35 @@ static inline v8_inspector::StringView toStringView(const std::string &str) {
 }
 
 static inline std::string fromStringView(v8::Isolate* isolate, const v8_inspector::StringView stringView) {
-  int length = static_cast<int>(stringView.length());
-  v8::Local<v8::String> message = (
-        stringView.is8Bit()
-          ? v8::String::NewFromOneByte(isolate, stringView.characters8(), v8::NewStringType::kNormal, length)
-          : v8::String::NewFromTwoByte(isolate, stringView.characters16(), v8::NewStringType::kNormal, length)
-      ).ToLocalChecked();
-  v8::String::Utf8Value result(isolate, message);
-  return *result;
+  // Convert the inspector StringView to UTF-8 *without* allocating a
+  // v8::String. The previous implementation round-tripped through
+  // v8::String::NewFromOneByte / NewFromTwoByte (just to use Utf8Value
+  // for the conversion), which calls into V8's heap allocator. That is
+  // forbidden during certain V8 internal phases -- in particular,
+  // weak callbacks during garbage collection, where V8's
+  // PromiseHandlerTracker can invoke EvaluateCallback::sendFailure,
+  // which lands in Channel::sendResponse, which calls this helper.
+  // Allocating in that context trips AllowHeapAllocation::IsAllowed()
+  // and aborts the process in debug builds (in release builds the
+  // allocation is undefined behavior).
+  //
+  // The 8-bit case can be a direct memcpy; the 16-bit case uses
+  // v8_inspector::UTF16ToUTF8 (a pure host-side helper that doesn't
+  // touch the V8 heap) -- the same path allocString() uses.
+  //
+  // The `isolate` parameter is preserved for API compatibility but is
+  // no longer needed.
+  (void)isolate;
+  if (stringView.is8Bit()) {
+    return std::string(
+      reinterpret_cast<const char*>(stringView.characters8()),
+      stringView.length()
+    );
+  }
+  return v8_inspector::UTF16ToUTF8(
+    reinterpret_cast<const char16_t*>(stringView.characters16()),
+    stringView.length()
+  );
 }
 
 /// Allocates a string as utf8 on the allocator without \0 terminator, for use in Zig.
