| field | value | date / path |
|---|---|---|
| author | Anna Henningsen <anna@addaleax.net> | 2020-10-12 15:01:58 +0200 |
| committer | Michaël Zasso <targos@protonmail.com> | 2020-11-15 16:47:26 +0100 |
| commit | 0eb2528acddd59c8c48aa90c3364a244f29d1f77 (patch) | |
| tree | 0339af3e615866ea7c29998f608b5250bfac0aa6 | /deps/v8/src/api |
| parent | f4fc099080e482cc96f7cf61368e51dcd16c054a (diff) | |
| download | node-new-0eb2528acddd59c8c48aa90c3364a244f29d1f77.tar.gz | |
deps: V8: cherry-pick 3176bfd447a9
Original commit message:
[heap-profiler] Fix crash when a snapshot deleted while taking one
Fix a crash/hang that occurred when deleting a snapshot during the
GC that is part of taking another one.
Specifically, when deleting the only other snapshot in such
a situation, the `v8::HeapSnapshot::Delete()` method sees that there
is only one (complete) snapshot at that point, and decides that it is
okay to perform “delete all snapshots” instead of just deleting
the requested one. That resets the internal string lookup table
of the heap profiler, but the new snapshot that is currently in
progress still holds references to the old string lookup table,
leading to a use-after-free segfault or infinite loop.
Fix this by guarding against resetting the string table while
another heap snapshot is being taken, and add a test that would
crash before this fix.
This can be triggered in Node.js by repeatedly calling
`v8.getHeapSnapshot()`, which provides heap snapshots as weakly
held host objects.
Change-Id: If9ac3728bf79114000982f1e7bb05e8034299e3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2464823
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70445}
Refs: https://github.com/v8/v8/commit/3176bfd447a909fa9608687fe3eabcf62ec7b2eb
PR-URL: https://github.com/nodejs/node/pull/35612
Refs: https://github.com/nodejs/node/issues/35559
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Diffstat (limited to 'deps/v8/src/api')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | deps/v8/src/api/api.cc | 3 |

1 file changed, 2 insertions, 1 deletion
diff --git a/deps/v8/src/api/api.cc b/deps/v8/src/api/api.cc index b49ad728a8..c27db3e7b8 100644 --- a/deps/v8/src/api/api.cc +++ b/deps/v8/src/api/api.cc @@ -10870,7 +10870,8 @@ static i::HeapSnapshot* ToInternal(const HeapSnapshot* snapshot) { void HeapSnapshot::Delete() { i::Isolate* isolate = ToInternal(this)->profiler()->isolate(); - if (isolate->heap_profiler()->GetSnapshotsCount() > 1) { + if (isolate->heap_profiler()->GetSnapshotsCount() > 1 || + isolate->heap_profiler()->IsTakingSnapshot()) { ToInternal(this)->Delete(); } else { // If this is the last snapshot, clean up all accessory data as well. |
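Review bot: the added `isolate->heap_profiler()->IsTakingSnapshot()` condition leaves the else-branch comment `// If this is the last snapshot, clean up all accessory data as well.` incomplete, because that branch is now only reached when this is the last snapshot and no other snapshot is in progress; suggest extending the comment to state that the accessory data (including the string table an in-progress snapshot still references, per the commit message) must not be reset while a snapshot is being taken. It would also help to note that when the guard fires for the last snapshot, the accessory data is left in place and is only cleaned up by a later `Delete()` of whatever snapshot is last at that time, so readers do not mistake the deferred cleanup for a leak.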