deps: V8: cherry-pick 3176bfd447a9

addaleax · MylesBorins · commit b8529a7104fb · 2020-10-14T16:24:46.000-04:00
Original commit message: [heap-profiler] Fix crash when a snapshot deleted while taking one Fix a crash/hang that occurred when deleting a snapshot during the GC that is part of taking another one. Specifically, when deleting the only other snapshot in such a situation, the `v8::HeapSnapshot::Delete()` method sees that there is only one (complete) snapshot at that point, and decides that it is okay to perform “delete all snapshots” instead of just deleting the requested one. That resets the internal string lookup table of the heap profiler, but the new snapshot that is currently in progress still holds references to the old string lookup table, leading to a use-after-free segfault or infinite loop. Fix this by guarding against resetting the string table while another heap snapshot is being taken, and add a test that would crash before this fix. This can be triggered in Node.js by repeatedly calling `v8.getHeapSnapshot()`, which provides heap snapshots as weakly held host objects. Change-Id: If9ac3728bf79114000982f1e7bb05e8034299e3c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2464823 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#70445} Refs: v8/v8@3176bfd PR-URL: #35612 Refs: #35559 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.16',
+    'v8_embedder_string': '-node.17',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/api/api.cc b/deps/v8/src/api/api.cc
@@ -10745,7 +10745,8 @@ static i::HeapSnapshot* ToInternal(const HeapSnapshot* snapshot) {
 
 void HeapSnapshot::Delete() {
   i::Isolate* isolate = ToInternal(this)->profiler()->isolate();
-  if (isolate->heap_profiler()->GetSnapshotsCount() > 1) {
+  if (isolate->heap_profiler()->GetSnapshotsCount() > 1 ||
+      isolate->heap_profiler()->IsTakingSnapshot()) {
     ToInternal(this)->Delete();
   } else {
     // If this is the last snapshot, clean up all accessory data as well.
diff --git a/deps/v8/src/profiler/heap-profiler.cc b/deps/v8/src/profiler/heap-profiler.cc
@@ -18,7 +18,8 @@ namespace internal {
 HeapProfiler::HeapProfiler(Heap* heap)
     : ids_(new HeapObjectsMap(heap)),
       names_(new StringsStorage()),
-      is_tracking_object_moves_(false) {}
+      is_tracking_object_moves_(false),
+      is_taking_snapshot_(false) {}
 
 HeapProfiler::~HeapProfiler() = default;
 
@@ -28,7 +29,8 @@ void HeapProfiler::DeleteAllSnapshots() {
 }
 
 void HeapProfiler::MaybeClearStringsStorage() {
-  if (snapshots_.empty() && !sampling_heap_profiler_ && !allocation_tracker_) {
+  if (snapshots_.empty() && !sampling_heap_profiler_ && !allocation_tracker_ &&
+      !is_taking_snapshot_) {
     names_.reset(new StringsStorage());
   }
 }
@@ -66,6 +68,7 @@ HeapSnapshot* HeapProfiler::TakeSnapshot(
     v8::ActivityControl* control,
     v8::HeapProfiler::ObjectNameResolver* resolver,
     bool treat_global_objects_as_roots) {
+  is_taking_snapshot_ = true;
   HeapSnapshot* result = new HeapSnapshot(this, treat_global_objects_as_roots);
   {
     HeapSnapshotGenerator generator(result, control, resolver, heap());
@@ -78,6 +81,7 @@ HeapSnapshot* HeapProfiler::TakeSnapshot(
   }
   ids_->RemoveDeadEntries();
   is_tracking_object_moves_ = true;
+  is_taking_snapshot_ = false;
 
   heap()->isolate()->debug()->feature_tracker()->Track(
       DebugFeatureTracker::kHeapSnapshot);
@@ -138,10 +142,12 @@ void HeapProfiler::StopHeapObjectsTracking() {
   }
 }
 
-int HeapProfiler::GetSnapshotsCount() {
+int HeapProfiler::GetSnapshotsCount() const {
   return static_cast<int>(snapshots_.size());
 }
 
+bool HeapProfiler::IsTakingSnapshot() const { return is_taking_snapshot_; }
+
 HeapSnapshot* HeapProfiler::GetSnapshot(int index) {
   return snapshots_.at(index).get();
 }
diff --git a/deps/v8/src/profiler/heap-profiler.h b/deps/v8/src/profiler/heap-profiler.h
@@ -49,7 +49,8 @@ class HeapProfiler : public HeapObjectAllocationTracker {
 
   SnapshotObjectId PushHeapObjectsStats(OutputStream* stream,
                                         int64_t* timestamp_us);
-  int GetSnapshotsCount();
+  int GetSnapshotsCount() const;
+  bool IsTakingSnapshot() const;
   HeapSnapshot* GetSnapshot(int index);
   SnapshotObjectId GetSnapshotObjectId(Handle<Object> obj);
   SnapshotObjectId GetSnapshotObjectId(NativeObject obj);
@@ -93,6 +94,7 @@ class HeapProfiler : public HeapObjectAllocationTracker {
   std::unique_ptr<StringsStorage> names_;
   std::unique_ptr<AllocationTracker> allocation_tracker_;
   bool is_tracking_object_moves_;
+  bool is_taking_snapshot_;
   base::Mutex profiler_mutex_;
   std::unique_ptr<SamplingHeapProfiler> sampling_heap_profiler_;
   std::vector<std::pair<v8::HeapProfiler::BuildEmbedderGraphCallback, void*>>
diff --git a/deps/v8/test/cctest/test-heap-profiler.cc b/deps/v8/test/cctest/test-heap-profiler.cc
@@ -4126,3 +4126,40 @@ TEST(Bug8373_2) {
 
   heap_profiler->StopTrackingHeapObjects();
 }
+
+TEST(HeapSnapshotDeleteDuringTakeSnapshot) {
+  // Check that a heap snapshot can be deleted during GC while another one
+  // is being taken.
+
+  LocalContext env;
+  v8::HandleScope scope(env->GetIsolate());
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+  int gc_calls = 0;
+  v8::Global<v8::Object> handle;
+
+  {
+    struct WeakData {
+      const v8::HeapSnapshot* snapshot;
+      int* gc_calls;
+      v8::Global<v8::Object>* handle;
+    };
+    WeakData* data =
+        new WeakData{heap_profiler->TakeHeapSnapshot(), &gc_calls, &handle};
+
+    v8::HandleScope scope(env->GetIsolate());
+    handle.Reset(env->GetIsolate(), v8::Object::New(env->GetIsolate()));
+    handle.SetWeak(
+        data,
+        [](const v8::WeakCallbackInfo<WeakData>& data) {
+          std::unique_ptr<WeakData> weakdata{data.GetParameter()};
+          const_cast<v8::HeapSnapshot*>(weakdata->snapshot)->Delete();
+          ++*weakdata->gc_calls;
+          weakdata->handle->Reset();
+        },
+        v8::WeakCallbackType::kParameter);
+  }
+  CHECK_EQ(gc_calls, 0);
+
+  CHECK(ValidateSnapshot(heap_profiler->TakeHeapSnapshot()));
+  CHECK_EQ(gc_calls, 1);
+}

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,8 @@ namespace internal {`
`18`	`18`	`HeapProfiler::HeapProfiler(Heap* heap)`
`19`	`19`	`: ids_(new HeapObjectsMap(heap)),`
`20`	`20`	`names_(new StringsStorage()),`
`21`		`- is_tracking_object_moves_(false) {}`
	`21`	`+ is_tracking_object_moves_(false),`
	`22`	`+ is_taking_snapshot_(false) {}`
`22`	`23`
`23`	`24`	`HeapProfiler::~HeapProfiler() = default;`
`24`	`25`
`@@ -28,7 +29,8 @@ void HeapProfiler::DeleteAllSnapshots() {`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`void HeapProfiler::MaybeClearStringsStorage() {`
`31`		`- if (snapshots_.empty() && !sampling_heap_profiler_ && !allocation_tracker_) {`
	`32`	`+ if (snapshots_.empty() && !sampling_heap_profiler_ && !allocation_tracker_ &&`
	`33`	`+ !is_taking_snapshot_) {`
`32`	`34`	`names_.reset(new StringsStorage());`
`33`	`35`	`}`
`34`	`36`	`}`
`@@ -66,6 +68,7 @@ HeapSnapshot* HeapProfiler::TakeSnapshot(`
`66`	`68`	`v8::ActivityControl* control,`
`67`	`69`	`v8::HeapProfiler::ObjectNameResolver* resolver,`
`68`	`70`	`bool treat_global_objects_as_roots) {`
	`71`	`+ is_taking_snapshot_ = true;`
`69`	`72`	`HeapSnapshot* result = new HeapSnapshot(this, treat_global_objects_as_roots);`
`70`	`73`	`{`
`71`	`74`	`HeapSnapshotGenerator generator(result, control, resolver, heap());`
`@@ -78,6 +81,7 @@ HeapSnapshot* HeapProfiler::TakeSnapshot(`
`78`	`81`	`}`
`79`	`82`	`ids_->RemoveDeadEntries();`
`80`	`83`	`is_tracking_object_moves_ = true;`
	`84`	`+ is_taking_snapshot_ = false;`
`81`	`85`
`82`	`86`	`heap()->isolate()->debug()->feature_tracker()->Track(`
`83`	`87`	`DebugFeatureTracker::kHeapSnapshot);`
`@@ -138,10 +142,12 @@ void HeapProfiler::StopHeapObjectsTracking() {`
`138`	`142`	`}`
`139`	`143`	`}`
`140`	`144`
`141`		`-int HeapProfiler::GetSnapshotsCount() {`
	`145`	`+int HeapProfiler::GetSnapshotsCount() const {`
`142`	`146`	`return static_cast<int>(snapshots_.size());`
`143`	`147`	`}`
`144`	`148`
	`149`	`+bool HeapProfiler::IsTakingSnapshot() const { return is_taking_snapshot_; }`
	`150`	`+`
`145`	`151`	`HeapSnapshot* HeapProfiler::GetSnapshot(int index) {`
`146`	`152`	`return snapshots_.at(index).get();`
`147`	`153`	`}`