disallow left-trim fast path when sampling heap profiler is active

Left trimming assumes that nobody other than the JSArray has a reference to the backing store. Sampling heap profiler may profile the backing store and keep a reference too it. This reference was never updated on a left-trim, causing a crash. R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com BUG= Review URL: https://codereview.chromium.org/1885723002 Cr-Commit-Position: refs/heads/master@{#35449}

disallow left-trim fast path when sampling heap profiler is active
Left trimming assumes that nobody other than the JSArray has a reference to the backing store. Sampling heap profiler may profile the backing store and keep a reference too it. This reference was never updated on a left-trim, causing a crash. R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com BUG= Review URL: https://codereview.chromium.org/1885723002 Cr-Commit-Position: refs/heads/master@{#35449}
2837cb38 · ofrobots · Commit bot · 98401b84 · 2837cb38 · 2837cb38
Commit 2837cb38 authored Apr 13, 2016 by ofrobots Committed by Commit bot Apr 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 0 deletions

heap.cc src/heap/heap.cc +3 -0

heap-profiler.h src/profiler/heap-profiler.h +1 -0

test-heap-profiler.cc test/cctest/test-heap-profiler.cc +25 -0

No files found.
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3075,6 +3075,9 @@ void Heap::CreateFillerObjectAt(Address addr, int size,
 bool Heap::CanMoveObjectStart(HeapObject* object) {
  if (!FLAG_move_object_start) return false;

+  // Sampling heap profiler may have a reference to the object.
+  if (isolate()->heap_profiler()->is_sampling_allocations()) return false;
+
  Address address = object->address();

  if (lo_space()->Contains(object)) return false;

--- a/src/profiler/heap-profiler.h
+++ b/src/profiler/heap-profiler.h
@@ -32,6 +32,7 @@ class HeapProfiler {

  bool StartSamplingHeapProfiler(uint64_t sample_interval, int stack_depth);
  void StopSamplingHeapProfiler();
+  bool is_sampling_allocations() { return !sampling_heap_profiler_.is_empty(); }
  AllocationProfile* GetAllocationProfile();

  void StartHeapObjectsTracking(bool track_allocations);

--- a/test/cctest/test-heap-profiler.cc
+++ b/test/cctest/test-heap-profiler.cc
@@ -3040,3 +3040,28 @@ TEST(SamplingHeapProfilerApiAllocation) {

  heap_profiler->StopSamplingHeapProfiler();
 }
+
+TEST(SamplingHeapProfilerLeftTrimming) {
+  v8::HandleScope scope(v8::Isolate::GetCurrent());
+  LocalContext env;
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+
+  // Suppress randomness to avoid flakiness in tests.
+  v8::internal::FLAG_sampling_heap_profiler_suppress_randomness = true;
+
+  heap_profiler->StartSamplingHeapProfiler(64);
+
+  CompileRun(
+      "for (var j = 0; j < 500; ++j) {\n"
+      "  var a = [];\n"
+      "  for (var i = 0; i < 5; ++i)\n"
+      "      a[i] = i;\n"
+      "  for (var i = 0; i < 3; ++i)\n"
+      "      a.shift();\n"
+      "}\n");
+
+  CcTest::heap()->CollectGarbage(v8::internal::NEW_SPACE);
+  // Should not crash.
+
+  heap_profiler->StopSamplingHeapProfiler();
+}