diff options
author | Peter Marshall <petermarshall@chromium.org> | 2018-11-09 13:06:07 +0100 |
---|---|---|
committer | Michaƫl Zasso <targos@protonmail.com> | 2018-12-06 15:25:45 +0100 |
commit | e36e9dde38caf3517890da2265e6dd9f127abe72 (patch) | |
tree | abbc9148d312c733e32761f29b5ee1cd6ad491ca /deps/v8/src | |
parent | 0e090768de1844c493013d5e99bd903928aff2ab (diff) | |
download | android-node-v8-e36e9dde38caf3517890da2265e6dd9f127abe72.tar.gz android-node-v8-e36e9dde38caf3517890da2265e6dd9f127abe72.tar.bz2 android-node-v8-e36e9dde38caf3517890da2265e6dd9f127abe72.zip |
deps: cherry-pick b87d408 from upstream V8
Original commit message:
[heap-profiler] Fix a use-after-free when snapshots are deleted
If a caller starts the sampling heap profiler and takes a snapshot,
and then deletes the snapshot before the sampling has completed, a
use-after-free will occur on the StringsStorage pointer.
The same issue applies for StartTrackingHeapObjects which shares the
same StringsStorage object.
Bug: v8:8373
Change-Id: I5d69d60d3f9465f9dd3b3bef107c204e0fda0643
Reviewed-on: https://chromium-review.googlesource.com/c/1301477
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57114}
PR-URL: https://github.com/nodejs/node/pull/24272
Refs:
https://github.com/v8/v8/commit/b87d408f65b9ab49a4d199e850d2358995deaeb2
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Diffstat (limited to 'deps/v8/src')
-rw-r--r-- | deps/v8/src/profiler/heap-profiler.cc | 9 | ||||
-rw-r--r-- | deps/v8/src/profiler/heap-profiler.h | 2 |
2 files changed, 10 insertions, 1 deletions
diff --git a/deps/v8/src/profiler/heap-profiler.cc b/deps/v8/src/profiler/heap-profiler.cc index 0978e76cff..58a8f3851f 100644 --- a/deps/v8/src/profiler/heap-profiler.cc +++ b/deps/v8/src/profiler/heap-profiler.cc @@ -23,9 +23,14 @@ HeapProfiler::~HeapProfiler() = default; void HeapProfiler::DeleteAllSnapshots() { snapshots_.clear(); - names_.reset(new StringsStorage()); + MaybeClearStringsStorage(); } +void HeapProfiler::MaybeClearStringsStorage() { + if (snapshots_.empty() && !sampling_heap_profiler_ && !allocation_tracker_) { + names_.reset(new StringsStorage()); + } +} void HeapProfiler::RemoveSnapshot(HeapSnapshot* snapshot) { snapshots_.erase( @@ -126,6 +131,7 @@ bool HeapProfiler::StartSamplingHeapProfiler( void HeapProfiler::StopSamplingHeapProfiler() { sampling_heap_profiler_.reset(); + MaybeClearStringsStorage(); } @@ -159,6 +165,7 @@ void HeapProfiler::StopHeapObjectsTracking() { ids_->StopHeapObjectsTracking(); if (allocation_tracker_) { allocation_tracker_.reset(); + MaybeClearStringsStorage(); heap()->RemoveHeapObjectAllocationTracker(this); } } diff --git a/deps/v8/src/profiler/heap-profiler.h b/deps/v8/src/profiler/heap-profiler.h index acbdc6aa7a..1e3527765e 100644 --- a/deps/v8/src/profiler/heap-profiler.h +++ b/deps/v8/src/profiler/heap-profiler.h @@ -92,6 +92,8 @@ class HeapProfiler : public HeapObjectAllocationTracker { v8::PersistentValueVector<v8::Object>* objects); private: + void MaybeClearStringsStorage(); + Heap* heap() const; // Mapping from HeapObject addresses to objects' uids. |