From e36e9dde38caf3517890da2265e6dd9f127abe72 Mon Sep 17 00:00:00 2001
From: Peter Marshall <petermarshall@chromium.org>
Date: Fri, 9 Nov 2018 13:06:07 +0100
Subject: deps: cherry-pick b87d408 from upstream V8

Original commit message:

    [heap-profiler] Fix a use-after-free when snapshots are deleted

    If a caller starts the sampling heap profiler and takes a snapshot,
    and then deletes the snapshot before the sampling has completed, a
    use-after-free will occur on the StringsStorage pointer.

    The same issue applies for StartTrackingHeapObjects which shares the
    same StringsStorage object.

    Bug: v8:8373
    Change-Id: I5d69d60d3f9465f9dd3b3bef107c204e0fda0643
    Reviewed-on: https://chromium-review.googlesource.com/c/1301477
    Commit-Queue: Peter Marshall <petermarshall@chromium.org>
    Reviewed-by: Alexei Filippov <alph@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#57114}

PR-URL: https://github.com/nodejs/node/pull/24272
Refs:
https://github.com/v8/v8/commit/b87d408f65b9ab49a4d199e850d2358995deaeb2
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
---
 deps/v8/test/cctest/test-heap-profiler.cc | 42 +++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

(limited to 'deps/v8/test/cctest/test-heap-profiler.cc')

diff --git a/deps/v8/test/cctest/test-heap-profiler.cc b/deps/v8/test/cctest/test-heap-profiler.cc
index 257ef1c723..f3c545fd83 100644
--- a/deps/v8/test/cctest/test-heap-profiler.cc
+++ b/deps/v8/test/cctest/test-heap-profiler.cc
@@ -3875,3 +3875,45 @@ TEST(WeakReference) {
   const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot();
   CHECK(ValidateSnapshot(snapshot));
 }
+
+TEST(Bug8373_1) {
+  LocalContext env;
+  v8::HandleScope scope(env->GetIsolate());
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+
+  heap_profiler->StartSamplingHeapProfiler(100);
+
+  heap_profiler->TakeHeapSnapshot();
+  // Causes the StringsStorage to be deleted.
+  heap_profiler->DeleteAllHeapSnapshots();
+
+  // Triggers an allocation sample that tries to use the StringsStorage.
+  for (int i = 0; i < 2 * 1024; ++i) {
+    CompileRun(
+        "new Array(64);"
+        "new Uint8Array(16);");
+  }
+
+  heap_profiler->StopSamplingHeapProfiler();
+}
+
+TEST(Bug8373_2) {
+  LocalContext env;
+  v8::HandleScope scope(env->GetIsolate());
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+
+  heap_profiler->StartTrackingHeapObjects(true);
+
+  heap_profiler->TakeHeapSnapshot();
+  // Causes the StringsStorage to be deleted.
+  heap_profiler->DeleteAllHeapSnapshots();
+
+  // Triggers an allocations that try to use the StringsStorage.
+  for (int i = 0; i < 2 * 1024; ++i) {
+    CompileRun(
+        "new Array(64);"
+        "new Uint8Array(16);");
+  }
+
+  heap_profiler->StopTrackingHeapObjects();
+}
-- 
cgit v1.2.3