disallow left-trim fast path when sampling heap profiler is active

ofrobots · Commit bot · commit 2837cb387b4c · 2016-04-13T15:11:21.000Z
Left trimming assumes that nobody other than the JSArray has a reference to the backing store. Sampling heap profiler may profile the backing store and keep a reference too it. This reference was never updated on a left-trim, causing a crash. R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com BUG= Review URL: https://codereview.chromium.org/1885723002 Cr-Commit-Position: refs/heads/master@{#35449}
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
@@ -3075,6 +3075,9 @@ void Heap::CreateFillerObjectAt(Address addr, int size,
 bool Heap::CanMoveObjectStart(HeapObject* object) {
   if (!FLAG_move_object_start) return false;
 
+  // Sampling heap profiler may have a reference to the object.
+  if (isolate()->heap_profiler()->is_sampling_allocations()) return false;
+
   Address address = object->address();
 
   if (lo_space()->Contains(object)) return false;
diff --git a/src/profiler/heap-profiler.h b/src/profiler/heap-profiler.h
@@ -32,6 +32,7 @@ class HeapProfiler {
 
   bool StartSamplingHeapProfiler(uint64_t sample_interval, int stack_depth);
   void StopSamplingHeapProfiler();
+  bool is_sampling_allocations() { return !sampling_heap_profiler_.is_empty(); }
   AllocationProfile* GetAllocationProfile();
 
   void StartHeapObjectsTracking(bool track_allocations);
diff --git a/test/cctest/test-heap-profiler.cc b/test/cctest/test-heap-profiler.cc
@@ -3040,3 +3040,28 @@ TEST(SamplingHeapProfilerApiAllocation) {
 
   heap_profiler->StopSamplingHeapProfiler();
 }
+
+TEST(SamplingHeapProfilerLeftTrimming) {
+  v8::HandleScope scope(v8::Isolate::GetCurrent());
+  LocalContext env;
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+
+  // Suppress randomness to avoid flakiness in tests.
+  v8::internal::FLAG_sampling_heap_profiler_suppress_randomness = true;
+
+  heap_profiler->StartSamplingHeapProfiler(64);
+
+  CompileRun(
+      "for (var j = 0; j < 500; ++j) {\n"
+      "  var a = [];\n"
+      "  for (var i = 0; i < 5; ++i)\n"
+      "      a[i] = i;\n"
+      "  for (var i = 0; i < 3; ++i)\n"
+      "      a.shift();\n"
+      "}\n");
+
+  CcTest::heap()->CollectGarbage(v8::internal::NEW_SPACE);
+  // Should not crash.
+
+  heap_profiler->StopSamplingHeapProfiler();
+}
