
deps: cherry-pick b87d408 from upstream V8 #24272

Closed
wants to merge 1 commit into from

Conversation

@psmarshall
Contributor

commented Nov 9, 2018

Original commit message:

[heap-profiler] Fix a use-after-free when snapshots are deleted

If a caller starts the sampling heap profiler and takes a snapshot, and
then deletes the snapshot before the sampling has completed, a
use-after-free will occur on the StringsStorage pointer.

The same issue applies for StartTrackingHeapObjects which shares the
same StringsStorage object.

Bug: v8:8373
Change-Id: I5d69d60d3f9465f9dd3b3bef107c204e0fda0643
Reviewed-on: https://chromium-review.googlesource.com/c/1301477
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57114}

Refs: v8/v8@b87d408

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
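As an added illustration of the lifetime bug the commit message describes (this is not V8's code and not the patch itself): a simplified model in which heap snapshots and the sampling profiler borrow one StringsStorage, with the unguarded clearing that leaves the sampler dangling beside a guarded variant that keeps the storage alive while any user still borrows it. The class and method names follow the commit message; their structure here is an assumption.

```cpp
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>
// Interns names so snapshots and the sampling profiler share one copy of each.
struct StringsStorage {
  static int next_id;
  int id = next_id++;  // identity tag, used only by the liveness check below
  std::unordered_set<std::string> names;
  const std::string* GetName(const std::string& s) { return &*names.insert(s).first; }
};
int StringsStorage::next_id = 1;

struct HeapSnapshot { StringsStorage* names; };                  // borrowed, not owned
struct SamplingHeapProfiler { StringsStorage* names; int id; };  // borrowed, not owned
class HeapProfiler {
 public:
  explicit HeapProfiler(bool guard) : guard_(guard), names_(new StringsStorage()) {}
  void TakeSnapshot() { snapshots_.emplace_back(new HeapSnapshot{names_.get()}); }
  void DeleteAllSnapshots() { snapshots_.clear(); MaybeClearStringsStorage(); }
  void StartSamplingHeapProfiler() {
    sampler_.reset(new SamplingHeapProfiler{names_.get(), names_->id});
  }
  void StopSamplingHeapProfiler() { sampler_.reset(); MaybeClearStringsStorage(); }
  // True while the sampler's borrowed pointer still names the storage we own.
  // Compares ids so the check never dereferences a possibly freed pointer.
  bool SamplerStorageIsLive() const { return !sampler_ || sampler_->id == names_->id; }

 private:
  // Unguarded: free and replace the storage as soon as the last snapshot goes,
  // although the sampler still holds the old pointer (the use-after-free).
  // Guarded: leave it alone while any other user is still borrowing it.
  void MaybeClearStringsStorage() {
    if (guard_ && sampler_) return;
    names_.reset(new StringsStorage());
  }
  bool guard_;
  std::unique_ptr<StringsStorage> names_;
  std::vector<std::unique_ptr<HeapSnapshot>> snapshots_;
  std::unique_ptr<SamplingHeapProfiler> sampler_;
};
// The sequence from the commit message: start sampling, take a snapshot, delete
// it before sampling stops. Returns false when the sampler is left dangling.
bool RunScenario(bool guard) {
  HeapProfiler profiler(guard);
  profiler.StartSamplingHeapProfiler();
  profiler.TakeSnapshot();
  profiler.DeleteAllSnapshots();
  return profiler.SamplerStorageIsLive();
}
```

Running the scenario with `guard` false models the pre-fix behaviour and reports a dangling sampler; with `guard` true the shared storage survives until the sampler is stopped.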
deps: cherry-pick b87d408 from upstream V8
@psmarshall
Contributor Author

commented Nov 9, 2018

The version number is bumped twice because I expect to land #23827 first

@cjihrig
cjihrig approved these changes Nov 9, 2018
@targos

Member

commented Nov 9, 2018

Is this commit already on master ?

@psmarshall

Contributor Author

commented Nov 9, 2018

It's in V8 7.2 so I guess not - should I just retarget it to master? We aren't merging it back in v8.

@targos

Member

commented Nov 9, 2018

> should I just retarget it to master?

Yes, please. We will also have to take it in v11.x and it's easier to manage if the fix lands first on master.

@danbev
danbev approved these changes Nov 12, 2018
@danbev

Member

commented Nov 12, 2018

I updated v8_embedder_string to -node.11 which seemed like the right thing to do.
Landed in a8847aa.

@danbev danbev closed this Nov 12, 2018

danbev added a commit that referenced this pull request Nov 12, 2018
deps: cherry-pick b87d408 from upstream V8
Original commit message:

    [heap-profiler] Fix a use-after-free when snapshots are deleted

    If a caller starts the sampling heap profiler and takes a snapshot,
    and then deletes the snapshot before the sampling has completed, a
    use-after-free will occur on the StringsStorage pointer.

    The same issue applies for StartTrackingHeapObjects which shares the
    same StringsStorage object.

    Bug: v8:8373
    Change-Id: I5d69d60d3f9465f9dd3b3bef107c204e0fda0643
    Reviewed-on: https://chromium-review.googlesource.com/c/1301477
    Commit-Queue: Peter Marshall <petermarshall@chromium.org>
    Reviewed-by: Alexei Filippov <alph@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#57114}

PR-URL: #24272
Refs: v8/v8@b87d408
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

@targos targos removed the v10.x label Nov 12, 2018

@psmarshall

Contributor Author

commented Nov 12, 2018

Thanks, the patch should apply cleanly to 10. This should also be backported to 8 if possible.

@richardlau

Member

commented Nov 13, 2018

A bit late to this, but since the PR was not retargeted doesn't this mean it effectively landed without relevant CI runs?

@danbev

Member

commented Nov 13, 2018

> A bit late to this, but since the PR was not retargeted doesn't this mean it effectively landed without relevant CI runs?

Sorry about this, that was my fault. I read the comments a little too quickly and did not notice it was still targeted at v10.x-staging. If this is causing issues please let me know and I'll revert. Thanks.

BridgeAR added a commit that referenced this pull request Nov 14, 2018
@BridgeAR BridgeAR referenced this pull request Nov 14, 2018
kiyomizumia added a commit to kiyomizumia/node that referenced this pull request Nov 15, 2018
targos added a commit to targos/node that referenced this pull request Nov 20, 2018
targos added a commit to targos/node that referenced this pull request Dec 4, 2018
pull bot pushed a commit to shakir-abdo/node that referenced this pull request Dec 6, 2018
codebytere added a commit that referenced this pull request Jan 12, 2019
refack added a commit to refack/node that referenced this pull request Jan 14, 2019
@codebytere codebytere referenced this pull request Jan 15, 2019