Commits on Oct 12, 2020

1. deps: V8: cherry-pick 3176bfd447a9 …

   Original commit message:
   
       [heap-profiler] Fix crash when a snapshot deleted while taking one
   
       Fix a crash/hang that occurred when deleting a snapshot during the
       GC that is part of taking another one.
   
       Specifically, when deleting the only other snapshot in such
       a situation, the `v8::HeapSnapshot::Delete()` method sees that there
       is only one (complete) snapshot at that point, and decides that it is
       okay to perform “delete all snapshots” instead of just deleting
       the requested one. That resets the internal string lookup table
       of the heap profiler, but the new snapshot that is currently in
       progress still holds references to the old string lookup table,
       leading to a use-after-free segfault or infinite loop.
   
       Fix this by guarding against resetting the string table while
       another heap snapshot is being taken, and add a test that would
       crash before this fix.
   
       This can be triggered in Node.js by repeatedly calling
       `v8.getHeapSnapshot()`, which provides heap snapshots as weakly
       held host objects.
   
       Change-Id: If9ac3728bf79114000982f1e7bb05e8034299e3c
       Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2464823
       Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
       Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
       Cr-Commit-Position: refs/heads/master@{#70445}
   
   Refs: v8/v8@3176bfd

   

   addaleax committed Oct 12, 2020
   Copy the full SHA

   0c43862 View commit details

   Browse the repository at this point in the history

2. test: add regression test for v8.getHeapSnapshot() crash …

   Fixes: nodejs#35559

   

   addaleax committed Oct 12, 2020
   Copy the full SHA

   4fbf127 View commit details

   Browse the repository at this point in the history