Reviewers: Søren Gjesse, Description: Merge r5391 into 2.2 branch.
This patch fixes a memory overrun issue in CPU profiler. This looks like a final fix for the crbug/51919.
Please review this at http://codereview.chromium.org/3338001/show
SVN Base: http://v8.googlecode.com/svn/branches/2.2/
Affected files:
M src/cpu-profiler.cc
M src/version.cc
Index: src/cpu-profiler.cc
===================================================================
--- src/cpu-profiler.cc (revision 5392)
+++ src/cpu-profiler.cc (working copy)
@@ -235,8 +235,19 @@
     const TickSampleEventRecord* rec =
         TickSampleEventRecord::cast(ticks_buffer_.StartDequeue());
     if (rec == NULL) return !ticks_from_vm_buffer_.IsEmpty();
-    if (rec->order == dequeue_order) {
-      generator_->RecordTickSample(rec->sample);
+    // Make a local copy of tick sample record to ensure that it won't
+    // be modified as we are processing it. This is possible as the
+    // sampler writes w/o any sync to the queue, so if the processor
+    // will get far behind, a record may be modified right under its
+    // feet.
+    TickSampleEventRecord record = *rec;
+    if (record.order == dequeue_order) {
+      // A paranoid check to make sure that we don't get a memory overrun
+      // in case of frames_count having a wild value.
+      if (record.sample.frames_count < 0
+          || record.sample.frames_count >= TickSample::kMaxFramesCount)
+        record.sample.frames_count = 0;
+      generator_->RecordTickSample(record.sample);
       ticks_buffer_.FinishDequeue();
     } else {
       return true;
Index: src/version.cc
===================================================================
--- src/version.cc (revision 5392)
+++ src/version.cc (working copy)
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION 2
 #define MINOR_VERSION 2
 #define BUILD_NUMBER 24
-#define PATCH_LEVEL 20
+#define PATCH_LEVEL 21
 #define CANDIDATE_VERSION false
 
 // Define SONAME to have the SCons build the put a specific SONAME into the
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
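Review bot: The upper bound of the new frames_count guard in the src/cpu-profiler.cc hunk rejects `frames_count == TickSample::kMaxFramesCount`, so if the sampler can fill every slot of the stack array, a complete and valid sample is reported with zero frames; that depends on TickSample's definition, which is outside this hunk, and if the array has exactly kMaxFramesCount entries then `|| record.sample.frames_count > TickSample::kMaxFramesCount)` still prevents the overrun without discarding full stacks. Note also that `TickSampleEventRecord record = *rec;` is itself an unsynchronized struct read, so the copy can still be torn while the sampler writes; the clamp, not the copy, is what bounds the later indexing of the stack array, and the comment above it should say so rather than calling it merely paranoid, e.g. `// The copy above is not atomic, so frames_count may still be garbage; clamp it before it is used to index the stack array.` The enclosing function starts and ends outside the hunk.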
