disallow left-trim fast path when sampling heap profiler is active

disallow left-trim fast path when sampling heap profiler is active

Left trimming assumes that nobody other than the JSArray has a reference to the
backing store. Sampling heap profiler may profile the backing store and keep a
reference too it. This reference was never updated on a left-trim, causing a
crash.

R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com
BUG=

Committed: https://crrev.com/2837cb387b4cd3ef42bfd4da6712137fd3837db6
Cr-Commit-Position: refs/heads/master@{#35449}

[Hannes Payer (out of office), 2016-04-13 13:32:30]

LGTM, one nit

https://codereview.chromium.org/1885723002/diff/1/test/cctest/test-heap-profi...
File test/cctest/test-heap-profiler.cc (right):

https://codereview.chromium.org/1885723002/diff/1/test/cctest/test-heap-profi...
test/cctest/test-heap-profiler.cc:3062: // Should not crash.
Don't you need to call GC to crash? Why does it crash right now?

[ofrobots, 2016-04-13 14:34:29]

On 2016/04/13 13:32:30, Hannes Payer wrote:
> LGTM, one nit
> 
>
https://codereview.chromium.org/1885723002/diff/1/test/cctest/test-heap-profi...
> File test/cctest/test-heap-profiler.cc (right):
> 
>
https://codereview.chromium.org/1885723002/diff/1/test/cctest/test-heap-profi...
> test/cctest/test-heap-profiler.cc:3062: // Should not crash.
> Don't you need to call GC to crash? Why does it crash right now?

The test case naturally triggers a scavenge which ends up crashing. An explicit
scavenge would be better indeed. Interestingly enough the crash only occurs on a
scavenge and not on a full gc.

I will update the test to manually trigger the scavenge.

[ofrobots, 2016-04-13 14:37:27]

The CQ bit was checked by ofrobots@google.com

[ofrobots, 2016-04-13 14:37:28]

The patchset sent to the CQ was uploaded after l-g-t-m from hpayer@chromium.org
Link to the patchset: https://codereview.chromium.org/1885723002/#ps20001
(title: "explicitly trigger a scavenge in the test")

[commit-bot: I haz the power, 2016-04-13 14:37:38]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1885723002/20001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1885723002/20001

[commit-bot: I haz the power, 2016-04-13 15:11:11]

Committed patchset #2 (id:20001)

[commit-bot: I haz the power, 2016-04-13 15:11:33]

Description was changed from

==========
disallow left-trim fast path when sampling heap profiler is active

Left trimming assumes that nobody other than the JSArray has a reference to the
backing store. Sampling heap profiler may profile the backing store and keep a
reference too it. This reference was never updated on a left-trim, causing a
crash.

R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com
BUG=
==========

to

==========
disallow left-trim fast path when sampling heap profiler is active

Left trimming assumes that nobody other than the JSArray has a reference to the
backing store. Sampling heap profiler may profile the backing store and keep a
reference too it. This reference was never updated on a left-trim, causing a
crash.

R=alph@chromium.org, hpayer@chromium.org, mattloring@google.com
BUG=

Committed: https://crrev.com/2837cb387b4cd3ef42bfd4da6712137fd3837db6
Cr-Commit-Position: refs/heads/master@{#35449}
==========

[commit-bot: I haz the power, 2016-04-13 15:11:34]

Patchset 2 (id:??) landed as
https://crrev.com/2837cb387b4cd3ef42bfd4da6712137fd3837db6
Cr-Commit-Position: refs/heads/master@{#35449}