V8 sampling profiler should switch to AsyncEnabledStateObserver |
||||
Issue descriptionSee Issue 610629 and https://codereview.chromium.org/1956323002/ for more context. TL;DR I think requires just a few lines patch to s/EnabledStateObserver/AsyncEnabledStateObserver/ + a weakptr factory in v8 sampling profiler. This is the problem: we recently found out that EnabledStateObserver is not safe to use if the observer is not indefinitely lived (i.e. if it gets destroyed at some point). The reason is that the EnabledStateObserver callbacks happen synchronously from the tracing side on the FILE thread. Nothing can prevent the observer to get destroyed on another thread at the same time. This indefinite observer lifetime is the case for most observers, but not all. The exceptions I found here are: 1. BlameContext, which has been fixed in https://codereview.chromium.org/1956333002/ 2. V8SamplingProfiler, which this bug is about The suggested fix is to switch V8SamplingProfiler to the new AsyncEnabledStateObserver. This new class guarantees that the OnTraceLog{Dis,En}abled are posted to the same thread where AddEnabledStateObserver was called. This prevents races on dtor. If I read the code correctly V8SamplingProfiler is destroyed together with the RenderThread (question: when does that happen? Is it only on renderer shutdown?). Also I do suspect that this is causing the DrMemory issues that have been suppressed in tools/valgrind/drmemory/suppressions_full.txt
,
May 11 2016
lpy@ do you want to take lead on that?
,
May 11 2016
sure.
,
May 11 2016
,
May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3d1573d4df84687881d4cfe8e8dd6391b99f28e2 commit 3d1573d4df84687881d4cfe8e8dd6391b99f28e2 Author: lpy <lpy@chromium.org> Date: Thu May 12 15:59:43 2016 Change base class of V8SamplingProfiler to AsyncEnabledStateObserver. Currently V8SamplingProfiler is a subclass of EnabledStateObserver, however EnabledStateObserver is not thread safe becuase OnTraceLog{Dis,En}abled get called in different thread which will become a use-after-free case when observer gets deleted in another thread. This patch changes base class of V8SamplingProfiler to AsyncEnabledStateObserver since AsyncEnabledStateObserver will post these two calls to the same thread where observer was added. BUG= 611027 Review-Url: https://codereview.chromium.org/1967793004 Cr-Commit-Position: refs/heads/master@{#393260} [modify] https://crrev.com/3d1573d4df84687881d4cfe8e8dd6391b99f28e2/content/renderer/devtools/v8_sampling_profiler.cc [modify] https://crrev.com/3d1573d4df84687881d4cfe8e8dd6391b99f28e2/content/renderer/devtools/v8_sampling_profiler.h
,
May 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a8aadea34d0be53e35e32ab882fb675e7307d8a7 commit a8aadea34d0be53e35e32ab882fb675e7307d8a7 Author: lpy <lpy@chromium.org> Date: Sat May 14 00:10:38 2016 Add ThreadChecker for V8SamplingProfiler. V8SamplingProfiler is now a subclass of AsyncEnabledStateObserver, this patch adds a ThreadChecker in V8SamplingProfiler to ensure it gets called in the right thread. BUG= 611027 Review-Url: https://codereview.chromium.org/1975363002 Cr-Commit-Position: refs/heads/master@{#393698} [modify] https://crrev.com/a8aadea34d0be53e35e32ab882fb675e7307d8a7/content/renderer/devtools/v8_sampling_profiler.cc [modify] https://crrev.com/a8aadea34d0be53e35e32ab882fb675e7307d8a7/content/renderer/devtools/v8_sampling_profiler.h
,
May 14 2016
|
||||
►
Sign in to add a comment |
||||
Comment 1 by fmea...@chromium.org
, May 11 2016