Fix iterator (std::vector) invalidation during sampling heap profile retrieval

It is possible for JS objects to be allocated while we are retrieving the
profile. These JS objects can in turn end up getting sampled by the profiler.
Adding these to the profile data structures invalidates the iterators that
are presently in flight. This change prevents such concurrent modifications
from affecting the retrieve operation.

BUG=

Review URL: https://codereview.chromium.org/1735733002

Cr-Commit-Position: refs/heads/master@{#34298}

src/profiler/sampling-heap-profiler.cc

@@ -224,9 +224,15 @@ v8::AllocationProfile::Node* SamplingHeapProfiler::TranslateAllocationNode(
        script_name, node->script_id_, node->script_position_, line, column,
        std::vector<v8::AllocationProfile::Node*>(), allocations}));
   v8::AllocationProfile::Node* current = &profile->nodes().back();
-  for (auto child : node->children_) {
+  size_t child_len = node->children_.size();
+  // The children vector may have nodes appended to it during translation
+  // because the translation may allocate strings on the JS heap that have
+  // the potential to be sampled. We cache the length of the vector before
+  // iteration so that nodes appended to the vector during iteration are
+  // not processed.
+  for (size_t i = 0; i < child_len; i++) {
     current->children.push_back(
-        TranslateAllocationNode(profile, child, scripts));
+        TranslateAllocationNode(profile, node->children_[i], scripts));
   }
   return current;
 }

test/cctest/cctest.status

@@ -605,9 +605,6 @@
   # TODO(rmcilroy,4680): Test assert errors.
   'test-heap-profiler/HeapSnapshotSimd': [PASS, ['mode == debug', FAIL]],
   'test-api/InitializeDefaultIsolateOnSecondaryThread1': [PASS, ['mode == debug', FAIL]],
-
-  # TODO(rmcilroy,mattloring).
-  'test-heap-profiler/SamplingHeapProfiler': [PASS, ['mode == debug', SKIP]],
 }],
 
 ]