fix(wall): break SIGPROF self-chain in signal handler install

[szegedi]

Summary

Fix infinite recursion in SignalHandler::HandleProfilerSignal observed under dd-trace-js + Node.js 20 on x86_64 Linux as ~430 stack frames of HandleProfilerSignal calling itself, with each frame paused right after the indirect callq *%r14 (i.e. the call to old_handler_func_).

Root cause

SignalHandler::Install() else-branch captures whatever was the previous SIGPROF disposition into old_handler_func_:

installed_ = (sigaction(SIGPROF, &sa, &old_handler_) == 0);
old_handler_func_.store(old_handler_.sa_sigaction, std::memory_order_relaxed);

If, at that moment, SIGPROF was already pointing at &HandleProfilerSignal while installed_ == false, we end up storing our own address into old_handler_func_, and the next signal delivery loops forever via:

auto old_handler = old_handler_func_.load(...);
if (!old_handler) return;
...
old_handler(sig, info, context);  // recurses into HandleProfilerSignal

The state (installed_ == false, SIGPROF == &HandleProfilerSignal) requires a non-pprof party to write &HandleProfilerSignal back into SIGPROF after our Restore() cleared installed_. Static analysis of single-instance pprof + v8 SIGPROF interaction (StartInternal always runs cpuProfiler_->Start — which is what may trigger V8's SignalHandler::IncreaseSamplerCount → V8.Install — before pprof.IncreaseUseCount) shows that V8's old_signal_handler_ can never end up holding &HandleProfilerSignal, because V8.Install only runs when V8's process-wide client_count_ transitions 0→1, and at that point pprof has not yet installed in this lifecycle. So V8.Restore can never write us back into SIGPROF.

The realistic trigger is therefore two copies of @datadog/pprof loaded in the same process (the dlopen-key for native addons is the file path, so a bundled copy under node_modules/dd-trace/node_modules/@datadog/pprof plus a top-level dep at node_modules/@datadog/pprof are two distinct instances with independent static state). With that, the sequence

A.Install      ; SIGPROF=A, installed_A=true,  pp_old_A=DEFAULT
B.Install      ; SIGPROF=B, installed_B=true,  pp_old_B=A
A.Restore      ; SIGPROF=DEFAULT, installed_A=false
B.Restore      ; SIGPROF=A,       installed_B=false   ← B writes A back
A.Install (2)  ; captures A as its own old_handler        ← self-loop

leaves A's old_handler_func_ pointing at A's own HandleProfilerSignal. A non-pprof third-party SIGPROF user that captured pprof while pprof was active and later restores it produces the same shape.

Fix

Refuse to chain to ourselves in the install path. If the captured previous disposition is &HandleProfilerSignal, store nullptr in old_handler_func_ so the handler's existing if (!old_handler) return; fast-path kicks in. The signal is dropped instead of recursing — same observable behavior the handler already has when SIGPROF was previously unhandled.

This is a strict improvement: in the two-instance case, the other loaded copy still chains to us once via its own old_handler_func_, but a single hop is harmless; only the self-loop runs away.

Test plan

• Builds cleanly with npm run build.
• Existing test suite still passes.
• Manual reproduction (multi-instance @datadog/pprof load and verify no recursion).

Jira: [PROF-14467]

[github-actions]

Overall package size

Self size: 2.01 MB
Deduped: 2.38 MB
No deduping: 2.38 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | source-map | 0.7.6 | 185.63 kB | 185.63 kB | | pprof-format | 2.2.1 | 163.06 kB | 163.06 kB | | node-gyp-build | 4.8.3 | 13.81 kB | 13.81 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[nsavoire]

If old_handler_func_ is null then we won't be able to forward SIGPROF to v8 profiler and profiling won't work, maybe we should return an error in StartImpl (since this can only occur at profiler startup).

[szegedi]

Okay, this required some propagation of boolean flags, but you're right that it's the actual correct solution; thanks for catching it. The whole thing is weird – I saw it in a single crash report today, and I'm not sure how it can arise; working theory is that the customer somehow managed to run the profiler twice? I really don't know. Anyhow, let me know if this now makes sense. It's a bit more complicated now 😁

[szegedi]

We're capturing profileId_ in StartInternal() now so the rollback on line 914 has the right id to stop.