jiangcuo/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-04-30 23:56:58 +00:00
Code Issues Actions 19 Packages Projects Releases Wiki Activity
c712dd284b
node/test/addons/null-buffer-neuter/binding.cc
Anna Henningsen c1ee70ec16
buffer,n-api: release external buffers from BackingStore callback 
Release `Buffer` and `ArrayBuffer` instances that were created through
our addon APIs and have finalizers attached to them only after V8 has
called the deleter callback passed to the `BackingStore`, instead of
relying on our own GC callback(s).

This fixes the following race condition:

1. Addon code allocates pointer P via `malloc`.
2. P is passed into `napi_create_external_buffer` with a finalization
   callback which calls `free(P)`. P is inserted into V8’s global array
   buffer table for tracking.
3. The finalization callback is executed on GC. P is freed and returned
   to the allocator. P is not yet removed from V8’s global array
   buffer table. (!)
4. Addon code attempts to allocate memory once again. The allocator
   returns P, as it is now available.
5. P is passed into `napi_create_external_buffer`. P still has not been
   removed from the v8 global array buffer table.
6. The world ends with `Check failed: result.second`.

Since our API contract is to call the finalizer on the JS thread on
which the `ArrayBuffer` was created, but V8 may call the `BackingStore`
deleter callback on another thread, fixing this requires posting
a task back to the JS thread.

Refs: https://github.com/nodejs/node/issues/32463#issuecomment-625877175
Fixes: https://github.com/nodejs/node/issues/32463

PR-URL: https://github.com/nodejs/node/pull/33321
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-05-16 12:15:07 +02:00

42 lines
867 B
C++
Raw Blame History

#include <node.h>
#include <node_buffer.h>
#include <v8.h>
#include <assert.h>
static int alive;
static void FreeCallback(char* data, void* hint) {
assert(data == nullptr);
alive--;
}
void IsAlive(const v8::FunctionCallbackInfo<v8::Value>& args) {
args.GetReturnValue().Set(alive);
}
void Run(const v8::FunctionCallbackInfo<v8::Value>& args) {
v8::Isolate* isolate = args.GetIsolate();
alive++;
{
v8::HandleScope scope(isolate);
v8::Local<v8::Object> buf = node::Buffer::New(
isolate,
nullptr,
0,
FreeCallback,
nullptr).ToLocalChecked();
char* data = node::Buffer::Data(buf);
assert(data == nullptr);
}
}
void init(v8::Local<v8::Object> exports) {
NODE_SET_METHOD(exports, "run", Run);
NODE_SET_METHOD(exports, "isAlive", IsAlive);
}
NODE_MODULE(NODE_GYP_MODULE_NAME, init)
Reference in New Issue View Git Blame Copy Permalink