OSSForks/node
1
0
Fork 0
mirror of https://github.com/zebrajr/node.git synced 2026-01-15 12:15:26 +00:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

buffer,n-api: release external buffers from BackingStore callback

Browse Source 
Release `Buffer` and `ArrayBuffer` instances that were created through
our addon APIs and have finalizers attached to them only after V8 has
called the deleter callback passed to the `BackingStore`, instead of
relying on our own GC callback(s).

This fixes the following race condition:

1. Addon code allocates pointer P via `malloc`.
2. P is passed into `napi_create_external_buffer` with a finalization
   callback which calls `free(P)`. P is inserted into V8’s global array
   buffer table for tracking.
3. The finalization callback is executed on GC. P is freed and returned
   to the allocator. P is not yet removed from V8’s global array
   buffer table. (!)
4. Addon code attempts to allocate memory once again. The allocator
   returns P, as it is now available.
5. P is passed into `napi_create_external_buffer`. P still has not been
   removed from the v8 global array buffer table.
6. The world ends with `Check failed: result.second`.

Since our API contract is to call the finalizer on the JS thread on
which the `ArrayBuffer` was created, but V8 may call the `BackingStore`
deleter callback on another thread, fixing this requires posting
a task back to the JS thread.

Refs: https://github.com/nodejs/node/issues/32463#issuecomment-625877175
Fixes: https://github.com/nodejs/node/issues/32463

PR-URL: https://github.com/nodejs/node/pull/33321
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit is contained in:
Anna Henningsen
2020-05-09 06:41:58 +02:00
parent e3462614db
commit c1ee70ec16
5 changed files with 108 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
test/node-api/test_buffer/test.js
View File

@@ -1,10 +1,10 @@
'use strict';
// Flags: --expose-gc
// Flags: --expose-gc --no-concurrent-array-buffer-freeing --no-concurrent-array-buffer-sweeping
const common = require('../../common');
const binding = require(`./build/${common.buildType}/test_buffer`);
const assert = require('assert');
const setImmediatePromise = require('util').promisify(setImmediate);
const tick = require('util').promisify(require('../../common/tick'));
(async function() {
assert.strictEqual(binding.newBuffer().toString(), binding.theText);
@@ -12,7 +12,7 @@ const setImmediatePromise = require('util').promisify(setImmediate);
console.log('gc1');
global.gc();
assert.strictEqual(binding.getDeleterCallCount(), 0);
await setImmediatePromise();
await tick(10);
assert.strictEqual(binding.getDeleterCallCount(), 1);
assert.strictEqual(binding.copyBuffer().toString(), binding.theText);
@@ -22,7 +22,7 @@ const setImmediatePromise = require('util').promisify(setImmediate);
buffer = null;
global.gc();
assert.strictEqual(binding.getDeleterCallCount(), 1);
await setImmediatePromise();
await tick(10);
console.log('gc2');
assert.strictEqual(binding.getDeleterCallCount(), 2);
})().then(common.mustCall());