Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 9b6512f

Browse filesBrowse files
Gabriel Schulhofdanielleadams
Gabriel Schulhof
authored and
danielleadams
committed
n-api: unlink reference during its destructor
Currently, a reference is being unlinked from the list of references tracked by the environment when `v8impl::Reference::Delete` is called. This causes a leak when deletion must be deferred because the finalizer hasn't yet run, but the finalizer does not run because environment teardown is in progress, and so no more gc runs will happen, and the `FinalizeAll` run that happens during environment teardown does not catch the reference because it's no longer in the list. The test below will fail when running with ASAN: ``` ./node ./test/node-api/test_worker_terminate_finalization/test.js ``` OTOH if, to address the above leak, we make a special case to not unlink a reference during environment teardown, we run into a situation where the reference gets deleted by `v8impl::Reference::Delete` but does not get unlinked because it's environment teardown time. This leaves a stale pointer in the linked list which will result in a use-after-free in `FinalizeAll` during environment teardown. The test below will fail if we make the above change: ``` ./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');" ``` Thus, we unlink a reference precisely when we destroy it – in its destructor. Refs: #34731 Refs: #34839 Refs: #35620 Refs: #35777 Fixes: #35778 Signed-off-by: Gabriel Schulhof <gabriel.schulhof@intel.com> PR-URL: #35933 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Zeyu Yang <himself65@outlook.com>
1 parent 1b277d9 commit 9b6512f
Copy full SHA for 9b6512f

File tree

Expand file treeCollapse file tree

2 files changed

+2
-3
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

2 files changed

+2
-3
lines changed
Open diff view settings
Collapse file

‎src/js_native_api_v8.cc‎

Copy file name to clipboardExpand all lines: src/js_native_api_v8.cc
+2-1Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -220,6 +220,8 @@ class RefBase : protected Finalizer, RefTracker {
220220
finalize_hint);
221221
}
222222

223+
virtual ~RefBase() { Unlink(); }
224+
223225
inline void* Data() {
224226
return _finalize_data;
225227
}
@@ -240,7 +242,6 @@ class RefBase : protected Finalizer, RefTracker {
240242
// the finalizer and _delete_self is set. In this case we
241243
// know we need to do the deletion so just do it.
242244
static inline void Delete(RefBase* reference) {
243-
reference->Unlink();
244245
if ((reference->RefCount() != 0) ||
245246
(reference->_delete_self) ||
246247
(reference->_finalize_ran)) {
Collapse file

‎test/node-api/test_worker_terminate_finalization/test.js‎

Copy file name to clipboardExpand all lines: test/node-api/test_worker_terminate_finalization/test.js
-2Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,9 @@
11
'use strict';
22
const common = require('../../common');
33

4-
// TODO(addaleax): Run this test once it stops failing under ASAN/valgrind.
54
// Refs: https://github.com/nodejs/node/issues/34731
65
// Refs: https://github.com/nodejs/node/pull/35777
76
// Refs: https://github.com/nodejs/node/issues/35778
8-
common.skip('Reference management in N-API leaks memory');
97

108
const { Worker, isMainThread } = require('worker_threads');
119

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.