From 88aa4e0d256859cce5b5bbac9af3c03189b18194 Mon Sep 17 00:00:00 2001 From: Gabriel Schulhof Date: Mon, 2 Nov 2020 15:06:23 -0800 Subject: [PATCH] n-api: unlink reference during its destructor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, a reference is being unlinked from the list of references tracked by the environment when `v8impl::Reference::Delete` is called. This causes a leak when deletion must be deferred because the finalizer hasn't yet run, but the finalizer does not run because environment teardown is in progress, and so no more gc runs will happen, and the `FinalizeAll` run that happens during environment teardown does not catch the reference because it's no longer in the list. The test below will fail when running with ASAN: ``` ./node ./test/node-api/test_worker_terminate_finalization/test.js ``` OTOH if, to address the above leak, we make a special case to not unlink a reference during environment teardown, we run into a situation where the reference gets deleted by `v8impl::Reference::Delete` but does not get unlinked because it's environment teardown time. This leaves a stale pointer in the linked list which will result in a use-after-free in `FinalizeAll` during environment teardown. The test below will fail if we make the above change: ``` ./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');" ``` Thus, we unlink a reference precisely when we destroy it – in its destructor. Refs: https://github.com/nodejs/node/issues/34731 Refs: https://github.com/nodejs/node/pull/34839 Refs: https://github.com/nodejs/node/issues/35620 Refs: https://github.com/nodejs/node/issues/35777 Fixes: https://github.com/nodejs/node/issues/35778 Signed-off-by: Gabriel Schulhof PR-URL: https://github.com/nodejs/node/pull/35933 Reviewed-By: Rich Trott Reviewed-By: Michael Dawson Reviewed-By: Zeyu Yang --- src/js_native_api_v8.cc | 3 ++- test/node-api/test_worker_terminate_finalization/test.js | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/js_native_api_v8.cc b/src/js_native_api_v8.cc index 3b8a5ff51b54ab..e7a16401369f42 100644 --- a/src/js_native_api_v8.cc +++ b/src/js_native_api_v8.cc @@ -220,6 +220,8 @@ class RefBase : protected Finalizer, RefTracker { finalize_hint); } + virtual ~RefBase() { Unlink(); } + inline void* Data() { return _finalize_data; } @@ -240,7 +242,6 @@ class RefBase : protected Finalizer, RefTracker { // the finalizer and _delete_self is set. In this case we // know we need to do the deletion so just do it. static inline void Delete(RefBase* reference) { - reference->Unlink(); if ((reference->RefCount() != 0) || (reference->_delete_self) || (reference->_finalize_ran)) { diff --git a/test/node-api/test_worker_terminate_finalization/test.js b/test/node-api/test_worker_terminate_finalization/test.js index 171a32b812334f..937079968f722a 100644 --- a/test/node-api/test_worker_terminate_finalization/test.js +++ b/test/node-api/test_worker_terminate_finalization/test.js @@ -1,11 +1,9 @@ 'use strict'; const common = require('../../common'); -// TODO(addaleax): Run this test once it stops failing under ASAN/valgrind. // Refs: https://github.com/nodejs/node/issues/34731 // Refs: https://github.com/nodejs/node/pull/35777 // Refs: https://github.com/nodejs/node/issues/35778 -common.skip('Reference management in N-API leaks memory'); const { Worker, isMainThread } = require('worker_threads');