n-api: handle weak no-finalizer refs correctly #34839
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
the
c++
addaleax
approved these changes
Aug 19, 2020
addaleax
reviewed
Aug 19, 2020
src/js_native_api_v8.cc
Outdated
There was a problem hiding this comment.
RefCount() is unsigned, so reference->RefCount() == 0 is always true here, right?
There was a problem hiding this comment.
That's true. This can be simplified to the second half of the &&.
gabrielschulhof
force-pushed
the
n-api-fix-delete-after-weaken
branch
from
e9c66de to
7a20fc8
Compare
|
@addaleax I removed the always-true condition and I also updated the comment above the function to include an explanation of the new condition (i.e. that we want to delete when the ref is weak but has no finalizer). |
devsnek
approved these changes
Aug 19, 2020
When deleting a weak reference that has no finalizer we must not defer deletion until the non-existent finalizer gets called. Fixes: nodejs#34731 Signed-off-by: Gabriel Schulhof <[email protected]>
gabrielschulhof
force-pushed
the
n-api-fix-delete-after-weaken
branch
from
7a20fc8 to
2a25930
Compare
|
Added Signed-off-by header. |
jasnell
approved these changes
Aug 19, 2020
|
Hmmm ... CI is failing, but the logs are truncated, so I can't see what the failure was. |
|
Resumed as: https://ci.nodejs.org/job/node-test-pull-request/32860/ ✔️ |
Trott
approved these changes
Aug 21, 2020
Trott
pushed a commit
that referenced
this pull request
Aug 21, 2020
When deleting a weak reference that has no finalizer we must not defer deletion until the non-existent finalizer gets called. Fixes: #34731 Signed-off-by: Gabriel Schulhof <[email protected]> PR-URL: #34839 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
|
Landed in acd423b |
This was referenced Aug 22, 2020
BethGriggs
pushed a commit
that referenced
this pull request
Aug 24, 2020
When deleting a weak reference that has no finalizer we must not defer deletion until the non-existent finalizer gets called. Fixes: #34731 Signed-off-by: Gabriel Schulhof <[email protected]> PR-URL: #34839 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
11 tasks
Merged
danielleadams
pushed a commit
that referenced
this pull request
Aug 25, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
9 tasks
danielleadams
pushed a commit
that referenced
this pull request
Aug 26, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
danielleadams
pushed a commit
that referenced
this pull request
Aug 26, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
danielleadams
pushed a commit
that referenced
this pull request
Aug 26, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
10 tasks
danielleadams
pushed a commit
that referenced
this pull request
Aug 27, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
BethGriggs
pushed a commit
that referenced
this pull request
Aug 27, 2020
Notable changes: - build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705) - deps: - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915) - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834) - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673) - n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839) - tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378) PR-URL: #34852
addaleax
pushed a commit
that referenced
this pull request
Sep 22, 2020
When deleting a weak reference that has no finalizer we must not defer deletion until the non-existent finalizer gets called. Fixes: #34731 Signed-off-by: Gabriel Schulhof <[email protected]> PR-URL: #34839 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
addaleax
pushed a commit
that referenced
this pull request
Sep 22, 2020
When deleting a weak reference that has no finalizer we must not defer deletion until the non-existent finalizer gets called. Fixes: #34731 Signed-off-by: Gabriel Schulhof <[email protected]> PR-URL: #34839 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Merged
gabrielschulhof
pushed a commit
to gabrielschulhof/node
that referenced
this pull request
Nov 2, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: nodejs#34731
Refs: nodejs#34839
Refs: nodejs#35620
Refs: nodejs#35777
Fixes: nodejs#35778
Signed-off-by: Gabriel Schulhof <[email protected]>
4 tasks
gabrielschulhof
pushed a commit
that referenced
this pull request
Nov 5, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: #34731
Refs: #34839
Refs: #35620
Refs: #35777
Fixes: #35778
Signed-off-by: Gabriel Schulhof <[email protected]>
PR-URL: #35933
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Zeyu Yang <[email protected]>
danielleadams
pushed a commit
that referenced
this pull request
Nov 9, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: #34731
Refs: #34839
Refs: #35620
Refs: #35777
Fixes: #35778
Signed-off-by: Gabriel Schulhof <[email protected]>
PR-URL: #35933
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Zeyu Yang <[email protected]>
BethGriggs
pushed a commit
that referenced
this pull request
Dec 9, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: #34731
Refs: #34839
Refs: #35620
Refs: #35777
Fixes: #35778
Signed-off-by: Gabriel Schulhof <[email protected]>
PR-URL: #35933
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Zeyu Yang <[email protected]>
BethGriggs
pushed a commit
that referenced
this pull request
Dec 10, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: #34731
Refs: #34839
Refs: #35620
Refs: #35777
Fixes: #35778
Signed-off-by: Gabriel Schulhof <[email protected]>
PR-URL: #35933
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Zeyu Yang <[email protected]>
BethGriggs
pushed a commit
that referenced
this pull request
Dec 15, 2020
Currently, a reference is being unlinked from the list of references
tracked by the environment when `v8impl::Reference::Delete` is called.
This causes a leak when deletion must be deferred because the finalizer
hasn't yet run, but the finalizer does not run because environment
teardown is in progress, and so no more gc runs will happen, and the
`FinalizeAll` run that happens during environment teardown does not
catch the reference because it's no longer in the list. The test below
will fail when running with ASAN:
```
./node ./test/node-api/test_worker_terminate_finalization/test.js
```
OTOH if, to address the above leak, we make a special case to not
unlink a reference during environment teardown, we run into a
situation where the reference gets deleted by
`v8impl::Reference::Delete` but does not get unlinked because it's
environment teardown time. This leaves a stale pointer in the linked
list which will result in a use-after-free in `FinalizeAll` during
environment teardown. The test below will fail if we make the above
change:
```
./node -e "require('./test/node-api/test_instance_data/build/Release/test_ref_then_set.node');"
```
Thus, we unlink a reference precisely when we destroy it – in its
destructor.
Refs: #34731
Refs: #34839
Refs: #35620
Refs: #35777
Fixes: #35778
Signed-off-by: Gabriel Schulhof <[email protected]>
PR-URL: #35933
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Zeyu Yang <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When deleting a weak reference that has no finalizer we must not defer
deletion until the non-existent finalizer gets called.
Fixes: #34731
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes