worker: fix crash when SharedArrayBuffer outlives creating thread

Keep a reference to the `ArrayBuffer::Allocator` alive for at least as long as a `SharedArrayBuffer` allocated by it lives. Refs: https://github.com/nodejs/node/pull/28788 Fixes: https://github.com/nodejs/node/issues/28777 Fixes: https://github.com/nodejs/node/issues/28773 PR-URL: https://github.com/nodejs/node/pull/29190 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2019-08-18 00:05:48 +02:00 · 2019-08-18 00:05:48 +02:00 · 119c4ccf0e
commit 119c4ccf0e
parent bdf07f4317
6 changed files with 83 additions and 9 deletions
--- a/src/node_worker.cc
+++ b/src/node_worker.cc
@ -59,6 +59,7 @@ Worker::Worker(Environment* env,
      per_isolate_opts_(per_isolate_opts),
      exec_argv_(exec_argv),
      platform_(env->isolate_data()->platform()),
      array_buffer_allocator_(ArrayBufferAllocator::Create()),
      start_profiler_idle_notifier_(env->profiler_idle_notifier_started()),
      thread_id_(Environment::AllocateThreadId()),
      env_vars_(env->env_vars()) {
@ -102,17 +103,20 @@ bool Worker::is_stopped() const {
  return stopped_;
 }
 std::shared_ptr<ArrayBufferAllocator> Worker::array_buffer_allocator() {
  return array_buffer_allocator_;
 }
 // This class contains data that is only relevant to the child thread itself,
 // and only while it is running.
 // (Eventually, the Environment instance should probably also be moved here.)
 class WorkerThreadData {
 public:
  explicit WorkerThreadData(Worker* w)
-    : w_(w),
+    : w_(w) {
      array_buffer_allocator_(ArrayBufferAllocator::Create()) {
    CHECK_EQ(uv_loop_init(&loop_), 0);
-    Isolate* isolate = NewIsolate(array_buffer_allocator_.get(), &loop_);
+    Isolate* isolate = NewIsolate(w->array_buffer_allocator_.get(), &loop_);
    CHECK_NOT_NULL(isolate);
    {
@ -124,7 +128,7 @@ class WorkerThreadData {
      isolate_data_.reset(CreateIsolateData(isolate,
                                            &loop_,
                                            w_->platform_,
-                                            array_buffer_allocator_.get()));
+                                            w->array_buffer_allocator_.get()));
      CHECK(isolate_data_);
      if (w_->per_isolate_opts_)
        isolate_data_->set_options(std::move(w_->per_isolate_opts_));
@ -166,7 +170,6 @@ class WorkerThreadData {
 private:
  Worker* const w_;
  uv_loop_t loop_;
  std::unique_ptr<ArrayBufferAllocator> array_buffer_allocator_;
  DeleteFnPtr<IsolateData, FreeIsolateData> isolate_data_;
  friend class Worker;
--- a/src/node_worker.h
+++ b/src/node_worker.h
@ -41,6 +41,7 @@ class Worker : public AsyncWrap {
  SET_SELF_SIZE(Worker)
  bool is_stopped() const;
  std::shared_ptr<ArrayBufferAllocator> array_buffer_allocator();
  static void New(const v8::FunctionCallbackInfo<v8::Value>& args);
  static void CloneParentEnvVars(
@ -59,6 +60,7 @@ class Worker : public AsyncWrap {
  std::vector<std::string> argv_;
  MultiIsolatePlatform* platform_;
  std::shared_ptr<ArrayBufferAllocator> array_buffer_allocator_;
  v8::Isolate* isolate_ = nullptr;
  bool start_profiler_idle_notifier_;
  uv_thread_t tid_;
--- a/src/sharedarraybuffer_metadata.cc
+++ b/src/sharedarraybuffer_metadata.cc
@ -1,7 +1,9 @@
 #include "sharedarraybuffer_metadata.h"
 #include "base_object-inl.h"
 #include "memory_tracker-inl.h"
 #include "node_errors.h"
 #include "node_worker.h"
 #include "util-inl.h"
 #include <utility>
@ -91,8 +93,16 @@ SharedArrayBufferMetadata::ForSharedArrayBuffer(
    return nullptr;
  }
  // If the SharedArrayBuffer is coming from a Worker, we need to make sure
  // that the corresponding ArrayBuffer::Allocator lives at least as long as
  // the SharedArrayBuffer itself.
  worker::Worker* w = env->worker_context();
  std::shared_ptr<v8::ArrayBuffer::Allocator> allocator =
      w != nullptr ? w->array_buffer_allocator() : nullptr;
  SharedArrayBuffer::Contents contents = source->Externalize();
-  SharedArrayBufferMetadataReference r(new SharedArrayBufferMetadata(contents));
+  SharedArrayBufferMetadataReference r(
      new SharedArrayBufferMetadata(contents, allocator));
  if (r->AssignToSharedArrayBuffer(env, context, source).IsNothing())
    return nullptr;
  return r;
@ -114,8 +124,9 @@ Maybe<bool> SharedArrayBufferMetadata::AssignToSharedArrayBuffer(
 }
 SharedArrayBufferMetadata::SharedArrayBufferMetadata(
-    const SharedArrayBuffer::Contents& contents)
+    const SharedArrayBuffer::Contents& contents,
-  : contents_(contents) { }
+    std::shared_ptr<v8::ArrayBuffer::Allocator> allocator)
  : contents_(contents), allocator_(allocator) { }
 SharedArrayBufferMetadata::~SharedArrayBufferMetadata() {
  contents_.Deleter()(contents_.Data(),
--- a/src/sharedarraybuffer_metadata.h
+++ b/src/sharedarraybuffer_metadata.h
@ -46,7 +46,9 @@ class SharedArrayBufferMetadata
  SharedArrayBufferMetadata(const SharedArrayBufferMetadata&) = delete;
 private:
-  explicit SharedArrayBufferMetadata(const v8::SharedArrayBuffer::Contents&);
+  SharedArrayBufferMetadata(
      const v8::SharedArrayBuffer::Contents&,
      std::shared_ptr<v8::ArrayBuffer::Allocator>);
  // Attach a lifetime tracker object with a reference count to `target`.
  v8::Maybe<bool> AssignToSharedArrayBuffer(
@ -55,6 +57,7 @@ class SharedArrayBufferMetadata
      v8::Local<v8::SharedArrayBuffer> target);
  v8::SharedArrayBuffer::Contents contents_;
  std::shared_ptr<v8::ArrayBuffer::Allocator> allocator_;
 };
 }  // namespace worker
--- a/test/parallel/test-worker-arraybuffer-zerofill.js
+++ b/test/parallel/test-worker-arraybuffer-zerofill.js
@ -0,0 +1,33 @@
 'use strict';
 require('../common');
 const assert = require('assert');
 const { Worker } = require('worker_threads');
 // Make sure that allocating uninitialized ArrayBuffers in one thread does not
 // affect the zero-initialization in other threads.
 const w = new Worker(`
 const { parentPort } = require('worker_threads');
 function post() {
  const uint32array = new Uint32Array(64);
  parentPort.postMessage(uint32array.reduce((a, b) => a + b));
 }
 setInterval(post, 0);
 `, { eval: true });
 function allocBuffers() {
  Buffer.allocUnsafe(32 * 1024 * 1024);
 }
 const interval = setInterval(allocBuffers, 0);
 let messages = 0;
 w.on('message', (sum) => {
  assert.strictEqual(sum, 0);
  if (messages++ === 100) {
    clearInterval(interval);
    w.terminate();
  }
 });
--- a/test/parallel/test-worker-sharedarraybuffer-from-worker-thread.js
+++ b/test/parallel/test-worker-sharedarraybuffer-from-worker-thread.js
@ -0,0 +1,22 @@
 'use strict';
 const common = require('../common');
 const assert = require('assert');
 const { Worker } = require('worker_threads');
 // Regression test for https://github.com/nodejs/node/issues/28777
 // Make sure that SharedArrayBuffers created in Worker threads are accessible
 // after the creating thread ended.
 const w = new Worker(`
 const { parentPort } = require('worker_threads');
 const sharedArrayBuffer = new SharedArrayBuffer(4);
 parentPort.postMessage(sharedArrayBuffer);
 `, { eval: true });
 let sharedArrayBuffer;
 w.once('message', common.mustCall((message) => sharedArrayBuffer = message));
 w.once('exit', common.mustCall(() => {
  const uint8array = new Uint8Array(sharedArrayBuffer);
  uint8array[0] = 42;
  assert.deepStrictEqual(uint8array, new Uint8Array([42, 0, 0, 0]));
 }));