Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vm.compileFunction is crashing the node process with unknown error #27256

Closed
kalinkrustev opened this issue Apr 16, 2019 · 7 comments
Closed
Labels
confirmed-bug Issues with confirmed bugs. v8 engine Issues and PRs related to the V8 dependency. vm Issues and PRs related to the vm subsystem.

Comments

@kalinkrustev
Copy link

  • Version: 10.15.3
  • Platform: Windows 10
  • Subsystem: vm

The following simple script crashes the node process with no apparent reason:

const vm = require('vm');
console.log(process.version);
vm.compileFunction('return', ['ab'.replace('b', 'b'.repeat(12)).split('').join('')]);
console.log('compiled ok 1');
vm.compileFunction('return', ['ab'.replace('b', 'b'.repeat(11))]);
console.log('compiled ok 2');
try {
    vm.compileFunction('return', ['ab'.replace('b', 'b'.repeat(12))]); // crash here
    console.log('compiled ok 3');
} catch (e) { // no exception was caught
    console.error(e);
}

Output:

v10.15.3
compiled ok 1
compiled ok 2
@addaleax
Copy link
Member

This seems to have been fixed between v11.10.1 and v11.11.0, so it’s probably just a question of figuring out the bugfix and backporting it. I’ll try to bisect.

@addaleax addaleax added confirmed-bug Issues with confirmed bugs. v10.x vm Issues and PRs related to the vm subsystem. labels Apr 16, 2019
@kalinkrustev
Copy link
Author

I am curious to see the reason behind this. If you find the fix, can you please post a reference here?

@addaleax addaleax added v8 engine Issues and PRs related to the V8 dependency. and removed v10.x labels Apr 16, 2019
@addaleax
Copy link
Member

Ok, so, there are two issues here:

The crash is being addressed by 7b19893; in particular, 7b19893#diff-0cf206672499c2f86db4ffb0cc5b668bL1101 would previously have crashed, because there was no exception caught by the try_catch object (which lead to a nullptr dereference).

However, this does not actually work on newer released versions of Node.js, it just returns undefined instead of a compiled function. That seems like a V8 bug, which is fixed on Node.js master but not on Node v11.x; I’ll try to investigate a bit more.

@addaleax
Copy link
Member

Okay, digging a bit more: Until v8/v8@61f4c22, V8 assumed that the argument name string was not internally represented as a concatenated string. Apparently, V8 has a cutoff value here that decides whether the result of your string concatenation is internally represented as a contiguous block of memory, or as the concatenation of two or more contiguous blocks of memory. The “is this a valid identifier” check would simply fail in the latter case. This is fixed by the linked V8 commit.

It’s also not ideal that V8 doesn’t throw an exception in this case, which imo it should when returning an empty MaybeLocal<> from ScriptCompiler::CompileFunctionInContext()@hashseed Should that be added? I’d be happy to do so.

addaleax added a commit to addaleax/node that referenced this issue Apr 16, 2019
The differences to the original patch are the replacement of
`i::IsIdentifier...()` with `unicode_cache_.IsIdentifier...()`,
because the former is not available on Node.js v11.x, as well
as the omitted `no_gc` argument for `GetFlatContent()`.

Original commit message:

    Assume flat string when checking CompileFunctionInContext arguments.

    R=jkummerow@chromium.org

    Change-Id: I54c6137a3c6e14d4102188f154aa7216e7414dbc
    Reviewed-on: https://chromium-review.googlesource.com/c/1388533
    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
    Commit-Queue: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#58562}

Refs: v8/v8@61f4c22
Fixes: nodejs#27256
@addaleax
Copy link
Member

#27259 should address the main issue here for v11.x, and could be backported to v10.x.

@hashseed
Copy link
Member

Yes. I think that it should throw an exception indeed, similar to other compile APIs.

codebytere pushed a commit that referenced this issue Apr 29, 2019
The differences to the original patch are the replacement of
`i::IsIdentifier...()` with `unicode_cache_.IsIdentifier...()`,
because the former is not available on Node.js v11.x, as well
as the omitted `no_gc` argument for `GetFlatContent()`.

Original commit message:

    Assume flat string when checking CompileFunctionInContext arguments.

    R=jkummerow@chromium.org

    Change-Id: I54c6137a3c6e14d4102188f154aa7216e7414dbc
    Reviewed-on: https://chromium-review.googlesource.com/c/1388533
    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
    Commit-Queue: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#58562}

Refs: v8/v8@61f4c22
Fixes: #27256

PR-URL: #27259
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
@juanarbol
Copy link
Member

I'll proceed to close this issue, this seems to be fixed on Fermiun (LTS), and Dubnium is sadly no longer maintained.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
confirmed-bug Issues with confirmed bugs. v8 engine Issues and PRs related to the V8 dependency. vm Issues and PRs related to the vm subsystem.
Projects
None yet
Development

No branches or pull requests

4 participants