src: fix crash on FSReqPromise destructor

santigimeno · targos · commit 0f6d19489a6d · 2022-07-12T07:41:55.000+02:00
We are deciding whether to end `fs` promises by checking `can_call_into_js()` whereas in the `FSReqPromise` destructor we're using the `is_stopping()` check. Though this may look as semantically correct it has issues because though both values are modified before termination on `Environment::ExitEnv()` and both are atomic they are not syncronized together so it may happen that when reaching the destructor `call_into_js` may be set to `false` whereas `is_stopping` remains `false` causing the crash. Fix this by checking with `can_call_into_js()` also in the destructor. Fixes: #43499 PR-URL: #43533 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/node_file-inl.h b/src/node_file-inl.h
@@ -159,7 +159,7 @@ FSReqPromise<AliasedBufferT>::~FSReqPromise() {
   // Validate that the promise was explicitly resolved or rejected but only if
   // the Isolate is not terminating because in this case the promise might have
   // not finished.
-  if (!env()->is_stopping()) CHECK(finished_);
+  CHECK_IMPLIES(!finished_, !env()->can_call_into_js());
 }
 
 template <typename AliasedBufferT>

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ FSReqPromise<AliasedBufferT>::~FSReqPromise() {`
`159`	`159`	`// Validate that the promise was explicitly resolved or rejected but only if`
`160`	`160`	`// the Isolate is not terminating because in this case the promise might have`
`161`	`161`	`// not finished.`
`162`		`- if (!env()->is_stopping()) CHECK(finished_);`
	`162`	`+ CHECK_IMPLIES(!finished_, !env()->can_call_into_js());`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`template <typename AliasedBufferT>`