Parcel 2.12.0 malloc(): corrupted top size in Node 22.7.0 #54573

Closed
aminya opened this issue Aug 26, 2024 · 33 comments · Fixed by #55261
Labels: confirmed-bug (Issues with confirmed bugs), regression (Issues related to regressions), v8 engine (Issues and PRs related to the V8 dependency), v22.x (Issues that can be reproduced on v22.x or PRs targeting the v22.x-staging branch)

Comments

@aminya

aminya commented Aug 26, 2024

Version

22.7.0

Platform

Linux 6.8.0-40-generic #40~22.04.3-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 30 17:30:19 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Mirror of parcel-bundler/parcel#9926
More information available in parcel-bundler/parcel#9926

🐛 bug report

In Node 22.7.0 (not older versions), parcel now fails with this error

pnpm exec parcel build --target html ./src/browser/index.html
malloc(): corrupted top size

I get more info here:
https://github.com/aminya/assemblyscript-template/actions/runs/10531888327/job/29184908856#step:7:51

(node:2304) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Building...
Bundling...
node: malloc.c:4302: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.
Aborted (core dumped)

gdb stacktrace

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736297170496) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140736297170496) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140736297170496, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7a78476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7a5e7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7abf676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c11b77 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7ad6cfc in malloc_printerr (str=str@entry=0x7ffff7c14bc0 "malloc(): invalid size (unsorted)") at ./malloc/malloc.c:5664
#7  0x00007ffff7ada0dc in _int_malloc (av=av@entry=0x7fffb4000030, bytes=bytes@entry=32) at ./malloc/malloc.c:4002
#8  0x00007ffff7adb139 in __GI___libc_malloc (bytes=32) at ./malloc/malloc.c:3329
#9  0x00007ffff7e1998c in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x000000000153c25a in void std::vector<v8::internal::Handle<v8::internal::Map>, std::allocator<v8::internal::Handle<v8::internal::Map> > >::_M_realloc_insert<v8::internal::Handle<v8::internal::Map> >(__gnu_cxx::__normal_iterator<v8::internal::Handle<v8::internal::Map>*, std::vector<v8::internal::Handle<v8::internal::Map>, std::allocator<v8::internal::Handle<v8::internal::Map> > > >, v8::internal::Handle<v8::internal::Map>&&) ()
#11 0x0000000001657468 in v8::internal::FeedbackNexus::ExtractMaps(std::vector<v8::internal::Handle<v8::internal::Map>, std::allocator<v8::internal::Handle<v8::internal::Map> > >*) const ()
#12 0x00000000015338ab in v8::internal::IC::ShouldRecomputeHandler(v8::internal::Handle<v8::internal::String>) ()
#13 0x0000000001533a6d in v8::internal::IC::UpdateState(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) ()
#14 0x0000000001542f82 in v8::internal::Runtime_LoadIC_Miss(int, unsigned long*, v8::internal::Isolate*) ()
#15 0x00007fffb3eac576 in ?? ()
#16 0x00000ce90ed0dce9 in ?? ()
#17 0x00007fffb8ff9870 in ?? ()
#18 0x0000000000000006 in ?? ()
#19 0x00007fffb8ff9910 in ?? ()
#20 0x00007fff94078390 in ?? ()
#21 0x0000033539ecf0f9 in ?? ()
#22 0x0000000000000016 in ?? ()
#23 0x0000199a69633c89 in ?? ()
#24 0x00002c28e4701669 in ?? ()
#25 0x000000649af40069 in ?? ()
#26 0x000039fef53b8f69 in ?? ()
#27 0x00000ff4c39d1739 in ?? ()
#28 0x000001f59ce09539 in ?? ()
#29 0x00002c28e4701669 in ?? ()
#30 0x0000033539ecf0f9 in ?? ()
#31 0x0000198fae9bec01 in ?? ()
#32 0x0000296284423d31 in ?? ()
#33 0x0000000000000002 in ?? ()
#34 0x000019efcfd8a149 in ?? ()
#35 0x00000ff4c39d1451 in ?? ()
#36 0x00007fffb8ff9978 in ?? ()
#37 0x00007fff9407810a in ?? ()
#38 0x000000649af40069 in ?? ()
#39 0x000039fef53b8e89 in ?? ()
#40 0x000019efcfd8a2a9 in ?? ()
#41 0x000019efcfd8a149 in ?? ()
#42 0x000000649af40069 in ?? ()
#43 0x0000033539ecefc9 in ?? ()
#44 0x0000198fae9bedd9 in ?? ()
#45 0x0000296284423c29 in ?? ()
#46 0x0000000000000002 in ?? ()
#47 0x000019efcfd8a361 in ?? ()
#48 0x000019efcfd8a1b1 in ?? ()
#49 0x00007fffb8ff9a00 in ?? ()
#50 0x00007fff940e2065 in ?? ()
#51 0x000000649af40069 in ?? ()
#52 0x000039fef53b8e89 in ?? ()
#53 0x000000649af40069 in ?? ()
#54 0x000000649af40069 in ?? ()
#55 0x000019efcfd8a361 in ?? ()
#56 0x000019efcfd8a181 in ?? ()
#57 0x00000ff4c39d1451 in ?? ()
#58 0x000000649af40069 in ?? ()
#59 0x000039fef53b8e89 in ?? ()
#60 0x00002292dbc81659 in ?? ()
#61 0x00003372a19e0339 in ?? ()
#62 0x0000296284423ad9 in ?? ()
#63 0x0000000000000003 in ?? ()
#64 0x00000ff4c39d1839 in ?? ()
#65 0x000019efcfd8a1b1 in ?? ()
#66 0x00007fffb8ff9a78 in ?? ()
#67 0x00007fff94113fdd in ?? ()
#68 0x000000649af40069 in ?? ()
#69 0x000039fef53b8e89 in ?? ()
#70 0x000019efcfd8a149 in ?? ()
#71 0x000000649af40069 in ?? ()
#72 0x000019efcfd8a149 in ?? ()
#73 0x000000649af40069 in ?? ()
#74 0x00000ff4c39d1839 in ?? ()
#75 0x00000cb215a4a059 in ?? ()
#76 0x00003372a19e0369 in ?? ()
#77 0x0000296284423a31 in ?? ()
#78 0x0000000000000002 in ?? ()
#79 0x00000ff4c39d18b9 in ?? ()
#80 0x00000ff4c39d1451 in ?? ()
#81 0x00007fffb8ff9ae0 in ?? ()
#82 0x00007fffb3e0d8de in ?? ()
#83 0x000000649af40069 in ?? ()
#84 0x000039fef53b8e89 in ?? ()
#85 0x00000ff4c39d1701 in ?? ()
#86 0x00000ff4c39d18b9 in ?? ()
#87 0x000039fef53b8e89 in ?? ()
#88 0x000000649af40069 in ?? ()
#89 0x0000004f00000000 in ?? ()
#90 0x00002a8d5a8248d9 in ?? ()
#91 0x0000000000000002 in ?? ()
#92 0x00000ff4c39d1959 in ?? ()
#93 0x00000ff4c39d1451 in ?? ()
#94 0x00007fffb8ff9c30 in ?? ()
#95 0x00007fffb3e0d8de in ?? ()
#96 0x000000649af40069 in ?? ()
#97 0x000039fef53b8d81 in ?? ()
#98 0x000000649af40069 in ?? ()
#99 0x000000649af40069 in ?? ()
#100 0x000000649af40069 in ?? ()
#101 0x000039fef53b8711 in ?? ()
#102 0x000039fef53b8169 in ?? ()
#103 0x000000649af40c69 in ?? ()
#104 0xffffffff00000000 in ?? ()
#105 0xffffffff00000000 in ?? ()
#106 0x000000649af400d9 in ?? ()
#107 0x000023964e0c19c9 in ?? ()
#108 0x000039fef53b8d81 in ?? ()
#109 0x00000ff4c39d1959 in ?? ()
#110 0x000039fef53b8711 in ?? ()
#111 0x00000cb215a67cf1 in ?? ()
#112 0x000000649af40069 in ?? ()
#113 0x000000649af40069 in ?? ()
#114 0x000000649af40069 in ?? ()
#115 0x000000649af40069 in ?? ()
#116 0x000000649af40069 in ?? ()
#117 0x000000649af40069 in ?? ()
#118 0x000039fef53b8169 in ?? ()
#119 0x0000000200000000 in ?? ()
#120 0x000000649af40069 in ?? ()
#121 0x000000649af40069 in ?? ()
#122 0x000000649af40069 in ?? ()
#123 0x000000649af40069 in ?? ()
#124 0x000039fef53b8919 in ?? ()
#125 0x000039fef53b88e1 in ?? ()
#126 0x000000649af40069 in ?? ()
#127 0x000039fef53b8149 in ?? ()
#128 0x000039fef53b8101 in ?? ()
#129 0x000039fef53b8889 in ?? ()
#130 0x000000649af40069 in ?? ()
#131 0x000004a700000000 in ?? ()
#132 0x0000296284424a51 in ?? ()
#133 0x0000000000000002 in ?? ()
#134 0x00000f524b10a5c1 in ?? ()
#135 0x000039fef53b8711 in ?? ()
#136 0x00007fffb8ff9c88 in ?? ()
#137 0x00007fffb3e0d8de in ?? ()
#138 0x00002292dbc9b329 in ?? ()
#139 0x000039fef53b7ff1 in ?? ()
#140 0x00000f524b10a5c1 in ?? ()
#141 0x000000649af40069 in ?? ()
#142 0x0000006700000000 in ?? ()
#143 0x00002962844246a1 in ?? ()
#144 0x0000000000000002 in ?? ()
#145 0x00000f524b10a519 in ?? ()
#146 0x00000cb215a67cf1 in ?? ()
#147 0x00007fffb8ff9ce8 in ?? ()
#148 0x00007fffb3e0d8de in ?? ()
#149 0x00002292dbc9b329 in ?? ()
#150 0x000039fef53b7ff1 in ?? ()
#151 0x00002292dbc9b329 in ?? ()
#152 0x00000f524b10a519 in ?? ()
#153 0x000000649af40069 in ?? ()
#154 0x0000004700000000 in ?? ()
#155 0x00002962844245f9 in ?? ()
#156 0x0000000000000002 in ?? ()
#157 0x00003d11bf0eab99 in ?? ()
#158 0x00003d11bf0eb0e9 in ?? ()
#159 0x00007fffb8ff9d58 in ?? ()
#160 0x00007fffb3e0d8de in ?? ()
#161 0x00003d11bf0e9d51 in ?? ()
#162 0x000039fef53b7ff1 in ?? ()
#163 0x00001d7decf7e341 in ?? ()
#164 0x000039fef53b7ff1 in ?? ()
#165 0x000000649af40069 in ?? ()
#166 0x00003d11bf0eab99 in ?? ()
#167 0x000000649af40069 in ?? ()
#168 0x0000005500000000 in ?? ()
#169 0x0000296284423859 in ?? ()
#170 0x0000000000000002 in ?? ()
#171 0x000015cdba928f41 in ?? ()
#172 0x00000cb215a6a5d1 in ?? ()
#173 0x00007fffb8ff9db8 in ?? ()
#174 0x00007fffb3e0d8de in ?? ()
#175 0x00003d11bf0e9d51 in ?? ()
#176 0x000039fef53b7ff1 in ?? ()
#177 0x00003d11bf0e9d51 in ?? ()
#178 0x000015cdba928f41 in ?? ()
#179 0x000000649af40069 in ?? ()
#180 0x0000004700000000 in ?? ()
#181 0x00002962844237c9 in ?? ()
#182 0x0000000000000002 in ?? ()
#183 0x00003d11bf0eb0b1 in ?? ()
#184 0x00003d11bf0ecc19 in ?? ()
#185 0x00007fffb8ff9e80 in ?? ()
#186 0x00007fff9408662e in ?? ()
#187 0x00000cb215a6b139 in ?? ()
#188 0x000039fef53b7ff1 in ?? ()
#189 0x000000649af40069 in ?? ()
#190 0x000039fef53b7ff1 in ?? ()
#191 0x00000cb215a6b139 in ?? ()
#192 0x00003d11bf0eb0b1 in ?? ()
#193 0x000001f59ce1b8f9 in ?? ()
#194 0x000039fef53b8219 in ?? ()
#195 0x00000cb215a6b291 in ?? ()
#196 0x000000649af40069 in ?? ()
#197 0x000000649af40069 in ?? ()
#198 0x000000649af40069 in ?? ()
#199 0x00003d11bf0eb0b1 in ?? ()
#200 0x000039fef53b7ff1 in ?? ()
#201 0x000039fef53b82a1 in ?? ()
#202 0x000000649af40069 in ?? ()
#203 0x000039fef53b8269 in ?? ()
#204 0x000022c20de14ce1 in ?? ()
#205 0x00002bfc6ece6d29 in ?? ()
#206 0x000008c202f8e109 in ?? ()
#207 0x0000000000000004 in ?? ()
#208 0x00000cb215a6b329 in ?? ()
#209 0x000039fef53b8219 in ?? ()
#210 0x00007fffb8ff9f28 in ?? ()
#211 0x00007fffb3e0d8de in ?? ()
#212 0x00000cb215a6b139 in ?? ()
#213 0x000039fef53b7ff1 in ?? ()
#214 0x000000649af47c21 in ?? ()
#215 0x000000649af40069 in ?? ()
#216 0x000000649af40069 in ?? ()
#217 0x000000649af47c21 in ?? ()
#218 0x000039fef53b7ff1 in ?? ()
#219 0x00000cb215a6b139 in ?? ()
#220 0x00000cb215a6b329 in ?? ()
#221 0x000001f59ce2a8c9 in ?? ()
#222 0x000028972d731ec9 in ?? ()
#223 0x000000649af40069 in ?? ()
#224 0x000000649af40069 in ?? ()
#225 0x000000649af40069 in ?? ()
#226 0x0000006900000000 in ?? ()
#227 0x000017362fc04a19 in ?? ()
#228 0x0000000000000004 in ?? ()
#229 0x000001f59ce2a889 in ?? ()
#230 0x000001f59ce2a8c9 in ?? ()
#231 0x00007fffb8ff9f68 in ?? ()
#232 0x00007fffb3e0b4dc in ?? ()
#233 0x00000cb215a6b139 in ?? ()
#234 0x000039fef53b7ff1 in ?? ()
#235 0x000000649af40069 in ?? ()
#236 0x000000649af47c21 in ?? ()
#237 0x000001f59ce2a889 in ?? ()
#238 0x000000000000002c in ?? ()
#239 0x00007fffb8ff9fd0 in ?? ()
#240 0x00007fffb3e0b203 in ?? ()
#241 0x0000000000000000 in ?? ()

🎛 Configuration (.babelrc, package.json, cli command)

https://github.com/aminya/assemblyscript-template/tree/453edd38314835246c692319b6ae53c430a8010f

{
  "html": "./dist/index.html",
  "targets": {
    "html": {
      "context": "browser",
      "engines": {
        "browsers": "Chrome 76"
      }
    }
  }
}

💻 Code Sample

https://github.com/aminya/assemblyscript-template/tree/453edd38314835246c692319b6ae53c430a8010f

🌍 Your Environment

| Software | Version(s) |
| --- | --- |
| Parcel | 2.12.0 |
| Node | 22.7.0 |
| npm/Yarn | pnpm 9.7 |
| Operating System | KDE Ubuntu 22.04 |

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

There should not be a difference between Node 22.6.0 and 22.7.0

What do you see instead?

Segfault in 22.7.0

Additional information

No response

@RedYetiDev
Member

RedYetiDev commented Aug 26, 2024

> I found the function that triggers this error in Nodejs. It seems it was changed last week in a commit to update V8:
>
> nodejs/node@4f1c27a/deps/v8/src/ic/ic.cc#L251 (blame)
>
> This is where the error actually happens: nodejs/node@4f1c27a/deps/v8/src/objects/feedback-vector.cc#L1125 (blame)
>
> Reported it upstream: nodejs/node#54573

Quote from @aminya in the other thread. CC @nodejs/v8

While we wait for them to respond, do you happen to have a reproduction without the use of dependencies like parcel?

If not, could you run the same code with the NODE_DEBUG=* environment variable, and provide the output?

@RedYetiDev RedYetiDev added v8 engine Issues and PRs related to the V8 dependency. regression Issues related to regressions. v22.x v22.x Issues that can be reproduced on v22.x or PRs targeting the v22.x-staging branch. labels Aug 26, 2024
@aminya
Author

aminya commented Aug 26, 2024

No, I don't have a simpler reproduction. Parcel also uses Nodejs Add-on API, so @devongovett should be able to help add a reproduction with a debug build of Parcel

@RedYetiDev
Member

No worries!

A few things to help narrow this down:

  1. NODE_DEBUG=* will enable debug logging in Node.js; could you try running the same command with that in your environment?
  2. If parcel has a debug logging system, it'd really help to narrow down where this is coming from.

@aminya
Author

aminya commented Aug 26, 2024

Here's the log with NODE_DEBUG=*

node ./node_modules/parcel/bin/parcel.js

errors.log

Looks like Parcel's caching code triggers this.

@[email protected]_@[email protected]_@[email protected]_/node_modules/@parcel/cache/lib/FSCache.js]

https://github.com/parcel-bundler/parcel/blob/0e08d8c69243e104aaba52c2393d528bb6872450/packages/core/cache/src/FSCache.js

@devongovett
Contributor

I get errors in v8::internal::StringTable::OffHeapStringHashSet::KeyIsMatch. These occur in multiple different call stacks, e.g. in napi_set_named_property:

* thread #13, stop reason = EXC_BAD_ACCESS (code=1, address=0xa5fa)
  * frame #0: 0x000000010077e3f4 node`bool v8::internal::StringTable::OffHeapStringHashSet::KeyIsMatch<v8::internal::Isolate, v8::internal::SequentialStringKey<unsigned char> >(v8::internal::Isolate*, v8::internal::SequentialStringKey<unsigned char>*, v8::internal::Tagged<v8::internal::Object>) + 32
    frame #1: 0x000000010077b0ac node`v8::internal::Handle<v8::internal::String> v8::internal::StringTable::LookupKey<v8::internal::SequentialStringKey<unsigned char>, v8::internal::Isolate>(v8::internal::Isolate*, v8::internal::SequentialStringKey<unsigned char>*) + 128
    frame #2: 0x000000010045f640 node`v8::internal::FactoryBase<v8::internal::Factory>::InternalizeString(v8::base::Vector<unsigned char const>, bool) + 176
    frame #3: 0x000000010046fbdc node`v8::internal::Factory::InternalizeUtf8String(v8::base::Vector<char const>) + 76
    frame #4: 0x00000001002dc950 node`v8::String::NewFromUtf8(v8::Isolate*, char const*, v8::NewStringType, int) + 128
    frame #5: 0x0000000100094210 node`napi_set_named_property + 208
    frame #6: 0x00000001194c5130 parcel-node-bindings.darwin-arm64.node`napi::js_values::_$LT$impl$u20$napi..js_values..object..JsObject$GT$::set_named_property::h5084994e2531749c + 88
    frame #7: 0x00000001194d0e34 parcel-node-bindings.darwin-arm64.node`parcel_resolver::_::_$LT$impl$u20$serde..ser..Serialize$u20$for$u20$parcel_resolver..Resolution$GT$::serialize::h904a07a7bb6368f1 + 392
    frame #8: 0x00000001194bccc4 parcel-node-bindings.darwin-arm64.node`parcel_node_bindings::resolver::Resolver::resolve_result_to_js::h68ad0611506b3f03 + 488
    frame #9: 0x00000001194cb620 parcel-node-bindings.darwin-arm64.node`parcel_node_bindings::resolver::__napi_impl_helper__Resolver__1::__napi__resolve::h830643ec2ac2f150 + 648

Or in the v8.deserialize API:

  * frame #0: 0x000000010077e308 node`bool v8::internal::StringTable::OffHeapStringHashSet::KeyIsMatch<v8::internal::Isolate, v8::internal::InternalizedStringKey>(v8::internal::Isolate*, v8::internal::InternalizedStringKey*, v8::internal::Tagged<v8::internal::Object>) + 28
    frame #1: 0x000000010077d2f4 node`v8::internal::Handle<v8::internal::String> v8::internal::StringTable::LookupKey<v8::internal::InternalizedStringKey, v8::internal::Isolate>(v8::internal::Isolate*, v8::internal::InternalizedStringKey*) + 132
    frame #2: 0x000000010077d0e8 node`v8::internal::StringTable::LookupString(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>) + 324
    frame #3: 0x000000010079c148 node`v8::internal::ValueDeserializer::ReadJSObjectProperties(v8::internal::Handle<v8::internal::JSObject>, v8::internal::SerializationTag, bool) + 604
    frame #4: 0x000000010079894c node`v8::internal::ValueDeserializer::ReadJSObject() + 268
    frame #5: 0x0000000100797674 node`v8::internal::ValueDeserializer::ReadObjectInternal() + 820
    frame #6: 0x000000010079725c node`v8::internal::ValueDeserializer::ReadObject() + 64
    frame #7: 0x000000010079c440 node`v8::internal::ValueDeserializer::ReadJSObjectProperties(v8::internal::Handle<v8::internal::JSObject>, v8::internal::SerializationTag, bool) + 1364
    frame #8: 0x000000010079894c node`v8::internal::ValueDeserializer::ReadJSObject() + 268
    frame #9: 0x0000000100797674 node`v8::internal::ValueDeserializer::ReadObjectInternal() + 820
    frame #10: 0x000000010079725c node`v8::internal::ValueDeserializer::ReadObject() + 64
    frame #11: 0x000000010079c1f8 node`v8::internal::ValueDeserializer::ReadJSObjectProperties(v8::internal::Handle<v8::internal::JSObject>, v8::internal::SerializationTag, bool) + 780
    frame #12: 0x000000010079894c node`v8::internal::ValueDeserializer::ReadJSObject() + 268
    frame #13: 0x0000000100797674 node`v8::internal::ValueDeserializer::ReadObjectInternal() + 820
    frame #14: 0x000000010079725c node`v8::internal::ValueDeserializer::ReadObject() + 64
    frame #15: 0x000000010079c440 node`v8::internal::ValueDeserializer::ReadJSObjectProperties(v8::internal::Handle<v8::internal::JSObject>, v8::internal::SerializationTag, bool) + 1364
    frame #16: 0x000000010079894c node`v8::internal::ValueDeserializer::ReadJSObject() + 268
    frame #17: 0x0000000100797674 node`v8::internal::ValueDeserializer::ReadObjectInternal() + 820
    frame #18: 0x000000010079725c node`v8::internal::ValueDeserializer::ReadObject() + 64
    frame #19: 0x000000010079718c node`v8::internal::ValueDeserializer::ReadObjectWrapper() + 32
    frame #20: 0x00000001002cc358 node`v8::ValueDeserializer::ReadValue(v8::Local<v8::Context>) + 268
    frame #21: 0x0000000100172e70 node`node::serdes::DeserializerContext::ReadValue(v8::FunctionCallbackInfo<v8::Value> const&) + 100
    frame #22: 0x0000000100d4f118 node`Builtins_CallApiCallbackGeneric + 184

Or just in the parser:

  * frame #0: 0x000000010077caf8 node`v8::internal::OffHeapHashTableBase<v8::internal::StringTable::OffHeapStringHashSet>::RehashInto(v8::internal::PtrComprCageBase, v8::internal::StringTable::OffHeapStringHashSet*) + 124
    frame #1: 0x000000010077b340 node`v8::internal::StringTable::EnsureCapacity(v8::internal::PtrComprCageBase, int) + 268
    frame #2: 0x000000010077b104 node`v8::internal::Handle<v8::internal::String> v8::internal::StringTable::LookupKey<v8::internal::SequentialStringKey<unsigned char>, v8::internal::Isolate>(v8::internal::Isolate*, v8::internal::SequentialStringKey<unsigned char>*) + 216
    frame #3: 0x00000001002f07fc node`void v8::internal::AstValueFactory::Internalize<v8::internal::Isolate>(v8::internal::Isolate*) + 152
    frame #4: 0x00000001007a468c node`v8::internal::Parser::ParseFunction(v8::internal::Isolate*, v8::internal::ParseInfo*, v8::internal::Handle<v8::internal::SharedFunctionInfo>) + 1688
    frame #5: 0x00000001007c51c0 node`v8::internal::parsing::ParseFunction(v8::internal::ParseInfo*, v8::internal::Handle<v8::internal::SharedFunctionInfo>, v8::internal::Isolate*, v8::internal::parsing::ReportStatisticsMode) + 276
    frame #6: 0x000000010035c14c node`v8::internal::Compiler::Compile(v8::internal::Isolate*, v8::internal::Handle<v8::internal::SharedFunctionInfo>, v8::internal::Compiler::ClearExceptionFlag, v8::internal::IsCompiledScope*, v8::internal::CreateSourcePositions) + 828
    frame #7: 0x000000010035ca88 node`v8::internal::Compiler::Compile(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Compiler::ClearExceptionFlag, v8::internal::IsCompiledScope*) + 236
    frame #8: 0x000000010085b230 node`v8::internal::Runtime_CompileLazy(int, unsigned long*, v8::internal::Isolate*) + 136

Could this be a v8 bug? The stack traces above make me think it isn't specific to Parcel's native addons.

@RedYetiDev RedYetiDev added the node-api Issues and PRs related to the Node-API. label Aug 31, 2024
@RedYetiDev
Member

CC @nodejs/v8 @nodejs/node-api

@devongovett
Contributor

It appears that worker_threads may also be involved here. I cannot reproduce when I disable multi-threading in Parcel. Haven't managed to produce a smaller reproduction yet unfortunately...

@RedYetiDev
Member

👋 Hey, v22.8.0 was just released, is this reproducible in that version?

@wtfnukee

wtfnukee commented Sep 4, 2024

I have the same error while building a project made with npx create-instantsearch-app

$ npm start

> [email protected] start
> parcel index.html --port 3000

(node:57375) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Server running at http://localhost:3000
⠸ Building favicon.png...
malloc(): invalid size (unsorted)
Aborted (core dumped)

It still works at 22.6

@aminya
Author

aminya commented Sep 4, 2024

> 👋 Hey, v22.8.0 was just released, is this reproducible in that version?

Yes, the parcel builds still fail on Node 22.8.0

@LeoniePhiline

I can confirm this is reproducible on Node 22.8.

@RedYetiDev
Member

> Haven't managed to produce a smaller reproduction yet unfortunately...

Hey, does anyone happen to have a smaller reproduction?

@mischnic
Contributor

mischnic commented Sep 8, 2024

I just got a similar error message with Parcel but on Node 20.17 on macOS:

node(2214,0x7ff8463907c0) malloc: Incorrect checksum for freed object 0x7fee87078e00: probably modified after being freed.
Corrupt value: 0x5b00000000000002
node(2214,0x7ff8463907c0) malloc: *** set a breakpoint in malloc_error_break to debug
/bin/sh: line 1:  2214 Abort trap: 6           parcel build src/index.html --public-url ./ --dist-dir build

@joyeecheung
Member

The stacktraces in #54573 (comment) seem to suggest that it might be a more generic bug - maybe some kind of memory corruption - but it is difficult to tell what's going on without a minimal reproduction that doesn't use third-party dependencies.

martijnversluis added a commit to bettermusic/ChordSheetJS that referenced this issue Sep 20, 2024
NodeJS >= 22.7 causes a build error:

nodejs/node#54573
martijnversluis added a commit to bettermusic/ChordSheetJS that referenced this issue Sep 20, 2024
* Bump tsx from 4.17.0 to 4.18.0 (martijnversluis#1321)

Bumps [tsx](https://github.com/privatenumber/tsx) from 4.17.0 to 4.18.0.
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.17.0...v4.18.0)

---
updated-dependencies:
- dependency-name: tsx
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump ts-jest from 29.2.4 to 29.2.5 (martijnversluis#1323)

Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 29.2.4 to 29.2.5.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v29.2.4...v29.2.5)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump eslint from 9.9.0 to 9.9.1 (martijnversluis#1320)

Bumps [eslint](https://github.com/eslint/eslint) from 9.9.0 to 9.9.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.9.0...v9.9.1)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @eslint/js from 9.9.0 to 9.9.1 (martijnversluis#1322)

Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.9.0 to 9.9.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/commits/v9.9.1/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump puppeteer from 23.1.1 to 23.2.1 (martijnversluis#1329)

Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 23.1.1 to 23.2.1.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/release-please-config.json)
- [Commits](puppeteer/puppeteer@puppeteer-v23.1.1...puppeteer-v23.2.1)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump tsx from 4.18.0 to 4.19.0 (martijnversluis#1325)

Bumps [tsx](https://github.com/privatenumber/tsx) from 4.18.0 to 4.19.0.
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.18.0...v4.19.0)

---
updated-dependencies:
- dependency-name: tsx
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump typescript-eslint from 8.2.0 to 8.3.0 (martijnversluis#1326)

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.2.0 to 8.3.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.3.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump eslint-plugin-jest from 28.8.0 to 28.8.2 (martijnversluis#1331)

Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 28.8.0 to 28.8.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v28.8.0...v28.8.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @types/node from 22.5.0 to 22.5.2 (martijnversluis#1330)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.5.0 to 22.5.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @typescript-eslint/parser from 8.2.0 to 8.4.0 (martijnversluis#1333)

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 8.2.0 to 8.4.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.4.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @babel/cli from 7.24.8 to 7.25.6 (martijnversluis#1337)

Bumps [@babel/cli](https://github.com/babel/babel/tree/HEAD/packages/babel-cli) from 7.24.8 to 7.25.6.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.25.6/packages/babel-cli)

---
updated-dependencies:
- dependency-name: "@babel/cli"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump typescript-eslint from 8.3.0 to 8.4.0 (martijnversluis#1336)

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.3.0 to 8.4.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.4.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump puppeteer from 23.2.1 to 23.2.2 (martijnversluis#1335)

Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 23.2.1 to 23.2.2.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/release-please-config.json)
- [Commits](puppeteer/puppeteer@puppeteer-v23.2.1...puppeteer-v23.2.2)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @types/node from 22.5.2 to 22.5.4 (martijnversluis#1341)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.5.2 to 22.5.4.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump eslint-plugin-import from 2.29.1 to 2.30.0 (martijnversluis#1340)

Bumps [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) from 2.29.1 to 2.30.0.
- [Release notes](https://github.com/import-js/eslint-plugin-import/releases)
- [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md)
- [Commits](import-js/eslint-plugin-import@v2.29.1...v2.30.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-import
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump puppeteer from 23.2.2 to 23.3.0 (martijnversluis#1339)

Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 23.2.2 to 23.3.0.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/release-please-config.json)
- [Commits](puppeteer/puppeteer@puppeteer-v23.2.2...puppeteer-v23.3.0)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump eslint from 9.9.1 to 9.10.0 (martijnversluis#1345)

Bumps [eslint](https://github.com/eslint/eslint) from 9.9.1 to 9.10.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.9.1...v9.10.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @eslint/js from 9.9.1 to 9.10.0 (martijnversluis#1344)

Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.9.1 to 9.10.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/commits/v9.10.0/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump eslint-plugin-jest from 28.8.2 to 28.8.3 (martijnversluis#1343)

Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 28.8.2 to 28.8.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v28.8.2...v28.8.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @typescript-eslint/parser from 8.4.0 to 8.5.0 (martijnversluis#1348)

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 8.4.0 to 8.5.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.5.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump tsx from 4.19.0 to 4.19.1 (martijnversluis#1350)

Bumps [tsx](https://github.com/privatenumber/tsx) from 4.19.0 to 4.19.1.
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.19.0...v4.19.1)

---
updated-dependencies:
- dependency-name: tsx
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump typescript from 5.5.4 to 5.6.2 (martijnversluis#1349)

Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.5.4 to 5.6.2.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](microsoft/TypeScript@v5.5.4...v5.6.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump husky from 9.1.5 to 9.1.6 (martijnversluis#1352)

Bumps [husky](https://github.com/typicode/husky) from 9.1.5 to 9.1.6.
- [Release notes](https://github.com/typicode/husky/releases)
- [Commits](typicode/husky@v9.1.5...v9.1.6)

---
updated-dependencies:
- dependency-name: husky
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @types/node from 22.5.4 to 22.5.5 (martijnversluis#1351)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.5.4 to 22.5.5.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump puppeteer from 23.3.0 to 23.3.1 (martijnversluis#1356)

Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 23.3.0 to 23.3.1.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/release-please-config.json)
- [Commits](puppeteer/puppeteer@puppeteer-v23.3.0...puppeteer-v23.3.1)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump @typescript-eslint/parser from 8.5.0 to 8.6.0 (martijnversluis#1355)

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 8.5.0 to 8.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.6.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump puppeteer from 23.3.1 to 23.4.0 (martijnversluis#1357)

Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 23.3.1 to 23.4.0.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/release-please-config.json)
- [Commits](puppeteer/puppeteer@puppeteer-v23.3.1...puppeteer-v23.4.0)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump typescript-eslint from 8.4.0 to 8.6.0 (martijnversluis#1353)

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.4.0 to 8.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.6.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump jsdoc-to-markdown from 8.0.3 to 9.0.1 (martijnversluis#1342)

* Bump jsdoc-to-markdown from 8.0.3 to 9.0.1

Bumps [jsdoc-to-markdown](https://github.com/jsdoc2md/jsdoc-to-markdown) from 8.0.3 to 9.0.1.
- [Release notes](https://github.com/jsdoc2md/jsdoc-to-markdown/releases)
- [Commits](jsdoc2md/jsdoc-to-markdown@v8.0.3...v9.0.1)

---
updated-dependencies:
- dependency-name: jsdoc-to-markdown
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add updated README

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Martijn Versluis <[email protected]>

* Bump @typescript-eslint/eslint-plugin from 7.17.0 to 8.6.0 (martijnversluis#1354)

* Bump @typescript-eslint/eslint-plugin from 7.17.0 to 8.6.0

Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 7.17.0 to 8.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.6.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Redo ESLint configuration

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Martijn Versluis <[email protected]>

* Test with NodeJS 22.6

NodeJS >= 22.7 causes a build error:

nodejs/node#54573

* Do not build on branch push

* Replace all NodeJS 22.x with 22.6

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@devongovett
Contributor

I've reduced at least one of these cases down to a simple reproduction. It requires two typed arrays which are serialized using v8.serialize, and it crashes during v8.deserialize.

let v8 = require('v8');

let data = {
  nodes: new Uint32Array(451),
  edges: new Uint32Array(1155)
};

v8.deserialize(v8.serialize(data));

On macOS with Node v22.9.0 I get:

node(28671,0x1ef3ff240) malloc: Incorrect checksum for freed object 0x134848210: probably modified after being freed.
Corrupt value: 0x0
node(28671,0x1ef3ff240) malloc: *** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Output from lldb:

* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x000000018ac8a600 libsystem_kernel.dylib`__pthread_kill + 8
    frame #1: 0x000000018acc2f70 libsystem_pthread.dylib`pthread_kill + 288
    frame #2: 0x000000018abcf908 libsystem_c.dylib`abort + 128
    frame #3: 0x000000018aad967c libsystem_malloc.dylib`malloc_vreport + 896
    frame #4: 0x000000018ab014a8 libsystem_malloc.dylib`malloc_zone_error + 100
    frame #5: 0x000000018aae5f90 libsystem_malloc.dylib`free_list_checksum_botch + 40
    frame #6: 0x000000018aad2874 libsystem_malloc.dylib`small_free_list_remove_ptr_no_clear + 960
    frame #7: 0x000000018aacfe68 libsystem_malloc.dylib`free_small + 580
    frame #8: 0x00000001005b80f8 node`v8::internal::BackingStore::~BackingStore() + 328
    frame #9: 0x00000001002f142c node`std::__1::__shared_ptr_pointer<v8::internal::BackingStore*, std::__1::default_delete<v8::internal::BackingStore>, std::__1::allocator<v8::internal::BackingStore>>::__on_zero_shared() + 20
    frame #10: 0x00000001004321a8 node`v8::internal::ArrayBufferSweeper::~ArrayBufferSweeper() + 200
    frame #11: 0x00000001004a5948 node`v8::internal::Heap::TearDown() + 480
    frame #12: 0x000000010040a4b4 node`v8::internal::Isolate::Deinit() + 892
    frame #13: 0x000000010040a060 node`v8::internal::Isolate::Delete(v8::internal::Isolate*) + 168
    frame #14: 0x000000010012ad24 node`node::NodeMainInstance::~NodeMainInstance() + 76
    frame #15: 0x00000001000ac0bc node`node::Start(int, char**) + 724

@bnoordhuis
Member

Looks like a legit bug. With v22.9.0 under valgrind on linux:

==1208870== Invalid write of size 1                                                                                                                            
==1208870==    at 0x6A94A13: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)                                                              
==1208870==    by 0xF3C7D5: node::Buffer::(anonymous namespace)::SlowCopy(v8::FunctionCallbackInfo<v8::Value> const&) (in /home/bnoordhuis/bin/node)           
==1208870==    by 0x1D4F5E1: Builtins_CallApiCallbackGeneric (in /home/bnoordhuis/bin/node)                                                                    
==1208870==    by 0x1D4D8DD: Builtins_InterpreterEntryTrampoline (in /home/bnoordhuis/bin/node)                                                                
==1208870==    by 0x1D4B4DB: Builtins_JSEntryTrampoline (in /home/bnoordhuis/bin/node)                                                                         
==1208870==    by 0x1D4B202: Builtins_JSEntry (in /home/bnoordhuis/bin/node)                                                                                   
==1208870==    by 0x139F142: v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) (in /home/bnoordhuis/bin/node)                                                                                                                                     
==1208870==    by 0x13A00B4: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (in /home/bnoordhuis/bin/node)                                                                   
==1208870==    by 0x12505A5: v8::Object::CallAsFunction(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) (in /home/bnoordhuis/bin/node)                                                                                                                                                              
==1208870==    by 0x1035357: node::serdes::DeserializerContext::ReadHostObject(v8::Isolate*) (in /home/bnoordhuis/bin/node)                                    
==1208870==    by 0x178890F: v8::internal::ValueDeserializer::ReadHostObject() (in /home/bnoordhuis/bin/node)                                                  
==1208870==    by 0x17912E3: v8::internal::ValueDeserializer::ReadObjectInternal() (in /home/bnoordhuis/bin/node)                                              
==1208870==  Address 0x2a37d26c is 0 bytes after a block of size 4,620 alloc'd
==1208870==    at 0x6A8A899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1208870==    by 0xE73905: node::NodeArrayBufferAllocator::Allocate(unsigned long) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1484424: v8::internal::Heap::AllocateExternalBackingStore(std::function<void* (unsigned long)> const&, unsigned long) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x15D2C2E: v8::internal::BackingStore::Allocate(v8::internal::Isolate*, unsigned long, v8::internal::SharedFlag, v8::internal::InitializedFlag) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1299AC6: v8::internal::(anonymous namespace)::ConstructBuffer(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::InitializedFlag) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x129B23E: v8::internal::Builtin_ArrayBufferConstructor(int, unsigned long*, v8::internal::Isolate*) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1DEC3B5: Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4A88E: Builtins_JSBuiltinsConstructStub (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1EA2A1C: Builtins_CreateTypedArray (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1DD877A: Builtins_TypedArrayConstructor (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4E3BB: Builtins_InterpreterPushArgsThenFastConstructFunction (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1EE22A8: Builtins_ConstructHandler (in /home/bnoordhuis/bin/node)
...
==1208870==  Address 0x2a341f62 is 1 bytes after a block of size 6,513 alloc'd
==1208870==    at 0x6A8FCD3: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1208870==    by 0x1787590: v8::internal::ValueSerializer::ExpandBuffer(unsigned long) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1787717: v8::internal::ValueSerializer::WriteRawBytes(void const*, unsigned long) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x103646C: node::serdes::SerializerContext::WriteRawBytes(v8::FunctionCallbackInfo<v8::Value> const&) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4F5E1: Builtins_CallApiCallbackGeneric (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4D8DD: Builtins_InterpreterEntryTrampoline (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4B4DB: Builtins_JSEntryTrampoline (in /home/bnoordhuis/bin/node)
==1208870==    by 0x1D4B202: Builtins_JSEntry (in /home/bnoordhuis/bin/node)
==1208870==    by 0x139F142: v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x13A00B4: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x12505A5: v8::Object::CallAsFunction(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) (in /home/bnoordhuis/bin/node)
==1208870==    by 0x10351DB: node::serdes::SerializerContext::WriteHostObject(v8::Isolate*, v8::Local<v8::Object>) (in /home/bnoordhuis/bin/node)

@bnoordhuis bnoordhuis added the confirmed-bug Issues with confirmed bugs. label Sep 28, 2024
@ramidzkh
Contributor

ramidzkh commented Oct 2, 2024

I did a git bisect and found that 9f8f26e (#54087) is the first faulty commit

Asan log

Compiled with ./configure --debug --enable-asan --v8-lite-mode --ninja.

=================================================================
==940543==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x523000014e71 at pc 0x5c456d061247 bp 0x7ffea8486770 sp 0x7ffea8485f30
READ of size 6449 at 0x523000014e71 thread T0
    #0 0x5c456d061246 in __asan_memmove (/git/nodejs/node/out/Debug/node+0x6461246) (BuildId: 78039db21b075505da13c25549fe81d89b95ea50)
    #1 0x5c456d4b8386 in node::Buffer::(anonymous namespace)::SlowCopy(v8::FunctionCallbackInfo<v8::Value> const&) /git/nodejs/node/out/Debug/../../src/node_buffer.cc:590:3
    #2 0x5c4570440aa1 in Builtins_CallApiCallbackGeneric snapshot.cc

0x523000014e71 is located 0 bytes after 6513-byte region [0x523000013500,0x523000014e71)
allocated by thread T0 here:
    #0 0x5c456d063290 in realloc (/git/nodejs/node/out/Debug/node+0x6463290) (BuildId: 78039db21b075505da13c25549fe81d89b95ea50)
    #1 0x5c456f3bfc84 in v8::internal::ValueSerializer::ExpandBuffer(unsigned long) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:415:29
    #2 0x5c456f3bec0d in v8::internal::ValueSerializer::ReserveRawBytes(unsigned long) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:400:10
    #3 0x5c456f3bec0d in v8::internal::ValueSerializer::WriteRawBytes(void const*, unsigned long) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:390:7
    #4 0x5c456d82af08 in node::serdes::SerializerContext::WriteRawBytes(v8::FunctionCallbackInfo<v8::Value> const&) /git/nodejs/node/out/Debug/../../src/node_serdes.cc:282:20
    #5 0x5c4570440aa1 in Builtins_CallApiCallbackGeneric snapshot.cc
    #6 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #7 0x5c457043bfdb in Builtins_JSEntryTrampoline snapshot.cc
    #8 0x5c457043bd02 in Builtins_JSEntry snapshot.cc
    #9 0x5c456e469f41 in v8::internal::GeneratedCode<unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, long, unsigned long**>::Call(unsigned long, unsigned long, unsigned long, unsigned long, long, unsigned long**) /git/nodejs/node/out/Debug/../../deps/v8/src/execution/simulator.h:178:12
    #10 0x5c456e469f41 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) /git/nodejs/node/out/Debug/../../deps/v8/src/execution/execution.cc:418:22
    #11 0x5c456e4686f4 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) /git/nodejs/node/out/Debug/../../deps/v8/src/execution/execution.cc:504:10
    #12 0x5c456de6de00 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) /git/nodejs/node/out/Debug/../../deps/v8/src/api/api.cc:5485:7
    #13 0x5c456d829726 in node::serdes::SerializerContext::WriteHostObject(v8::Isolate*, v8::Local<v8::Object>) /git/nodejs/node/out/Debug/../../src/node_serdes.cc:160:43
    #14 0x5c456d829878 in non-virtual thunk to node::serdes::SerializerContext::WriteHostObject(v8::Isolate*, v8::Local<v8::Object>) /git/nodejs/node/out/Debug/../../src/node_serdes.cc
    #15 0x5c456f3c6057 in v8::internal::ValueSerializer::WriteHostObject(v8::internal::Handle<v8::internal::JSObject>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:1200:18
    #16 0x5c456f3cb359 in v8::internal::ValueSerializer::WriteJSArrayBufferView(v8::internal::Tagged<v8::internal::JSArrayBufferView>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:1006:12
    #17 0x5c456f3c23cc in v8::internal::ValueSerializer::WriteJSReceiver(v8::internal::Handle<v8::internal::JSReceiver>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:645:14
    #18 0x5c456f3c0e6b in v8::internal::ValueSerializer::WriteObject(v8::internal::Handle<v8::internal::Object>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:502:14
    #19 0x5c456f3c69bf in v8::internal::ValueSerializer::WriteJSObject(v8::internal::Handle<v8::internal::JSObject>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:706:10
    #20 0x5c456f3c2146 in v8::internal::ValueSerializer::WriteJSReceiver(v8::internal::Handle<v8::internal::JSReceiver>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:622:16
    #21 0x5c456f3c0dc3 in v8::internal::ValueSerializer::WriteObject(v8::internal::Handle<v8::internal::Object>) /git/nodejs/node/out/Debug/../../deps/v8/src/objects/value-serializer.cc:509:16
    #22 0x5c456de451cf in v8::ValueSerializer::WriteValue(v8::Local<v8::Context>, v8::Local<v8::Value>) /git/nodejs/node/out/Debug/../../deps/v8/src/api/api.cc:3527:45
    #23 0x5c456d829c28 in node::serdes::SerializerContext::WriteValue(v8::FunctionCallbackInfo<v8::Value> const&) /git/nodejs/node/out/Debug/../../src/node_serdes.cc:191:24
    #24 0x5c4570440aa1 in Builtins_CallApiCallbackGeneric snapshot.cc
    #25 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #26 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #27 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #28 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #29 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #30 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc
    #31 0x5c457043ecdd in Builtins_InterpreterEntryTrampoline snapshot.cc

SUMMARY: AddressSanitizer: heap-buffer-overflow (/git/nodejs/node/out/Debug/node+0x6461246) (BuildId: 78039db21b075505da13c25549fe81d89b95ea50) in __asan_memmove
Shadow bytes around the buggy address:
  0x523000014b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x523000014c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x523000014c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x523000014d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x523000014d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x523000014e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x523000014e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x523000014f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x523000014f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x523000015000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x523000015080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==940543==ABORTING

@bnoordhuis
Member

cc @ronag

@ronag
Member

ronag commented Oct 2, 2024

Can someone who can reproduce check if the following fixes the issue?

diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index ad6b794cf5d..6b2551c72fe 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -568,6 +568,9 @@ void StringSlice(const FunctionCallbackInfo<Value>& args) {
 void SlowCopy(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
+  THROW_AND_RETURN_UNLESS_BUFFER(env, args[0]);
+  THROW_AND_RETURN_UNLESS_BUFFER(env, args[1]);
+
   ArrayBufferViewContents<char> source(args[0]);
   SPREAD_BUFFER_ARG(args[1].As<Object>(), target);
 
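Review bot: the two THROW_AND_RETURN_UNLESS_BUFFER guards added at the top of SlowCopy only type-check args[0] and args[1]; they say nothing about the offsets or the byte count, so the memmove later in the function still runs with whatever to_copy the caller supplied. The type check is worth keeping, but on its own it cannot stop an over-read of `source` or an over-write of `target`.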
@@ -575,6 +578,11 @@ void SlowCopy(const FunctionCallbackInfo<Value>& args) {
   const auto source_start = args[3]->Uint32Value(env->context()).ToChecked();
   const auto to_copy = args[4]->Uint32Value(env->context()).ToChecked();
 
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[2], 0, &target_start));
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[3], 0, &source_start));
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[4], source.length(),
+                                          &source_end));
+
   memmove(target_data + target_start, source.data() + source_start, to_copy);
   args.GetReturnValue().Set(to_copy);
 }
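Review bot: this hunk does not compile as written: `source_end` is never declared, and `target_start` and `source_start` are `const auto` values from Uint32Value, so `&target_start` and `&source_start` cannot be handed to ParseArrayIndex as writable out-parameters. Beyond that, the third call parses args[4] relative to `source.length()` into `source_end`, while the memmove two lines later still uses `to_copy` unchanged as the byte count, so the new check does not bound the copy at all; what is missing is a check that `source_start + to_copy <= source.length()` and that `target_start + to_copy` does not exceed the target length that SPREAD_BUFFER_ARG provides, both before the memmove.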

@yellows111

I found this reproduction example interesting. Here are some other reproductions; any lower number than these works fine, and higher numbers crash.
v8.deserialize(v8.serialize({a: new Int32Array(1024)}))
v8.deserialize(v8.serialize({b: new Int16Array(8192)}))
v8.deserialize(v8.serialize({c: new Uint32Array(1024)}))
v8.deserialize(v8.serialize({d: new Uint16Array(8192)}))

no bug with (Ui|I)nt8Arrays, only multibytes, from what I can tell.

@ramidzkh
Contributor

ramidzkh commented Oct 2, 2024

@ronag The changes in SlowCopy didn't compile (from current HEAD or that first failing commit). I've never coded in here before, but I tried changing the patch to:

diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index cd51d9acf9..77fb90e0e3 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -569,12 +569,20 @@ void StringSlice(const FunctionCallbackInfo<Value>& args) {
 void SlowCopy(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
+  THROW_AND_RETURN_UNLESS_BUFFER(env, args[0]);
+  THROW_AND_RETURN_UNLESS_BUFFER(env, args[1]);
+
   ArrayBufferViewContents<char> source(args[0]);
   SPREAD_BUFFER_ARG(args[1].As<Object>(), target);
 
-  const auto target_start = args[2]->Uint32Value(env->context()).ToChecked();
-  const auto source_start = args[3]->Uint32Value(env->context()).ToChecked();
-  const auto to_copy = args[4]->Uint32Value(env->context()).ToChecked();
+  size_t target_start = args[2]->Uint32Value(env->context()).ToChecked();
+  size_t source_start = args[3]->Uint32Value(env->context()).ToChecked();
+  size_t to_copy = args[4]->Uint32Value(env->context()).ToChecked();
+
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[2], 0, &target_start));
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[3], 0, &source_start));
+  THROW_AND_RETURN_IF_OOB(ParseArrayIndex(env, args[4], source.length(),
+                                         &to_copy));
 
   memmove(target_data + target_start, source.data() + source_start, to_copy);
   args.GetReturnValue().Set(to_copy);
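Review bot: the three ParseArrayIndex calls here parse each argument separately (with 0, 0 and `source.length()` as defaults) but never relate them, so `source_start + to_copy` can still exceed `source.length()` and `target_start + to_copy` can still exceed the target's length when the memmove runs, which is consistent with the crash staying in the same place. For a caller that hands an end offset in as the fifth argument, the check that would actually fire is `THROW_AND_RETURN_IF_OOB` on `source_start + to_copy <= source.length()` together with the corresponding target bound; or, more simply, the caller should pass a length.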

but it still causes a crash in the same place.

@ronag
Member

ronag commented Oct 3, 2024

@joyeecheung any insights? I don't understand how Buffer even comes into the picture here... e.g. v8.deserialize(v8.serialize({a: new Int32Array(1024)}))

@ronag
Member

ronag commented Oct 3, 2024

but it still causes a crash in the same place.

@ramidzkh the same crash?

@ramidzkh
Contributor

ramidzkh commented Oct 3, 2024

Yes. Maybe it's because memmove is being passed the end offset and not the length?

@targos
Member

targos commented Oct 3, 2024

@ronag v8.serialize({a: new Int32Array(1024)}) returns a Buffer instance

@ronag
Member

ronag commented Oct 3, 2024

How? Buffer is not part of v8.

@ramidzkh (Contributor) commented Oct 3, 2024

Found it. copy comes from internalBinding('buffer').

node/lib/v8.js, lines 370 to 374 in b2161d3:

    const buffer_copy = Buffer.allocUnsafe(byteLength);
    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
    return new ctor(buffer_copy.buffer,
                    buffer_copy.byteOffset,
                    byteLength / BYTES_PER_ELEMENT);

@ramidzkh (Contributor) commented Oct 3, 2024

diff --git a/lib/v8.js b/lib/v8.js
index b687d8709c..a0145d0588 100644
--- a/lib/v8.js
+++ b/lib/v8.js
@@ -368,7 +368,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    this.buffer.copy(buffer_copy, 0, byteOffset, byteOffset + byteLength);
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);
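Review bot: with Buffer.prototype.copy(target, targetStart, sourceStart, sourceEnd) the existing `byteOffset + byteLength` becomes the correct fourth argument, because that method takes an end offset and clamps it to both the source and the target, so the overrunning memmove goes away; the caveat is that the method only exists on Buffer, while the Deserializer constructor also accepts a plain TypedArray or DataView, on which `this.buffer.copy` is undefined. Either coerce the input to a Buffer once in the constructor or keep the internal `copy` binding and pass a length instead of an end offset, and add a test that deserializes from a Uint8Array view with a non-zero byteOffset.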

this seems like enough to stop it from crashing??

@ramidzkh (Contributor) commented Oct 4, 2024

I think this is a proper fix (unsure about pathological or malformed inputs):

diff --git a/lib/v8.js b/lib/v8.js
index b687d8709c..b506d96139 100644
--- a/lib/v8.js
+++ b/lib/v8.js
@@ -368,7 +368,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    copy(this.buffer, buffer_copy, 0, byteOffset, byteLength);
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);
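Review bot: passing `byteLength` as the last argument matches the binding's length parameter (named `to_copy` in the node_buffer.cc hunk earlier in this thread), but it only covers well-formed input: if byteOffset + byteLength exceeds this.buffer.length, as with a truncated or malformed payload, the binding hands that length to memmove with no clamp of its own, so the "pathological or malformed inputs" concern stands. Check `byteOffset + byteLength <= this.buffer.length` before the call and throw ERR_OUT_OF_RANGE from internal/errors when it fails, or use this.buffer.copy, which clamps.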

I tried running the tests and I'm failing a few, but they don't seem to be related to this? Might just be timing issues tbh.

-[16:22|% 100|+ 4193|-  17]: Done
+[16:12|% 100|+ 4195|-  15]: Done
 
 Failed tests:
-out/Debug/node /git/nodejs/node/test/parallel/test-child-process-advanced-serialization.js
-out/Debug/node /git/nodejs/node/test/parallel/test-cli-node-options.js
 out/Debug/node --expose-internals --no-warnings --allow-natives-syntax /git/nodejs/node/test/parallel/test-debug-v8-fast-api.js
-out/Debug/node --expose-internals /git/nodejs/node/test/parallel/test-v8-serdes.js
 out/Debug/node /git/nodejs/node/test/parallel/test-worker-memory.js
 out/Debug/node /git/nodejs/node/test/parallel/test-worker-init-failure.js
+out/Debug/node /git/nodejs/node/test/parallel/test-worker-http2-stream-terminate.js
 out/Debug/node /git/nodejs/node/test/parallel/test-worker-stack-overflow.js
 out/Debug/node /git/nodejs/node/test/parallel/test-worker-stack-overflow-stack-size.js
 out/Debug/node /git/nodejs/node/test/wpt/test-encoding.js
 out/Debug/node /git/nodejs/node/test/wpt/test-performance-timeline.js
 out/Debug/node /git/nodejs/node/test/wpt/test-streams.js
 out/Debug/node /git/nodejs/node/test/wpt/test-url.js
 out/Debug/node /git/nodejs/node/test/wpt/test-user-timing.js
 out/Debug/node /git/nodejs/node/test/wpt/test-webcrypto.js
 out/Debug/node /git/nodejs/node/test/sequential/test-single-executable-application-empty.js
 out/Debug/node /git/nodejs/node/test/sequential/test-worker-fshandles-error-on-termination.js
 out/Debug/node /git/nodejs/node/test/sequential/test-worker-fshandles-open-close-on-termination.js

@ronag (Member) commented Oct 4, 2024

I think using buffer.copy is the proper fix. Would you mind opening a PR?

ronag added a commit to nxtedition/node that referenced this issue Oct 4, 2024
@ramidzkh (Contributor) commented Oct 4, 2024

You seem to have much more experience in this domain, take it from here :)

ronag added a commit to nxtedition/node that referenced this issue Oct 4, 2024
Fixes: nodejs#54573

Co-authored-by: ronag <[email protected]>
Co-authored-by: ramidzkh <[email protected]>
@mhdawson removed the node-api label (Issues and PRs related to the Node-API) Oct 4, 2024
ronag added a commit to nxtedition/node that referenced this issue Oct 5, 2024
nodejs-github-bot pushed a commit that referenced this issue Oct 7, 2024
Fixes: #54573

Co-authored-by: ronag <[email protected]>
Co-authored-by: ramidzkh <[email protected]>
PR-URL: #55261
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
aduh95 pushed a commit that referenced this issue Oct 9, 2024 (PR-URL: #55261)
17 participants