worker: fix nullptr deref after MessagePort deser failure

addaleax · MylesBorins · commit 4f28da883fbd · 2018-12-25T02:35:55.000-05:00
This would previously always have crashed when deserializing a `MessagePort` fails, because there was always at least one `nullptr` entry in the vector. PR-URL: #25076 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
@@ -90,7 +90,8 @@ MaybeLocal<Value> Message::Deserialize(Environment* env,
     if (ports[i] == nullptr) {
       for (MessagePort* port : ports) {
         // This will eventually release the MessagePort object itself.
-        port->Close();
+        if (port != nullptr)
+          port->Close();
       }
       return MaybeLocal<Value>();
     }
diff --git a/test/parallel/test-worker-messageport-transfer-terminate.js b/test/parallel/test-worker-messageport-transfer-terminate.js
@@ -0,0 +1,18 @@
+// Flags: --experimental-worker
+'use strict';
+require('../common');
+const { Worker, MessageChannel } = require('worker_threads');
+
+// Check the interaction of calling .terminate() while transferring
+// MessagePort objects; in particular, that it does not crash the process.
+
+for (let i = 0; i < 10; ++i) {
+  const w = new Worker(
+    "require('worker_threads').parentPort.on('message', () => {})",
+    { eval: true });
+  setImmediate(() => {
+    const port = new MessageChannel().port1;
+    w.postMessage({ port }, [ port ]);
+    w.terminate();
+  });
+}

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,8 @@ MaybeLocal<Value> Message::Deserialize(Environment* env,`
`90`	`90`	`if (ports[i] == nullptr) {`
`91`	`91`	`for (MessagePort* port : ports) {`
`92`	`92`	`// This will eventually release the MessagePort object itself.`
`93`		`- port->Close();`
	`93`	`+ if (port != nullptr)`
	`94`	`+ port->Close();`
`94`	`95`	`}`
`95`	`96`	`return MaybeLocal<Value>();`
`96`	`97`	`}`