worker: fix race condition in node_messaging.cc

`AddToIncomingQueue()` relies on `owner_` only being modified with `mutex_` being locked, but in these two places, that didn’t happen. Modify them to use `Detach()` instead, which has the same effect as setting `owner_ = nullptr` here, but does it with proper locking. This race condition probably only shows up in practice when Node.js is compiled in debug mode, because the compiler eliminates the duplicate load in `AddToIncomingQueue()` when compiling with optimizations enabled. PR-URL: #33429 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
nodejs · Jun 7, 2020 · 4776746 · 4776746
1 parent eb9417a
commit 4776746
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
@@ -494,8 +494,7 @@ void MessagePortData::Disentangle() {
 }
 
 MessagePort::~MessagePort() {
-  if (data_)
-    data_->owner_ = nullptr;
+  if (data_) Detach();
 }
 
 MessagePort::MessagePort(Environment* env,
@@ -692,10 +691,9 @@ void MessagePort::OnMessage() {
 void MessagePort::OnClose() {
   Debug(this, "MessagePort::OnClose()");
   if (data_) {
-    data_->owner_ = nullptr;
-    data_->Disentangle();
+    // Detach() returns move(data_).
+    Detach()->Disentangle();
   }
-  data_.reset();
 }
 
 std::unique_ptr<MessagePortData> MessagePort::Detach() {