handle the case where the reference is not deleted in its destructor

Gabriel Schulhof · Gabriel Schulhof · commit 55cfe379a0ab · 2021-02-11T02:08:55.000Z
diff --git a/src/js_native_api_v8.cc b/src/js_native_api_v8.cc
@@ -281,10 +281,10 @@ class RefBase : protected Finalizer, RefTracker {
     // this is safe because if a request to delete the reference
     // is made in the finalize_callback it will defer deletion
     // to this block and set _delete_self to true
+    _finalize_ran = true;
+
     if (_delete_self || is_env_teardown) {
       Delete(this);
-    } else {
-      _finalize_ran = true;
     }
   }
 
diff --git a/test/js-native-api/test_reference_double_free/test.js b/test/js-native-api/test_reference_double_free/test.js
@@ -7,4 +7,5 @@ const { buildType } = require('../../common');
 
 const addon = require(`./build/${buildType}/test_reference_double_free`);
 
-{ new addon.MyObject(); }
+{ new addon.MyObject(true); }
+{ new addon.MyObject(false); }
diff --git a/test/js-native-api/test_reference_double_free/test_reference_double_free.c b/test/js-native-api/test_reference_double_free/test_reference_double_free.c
@@ -2,19 +2,41 @@
 #include <js_native_api.h>
 #include "../common.h"
 
+static size_t g_call_count = 0;
+
 static void Destructor(napi_env env, void* data, void* nothing) {
   napi_ref* ref = data;
   NODE_API_CALL_RETURN_VOID(env, napi_delete_reference(env, *ref));
   free(ref);
 }
 
+static void NoDeleteDestructor(napi_env env, void* data, void* hint) {
+  napi_ref* ref = data;
+  size_t* call_count = hint;
+
+  // This destructor must be called exactly once.
+  if ((*call_count) > 0) abort();
+  *call_count = ((*call_count) + 1);
+  free(ref);
+}
+
 static napi_value New(napi_env env, napi_callback_info info) {
-  size_t argc = 0;
-  napi_value js_this;
+  size_t argc = 1;
+  napi_value js_this, js_delete;
+  bool delete;
   napi_ref* ref = malloc(sizeof(*ref));
 
-  NODE_API_CALL(env, napi_get_cb_info(env, info, &argc, NULL, &js_this, NULL));
-  NODE_API_CALL(env, napi_wrap(env, js_this, ref, Destructor, NULL, ref)); 
+  NODE_API_CALL(env,
+      napi_get_cb_info(env, info, &argc, &js_delete, &js_this, NULL));
+  NODE_API_CALL(env, napi_get_value_bool(env, js_delete, &delete));
+
+  if (delete) {
+    NODE_API_CALL(env,
+        napi_wrap(env, js_this, ref, Destructor, NULL, ref));
+  } else {
+    NODE_API_CALL(env,
+        napi_wrap(env, js_this, ref, NoDeleteDestructor, &g_call_count, ref));
+  }
   NODE_API_CALL(env, napi_reference_ref(env, *ref, NULL));
 
   return js_this;

Original file line number	Diff line number	Diff line change
`@@ -281,10 +281,10 @@ class RefBase : protected Finalizer, RefTracker {`
`281`	`281`	`// this is safe because if a request to delete the reference`
`282`	`282`	`// is made in the finalize_callback it will defer deletion`
`283`	`283`	`// to this block and set _delete_self to true`
	`284`	`+ _finalize_ran = true;`
	`285`	`+`
`284`	`286`	`if (_delete_self \|\| is_env_teardown) {`
`285`	`287`	`Delete(this);`
`286`		`- } else {`
`287`		`- _finalize_ran = true;`
`288`	`288`	`}`
`289`	`289`	`}`
`290`	`290`