"deserializer.readDouble()" results in an abort

[zyscoder]

• Version: v14.14.0
• Platform: Linux 5.8.0-38-generic The binary and long term compatibility with node #43~20.04.1-Ubuntu SMP Tue Jan 12 16:39:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
• Subsystem: deserializer.readDouble()

What steps will reproduce the bug?

Setup a node instance,

» node

and run the following javascript code.

new v8.Deserializer(new v8.Serializer().releaseBuffer()).readDouble()

Then an abort occurs.

How often does it reproduce? Is there a required condition?

This abort can always be triggered following the steps above.

What is the expected behavior?

If any error occurs, an exception or other similar error-reporting stuff should be thrown. There is no reason to abort the whole node process.

What do you see instead?

» node
> new v8.Deserializer(new v8.Serializer().releaseBuffer()).readDouble()
[1]    452627 segmentation fault (core dumped)  /path/to/node-v14.14.0/node
                                                                                                                                                                                                                                                 

Additional information

[EladKeyshawn]

Hey there ! 😄 I wanted to suggest a fix I'm not really sure about all the conventions
so I'd be happy if someone could check my PR: #38031

[aduh95]

I can reproduce on master.

[RaisinTen]

Should this remain open anymore? The fix for this seems to have landed already in v8 at https://chromium-review.googlesource.com/c/v8/v8/+/2801353.

[cjihrig]

I plan to open a PR to bring that commit into Node later today.