Node: Unknown problem

Created on 19 Jul 2016 · 12 Comments · Source: nodejs/node

  • Version: 6.3
  • Platform: 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

After updating from v0.10.13 to v6.3, I began to get random errors. Here is one of them:

*** Error in `node': free(): invalid size: 0x0000000003461aa0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7d053)[0x7f07fe175053]
node(_ZN2v88internal18ArrayBufferTracker8FreeDeadEb+0x55)[0xc43965]
node(_ZN2v88internal20MarkCompactCollector29EvacuateNewSpaceAndCandidatesEv+0xd6)[0xc7f096]
node(_ZN2v88internal20MarkCompactCollector14CollectGarbageEv+0x29)[0xc80479]
node(_ZN2v88internal4Heap11MarkCompactEv+0x6d)[0xc5e86d]
node(_ZN2v88internal4Heap24PerformGarbageCollectionENS0_16GarbageCollectorENS_15GCCallbackFlagsE+0x4b0)[0xc5eec0]
node(_ZN2v88internal4Heap14CollectGarbageENS0_16GarbageCollectorEPKcS4_NS_15GCCallbackFlagsE+0x142)[0xc5f1b2]
node(_ZN2v88internal4Heap15HandleGCRequestEv+0x84)[0xc603b4]
node(_ZN2v88internal10StackGuard16HandleInterruptsEv+0x31c)[0xc1434c]
node(_ZN2v88internal18Runtime_StackGuardEiPPNS0_6ObjectEPNS0_7IsolateE+0x45)[0xe30fa5]
[0x2cd81bf0961b]

Where can I find the problem?

V8 Engine

All 12 comments

Have you got any example code or an explanation of what you're doing that fails? Seems something pretty catastrophic is happening

@FarmHitman Could you provide a minimal reproducible testcase? Does this still happen if you disable all native add-on modules?

@gareth-ellis It's a game server with the net module. Errors always occur at random. In the Login server I have this problem too, but very funny:

console.log(1);
//Some code processing request
console.log(2);
console.log(socket.session)
console.log(3);
___________________
Output:
1
2
Error

Another option:

console.log(1);
//Some code processing request
console.log(2);
console.log(JSON.stringify(socket.session))
console.log(3);
_________________
Output:
1
2
Here JSON
3

Also I got errors: double free or corruption(out), munmap_chunk(). In version 0.10.13 it worked stably.

/cc @nodejs/v8

Does find . -name \*.node find anything when you run it from your project directory?

can you compile with ASAN and paste what it reports?

/cc @mlippautz

@bnoordhuis
./build/Release/obj.target/Xor.node
./build/Release/Xor.node

void XorWork(const FunctionCallbackInfo<Value>& args) {
    Isolate* isolate = args.GetIsolate();
    char* PketRev = node::Buffer::Data(args[0]->ToObject());
    PaketXor((BYTE*)PketRev);
    int length = (int)*(WORD*)(&PketRev[0]);
    Local<Object> slowBuffer = node::Buffer::New(isolate, PketRev, length).ToLocalChecked();
    args.GetReturnValue().Set(slowBuffer);
}

Code from function PaketXor I can't send.

Local<Object> slowBuffer = node::Buffer::New(isolate, PketRev, length).ToLocalChecked();

Should be

Local<Object> slowBuffer = node::Buffer::Copy(isolate, PketRev, length).ToLocalChecked();

@trevnorris Thank you, it works! But why does New have problems?

@FarmHitman Because Buffer::New() uses the pointer it's given, while Buffer::Copy() does a memcpy() of the char* passed in. Focusing on these two lines:

char* PketRev = node::Buffer::Data(args[0]->ToObject());
Local<Object> slowBuffer = node::Buffer::New(isolate, PketRev, length).ToLocalChecked();

There are now two Buffers that point to the same char*. When one is free()'d the pointer to the other Buffer becomes invalid.

Though, looking at it now I wonder. It looks like you want to modify the Buffer in place. If so then the function could be reduced down to the following:

void XorWork(const FunctionCallbackInfo<Value>& args) {
    PaketXor((BYTE*)node::Buffer::Data(args[0]));
    args.GetReturnValue().Set(args[0]);
}

Note that Buffers are not zero terminated, so your cast of (int)*(WORD*)(&PketRev[0]) will lead to all sorts of unexpected behavior. Instead you should be using node::Buffer::Length(args[0]). Taking note of this, your call of PaketXor((BYTE*)PketRev) worries me. There's no way for PaketXor() to know how long the data is. With this in mind, the function call should most likely be (adding guards to prevent an abort):

void XorWork(const FunctionCallbackInfo<Value>& args) {
    if (!node::Buffer::HasInstance(args[0]))
        return;  // handle this how you want.
    PaketXor(reinterpret_cast<uint8_t*>(node::Buffer::Data(args[0])),
             node::Buffer::Length(args[0]));
    args.GetReturnValue().Set(args[0]);
}
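
The ownership problem described in the answer above, modelled without Node.js as an added example (not code from the thread or from the Node.js project). `Heap`, `Buf`, `dup_block` and `bad_frees_after` are hypothetical names; a toy allocator counts invalid releases instead of actually calling free() twice.

```cpp
// Added illustration: Heap, Buf, dup_block and bad_frees_after are
// hypothetical names, not Node.js or V8 APIs.
#include <cstddef>
#include <cstring>
#include <map>

// Toy allocator that records every block, so an invalid release is counted
// instead of corrupting the real heap.
struct Heap {
    std::map<char*, bool> live;  // block -> still allocated?
    int bad_frees = 0;           // releases of a block that is not live
    char* alloc(size_t n) {
        char* p = new char[n]();
        live[p] = true;
        return p;
    }
    void release(char* p) {
        auto it = live.find(p);
        if (it == live.end() || !it->second) { ++bad_frees; return; }
        it->second = false;
        delete[] p;
    }
};

// Owning buffer: the destructor releases data, like a Buffer being collected.
struct Buf {
    Heap& heap; char* data; size_t len;
    Buf(Heap& h, char* d, size_t n) : heap(h), data(d), len(n) {}
    ~Buf() { heap.release(data); }
};

// What Buffer::Copy() adds over Buffer::New(): a fresh block plus memcpy().
char* dup_block(Heap& h, const char* src, size_t n) {
    return static_cast<char*>(std::memcpy(h.alloc(n), src, n));
}

// Counts invalid releases once the input and the returned buffer both die.
int bad_frees_after(bool use_copy) {
    Heap h;
    {
        Buf input(h, h.alloc(16), 16);  // the Buffer passed in from JS
        // New-style: adopt the input's pointer. Copy-style: own a duplicate.
        char* p = use_copy ? dup_block(h, input.data, input.len) : input.data;
        Buf result(h, p, input.len);
    }  // both destructors run here, standing in for a GC cycle
    return h.bad_frees;
}
```

`bad_frees_after(false)` reports one invalid release (the second owner of the shared pointer), while `bad_frees_after(true)` reports none.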

Closing as I think this was answered. Feel free to reopen if I'm mistaken!
