Ctor has to be added as memset to 0 is no longer an option, since
the structure now has a std::vector member.
Attempt at fixing nodejs/node#8155 (so far I was not able to repro it)
PR-URL: https://github.com/nodejs/node/pull/8536
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This test executes a simple debug session over the inspector protocol.
PR-URL: https://github.com/nodejs/node/pull/8429
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
    CVE-2016-6304 ("OCSP Status Request extension unbounded memory
    growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
    a crash when using CRLs, CVE-2016-7052.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
  - Remove support for loading dynamic third-party engine modules.
    An attacker may be able to hide malicious code to be inserted
    into Node.js at runtime by masquerading as one of the dynamic
    engine modules. Originally reported by Ahmed Zaki (Skype).
    (Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
  the `reason` argument in `ServerResponse#writeHead()`. Fixes a
  possible response splitting attack vector. This introduces a new
  case where `throw` may occur when configuring HTTP responses, users
  should already be adopting try/catch here. Originally reported
  independently by Evan Lucas and Romain Gaucher.
  (Evan Lucas) https://github.com/nodejs/node-private/pull/60
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated.
  (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
  crypto.pbkdf2() would cause a fatal error
  (Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in the
  wildcard string. Originally reported by Alexander Minozhenko and
  James Bunton (Atlassian).
  (Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
  (Myles Borins) https://github.com/nodejs/node/pull/8673
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.
Fixes: https://github.com/nodejs/node/issues/8571
PR-URL: https://github.com/nodejs/node/pull/8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This commit attempts to address one of the items in
https://github.com/nodejs/node/issues/4641 which is related to
src/pipe_wrap.cc and src/tcp_wrap.cc.
Currently both pipe_wrap.cc and tcp_wrap.cc contain AfterConnect
functions that are almost identical. This commit extracts this function
into ConnectionWrap so that both can share it.
PR-URL: https://github.com/nodejs/node/pull/8448
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
They seem to have been introduced as "convenience methods" in commit
75adde0 ("src: remove `node_isolate` from source") for reasons I can
only guess at but they can be removed without much hassle.
PR-URL: https://github.com/nodejs/node/pull/8427
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Conflicts:
src/env.h
Reinstate crypto.timingSafeEqual() which was reverted due to test
issues. The flaky test issues are resolved in this new changeset.
PR-URL: https://github.com/nodejs/node/pull/8304
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Commit a01e8bc (src: moving f function call comment, 2016-09-04) moved
a comment to be closer to the place in the code it was describing.
While working on this there was feedback on the comment
itself:
https://github.com/nodejs/node/commit/a01e8bcf189bd598d496f347f60007bc2211e528#comments
This PR includes the suggestions in the above comments.
PR-URL: https://github.com/nodejs/node/pull/8416
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
`malloc(0)` may return NULL on some platforms. Do not report
out-of-memory error unless `malloc` was passed a number greater than
`0`.
PR-URL: https://github.com/nodejs/node/pull/8352
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
malloc(0) and realloc(ptr, 0) have implementation-defined behavior in
that the standard allows them to either return a unique pointer or a
nullptr for zero-sized allocation requests. Normalize by always using
a nullptr.
- Introduce node::malloc, node::realloc and node::calloc that should
be used throughout our source.
- Update all existing node source files to use the new functions
instead of the native allocation functions.
Fixes: https://github.com/nodejs/node/issues/7549
PR-URL: https://github.com/nodejs/node/pull/7564
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Conflicts:
src/node.cc
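The zero-size normalization described in the two commit messages above (PR 8352 and PR 7564), as an added C example that is not part of the commit log or of the Node.js source. The names `norm_malloc`, `norm_realloc`, `norm_calloc`, `raw_realloc` and `oom_reports` are hypothetical, and the multiplication overflow check in `norm_calloc` is an addition the commits do not mention.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; this is not Node.js source. */
typedef void *(*raw_realloc_fn)(void *, size_t);
static raw_realloc_fn raw_realloc = realloc; /* swappable to simulate failure */
static int oom_reports = 0;                  /* stands in for a fatal OOM handler */

static void report_oom(void) { oom_reports++; }
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Zero-size requests free the block and return NULL on every platform,
 * so NULL from a non-zero request can only mean allocation failure. */
void *norm_realloc(void *ptr, size_t size) {
  if (size == 0) {
    free(ptr);
    return NULL;
  }
  void *p = raw_realloc(ptr, size);
  if (p == NULL) report_oom();
  return p;
}

void *norm_malloc(size_t size) { return norm_realloc(NULL, size); }

void *norm_calloc(size_t n, size_t size) {
  if (n != 0 && size > (size_t)-1 / n) { /* n * size would overflow */
    report_oom();
    return NULL;
  }
  void *p = norm_malloc(n * size);
  if (p != NULL) memset(p, 0, n * size);
  return p;
}

int main(void) {
  void *p = norm_malloc(0);
  printf("malloc(0) -> %p, oom reports: %d\n", p, oom_reports);
  raw_realloc = failing_realloc;
  p = norm_malloc(16);
  printf("failed malloc(16) -> %p, oom reports: %d\n", p, oom_reports);
  return 0;
}
```

Callers of such wrappers must treat NULL as a valid result for a zero-length request and must not dereference it or pass it to code that assumes a non-null pointer.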
It seems that it is possible with some toolchains for both `__GLIBC__`
and `__UCLIBC__` to be defined, confusing our "do we have execinfo.h?"
logic.
Assume that when `__UCLIBC__` is defined, we are dealing with a libc
that does not have execinfo.h.
Fixes: https://github.com/nodejs/node/issues/8233
PR-URL: https://github.com/nodejs/node/pull/8308
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The comment about calling the f function seems to have drifted
a little. Moving it to be closer to the actual call.
PR-URL: https://github.com/nodejs/node/pull/8405
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Changes inspector integration to use Node.js script file name as target
title (reported in JSON and shown in developer tools UIs). It will also
report file:// URL for the script as some tools seem to use that field
to open the script in the editor.
PR-URL: https://github.com/nodejs/node/pull/8243
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Conflicts:
src/node.cc
node.cc had two functions with the name AtExit with entirely different
purposes:
* node::AtExit(): file static; used to register the atexit(3) handler
for the Node process.
* node::AtExit(void (*)(void*), void*): publicly exported symbol that
addons can use to request callbacks upon exit.
For code readability it is better to avoid the unintentional overload.
PR-URL: https://github.com/nodejs/node/pull/8273
Reviewed-By: addaleax - Anna Henningsen <anna@addaleax.net>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This fixes a race condition when messages are coming while V8 is still
dispatching the previous batch.
PR-URL: https://github.com/nodejs/node/pull/8264
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This change simplifies buffer management to address a number of issues
that the original implementation had.
The original implementation was trying to reduce the number of allocations
by providing regions of the internal buffer to libuv IO code. This
introduced some potential use-after-free issues if the buffer grows
(or shrinks) while there's a pending read. It also had some confusing
math that resulted in issues on the Windows version of libuv.
PR-URL: https://github.com/nodejs/node/pull/8257
Fixes: https://github.com/nodejs/node/issues/8155
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Set the `req.buffer` property, which serves as a way of keeping
a `Buffer` alive that is being written to a stream, on the C++
side instead of the JS side.
This closes a hole where buffers that were temporarily created
in order to write strings with uncommon encodings (e.g. `hex`)
were passed to the native side without being set as `req.buffer`.
Fixes: https://github.com/nodejs/node/issues/8251
PR-URL: https://github.com/nodejs/node/pull/8252
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
If the user performs an action (e.g. stepOver on a native call)
that requests a program break and then disconnects the DevTools frontend,
AgentImpl won't be disconnected until another message arrives from the frontend.
The root of the issue:
1. Inspector requests program break.
2. User requests disconnect (e.g. refresh page with DevTools frontend).
3. On program break V8Inspector calls runMessageLoopOnPause on
V8NodeInspector.
4. Message loop will wait until the next message from the frontend.
5. After that message the Agent will be disconnected.
We can dispatch all pending messages on step 3 to solve the problem.
PR-URL: https://github.com/nodejs/node/pull/8021
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Remove strings from the PER_ISOLATE_STRING_PROPERTIES list that are
only used once during initialization. It's less expensive to simply
create them when needed than turn them into v8::Eternal instances.
PR-URL: https://github.com/nodejs/node/pull/8207
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove unused strings from the PER_ISOLATE_STRING_PROPERTIES list.
PR-URL: https://github.com/nodejs/node/pull/8207
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The node.js script was renamed to bootstrap_node.js as part of
81b6882e51. Several comments were
missed in src/node.cc that referred to the old file name.
This commit updates the comments to refer to bootstrap_node.js and
correct the path to this file where used.
It also moves a comment that seems to have drifted in the file.
PR-URL: https://github.com/nodejs/node/pull/8092
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
`StartInspector` should return `bool` but there was a signature
mismatch if not building for v8 platform i.e.
`!NODE_USE_V8_PLATFORM`
PR-URL: https://github.com/nodejs/node/pull/8114
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
To output an exception in the DevTools console, the method exceptionThrown
should be called on the V8Inspector object on an uncaught exception. Additionally,
we need to wait for disconnect to give the user a way to inspect the exception.
PR-URL: https://github.com/nodejs/node/pull/8043
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
When node is running with --inspect flag, default console.log,
console.warn and other methods call inspector console methods in
addition to current behaviour (dump formatted message to stderr and
stdout). Inspector console methods forward message to DevTools and
show up in DevTools Console with DevTools formatters. Inspector
console methods not present on Node console will be added into it.
Only own methods on global.console object will be changed while in a
debugging session. Users are still able to redefine it, use
console.Console or change original methods on Console.prototype.
PR-URL: https://github.com/nodejs/node/pull/7988
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
uv_close() is an asynchronous operation. Calling it on a data member
inside the destructor is unsound because its memory is about to be
reclaimed but libuv is not done with it yet.
PR-URL: https://github.com/nodejs/node/pull/7907
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@chromium.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Make the inspector code easier to reason about by restructuring it
to avoid manual memory allocation and copying as much as possible.
An amusing side effect is that it reduces the total amount of memory
used in the test suite.
Before:
$ valgrind ./out/Release/cctest 2>&1 | grep 'total heap' | cut -c31-
1,017 allocs, 1,017 frees, 21,695,456 allocated
After:
$ valgrind ./out/Release/cctest 2>&1 | grep 'total heap' | cut -c31-
869 allocs, 869 frees, 14,484,641 bytes allocated
PR-URL: https://github.com/nodejs/node/pull/7906
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Node process will no longer terminate with an assertion if the
inspector port is not available.
PR-URL: https://github.com/nodejs/node/pull/7874
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Conflicts:
src/node.cc
The `repeat` param in `start(timeout, repeat)` was 0 in all callsites.
PR-URL: https://github.com/nodejs/node/pull/7994
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/7990
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/7987
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
According to TC39 specification, the delete
operator returns false or throws
in strict mode, if the property is
non-configurable. It returns true in all other cases.
Process.env can never have non-configurable
properties, thus EnvDelete must always return true. This
is independent of strict mode.
Fixes: https://github.com/nodejs/node/issues/7960
PR-URL: https://github.com/nodejs/node/pull/7975
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>