Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: https://github.com/nodejs/node/pull/4181
Before this commit you had to pass multiple CA certificates as an array
of strings. For convenience you can now pass them as a single string.
Fixes: https://github.com/nodejs/node/issues/4096
PR-URL: https://github.com/nodejs/node/pull/4099
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This change cleans up outstanding comments on #3032. It improves error
handling when no isolate file is provided and adds the --prof-process
flag to the node binary which executes the tick processor on the
provided isolate file.
PR-URL: https://github.com/nodejs/node/pull/4021
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Evan Lucas <evanlucas@me.com>
If JS throws an object whose toString() method throws, then Node
attempts to print an empty message, but actually prints garbage.
This commit checks for this case, and prints a message instead.
Fixes: https://github.com/nodejs/node/issues/4079
PR-URL: https://github.com/nodejs/node/pull/4112
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Rename doNTCallback functions for clarity when profiling, these make
sense internally but the "NT" in particular is a bit obtuse to be
immediately understandable by non-core developers.
PR-URL: https://github.com/nodejs/node/pull/4167
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
These changes simplify using ECDH with private keys that are not
dynamically generated with ECDH.generateKeys.
Support for computing the public key corresponding to the given private
key was added. Validity checks to reduce the possibility of computing
a weak or invalid shared secret were also added.
Finally, ECDH.setPublicKey was softly deprecated.
PR-URL: https://github.com/nodejs/node/pull/3511
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Commit a9c0c65 ("src: define getpid() based on OS") made src/env.cc
use `GetCurrentProcessId()` on Windows for the PID in log messages.
`GetCurrentProcessId()` is also what is used by libuv, OpenSSL and V8.
This commit makes `process.pid` use `GetCurrentProcessId()` instead of
`_getpid()` for consistency.
PR-URL: https://github.com/nodejs/node/pull/4163
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Determine object types of regular expressions, Dates, Maps, and
Sets in the C++ layer instead of depending on toString()
behavior in JavaScript.
PR-URL: https://github.com/nodejs/node/pull/4100
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Remove a hack that was introduced in commit bb6d468d from November 2010.
This is groundwork for a follow-up commit that makes it possible to use
internal modules in lib/repl.js.
PR-URL: https://github.com/nodejs/node/pull/4026
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This feature supports the Intel Vtune profiling support for JITted
JavaScript on IA32 / X64 / X32 platform. The advantage of this profiling
is that the user / developer of NodeJS application can get the detailed
profiling information for every line of the JavaScript source code.
This information will be very useful for the owner to optimize their
applications.
This feature is a compile-time option. For windows platform, the user
needs to pass the following parameter to vcbuild.bat: "enable-vtune"
For other OS, the user needs to pass the following parameter to
./configure command: "--enable-vtune-profiling"
PR-URL: https://github.com/nodejs/node/pull/3785
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit adds an internal util method that makes hidden
values in the C++ layer visible in JS.
PR-URL: https://github.com/nodejs/node/pull/3988
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Versions of Node.js after v0.12 have relocated byte-swapping away from
the StringBytes::Encode function, thereby causing a nan test (which
accesses this function directly) to fail on big-endian machines.
This change re-introduces byte swapping in StringBytes::Encode,
done via a call to a function in util-inl. Another change in
NodeBuffer::StringSlice was necessary to avoid double byte swapping
in big-endian function calls to StringSlice.
PR-URL: https://github.com/nodejs/node/pull/3410
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.
PR-URL: https://github.com/nodejs/node/pull/3951
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Because Node modules are wrapped, errors on the first line
of a file leak the wrapper to the user and report the wrong
column number. This commit adds a line break to the module
wrapper so that the first line is treated the same as all
other lines. To compensate for the additional line, a line
offset of -1 is also applied to errors.
Fixes: https://github.com/nodejs/node/issues/2860
PR-URL: https://github.com/nodejs/node/pull/2867
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
The type and range checks performed by this function can be done more
efficiently in native code.
PR-URL: https://github.com/nodejs/node/pull/3763
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 140-2 disallows use of MD5, which is used to derive the
initialization vector and key for createCipher(). Modify
all tests to expect exceptions in FIPS mode when disallowed
API is used, or to avoid testing such API in FIPS Mode.
PR-URL: https://github.com/nodejs/node/pull/3754
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Security Update
Notable items:
* **http**: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against DH, an attack against RSA
and DSA is considered possible but unlikely, EC algorithms are not
affected. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/11
Documentation currently states that setting noAssert and passing a value
larger than can fit in the Buffer will cause data to be silently
dropped. Change implementation to match documented behavior.
Fixes: https://github.com/nodejs/node/issues/3766
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.
PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Copy client CA certs and cert store when asynchronously selecting
`SecureContext` during `SNICallback`. We already copy private key,
certificate, and certificate chain, but the client CA certs were
missing.
Fix: #2772
PR-URL: https://github.com/nodejs/node/pull/3537
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Added checks where necessary to prevent hard crashes and gave
precedence to returning the OpenSSL error strings instead of generic
error strings.
PR-URL: https://github.com/nodejs/node/pull/3753
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
SmartOS does not line buffer stderr by default, or at least that is the
behavior on the Node project Jenkins server. Force line buffering. This
resolves the flakiness observed on SmartOS for
test-debug-signal-cluster.
PR-URL: https://github.com/nodejs/node/pull/3701
Fixes: https://github.com/nodejs/node/issues/2476
Refs: https://github.com/nodejs/node/pull/3615
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
When getaddrinfo linked-list results contain entries other than AF_INET
and AF_INET6, the resulting v8::Array will contain undefined values.
That's because initialization of v8::Array pre-allocates entries for all
linked-list nodes, but not all of them will be in the final results.
This commit ensures that the array only contains valid results.
PR-URL: https://github.com/nodejs/node/pull/3696
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts 8cee8f5 which was causing stdin to behave strangely on
Windows 8 and 10. The suspected explanation for the issue is that there
might be a race condition occuring when stdin._readableState.reading is
set indirectly through `push('')`.
PR-URL: https://github.com/nodejs/node/pull/3490
Fixes: https://github.com/nodejs/node/issues/2996
Fixes: https://github.com/nodejs/node/issues/2504
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Call a user's callback to notify that the handle has been destroyed.
Only pass the id of the AsyncWrap instance since the object no longer
exists.
The object that's being destructed should never be inspected within the
callback or any time afterward.
This commit make a breaking change. The init callback will now be passed
arguments in the order of provider, id, parent.
PR-URL: https://github.com/nodejs/node/pull/3461
Reviewed-By: Fedor Indutny <fedor@indutny.com>
New instances of AsyncWrap are automatically assigned a unique id. The
value will be used in future commits to communicate additional
information via the async hooks.
While the largest value we can reliably communicate to JS is 2^53, even
if a new AsyncWrap is created every 100ns the uid won't reach its end
for 28.5 years.
PR-URL: https://github.com/nodejs/node/pull/3461
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Only enforce that the init callback is passed to setupHooks(). The
remaining hooks can be optionally passed.
Throw if async_wrap.enable() runs before setting the init callback or if
setupHooks() is called while async wrap is enabled.
Add test to verify calls throw appropriately.
PR-URL: https://github.com/nodejs/node/pull/3461
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Neuter external `nullptr` buffers, otherwise their contents will be
materialized on access, and the buffer instance will be internalized.
This leads to a crash like this:
v8::ArrayBuffer::Neuter Only externalized ArrayBuffers can be
neutered
Fix: #3619
PR-URL: https://github.com/nodejs/node/pull/3624
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This is to ensure that it is evaluated the same way it would be if it
were to be run by node or required.
Before, the following would pass if run by node, but fail if run via
the syntax check flag:
if (true) {
return;
}
Now, this will pass the syntax check
PR-URL: https://github.com/nodejs/node/pull/3587
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This reverts commit ff877e93e1.
Reverted for breaking `node --debug-brk -e 0`. It should immediately
quit but instead it hangs now.
PR-URL: https://github.com/nodejs/node/pull/3585
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
these have been deprecated for a long time (Sakthipriyan Vairamani) #2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
accuracy added (Michaël Zasso) #3166.
* fs:
- fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
descriptor as their first argument (Johannes Wüller) #3163.
- (Breaking) In fs.readFile(), if an encoding is specified and the internal
toString() fails the error is no longer thrown but is passed to the callback
(Evan Lucas) #3485.
- (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
callback) form), if the internal toString() fails the error is no longer
thrown but is passed to the callback (Evan Lucas) #3503.
* http:
- Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342.
- (Breaking) When parsing HTTP, don't add duplicates of the following headers:
Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
to the following headers which already block duplicates: Content-Type,
Content-Length, User-Agent, Referer, Host, Authorization,
Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
Max-Forwards (James M Snell) #3090.
- (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
function or a TypeError is thrown (James M Snell) #3090.
- (Breaking) HTTP methods and header names must now conform to the RFC 2616
"token" rule, a list of allowed characters that excludes control characters
and a number of separator characters. Specifically, methods and header names
must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
(James M Snell) #2526.
* node:
- (Breaking) Deprecated the _linklist module (Rich Trott) #3078.
- (Breaking) Removed require.paths and require.registerExtension(), both had
been previously set to throw Error when accessed
(Sakthipriyan Vairamani) #2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
major version bump for npm and it has seen a significant amount of change.
Please see the original npm v3.0.0 release notes for a list of major changes
(Rebecca Turner) #3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
due to the V8 upgrade. Native add-ons will need to be recompiled
(Rod Vagg) #3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
a long-standing known issue where unrefed timers would perviously hold
beforeExit open (Fedor Indutny) #3407.
* tls:
- Added ALPN Support (Shigeki Ohtsu) #2564.
- TLS options can now be passed in an object to createSecurePair()
(Коренберг Марк) #2441.
- (Breaking) The default minimum DH key size for tls.connect() is now 1024
bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
option can be used to override the default. (Shigeki Ohtsu) #1831.
* util:
- (Breaking) util.p() was deprecated for years, and has now been removed
(Wyatt Preul) #3432.
- (Breaking) util.inherits() can now work with ES6 classes. This is considered
a breaking change because of potential subtle side-effects caused by a
change from directly reassigning the prototype of the constructor using
`ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
(Michaël Zasso) #3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351.
- Implements the spread operator, see
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
for further information.
- Implements new.target, see
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
file) (Yuval Brik) #2595.
PR-URL: https://github.com/nodejs/node/pull/3466
Before this commit, sending a SIGUSR1 at program exit could trigger a
hard to reproduce race condition where `v8::Debug::DebugBreak(isolate)`
got called when the isolate was in the process of being torn down.
A similar race condition is in theory possible when sending signals
to two threads simultaneously but I haven't been able to reproduce
that myself (and I tried, oh how I tried.)
This commit fixes the race condition by turning `node_isolate` into
a `std::atomic` and using it as an ad hoc synchronization primitive
in places where that is necessary.
A bare minimum std::atomic polyfill is added for OS X because Apple
wouldn't be Apple if things just worked out of the box.
PR-URL: https://github.com/nodejs/node/pull/3528
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This fix is to be consistent implementation with ALPN. Tow NPN
protocol data in the persistent memebers move to hidden variables in
the wrap object.
PR-URL: https://github.com/nodejs/node/pull/2564
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
ALPN is added to tls according to RFC7301, which supersedes NPN.
When the server receives both NPN and ALPN extensions from the client,
ALPN takes precedence over NPN and the server does not send NPN
extension to the client. alpnProtocol in TLSSocket always returns
false when no selected protocol exists by ALPN.
In https server, http/1.1 token is always set when no
options.ALPNProtocols exists.
PR-URL: https://github.com/nodejs/node/pull/2564
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
malloc(0) and realloc(ptr, 0) have implementation-defined behavior in
that the standard allows them to either return a unique pointer or a
nullptr for zero-sized allocation requests. Normalize by always using
a nullptr.
Fixes: https://github.com/nodejs/node/issues/3496
PR-URL: https://github.com/nodejs/node/pull/3499
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
v8 is faster at setting object properties in JS than C++. Even when it
requires calling into JS from native code. Make
process._getActiveRequests() faster by doing this when populating the
array containing request objects.
Simple benchmark:
for (let i = 0; i < 22; i++)
fs.open(__filename, 'r', function() { });
let t = process.hrtime();
for (let i = 0; i < 1e6; i++)
process._getActiveRequests();
t = process.hrtime(t);
console.log((t[0] * 1e9 + t[1]) / 1e6);
Results between the two:
Previous: 4406 ns/op
Patched: 690 ns/op 5.4x faster
PR-URL: https://github.com/nodejs/node/pull/3375
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
For Node.js v5.0.0, due to upgrade to V8 4.6 which has an incompatible
ABI
PR-URL: https://github.com/nodejs/node/pull/3400
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove the Watchdog class' dependency on Environment.
No functional changes, only code cleanup.
PR-URL: https://github.com/nodejs/node/pull/3274
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Check for unexpected end-of-file error when decompressing. If the output
buffer still has space after decompressing and deflate returned Z_OK or
Z_BUF_ERROR - that means unexpected end-of-file. Added
test-zlib-truncated.js for the case of truncated input. Fixed the zlib
dictionary test to not end the inflate stream on a truncated output (no
crc) of deflate
Fixes: https://github.com/nodejs/node/issues/2043
PR-URL: https://github.com/nodejs/node/pull/2595
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Rod Vagg
Ben Noordhuis
Fedor Indutny
Matt Loring
cjihrig
Michael Ruddy
yorkie
Chunyang Dai
Bryon Leung
Tristian Flanagan
Stefan Budeanu
Jeremiah Senkpiel
P.S.V.R
Rich Trott
Junliang Yan
Roman Reiss
Trevor Norris
Ömer Fadıl Usta
Evan Lucas
Shigeki Ohtsu
Ido Ben-Yair
Glen Keane
Yuval Brik