Quoting the CVE:
Google V8, as used in Google Chrome before 28.0.1500.95, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that leverage "type confusion."
Likely has zero impact on node.js because it only runs local, trusted
code but let's apply it anyway.
This is a back-port of upstream commit r15665. Original commit log:
Use internal array as API function cache.
R=yangguo@chromium.org
BUG=chromium:260106
TEST=cctest/test-api/Regress260106
Review URL: https://codereview.chromium.org/19159003Fixes#5973.
Flags and modes aren't the same, symlinks are followed in all of the
path but the last component, docs should say something about what the
mode argument is for and when its used, fs.openSync should point to the
function that contains the docs for its args, as fs.writeSync does.
This is [1] applied ahead of time. Summary:
OpenBSD doesn't have <ucontext.h>. ucontext_t lives in <signal.h>
and is a typedef for struct sigcontext. There is no uc_mcontext.
[1] https://codereview.chromium.org/21705003/
It shouldn't ignore it!
There're two possibile cases, which should be handled properly:
1. Having a default `SNICallback` which is using contexts, added with
`server.addContext(...)` routine
2. Having a custom `SNICallback`.
In first case we may want to opt-out setting `.onsniselect` method (and
thus save some CPU time), if there're no contexts added. But, if custom
`SNICallback` is used, `.onsniselect` should always be set, because
server contexts don't affect it.
Update a few more `Local<T>::New(isolate, persistent)` call sites to
`PersistentToLocal(isolate, persistent)` - the latter has a fast path
for non-weak persistent references.
When doing `FreeEmpty`, `NodeBIO` skips pre-allocated `head_` buffer.
However this might lead to double-freeing buffers since in `~NodeBIO()`
we're starting deallocation from `head_` buffer.
Commit 78d9094 updated src/*.cc to use the version of PersistentToLocal
that takes a v8::Isolate* as its first argument. This commit removes
the non-isolate version.
* Numeric values passed to alloc were converted to int32, not uint32
before the range check, which allows wrap around on ToUint32. This
would cause massive malloc calls and v8 fatal errors.
* dispose would not check if value was an Object, causing segfault if a
Primitive was passed.
* kMaxLength was not enumerable.
Build breakage accidentally introduced in 8e29ce9 during code cleanup.
HAVE_OPENSSL is always defined (as either 0 or 1) so use #if rather
than #ifdef.
Fixes#5979.
Run the garbage collector before running the actual test. It doesn't
matter now but if in the future something in node.js core creates a lot
of reclaimable garbage, that will break the test's expectation.
* Run the garbage collector before creating the big array. It doesn't
matter now but if in the future something in node.js core creates
a lot of reclaimable garbage, that will break the test's expectation.
* The first RSS check was being done too late. The garbage collector
might have run before the check, throwing off the 'reclaimed memory'
calculation.
* Due to changes in how V8 represents the big array internally, the
actual memory usage is just below 256 MB on x64. Update the test's
expectation.
Before this commit, events were set to undefined rather than deleted
from the EventEmitter's backing dictionary for performance reasons:
`delete obj.key` causes a transition of the dictionary's hidden class
and that can be costly.
Unfortunately, that introduces a memory leak when many events are added
and then removed again. The strings containing the event names are never
reclaimed by the garbage collector because they remain part of the
dictionary.
That's why this commit makes EventEmitter delete events again. This
effectively reverts commit 0397223.
Fixes#5970.
Change the build/include_order rule to match our preference:
project headers before system headers.
The rationale is that system headers before project headers makes it
easy to slip in bugs where a project header that requires a definition
from a system header, forgets to include the system header but still
compiles because the source files that include the project header
coincidentally include the system header too.
A good example is the size_t type. A project header file that needs the
definition of size_t should include stddef.h but forgetting to do so
will probably go unnoticed for a long time because almost every other
system header includes stddef.h (either directly or indirectly) and
almost every source file includes one or more system headers.
Ergo, project headers before system headers. It's a good thing.
To prevent all unnecessary calls to JS from MakeCallback, the remaining
two immediate return variables inTick and lastThrew have been added to
infoBox. Now MakeCallback should never need to call into JS unless it
absolutely has to.
Also removed Tock. Performance tests showed it was at least as fast or
faster than using a normal object, and this is more readable.
Avoid a costly buffer-to-string operation. Instead, allocate a new
buffer, copy the chunk header and data into it and send that.
The speed difference is negligible on small payloads but it really
shines with larger (10+ kB) chunks. benchmark/http/end-vs-write-end
with 64 kB chunks gives 45-50% higher throughput. With 1 MB chunks,
the difference is a staggering 590%.
Of course, YMMV will vary with real workloads and networks but this
commit should have a positive impact on CPU and memory consumption.
Big kudos to Wyatt Preul (@wpreul) for reporting the issue and providing
the initial patch.
Fixes#5941 and #5944.
Use the StringBytes::IsValidString() function introduced in commit
dce26cc to ensure that the input string meets the expectations of the
other StringBytes functions before processing it further.
Fixes the following assertion:
Assertion failed: (str->Length() % 2 == 0 && "invalid hex string
length"), function StorageSize, file ../../src/string_bytes.cc,
line 301.
Fixes#5725.
Performs a quick, non-exhaustive check on the input string to see if
it's compatible with the specified string encoding.
Curently it only checks that hex strings have a length that is a
multiple of two.
Don't throw an exception when the argument to %j is an object that
contains circular references, it's not helpful. Catch the exception
and return the string '[Circular]'.