Clean up some dangerous memory accesses in callbacks #1642
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is especially helpful right now, because certain parameters have difficult garbage collection patterns. At the very least, for cases where a garbage collection pattern has not been fully fleshed out, we can ignore certain callback parameters until we can safely handle their memory.
We discovered that after the garbage collection PR, that submodules can trigger the filter with a filter_source that has a repo that NodeGit has never seen before. This causes libgit2 to free their repo, and us to free what we thought was our repo. As a temporary stopgap to allow filter writers to user repos, I've converted the repo getter to async, and opened a nodegit owned repo. This should prevent any segfaults when pulling the repo out during a filter operation at a small perf penalty.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We don't have a very good pattern for garbage collection in callback parameters at the moment. After introducing garbage collection elsewhere in the library, we left callback parameters as not garbage collected, because they typically are owned by libgit2 anyway. So as long libgit2 is cleaning up their pointer, and we're cleaning up our v8 object, the memory ends up being cleaned up anyway.
The caveat was that callback parameters should not be trusted after a callback exits.
What sucks is that we discovered that you can access a git_repository from a git_filter_source, and that the git_repository that you can access is not guaranteed to be a git_repository that nodegit has ever seen before. In fact, it may not even be owned by NodeGit. In the case of submodules, when a git_submodule_status is performed, the filters are invoked with a repository that is internal to git_submodule_status. This means that those repos are freed by libgit2, and are never owned by nodegit.
This PR addresses that segfault, by making the git_filter_source repo getter async, and having that getter open a new repo that nodegit owns. This PR also removes access to git_diff in git_diff_notify_cb and git_diff_progress_cb, as I can't figure out a good way to handle that memory access at the moment... Something something tree invalidation 😅.