nodejs: Double free on napi-rs Buffer in decode_buffer #368

@barjin

Under high-concurrency conditions, the JS binding sometimes fails with a segmentation fault, and the following backtrace:

(lldb) bt
* thread #1, name = 'node', stop reason = signal SIGSEGV: address not mapped to object (fault address=0x7fffbc00b)
  * frame #0: 0x00007ffff33a1920 libnode.so.127`napi_delete_reference + 32
    frame #1: 0x00007fffeca56b81 impit-node.linux-x64-gnu.node`_$LT$napi..bindgen_runtime..js_values..buffer..Buffer$u20$as$u20$core..ops..drop..Drop$GT$::drop::h2869d2629c1e274a(self=0x00007fffffff8640) at buffer.rs:350:18
    frame #2: 0x00007fffeca4443b impit-node.linux-x64-gnu.node`core::ptr::drop_in_place$LT$napi..bindgen_runtime..js_values..buffer..Buffer$GT$::h6248e95f1a357b4e((null)=0x00007fffffff8640) at mod.rs:804:1
    frame #3: 0x00007fffec9dc9cf impit-node.linux-x64-gnu.node`impit_node::response::ImpitResponse::decode_buffer::hadd409c4b774c460(self=0x0000555556d5ec80, buffer=Buffer @ 0x00007fffffff8640) at response.rs:195:3
    frame #4: 0x00007fffec958d22 impit-node.linux-x64-gnu.node`impit_node::response::__napi_impl_helper_ImpitResponse_0::decode_buffer_c_callback::_$u7b$$u7b$closure$u7d$$u7d$::hcb7fcaddb104120a(cb=CallbackInfo<1> @ 0x00007fffffff8788) at response.rs:83:1
    frame #5: 0x00007fffec9ccb22 impit-node.linux-x64-gnu.node`core::result::Result$LT$T$C$E$GT$::and_then::h4fc881fa3d67c2ec(self=Result<napi::bindgen_runtime::callback_info::CallbackInfo<1>, napi::error::Error<napi::status::Status>> @ 0x00007fffffff8838, op={closure_env#0} @ 0x00007fffffff87e0) at result.rs:1415:22
    frame #6: 0x00007fffec950bf8 impit-node.linux-x64-gnu.node`impit_node::response::__napi_impl_helper_ImpitResponse_0::decode_buffer_c_callback::h2908496a0a77f9a0(env=0x00005555556b9840, cb=0x00007fffffff8890) at response.rs:83:1
    frame #7: 0x00007ffff33b4b48 libnode.so.127`v8impl::(anonymous namespace)::FunctionCallbackWrapper::Invoke(v8::FunctionCallbackInfo<v8::Value> const&) + 104
    frame #8: 0x00007fff9528f5e2
    frame #9: 0x00007fff755c3c60
    frame #10: 0x00007fff952cc9c3
    frame #11: 0x00007fff953ab275
    frame #12: 0x00007fff952bc919
    frame #13: 0x00007fff9528b403
    frame #14: 0x00007ffff562e1ed libnode.so.127`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 957
    frame #15: 0x00007ffff562f5d0 libnode.so.127`v8::internal::Execution::TryRunMicrotasks(v8::internal::Isolate*, v8::internal::MicrotaskQueue*) + 160
    frame #16: 0x00007ffff5665310 libnode.so.127`v8::internal::MicrotaskQueue::RunMicrotasks(v8::internal::Isolate*) + 240
    frame #17: 0x00007ffff566572d libnode.so.127`v8::internal::MicrotaskQueue::PerformCheckpointInternal(v8::Isolate*) + 61
    frame #18: 0x00007ffff3331130 libnode.so.127`node::InternalCallbackScope::Close() + 304
    frame #19: 0x00007ffff33313b5 libnode.so.127`node::InternalCallbackScope::~InternalCallbackScope() + 21
    frame #20: 0x00007ffff3331415 libnode.so.127`node::CallbackScope::~CallbackScope() + 53
    frame #21: 0x00007ffff33f1c5f libnode.so.127`v8impl::(anonymous namespace)::ThreadSafeFunction::AsyncCb(uv_async_s*) + 575
    frame #22: 0x00007ffff2fb160e libuv.so.1`uv__async_io + 270
    frame #23: 0x00007ffff2fd071e libuv.so.1`uv__io_poll + 1182
    frame #24: 0x00007ffff2fbb9e2 libuv.so.1`uv_run + 466
    frame #25: 0x00007ffff33305bb libnode.so.127`node::SpinEventLoopInternal(node::Environment*) + 427
    frame #26: 0x00007ffff3487c02 libnode.so.127`node::NodeMainInstance::Run(node::ExitCode*, node::Environment*) + 98
    frame #27: 0x00007ffff349090c libnode.so.127`node::NodeMainInstance::Run() + 172
    frame #28: 0x00007ffff33f19d7 libnode.so.127`node::Start(int, char**) + 855
    frame #29: 0x00007ffff30105b5 libc.so.6`__libc_start_call_main + 117
    frame #30: 0x00007ffff3010668 libc.so.6`__libc_start_main@@GLIBC_2.34 + 136
    frame #31: 0x0000555555556035 node`_start + 37

originally reported by @oklinov

Labels: t-tooling
