
Don't serialize external values over IPC #6998

Merged
merged 12 commits into from Aug 31, 2016

Conversation

@kevinsawicki
Contributor

kevinsawicki commented Aug 26, 2016

While looking into the crash in #6992 introduced via #6776, I came across https://chromium.googlesource.com/chromium/src/+/0af364dd5cac55192409e88cbb47cb8ce4209683 which states:

Don't serialize any DOM objects in V8ValueConverter, it can be extremely slow.
There have been several attempts to implement this in the past, but none have
actually stuck for various reasons. This patch uses the same technique that
Blink has for structured cloning.

It looks like removing the HasRealNamedCallbackProperty to get this working initially in #6776 has caused certain objects, specifically the http.ClientRequest object in Node to now cause crashes when serialized over IPC.

This pull request adds an InternalFieldCount check that prevents the crash but also removes support for DOM objects over IPC.

I'm not sure if there is another way to fix this to keep DOM objects working but prevent the crashes since the stack trace for the current crash is pretty deep in v8: https://cs.chromium.org/chromium/src/v8/src/objects.cc?l=2981

@zcbenz


Contributor

zcbenz commented Aug 29, 2016

This is probably going to prevent serializing Electron objects, they all have internal fields too.

@kevinsawicki kevinsawicki changed the title from Don't serialize DOM objects over IPC to Don't serialize external values over IPC Aug 29, 2016

@kevinsawicki


Contributor

kevinsawicki commented Aug 29, 2016

This is probably going to prevent serializing Electron objects, they all have internal fields too

Good point. After digging into this a bit more, it looks like the value causing the crash was https://github.com/nodejs/node/blob/e0b8dd59bcb44a775c7672ac235656c3bbb096f2/src/stream_base-inl.h#L41-L46

Switching the check to IsExternal() seems to prevent the crash and still allow DOM objects and Electron API objects to serialize properly. @zcbenz, what do you think about this approach?

@@ -415,6 +415,11 @@ base::Value* V8ValueConverter::FromV8Object(
child_v8 = v8::Null(isolate);
}
// Ignore external values since calling CreationContext() on them can
// crash
if (child_v8->IsExternal())
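Review bot: the IsExternal() guard is placed inside FromV8Object, so it only protects external values reached as properties of an object; a v8::External handed to the converter as the top-level value (for example passed straight to ipc.send) would still go through FromV8ValueImpl and reach CreationContext(). Moving the check to FromV8ValueImpl, ahead of the object and array cases, covers both the nested and the top-level case with a single test. Also, the hunk as quoted stops at `if (child_v8->IsExternal())`, so the statement it guards is not visible here; worth confirming that the property is skipped (as the "Ignore external values" comment says) rather than leaving child_v8 to be converted further down.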


@zcbenz

zcbenz Aug 30, 2016

Contributor

Can this check be done in FromV8ValueImpl? Otherwise the crash may still happen when the external property is passed directly to ipc.send.


@kevinsawicki

kevinsawicki Aug 30, 2016

Contributor

Can this check be done in FromV8ValueImpl?

Great call, moved it there and the specs still pass.


@kevinsawicki

kevinsawicki Aug 30, 2016

Contributor

Also added another spec explicitly for this case.

@zcbenz


Contributor

zcbenz commented Aug 31, 2016

👍

@zcbenz zcbenz merged commit 4833c48 into master Aug 31, 2016

6 of 7 checks passed

electron-win-x64: Build #1321 failed in 1 hr 21 min
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
electron-linux-arm: Build #3991299 succeeded in 48s
electron-linux-ia32: Build #3991300 succeeded in 43s
electron-linux-x64: Build #3991301 succeeded in 78s
electron-win-ia32: Build #1341 succeeded in 6 min 30 sec

@zcbenz zcbenz deleted the ipc-v8-converter-crash branch Aug 31, 2016
