Crash on node.js v14 in v8::ArrayBuffer::GetBackingStore()

[ChiChou]

frida@14.2.13

Reproduction:

const frida = require('frida');

async function main() {
    console.log(await frida.enumerateDevices());
    console.log(await frida.enumerateDevices()); // crash
}

main();

Crash log:

#
# Fatal error in , line 0
# Check failed: result.second.
#
#
#
#FailureMessage Object: 000000850F12A700
 1: 00007FF649891DDF napi_wrap+109135
 2: 00007FF6497C4F7F std::basic_ostream<char,std::char_traits<char> >::operator<<+56895
 3: 00007FF64A4035E2 V8_Fatal+162
 4: 00007FF649EA5BFD v8::internal::BackingStore::Reallocate+653
 5: 00007FF64A0ED089 v8::ArrayBuffer::GetBackingStore+137
 6: 00007FF6497133CD v8::internal::OrderedHashTable<v8::internal::OrderedHashSet,1>::NumberOfBucketsIndex+33693
 7: 00007FF64985292C v8::internal::Malloced::operator delete+6124
 8: 00007FF64A0B35FF v8::internal::Builtins::builtin_handle+321615
 9: 00007FF64A0B2B8E v8::internal::Builtins::builtin_handle+318942
10: 00007FF64A0B2E87 v8::internal::Builtins::builtin_handle+319703
11: 00007FF64A0B2CD3 v8::internal::Builtins::builtin_handle+319267
12: 00007FF64A18F0FD v8::internal::SetupIsolateDelegate::SetupHeap+464173
13: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
14: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
15: 00007FF64A121639 v8::internal::SetupIsolateDelegate::SetupHeap+14953
16: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
17: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
18: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
19: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
20: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
21: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
22: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
23: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
24: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
25: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
26: 00007FF64A121639 v8::internal::SetupIsolateDelegate::SetupHeap+14953
27: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
28: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
29: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
30: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
31: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
32: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
33: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
34: 00007FF64A121639 v8::internal::SetupIsolateDelegate::SetupHeap+14953
35: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
36: 00007FF64A121639 v8::internal::SetupIsolateDelegate::SetupHeap+14953
37: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
38: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
39: 00007FF64A121639 v8::internal::SetupIsolateDelegate::SetupHeap+14953
40: 00007FF64A1256BE v8::internal::SetupIsolateDelegate::SetupHeap+31470
41: 00007FF64A1252AC v8::internal::SetupIsolateDelegate::SetupHeap+30428
42: 00007FF649FF5959 v8::internal::Execution::CallWasm+1657
43: 00007FF649FF51BF v8::internal::Execution::Call+191
44: 00007FF64A0E0797 v8::Function::Call+615
45: 00007FF64973770C std::basic_ostream<char,std::char_traits<char> >::put+46316
46: 00007FF64A0B35FF v8::internal::Builtins::builtin_handle+321615
47: 00007FF64A0B2B8E v8::internal::Builtins::builtin_handle+318942
48: 00007FF64A0B2E87 v8::internal::Builtins::builtin_handle+319703
49: 00007FF64A0B2CD3 v8::internal::Builtins::builtin_handle+319267
50: 00007FF64A18F0FD v8::internal::SetupIsolateDelegate::SetupHeap+464173
51: 00007FF64A127A02 v8::internal::SetupIsolateDelegate::SetupHeap+40498
52: 00007FF64A1547F0 v8::internal::SetupIsolateDelegate::SetupHeap+224288
53: 00007FF64A1D0BEE v8::internal::SetupIsolateDelegate::SetupHeap+733214
54: 00007FF64A14796D v8::internal::SetupIsolateDelegate::SetupHeap+171421
55: 00007FF64A1255AC v8::internal::SetupIsolateDelegate::SetupHeap+31196
56: 00007FF649FF5A17 v8::internal::Execution::CallWasm+1847
57: 00007FF649FF5B1B v8::internal::Execution::CallWasm+2107
58: 00007FF649FF656A v8::internal::Execution::TryCall+378
59: 00007FF649FD6C65 v8::internal::MicrotaskQueue::RunMicrotasks+501
60: 00007FF649FD69C0 v8::internal::MicrotaskQueue::PerformCheckpoint+32
61: 00007FF6498B5A70 node::CallbackScope::~CallbackScope+672
62: 00007FF6498B5E6B node::CallbackScope::~CallbackScope+1691
63: 00007FF6498B62B1 node::MakeCallback+209
64: 00007FFD0C9AA4FE g_win32_run_session_bus+234175
65: 00007FF6498E612B uv_async_send+331
66: 00007FF6498E58BC uv_loop_init+1292
67: 00007FF6498E5A5A uv_run+202
68: 00007FF6497F0495 v8::internal::OrderedHashTable<v8::internal::OrderedHashSet,1>::NumberOfBucketsOffset+9477
69: 00007FF6498651C7 node::Start+311
70: 00007FF6496C67CC RC4_options+339660
71: 00007FF64A66B1EC v8::internal::compiler::RepresentationChanger::Uint32OverflowOperatorFor+152748
72: 00007FFD8C747034 BaseThreadInitThunk+20
73: 00007FFD8D0DCEC1 RtlUserThreadStart+33

Tested on both node.js v14.15.0 (x64) & node.js v15.8.0 (Apple Silicon)

[ChiChou]

nodejs/node#32463
https://chromium-review.googlesource.com/c/v8/v8/+/2450064

[ChiChou]

Thank you so much! 🎉