http_parser: assert on incoming argument's type

[gireeshpunathil]

Unchecked argument conversion in Parser::Consume crashes node
in an slightly undesirable manner - 'unreachable code' in parser.

Make sure we validate the incoming type at the earliest point.

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• commit message follows commit guidelines

Affected core subsystem(s)

http_parser

[gireeshpunathil]

Reference: #12178

[bnoordhuis]

Why not a simple CHECK(args[0]->IsExternal())? If you want to throw an exception, don't reinvent the wheel and use parser->env()->ThrowError("error message").

[gireeshpunathil]

out/Release/node[8983]: ../src/node_http_parser.cc:486:static void node::Parser::Consume(const FunctionCallbackInfo<v8::Value> &): Assertion `args[0]->IsExternal()' failed.
...

With the CHECK macro, the failure is a simple assertion as above (with callstack) and the message is not very intuitive and hence I went with a throw.

Regarding throw: made the changes are suggested.

Hope this is fine by you?

[aqrln]

@gireeshpunathil FWIW, you can use a message with a CHECK assertion (though one may qualify it as a little hack). A common pattern used in some parts of the codebase is CHECK(expr && "message").

[cjihrig]

Can you add a test please. The current changes LGTM though.

[aqrln]

@gireeshpunathil do you mind adding the Fixes: https://github.com/nodejs/node/issues/12178 field to the commit message? Thanks!

[bnoordhuis]

The comment is superfluous and the error message is misleading: no conversion is attempted, it's just a type check.

I'd simply turn it into a CHECK and even then it's not all that useful; a few lines below we cast the wrapped value to a StreamBase without ever checking if it's actually a StreamBase instance.

[gireeshpunathil]

@bnoordhuis - done, followed your suggestion.

[gireeshpunathil]

@aqrln - thanks, added the Fixes: tag into the commit message.
Regarding the CHECK (expr && msg) semantics: I found it less useful - this is how the output appears:

out/Release/node[2219]: ../src/node_http_parser.cc:476:static void node::Parser::Consume(const FunctionCallbackInfo<v8::Value> &): Assertion `args[0]->IsExternal() && "parser.consume requires a stream argument."' failed.
 1: node::Abort() [./node]
...

[gireeshpunathil]

@cjihrig - thanks. I have this test program (sort of a regression test) devised - based on the Exception throwing logic, but @bnoordhuis 's latest suggestion (use of CHECK) would mean that we would assert in C++ land on failure, and managing / validating that in a JS test case seems hacky. Any suggestions?

#cat test/parallel/test-http-parser-consume.js
'use strict';
const common = require('../common');
const assert = require('assert');
const http = require('http');
const spawn = require('child_process').spawn;

if (process.argv[2] === 'child') {
  var server = http.createServer(function(q, s) {
    s.end('hello');
  });

  server.listen(common.PORT, function(s) {
    var rr = http.get('http://localhost:' + common.PORT, function(d) {
      try {
        rr.parser.consume(0);
      }
      catch(e) {
        e.toString().includes('parser.consume requires a stream argument.');
        process.exit(0);
      }
    });
  });
}
else {
  const child = spawn(process.argv[0], [process.argv[1], 'child']);
  child.on('stdout', function(d) {
    console.log(d.toString());
  });
  child.on('stderr', function(d) {
    console.log(d.toString());
  });
  child.on('exit', common.mustCall(function(code, signal) {
    assert(signal === null && code === 0, 'Parser::Consume should not crash the process.');
  }));
}

[aqrln]

Nit: I'd remove this empty line.

[gireeshpunathil]

@aqrln - done

[aqrln]

I was only talking about removing the empty line I left the comment at, not both of them. The idea was to make everything related to extracting stream from args one visual block, if my comment was too short to be clear :)
You are not obliged to do that though, and I'm fine with both of your variants too, that's just my personal preference you may or may not agree with.

[gireeshpunathil]

@aqrln - sure, understood.

[gireeshpunathil]

@cjihrig - Added a test case to capture this. As it stands out, the evolved change in the parser code means that the process now ABRTs as opposed to a SEGV in response to bad input, and the test is made to validate this fact only.

[cjihrig]

Can you use const here.

[cjihrig]

Can you also use more descriptive names than q and s.

[gireeshpunathil]

@cjihrig - done, followed your suggestions.

[cjihrig]

Instead of using common.PORT, you can just request a port from the operating system. Also, please wrap the callback in common.mustCall().

[gireeshpunathil]

done

[cjihrig]

Could the first parameter just be { port: server.address().port }. Also, please use const.

[gireeshpunathil]

done

[cjihrig]

Can you close the server to let the process exit naturally.

[gireeshpunathil]

yes, done.

[cjihrig]

Style nit: else should go on the previous line.

[gireeshpunathil]

done

[cjihrig]

These can be removed right?

[aqrln]

And even if you do need these for some reason, I think a better way to do that is

child.stdout.pipe(process.stdout);
child.stderr.pipe(process.stderr);

EDIT: or, even better than that, pass { stdio: 'inherit' } to spawn().

[cjihrig]

I don't think child.on('stdout', ...) is even a thing.

[aqrln]

Yeah, I don't recall those events too.

[sam-github]

inheriting stdio is the right way

[gireeshpunathil]

Sorry, don't know how I picked up 'stdout' as an event. Removed them and inherited from parent.

Debugging issues and isolating them between test issues and node issues have been effortful, so please allow me to retain the child output, if it is fine by you?

[cjihrig]

Please move this over one more space.

[gireeshpunathil]

done

[DemiMarie]

Why is crashing with SIGABRT okay? I would expect that this should throw a proper JS exception.

[addaleax]

Why is crashing with SIGABRT okay? I would expect that this should throw a proper JS exception.

I think the reasoning of @bnoordhuis (and maybe others) here is that this kind of crash can only be produced by messing with or accessing what Node.js would consider its internals, here by using .parser.

I talked about this again with @bengl a few days ago, and while we agreed that we would like to see a more un-crashable Node, we also agreed that Ben has a good and valid point here.

[cjihrig]

One more nit in the test, but LGTM if the CI passes.

[cjihrig]

This needs common.mustCall() on the callback.

[gireeshpunathil]

made this change, thanks @cjihrig

[aqrln]

This line is longer than 80 characters.

[gireeshpunathil]

sliced it, thanks.

[aqrln]

Ditto.

[gireeshpunathil]

done

[jasnell]

what would the semver level be on this? Should we treat this as a major?

[addaleax]

what would the semver level be on this? Should we treat this as a major?

I’d say it’s semver-patch at most (semver-doesntreallymatteranyway if we’re being honest). It turns one kind of hard crash into another, and practically speaking it’s not a bug that gets triggered unless you are actively looking into how to crash node.

[aqrln]

LGTM. Now that the PR performs a CHECK() instead of throwing an exception like it did initially, I'm not sure that it fixes #12178 in a way one would expect it to, so, arguably, it's worth changing "Fixes:" to "Refs:". That said, I'm +1 for this change.

CI: https://ci.nodejs.org/job/node-test-pull-request/7350/

[aqrln]

Nit: why not make these callbacks arrow functions?

[gireeshpunathil]

done, all the callbacks are arrow'ed.

[aqrln]

Not sure about the indentation here.

[gireeshpunathil]

fixed

[aqrln]

node-test-linter on CI doesn't seem to be happy. Can you please fix the linter errors?

[jasnell]

I'm good with semver-patch. LGTM with the linting issue fixed.

[gireeshpunathil]

all clear - a CI please!
/cc @nodejs/http
/cc @nodejs/platform-windows

[santigimeno]

CI: https://ci.nodejs.org/job/node-test-pull-request/8468/

[gibfahn]

cc/ @nodejs/http
cc/ @nodejs/platform-windows

Duplicating cc/ as I don't think it works if you're not a collaborator (which is a bit of a pain).

[gireeshpunathil]

o! I never knew - thanks @gibfahn for that. I would have (and had) spent a lot of cc/ stuff thinking that someone will get a mail.

[refack]

Duplicating cc/ as I don't think it works if you're not a collaborator (which is a bit of a pain).

fullish GitHub 🤦‍♂️

[refack]

o! I never knew - thanks @gibfahn for that. I would have (and had) spent a lot of cc/ stuff thinking that someone will get a mail.

I think the limitation it's just for @nodejs/ teams. This and a inability to assign issues to everyone, IMHO very foolish.

[refack]

2 nits

[refack]

I know people have asked for a 1e6 changes... but, would you reindent with both arguments in a new line (nececitating less whitespace):

  server.listen(0, common.mustCall((s) => {
    const rr = http.get(
      { port: server.address().port },
      common.mustCall((d) => {
        rr.parser.consume(0);
        server.close();
      }));
    })
  );

I'm fine if you don't want to.

[gireeshpunathil]

@refack - thanks, done

[refack]

Nit: Add comment that this line should abort the process

[gireeshpunathil]

added a comment to explain the code

[refack]

Pre-land CI: https://ci.nodejs.org/job/node-test-commit/10368/
@gireeshpunathil did you address all comments (I couldn't find @sam-github's)?

[sam-github]

I can't find mine either, ignore me please.

[gibfahn]

(I couldn't find @sam-github's)?

#12288 (comment)

[refack]

landed in efab784

[refack]

extra CI to check master's sanity: https://ci.nodejs.org/job/node-test-commit-linuxone/6400/

[MylesBorins]

Should this land on v6.x?

[MylesBorins]

ping

[addaleax]

@MylesBorins yes.