[Pkg-javascript-devel] Bug#922075: Bug#922075: npm: segfault during extract on i386

[Jérémy Lal]

Le mar. 21 sept. 2021 à 08:46, Jérémy Lal <kapouer at melix.org> a écrit :

>
>
> Le mar. 21 sept. 2021 à 08:34, Ondrej Zary <ondrej at zary.sk> a écrit :
>
>> On Tuesday 21 September 2021, Jérémy Lal wrote:
>>
>> > Libuv1 1.34.2 - same version as the one in nodejs/deps/uv/ - is in
>> > buster-backports.
>> > It would be nice to try building against that version.
>> > Some nodejs tests might fail (patched to support old uv).
>>
>> I've alrady tried installing it (stretch-backports), still segfaulted the
>> same way.
>> Could rebuilding nodejs change anything?
>>
>
> That's scary - how come the same version of uv, used as a shared lib,
> fails, while when compiled statically without the --shared-uv flag,
> succeeds ?
> I need to see for myself... i'll try on a porter box.
>

Ok since i'm preparing a security update for node 10 i'm testing this issue.

- rebuilt nodejs 10.24.0 with the bundled libuv (1.34.2): it doesn't
segfault anymore.
(and i'm not hallucinating here - it segfaults 100% without using bundled
libuv).

- diffed bundled libuv with debian backport of libuv 1.34.2: they are the
same

By mistake i looked at uv/src/win/fs.c and discovered that they do a much
better job at making sure multiple calls to uv_fs_req_cleanup(req) can't
crash.
I really think this is the problem. I'm trying to fix it by protecting it
from the nodejs side.

Jérémy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20211015/be0823c9/attachment.htm>