Skip to content

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
legendecas wants to merge 2 commits into
base: main
Choose a base branch
from
Open

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

legendecas wants to merge 2 commits into from

Conversation

@legendecas
Copy link
Member

@legendecas legendecas commented Jan 13, 2026
edited
Loading

deps: V8: cherry-pick c5ff7c4d6cde

Original commit message:

[builtins] disallow ArrayBuffer transfer with a detach key

This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
an arraybuffer that is not detachable. This also fix the check on
`ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

Refs: https://github.com/nodejs/node/issues/61362
Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
Commit-Queue: Chengzhong Wu <cwu631@bloomberg.net>
Reviewed-by: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4

buffer: disallow ArrayBuffer transfer on pooled buffer

This is an alternative solution that disallows transfer operation on buffer pool.

Depends on https://chromium-review.googlesource.com/c/v8/v8/+/7454288.

Fixes: #61362

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 13, 2026

Review requested:

  • @nodejs/security-wg
  • @nodejs/v8-update

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jan 13, 2026
@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@Renegade334
Copy link
Member

Renegade334 commented Jan 13, 2026
edited
Loading

This requires V8 changes to properly work.

I don't believe so – calling SetDetachKey() on the array buffer object should effectively mark the object as untransferable, without setting the flag on the object handle directly?

@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@legendecas
Copy link
Member Author

legendecas commented Jan 13, 2026

https://chromium-review.googlesource.com/c/v8/v8/+/7454288 would be required to have SetDetachKey() properly disables arrayBuffer.transfer().

@Renegade334 Renegade334 mentioned this pull request Jan 14, 2026
Closed
@legendecas legendecas marked this pull request as ready for review January 15, 2026 14:24
addaleax
addaleax approved these changes Jan 15, 2026
View reviewed changes
lib/internal/buffer.js

// This would better be placed in internal/worker/io.js, but that doesn't work
// because Buffer needs this and that would introduce a cyclic dependency.
function markAsUntransferable(obj) {
Copy link
Member

@addaleax addaleax Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a public method on the worker_threads module, I'd suggest adding a documentation update there (and I'd say this doesn't count as a breaking change, since it is very much in line with the intent of this method)

Renegade334
Renegade334 reviewed Jan 15, 2026
View reviewed changes
lib/internal/buffer.js Outdated
obj[untransferable_object_private_symbol] = true;

if (isArrayBuffer(obj)) {
setDetachKey(obj, Symbol('unique_detach_key_for_untransferable_arraybuffer'));
Copy link
Member

@Renegade334 Renegade334 Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: is there any disadvantage to making this a static key, rather than generating a new symbol for each invocation?

Copy link
Member Author

@legendecas legendecas Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really, updated to use a constant unique symbol.

@codecov
Copy link

codecov bot commented Jan 15, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 84.37500% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.84%. Comparing base (41c6256) to head (513d284).
⚠️ Report is 13 commits behind head on main.

Files with missing lines Patch % Lines
lib/buffer.js 78.57% 3 Missing ⚠️
src/node_buffer.cc 77.77% 0 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #61372      +/-   ##
==========================================
- Coverage   89.85%   89.84%   -0.01%     
==========================================
  Files         671      671              
  Lines      203309   203341      +32     
  Branches    39085    39102      +17     
==========================================
+ Hits       182677   182690      +13     
- Misses      12972    12994      +22     
+ Partials     7660     7657       -3
Files with missing lines Coverage Δ
lib/internal/buffer.js 98.74% <100.00%> (+0.01%) ⬆️
src/node_buffer.cc 68.70% <77.77%> (+0.08%) ⬆️
lib/buffer.js 99.78% <78.57%> (-0.22%) ⬇️

... and 38 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@legendecas legendecas mentioned this pull request Jan 16, 2026
Merged
@legendecas
Copy link
Member Author

legendecas commented Jan 16, 2026

It looks like quic tests are failing because it tries to detach certs buffer, which is read with fs.readFileSync that internally uses pooled buffer with Buffer.allocUnsafe.

Submitting a separate PR to address it: #61403

nodejs-github-bot pushed a commit that referenced this pull request Jan 22, 2026
@legendecas
quic: copy options.certs buffer instead of detaching
41c6256 
The certs could be allocated in a pooled buffer, like `Buffer.from`, and
`Buffer.allocUnsafe` (used by `fs.readFileSync`, etc).

PR-URL: #61403
Refs: #61372
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
@legendecas
deps: V8: cherry-pick c5ff7c4d6cde
7804cb4 
Original commit message:

    [builtins] disallow ArrayBuffer transfer with a detach key

    This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
    an arraybuffer that is not detachable. This also fix the check on
    `ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

    Refs: nodejs#61362
    Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
    Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
    Commit-Queue: Chengzhong Wu <cwu631@bloomberg.net>
    Reviewed-by: Olivier Flückiger <olivf@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4
@legendecas legendecas force-pushed the buffer-transfer branch 2 times, most recently from fa99c0d to a7d8f6a Compare January 22, 2026 16:18
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 22, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/70973/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Renegade334 Renegade334 Renegade334 left review comments

@addaleax addaleax addaleax approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Can not construct Buffer after different Buffer was previously transfererd

4 participants

@legendecas @nodejs-github-bot @Renegade334 @addaleax