Description
Present in v22.x and main, happens here:
https://github.com/nodejs/node/blob/v22.9.0/deps/v8/src/execution/isolate.cc#L4600-L4610
`process_wide_shared_space_isolate_` is a static variable that is read and written without holding a mutex.
Worse, it's a pointer to a "toplevel" isolate (for want of a better word) that can go away before the current isolate is disposed, resulting in a use-after-free (most likely: a crash.)
It's hard to reliably demonstrate with node but it's pretty easy to reproduce with standalone V8, some threads, and patience. It shows up as a DCHECK in debug builds:
```
# Fatal error in ../deps/v8/src/heap/safepoint.cc, line 338
# Debug check failed: (clients_head_) == nullptr.
```
V8 fixed it last month in v8/v8@7710cb8 and, caveat emptor, it removes the problematic static variable but I'm not 100% sure it fixes the lifecycle bug.
I don't have good suggestions to offer except maybe remove the flag (and `--harmony_struct` because it has the same issue.)
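Added illustration, not V8 or Node code: a hypothetical model of the lifecycle pattern in the report, where the process-wide shared space is owned by whichever isolate created it and a second isolate keeps using it after the first is disposed. The names `SharedSpace`, `Isolate`, `Dispose` and `LiveClients` are made up for the model; the hardened version keeps the space alive until the last client detaches and guards the static under a mutex.

```cpp
#include <algorithm>
#include <memory>
#include <mutex>
#include <vector>

class Isolate;
// Stand-in for the shared-space isolate. Its client list mirrors the
// safepoint's clients_head_ that the DCHECK above expects to be empty.
struct SharedSpace { std::vector<Isolate*> clients; };

class Isolate {
 public:
  Isolate() {
    std::lock_guard<std::mutex> lock(mutex_);
    // Join the live process-wide space or create it; a weak_ptr cannot dangle.
    space_ = process_wide_shared_space_.lock();
    if (!space_) {
      space_ = std::make_shared<SharedSpace>();
      process_wide_shared_space_ = space_;
    }
    space_->clients.push_back(this);
  }
  void Dispose() {
    std::lock_guard<std::mutex> lock(mutex_);
    if (!space_) return;
    auto& c = space_->clients;
    c.erase(std::remove(c.begin(), c.end(), this), c.end());
    space_.reset();  // freed only when the last client lets go
  }
  SharedSpace* space() const { return space_.get(); }
  static size_t LiveClients() {
    std::lock_guard<std::mutex> lock(mutex_);
    auto s = process_wide_shared_space_.lock();
    return s ? s->clients.size() : 0;
  }
 private:
  std::shared_ptr<SharedSpace> space_;
  static std::mutex mutex_;
  static std::weak_ptr<SharedSpace> process_wide_shared_space_;
};
std::mutex Isolate::mutex_;
std::weak_ptr<SharedSpace> Isolate::process_wide_shared_space_;

// The report's scenario: the first ("toplevel") isolate is disposed while a
// second one still uses the shared space. A raw static owned by the first
// isolate would leave `second` holding a dangling pointer here.
bool SecondIsolateSurvivesFirstDispose() {
  Isolate first, second;
  SharedSpace* before = second.space();
  first.Dispose();
  bool alive = second.space() == before && Isolate::LiveClients() == 1;
  second.Dispose();
  return alive && Isolate::LiveClients() == 0;
}
```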