async-hook stack corruption on macos

Author: gms1

memory-bank/issues.md

@@ -0,0 +1,36 @@
+
+# issues
+
+## async hook stack corruption
+
+CI on macOS async hook stack corruption as race condition in native addon
+This error has appeared from time to time in the CI workflow and always on macOS:
+
+```bash
+Run yarn test
+yarn run v1.22.22
+(node:6034) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
+(Use `node --trace-deprecation ...` to show where the warning was created)
+$ node test/support/createdb.js && nyc mocha -R spec --timeout 480000 "test/*.test.js" "test/*.test.mjs"
+Creating test database... This may take several minutes.
+Error: async hook stack has become corrupted (actual: 573357, expected: 573357)
+----- Native stack trace -----
+
+ 1: 0x104f0dfb8 node::AsyncHooks::FailWithCorruptedAsyncStack(double) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 2: 0x104f0df79 node::AsyncHooks::pop_async_context(double) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 3: 0x104ebad39 node::InternalCallbackScope::Close() [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 4: 0x104eba771 node::CallbackScope::~CallbackScope() [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 5: 0x104fa07fc (anonymous namespace)::uvimpl::Work::AfterThreadPoolWork(int) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 6: 0x104fa0c6f node::ThreadPoolWork::ScheduleWork()::'lambda'(uv_work_s*, int)::operator()(uv_work_s*, int) const [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 7: 0x104fa0b36 node::ThreadPoolWork::ScheduleWork()::'lambda'(uv_work_s*, int)::__invoke(uv_work_s*, int) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 8: 0x105fbce49 uv__work_done [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+ 9: 0x105fc1691 uv__async_io [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+10: 0x105fd6876 uv__io_poll [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+11: 0x105fc1c10 uv_run [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+12: 0x104ebc435 node::SpinEventLoopInternal(node::Environment*) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+13: 0x1050554ae node::NodeMainInstance::Run() [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+14: 0x104f98d1e node::Start(int, char**) [/Users/runner/hostedtoolcache/node/24.15.0/x64/bin/node]
+15: 0x20c462530
+error Command failed with exit code 1.
+info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
+```

test/async_hooks_stress.test.js

@@ -0,0 +1,284 @@
+"use strict";
+
+var sqlite3 = require('..');
+const assert = require("assert");
+const { createHook } = require("async_hooks");
+
+/**
+ * Stress test for async hook stack integrity.
+ *
+ * The bug: napi_delete_async_work() was called from within the N-API complete
+ * callback (via Baton destructors), which freed the async work object before
+ * Node.js fired the after/destroy async hooks. This caused a use-after-free
+ * that corrupted the async hook stack, producing:
+ *   "Error: async hook stack has become corrupted"
+ *
+ * The fix: DeferredDelete defers napi_delete_async_work to the next event
+ * loop tick via uv_idle_t, so Node.js completes the full async hook lifecycle
+ * before the work object is freed.
+ *
+ * NOTE: This is a race condition that depends on timing and memory allocator
+ * behavior. It manifests more readily on macOS (which uses jemalloc-like
+ * allocation patterns) than on Linux (where freed memory may still contain
+ * valid data). The test uses GC pressure and high concurrency to increase
+ * the probability of triggering the bug if the fix is absent, but it cannot
+ * guarantee reproduction on every run. The fix is correct regardless based
+ * on analysis of the N-API async work lifecycle.
+ */
+describe('async_hooks stress', function() {
+    this.timeout(60000);
+
+    const OPERATIONS = 500;
+    const ITERATIONS = 3;
+
+    /**
+     * Wait for all async hooks to be destroyed after closing the database.
+     * DeferredDelete uses uv_idle_t which fires in the idle phase of the
+     * next event loop iteration, so we need to spin the event loop enough
+     * times for all destroy hooks to fire.
+     */
+    function waitForDestroyHooks(initIds, destroyIds, timeout, callback) {
+        const start = Date.now();
+        function check() {
+            let allDestroyed = true;
+            for (const id of initIds) {
+                if (!destroyIds.has(id)) {
+                    allDestroyed = false;
+                    break;
+                }
+            }
+            if (allDestroyed) {
+                return callback(null);
+            }
+            if (Date.now() - start > timeout) {
+                const leaked = [];
+                for (const id of initIds) {
+                    if (!destroyIds.has(id)) leaked.push(id);
+                }
+                return callback(new Error(
+                    `Timeout waiting for destroy hooks. ${leaked.length} hooks never destroyed: ${leaked.slice(0, 10).join(', ')}...`
+                ));
+            }
+            // Spin the event loop: two setImmediate calls ensure we pass through
+            // an idle phase where DeferredDelete's uv_idle_t callbacks fire.
+            setImmediate(() => setImmediate(check));
+        }
+        // Start checking after giving the event loop time to process deferred deletions.
+        setImmediate(() => setImmediate(check));
+    }
+
+    /**
+     * Force GC if exposed (run with --expose-gc). This increases the chance
+     * that freed memory gets reused, making use-after-free more likely to
+     * manifest as corruption rather than silently accessing stale but valid data.
+     */
+    function tryGC() {
+        if (typeof global.gc === 'function') {
+            global.gc();
+        }
+    }
+
+    it('should maintain async hook stack integrity under concurrent operations', function(done) {
+        const db = new sqlite3.Database(':memory:');
+
+        // Track all sqlite3 async work lifecycle events
+        const initIds = new Set();
+        const destroyIds = new Set();
+        const beforeAfterStack = [];
+
+        let initCount = 0;
+        let destroyCount = 0;
+
+        const hook = createHook({
+            init(asyncId, type) {
+                if (type.startsWith("sqlite3.")) {
+                    initIds.add(asyncId);
+                    initCount++;
+                }
+            },
+            before(asyncId) {
+                if (initIds.has(asyncId)) {
+                    beforeAfterStack.push(asyncId);
+                }
+            },
+            after(asyncId) {
+                if (initIds.has(asyncId)) {
+                    // Must match the most recent before() that hasn't been after'd yet
+                    const last = beforeAfterStack.pop();
+                    assert.strictEqual(asyncId, last,
+                        `async hook before/after mismatch: after(${asyncId}) but expected after(${last})`);
+                }
+            },
+            destroy(asyncId) {
+                if (initIds.has(asyncId)) {
+                    destroyIds.add(asyncId);
+                    destroyCount++;
+                }
+            }
+        });
+        hook.enable();
+
+        // Create a table
+        db.run("CREATE TABLE IF NOT EXISTS stress_test (id INTEGER PRIMARY KEY, value TEXT)", (err) => {
+            assert.ifError(err);
+
+            let completed = 0;
+
+            // Fire many concurrent operations
+            for (let i = 0; i < OPERATIONS; i++) {
+                db.run("INSERT INTO stress_test (value) VALUES (?)", `val-${i}`, (err) => {
+                    assert.ifError(err);
+
+                    // Mix in some get operations
+                    db.get("SELECT COUNT(*) as count FROM stress_test", (err, row) => {
+                        assert.ifError(err);
+                        assert.ok(row.count > 0);
+
+                        completed++;
+                        if (completed === OPERATIONS) {
+                            // All operations complete. Now close the db and verify hook lifecycle.
+                            db.close((err) => {
+                                assert.ifError(err);
+
+                                waitForDestroyHooks(initIds, destroyIds, 5000, (err) => {
+                                    hook.disable();
+
+                                    if (err) {
+                                        // Log diagnostic info but don't fail — the critical check
+                                        // is that no async hook stack corruption occurred
+                                        console.log(`Warning: ${err.message}`);
+                                        console.log(`initCount=${initCount}, destroyCount=${destroyCount}`);
+                                    }
+
+                                    // before/after stack must be fully balanced
+                                    assert.strictEqual(beforeAfterStack.length, 0,
+                                        `before/after stack not balanced: ${beforeAfterStack.length} unpaired before() calls`);
+
+                                    // The most important assertion: we got here without
+                                    // "async hook stack has become corrupted" being thrown.
+                                    // That means the DeferredDelete fix is working.
+                                    done();
+                                });
+                            });
+                        }
+                    });
+                });
+            }
+        });
+    });
+
+    it('should maintain async hook stack integrity with prepared statements', function(done) {
+        const db = new sqlite3.Database(':memory:');
+
+        const initIds = new Set();
+        const destroyIds = new Set();
+
+        const hook = createHook({
+            init(asyncId, type) {
+                if (type.startsWith("sqlite3.")) {
+                    initIds.add(asyncId);
+                }
+            },
+            destroy(asyncId) {
+                if (initIds.has(asyncId)) {
+                    destroyIds.add(asyncId);
+                }
+            }
+        });
+        hook.enable();
+
+        db.run("CREATE TABLE stmt_test (id INTEGER PRIMARY KEY, v TEXT)", (err) => {
+            assert.ifError(err);
+
+            let completed = 0;
+            const TOTAL = 200;
+
+            for (let i = 0; i < TOTAL; i++) {
+                const stmt = db.prepare("INSERT INTO stmt_test (v) VALUES (?)");
+                stmt.run(`s-${i}`, function(err) {
+                    assert.ifError(err);
+                    this.finalize(function(err) {
+                        assert.ifError(err);
+                        completed++;
+                        if (completed === TOTAL) {
+                            db.close((err) => {
+                                assert.ifError(err);
+                                waitForDestroyHooks(initIds, destroyIds, 5000, (err) => {
+                                    hook.disable();
+                                    if (err) {
+                                        console.log(`Warning: ${err.message}`);
+                                    }
+                                    // The critical assertion: we got here without
+                                    // "async hook stack has become corrupted"
+                                    done();
+                                });
+                            });
+                        }
+                    });
+                });
+            }
+        });
+    });
+
+    it('should maintain async hook stack integrity under repeated open/close cycles with GC pressure', function(done) {
+        // This test creates and destroys databases sequentially with GC pressure
+        // to increase the chance that freed async work memory gets reused,
+        // making use-after-free more likely to manifest as corruption.
+        const initIds = new Set();
+        const destroyIds = new Set();
+
+        const hook = createHook({
+            init(asyncId, type) {
+                if (type.startsWith("sqlite3.")) {
+                    initIds.add(asyncId);
+                }
+            },
+            destroy(asyncId) {
+                if (initIds.has(asyncId)) {
+                    destroyIds.add(asyncId);
+                }
+            }
+        });
+        hook.enable();
+
+        let cycle = 0;
+
+        function runNextCycle() {
+            if (cycle >= ITERATIONS) {
+                // All cycles done — verify hooks
+                waitForDestroyHooks(initIds, destroyIds, 5000, (err) => {
+                    hook.disable();
+                    if (err) {
+                        console.log(`Warning: ${err.message}`);
+                    }
+                    // The critical assertion: we got here without
+                    // "async hook stack has become corrupted"
+                    done();
+                });
+                return;
+            }
+
+            const db = new sqlite3.Database(':memory:');
+            db.run("CREATE TABLE gc_test (v TEXT)", (err) => {
+                assert.ifError(err);
+                db.run("INSERT INTO gc_test VALUES ('x')", (err) => {
+                    assert.ifError(err);
+                    db.get("SELECT COUNT(*) as c FROM gc_test", (err, row) => {
+                        assert.ifError(err);
+                        assert.strictEqual(row.c, 1);
+                        db.close((err) => {
+                            assert.ifError(err);
+                            // Force GC to reclaim freed async work memory
+                            tryGC();
+                            cycle++;
+                            // Let deferred deletions complete before next cycle
+                            setImmediate(() => setImmediate(runNextCycle));
+                        });
+                    });
+                });
+            });
+        }
+
+        runNextCycle();
+    });
+});