git.kaiwu.me - njs.git/commit
Modules: fixed double-free in shared dict update with eviction.
author Dmitry Volyntsev <xeioex@nginx.com>
Fri, 27 Mar 2026 00:16:11 +0000 (17:16 -0700)
committer Dmitry Volyntsev <xeioexception@gmail.com>
Mon, 30 Mar 2026 23:53:46 +0000 (16:53 -0700)
commit 754771984a7f1d017f80e1c3a602a4c9dc64cc56
tree db476bb920c7ef618847e89270b1743f5b95938c
parent 8f42e991a2528ed64663599ffd76e66988b8f126
Modules: fixed double-free in shared dict update with eviction.

Previously, when updating an existing key's string value in a shared
dictionary with timeout and evict enabled, ngx_js_dict_alloc() could
trigger ngx_js_dict_evict() if the zone was full.  Since the node being
updated was still in the expire tree, eviction could free it.  The
subsequent ngx_slab_free_locked() call in the update path then freed the
already-freed string data, causing the "chunk is already free" alert
followed by a segfault.

The fix removes the node from the expire tree before allocating
memory for the new value, preventing eviction from reaching it.
On allocation failure the node is re-inserted with its original
expiry time.
nginx/ngx_js_shared_dict.c
nginx/t/js_shared_dict.t
nginx/t/js_shared_dict_evict.t [new file with mode: 0644]
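
The ordering problem described in the commit message above, as an added toy model that is not njs code: `chunk_alloc()`, `evict()` and `chunk_free()` are hypothetical stand-ins for ngx_js_dict_alloc(), ngx_js_dict_evict() and ngx_slab_free_locked(). The 4-chunk zone, the lowest-free-chunk allocation policy and the `alerts` counter (standing in for the "chunk is already free" alert) are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, constructed for illustration: a 4-chunk zone; each entry
 * owns a node chunk and a value chunk and may sit in the expire queue. */
enum { CHUNKS = 4, ENTRIES = 2 };
typedef struct { int node, value, queued, expire; } entry_t;
static int used[CHUNKS], alerts;   /* alerts: frees of an already-free chunk */
static entry_t e[ENTRIES];

static void chunk_free(int c) { if (used[c]) used[c] = 0; else alerts++; }
static int evict(void) {           /* drop the oldest queued entry */
    int v = -1;
    for (int i = 0; i < ENTRIES; i++)
        if (e[i].queued && (v < 0 || e[i].expire < e[v].expire)) v = i;
    if (v < 0) return 0;
    chunk_free(e[v].value); chunk_free(e[v].node);
    e[v].queued = 0;
    return 1;
}
static int chunk_alloc(void) {     /* lowest free chunk; evict when full */
    for (;;) {
        for (int c = 0; c < CHUNKS; c++)
            if (!used[c]) { used[c] = 1; return c; }
        if (!evict()) return -1;
    }
}
static void setup(void) {          /* two entries fill the zone */
    memset(used, 0, sizeof used); alerts = 0;
    for (int i = 0; i < ENTRIES; i++) {
        e[i].node = chunk_alloc(); e[i].value = chunk_alloc();
        e[i].queued = 1; e[i].expire = 10 + i;
    }
}
/* Replace entry i's value; detach_first=1 is the ordering the fix uses. */
static int update(int i, int expire, int detach_first) {
    if (detach_first) e[i].queued = 0;  /* eviction cannot select i now */
    int fresh = chunk_alloc();
    if (fresh < 0) { e[i].queued = 1; return -1; } /* expire unchanged */
    chunk_free(e[i].value);             /* release the old value */
    e[i].value = fresh; e[i].expire = expire; e[i].queued = 1;
    return 0;
}
int main(void) {
    for (int d = 0; d <= 1; d++) {
        setup(); update(0, 20, d);
        printf("detach_first=%d alerts=%d\n", d, alerts);
    }
    return 0;
}
```

With `detach_first=0` the entry being updated is the oldest in the queue, so eviction releases its value chunk and the update path releases it a second time. With `detach_first=1` eviction takes the other entry instead, or the allocation fails and the entry goes back into the queue with its original expiry.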