fix(Session): prevent use-after-free when database is GC'd before session

mceachen · mceachen · commit a151cb6f1c98 · 2026-01-26T14:17:42.000-08:00
The Session class was using a raw DatabaseSync* pointer without holding
a reference to keep the database object alive. When JavaScript lost its
reference to the DatabaseSync and GC ran, the database destructor would
be called while Sessions still referenced it, causing SIGSEGV on Alpine
Linux.

Fix: Add Napi::ObjectReference database_ref_ to Session class, matching
the pattern used by StatementSync to prevent the same issue.

Fixes: SIGSEGV in session-lifecycle.test.ts on Alpine Linux (ARM64/x64)
diff --git a/src/sqlite_impl.cpp b/src/sqlite_impl.cpp
@@ -2974,6 +2974,11 @@ void Session::SetSession(DatabaseSync *database, sqlite3_session *session) {
   session_ = session;
   if (database_) {
     database_->AddSession(this);
+    // Create a strong reference to the database object to prevent it from being
+    // garbage collected while this session exists. This fixes use-after-free
+    // when the database is GC'd before its sessions.
+    // See: https://github.com/nodejs/node/pull/56840 (similar fix for statements)
+    database_ref_ = Napi::Persistent(database->Value());
   }
 }
 
@@ -2996,6 +3001,11 @@ void Session::Delete() {
 
   // Now it's safe to delete the SQLite session
   sqlite3session_delete(session_to_delete);
+
+  // Release the strong reference to the database object
+  if (!database_ref_.IsEmpty()) {
+    database_ref_.Reset();
+  }
 }
 
 template <int (*sqliteChangesetFunc)(sqlite3_session *, int *, void **)>
diff --git a/src/sqlite_impl.h b/src/sqlite_impl.h
@@ -360,6 +360,10 @@ class Session : public Napi::ObjectWrap<Session> {
 
   sqlite3_session *session_ = nullptr;
   DatabaseSync *database_ = nullptr; // Direct pointer to database
+  // Strong reference to database object to prevent GC while session exists.
+  // This fixes use-after-free when database is GC'd before its sessions.
+  // See: https://github.com/nodejs/node/pull/56840 (similar fix for statements)
+  Napi::ObjectReference database_ref_;
 
   friend class DatabaseSync;
 };
