n-api: back up env before async work finalize

We must back up the value of `_env` before calling the async work
complete callback, because the complete callback may delete the
instance in which `_env` is stored by calling `napi_delete_async_work`,
and because we need to use it after the complete callback has
completed.

Fixes: https://github.com/nodejs/node/issues/20966
PR-URL: https://github.com/nodejs/node/pull/21129
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

1 files changed, 9 insertions, 3 deletions

diff --git a/src/node_api.cc b/src/node_api.cc
index a83244131f..fdd12afc22 100644
--- a/src/node_api.cc
+++ b/src/node_api.cc
@@ -3393,13 +3393,19 @@ class Work : public node::AsyncResource, public node::ThreadPoolWork {
 
     CallbackScope callback_scope(this);
 
-    NAPI_CALL_INTO_MODULE(_env,
+    // We have to back up the env here because the `NAPI_CALL_INTO_MODULE` macro
+    // makes use of it after the call into the module completes, but the module
+    // may have deallocated **this**, and along with it the place where _env is
+    // stored.
+    napi_env env = _env;
+
+    NAPI_CALL_INTO_MODULE(env,
         _complete(_env, ConvertUVErrorCode(status), _data),
-        [this] (v8::Local<v8::Value> local_err) {
+        [env] (v8::Local<v8::Value> local_err) {
           // If there was an unhandled exception in the complete callback,
           // report it as a fatal exception. (There is no JavaScript on the
           // callstack that can possibly handle it.)
-          v8impl::trigger_fatal_exception(_env, local_err);
+          v8impl::trigger_fatal_exception(env, local_err);
         });
 
     // Note: Don't access `work` after this point because it was