thrift-dev mailing list archives

From "James E. King III (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (THRIFT-4807) PHP extension segfaults if reference is used in input
Date Fri, 22 Feb 2019 11:23:00 GMT

     [ https://issues.apache.org/jira/browse/THRIFT-4807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King III resolved THRIFT-4807.
---------------------------------------
       Resolution: Fixed
         Assignee: James E. King III
    Fix Version/s: 0.13.0

> PHP extension segfaults if reference is used in input
> -----------------------------------------------------
>
>                 Key: THRIFT-4807
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4807
>             Project: Thrift
>          Issue Type: Bug
>          Components: PHP - Library
>    Affects Versions: 0.12.0
>         Environment: php 7.0 & php 7.2 with php extension
>            Reporter: Josip Sokcevic
>            Assignee: James E. King III
>            Priority: Major
>             Fix For: 0.13.0
>
>         Attachments: 0001-THRIFT-4807-Fix-php-segfault-on-reference-pass.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When a reference is passed to the php extension, it's unreferenced (instead of dereferenced).
> The next time one tries to use the same variable PHP segfaults. Even if not used again, php
> segfaults on user_shutdown_function_call.
> Example:
> Thrift
> {code:java}
> namespace php tt.demo
> struct SumInput {
>     1: required list<i64> numbers;
> }
> service DemoService {
>     i64 sum(1: SumInput input)
> }
> {code}
> PHP client:
> {code:php}
> <?php
> // Assumes the Thrift PHP library autoloader and the classes generated from
> // the IDL above (namespace tt\demo) have already been loaded.
> // Null transport: everything written is discarded, which is enough to reproduce the crash
> $transport = new \Thrift\Transport\TNullTransport();
> // binary protocol, accelerated by the thrift_protocol extension
> $protocol = new \Thrift\Protocol\TBinaryProtocolAccelerated($transport, true, true);
> // create a client
> $client = new \tt\demo\DemoServiceClient($protocol);
> // at this point, client is ready, and we can make RPC calls:
> $numbers = [];
> $input = new \tt\demo\SumInput();
> $input->numbers = &$numbers; // the field is assigned by reference: this is what triggers the bug
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> $input->numbers = &$numbers;
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> var_dump('never reached');
> {code}
> Output (gdb)
> {code:java}
> (gdb) run -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> Starting program: /home/jsokcevic/bin/php7-0-33/bin/php -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/usr/lib/libthread_db.so.1".
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(1){
>   }
> }
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(4094359424){
>   }
> }
> php: /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356: convert_to_long_base: Assertion `0' failed.
> Program received signal SIGABRT, Aborted.
> 0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> (gdb) bt
> #0  0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> #1  0x00007ffff51c1672 in abort () from /usr/lib/libc.so.6
> #2  0x00007ffff51c1548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
> #3  0x00007ffff51cf396 in __assert_fail () from /usr/lib/libc.so.6
> #4  0x0000555555b7422b in convert_to_long_base (op=0x7ffff4006448, base=10)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356
> #5  0x0000555555b73e13 in convert_to_long (op=0x7ffff4006448)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:297
> #6  0x00007ffff3c99052 in binary_serialize (thrift_typeID=10 '\n', transport=..., value=0x7ffff4006448,
>     fieldspec=0x7ffff407ecc0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:744
> #7  0x00007ffff3c9956c in binary_serialize (thrift_typeID=15 '\017', transport=..., value=0x7ffff40af4a8,
>     fieldspec=0x7ffff40afc60) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:818
> #8  0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff407e328, transport=..., spec=0x7ffff40c43c0)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #9  0x00007ffff3c98ef3 in binary_serialize (thrift_typeID=12 '\f', transport=..., value=0x7ffff407e328,
>     fieldspec=0x7ffff40c45a0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:722
> #10 0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff4015560, transport=..., spec=0x7ffff40c4540)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #11 0x00007ffff3c9a4ef in zif_thrift_protocol_write_binary (execute_data=0x7ffff40154d0, return_value=0x7ffff4015410)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1053
> #12 0x0000555555be76e7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:714
> #13 0x0000555555be6b68 in execute_ex (ex=0x7ffff4015030) at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:414
> #14 0x0000555555be6c79 in zend_execute (op_array=0x7ffff4085000, return_value=0x0)
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:458
> #15 0x0000555555b872ff in zend_execute_scripts (type=8, retval=0x0, file_count=3)
>     at /home/jsokcevic/Work/php-src/Zend/zend.c:1445
> #16 0x0000555555aef67b in php_execute_script (primary_file=0x7fffffffcaa0)
>     at /home/jsokcevic/Work/php-src/main/main.c:2516
> #17 0x0000555555c4ff4b in do_cli (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:977
> #18 0x0000555555c51132 in main (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:1347
> (gdb)
> {code}
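A regression check for this issue, added here and not part of the report or of the Thrift project: it encodes the same `sum` call once through the pure-PHP `TBinaryProtocol` (the oracle) and once through the `thrift_protocol` extension with the list field assigned by reference, compares the bytes, then touches the referenced variable and encodes again, which is exactly the sequence that crashed on 0.12.0. The autoloader and generated-code paths (`vendor/autoload.php`, `gen-php/tt/demo/...`) and the class name `DemoService_sum_args` (the Thrift PHP generator's naming for the argument struct of `DemoService.sum`) are assumptions; the IDL is the one from the report.

```php
<?php
// Added regression check for THRIFT-4807 (not the issue's or the project's code).
// Assumes: Thrift PHP library autoloader at vendor/autoload.php (assumed path),
// classes generated from the DemoService IDL in the report under gen-php/
// (assumed path), and the thrift_protocol extension loaded into this PHP.
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/gen-php/tt/demo/Types.php';
require_once __DIR__ . '/gen-php/tt/demo/DemoService.php';

use Thrift\Protocol\TBinaryProtocol;
use Thrift\Protocol\TBinaryProtocolAccelerated;
use Thrift\Transport\TMemoryBuffer;
use Thrift\Type\TMessageType;

// Encode a `sum` CALL message into a memory buffer and return the raw bytes.
// $numbers is taken by reference so the struct field is a PHP reference,
// the situation the extension mishandled.
function encodeSumCall(bool $accelerated, array &$numbers): string
{
    $input = new \tt\demo\SumInput();
    $input->numbers = &$numbers;

    $args = new \tt\demo\DemoService_sum_args(); // assumed generated class name
    $args->input = $input;

    $buf = new TMemoryBuffer();
    if ($accelerated) {
        // Extension path: same call the generated client makes in send_sum()
        $proto = new TBinaryProtocolAccelerated($buf, true, true);
        thrift_protocol_write_binary($proto, 'sum', TMessageType::CALL, $args, 1, true);
    } else {
        // Pure-PHP path, used as the oracle for the expected bytes
        $proto = new TBinaryProtocol($buf, true, true);
        $proto->writeMessageBegin('sum', TMessageType::CALL, 1);
        $args->write($proto);
        $proto->writeMessageEnd();
        $proto->getTransport()->flush();
    }
    return $buf->getBuffer();
}

if (!extension_loaded('thrift_protocol')) {
    fwrite(STDERR, "thrift_protocol extension not loaded; nothing to check\n");
    exit(2);
}

$numbers  = [1, 2, 3];                          // constructed sample input
$expected = encodeSumCall(false, $numbers);     // oracle
$actual   = encodeSumCall(true, $numbers);      // extension, first call

// On a buggy build the extension dropped the reference here, so the next two
// statements are a use-after-free (assertion/SIGABRT or SIGSEGV). On a fixed
// build they are ordinary PHP and the second encoding is longer by one i64.
$numbers[] = 4;
$second = encodeSumCall(true, $numbers);

if ($expected !== $actual) {
    fwrite(STDERR, "extension output differs from the pure-PHP encoder\n");
    exit(1);
}
if (count($numbers) !== 4 || strlen($second) !== strlen($actual) + 8) {
    fwrite(STDERR, "reference to \$numbers was not preserved across the call\n");
    exit(1);
}
echo "OK: thrift_protocol preserves referenced struct fields\n";
```

Run it under the PHP build that loads the extension; a process that exits 0 and prints `OK` has the fix, while a build with this bug aborts inside `thrift_protocol_write_binary` on the second accelerated call rather than reaching the comparison. The byte comparison against the pure-PHP protocol also catches the quieter failure mode, where the extension serializes a dereferenced-then-freed value instead of crashing.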



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
