[ 
https://issues.apache.org/jira/browse/THRIFT-4807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James E. King III resolved THRIFT-4807.
---------------------------------------
       Resolution: Fixed
         Assignee: James E. King III
    Fix Version/s: 0.13.0

> PHP extension segfaults if reference is used in input
> -----------------------------------------------------
>
>                 Key: THRIFT-4807
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4807
>             Project: Thrift
>          Issue Type: Bug
>          Components: PHP - Library
>    Affects Versions: 0.12.0
>         Environment: php 7.0 & php 7.2 with php extension
>            Reporter: Josip Sokcevic
>            Assignee: James E. King III
>            Priority: Major
>             Fix For: 0.13.0
>
>         Attachments: 0001-THRIFT-4807-Fix-php-segfault-on-reference-pass.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When a reference is passed to the php extension, it's unreferenced (instead of 
> dereferenced). The next time one tries to use the same variable PHP segfaults. 
> Even if not used again, php segfaults on user_shutdown_function_call.
> Example:
> Thrift
> {code}
> namespace php tt.demo
> struct SumInput {
>     1: required list<i64> numbers;
> }
> service DemoService {
>     i64 sum(1: SumInput input)
> }
> {code}
> PHP client:
> {code:php}
> // null transport (nothing is actually sent; serialization alone triggers the crash)
> $transport = new \Thrift\Transport\TNullTransport();
> // binary protocol
> $protocol = new \Thrift\Protocol\TBinaryProtocolAccelerated($transport, true, true);
> // create a client
> $client = new \tt\demo\DemoServiceClient($protocol);
> // at this point, client is ready, and we can make RPC calls:
> $numbers = [];
> $input = new \tt\demo\SumInput();
> $input->numbers = &$numbers;
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> $input->numbers = &$numbers;
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> var_dump('never reached');
> {code}
> Output (gdb)
> {code}
> (gdb) run -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> Starting program: /home/jsokcevic/bin/php7-0-33/bin/php -c 
> ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/usr/lib/libthread_db.so.1".
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(1){
>   }
> }
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(4094359424){
>   }
> }
> php: /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356: 
> convert_to_long_base: Assertion `0' failed.
> Program received signal SIGABRT, Aborted.
> 0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> (gdb) bt
> #0  0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> #1  0x00007ffff51c1672 in abort () from /usr/lib/libc.so.6
> #2  0x00007ffff51c1548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
> #3  0x00007ffff51cf396 in __assert_fail () from /usr/lib/libc.so.6
> #4  0x0000555555b7422b in convert_to_long_base (op=0x7ffff4006448, base=10)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356
> #5  0x0000555555b73e13 in convert_to_long (op=0x7ffff4006448)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:297
> #6  0x00007ffff3c99052 in binary_serialize (thrift_typeID=10 '\n', 
> transport=..., value=0x7ffff4006448,
>     fieldspec=0x7ffff407ecc0) at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:744
> #7  0x00007ffff3c9956c in binary_serialize (thrift_typeID=15 '\017', 
> transport=..., value=0x7ffff40af4a8,
>     fieldspec=0x7ffff40afc60) at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:818
> #8  0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff407e328, 
> transport=..., spec=0x7ffff40c43c0)
>     at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #9  0x00007ffff3c98ef3 in binary_serialize (thrift_typeID=12 '\f', 
> transport=..., value=0x7ffff407e328,
>     fieldspec=0x7ffff40c45a0) at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:722
> #10 0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff4015560, 
> transport=..., spec=0x7ffff40c4540)
>     at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #11 0x00007ffff3c9a4ef in zif_thrift_protocol_write_binary 
> (execute_data=0x7ffff40154d0, return_value=0x7ffff4015410)
>     at 
> /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1053
> #12 0x0000555555be76e7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:714
> #13 0x0000555555be6b68 in execute_ex (ex=0x7ffff4015030) at 
> /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:414
> #14 0x0000555555be6c79 in zend_execute (op_array=0x7ffff4085000, 
> return_value=0x0)
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:458
> #15 0x0000555555b872ff in zend_execute_scripts (type=8, retval=0x0, 
> file_count=3)
>     at /home/jsokcevic/Work/php-src/Zend/zend.c:1445
> #16 0x0000555555aef67b in php_execute_script (primary_file=0x7fffffffcaa0)
>     at /home/jsokcevic/Work/php-src/main/main.c:2516
> #17 0x0000555555c4ff4b in do_cli (argc=4, argv=0x55555638e310) at 
> /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:977
> #18 0x0000555555c51132 in main (argc=4, argv=0x55555638e310) at 
> /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:1347
> (gdb)
> {code}
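The failure the ticket describes, a reference being released ("unreferenced") instead of followed ("dereferenced") while a serializer walks a struct's fields, shown as an added C illustration. This is a constructed refcount model, not Zend engine or Thrift extension code; `value`, `reference`, `slot`, `serialize_deref` and `serialize_unref` are hypothetical names. The correct path mirrors what Zend's ZVAL_DEREF macro does: follow the reference to its target without changing ownership, so repeated serialization of the same field is harmless.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of refcounted values and PHP-style references. It is
 * not Zend engine code; it only shows why "unreference" and "dereference"
 * differ when a serializer reads a struct field that holds a reference. */
typedef struct value {
    uint32_t refcount;
    int64_t  payload;  /* stands in for the list<i64> contents */
    int      freed;    /* set once refcount hits zero (real code would free()) */
} value;

typedef struct reference {
    value *target;     /* the value the reference points at */
} reference;

/* A field slot, like a zval: either a plain value or a reference to one. */
typedef struct slot {
    int        is_ref;
    value     *plain;
    reference *ref;
} slot;

value *value_new(int64_t payload) {
    value *v = calloc(1, sizeof *v);
    v->refcount = 1;   /* the owning variable, e.g. $numbers */
    v->payload = payload;
    return v;
}

/* Drop one owner. Returns -1 if the value is already dead; in the real
 * engine this is where the refcount turns into garbage (the
 * refcount(4094359424) in the ticket) and the next use crashes. */
int value_release(value *v) {
    if (v->freed || v->refcount == 0) return -1;
    if (--v->refcount == 0) v->freed = 1;
    return 0;
}

/* Make a reference: the wrapper becomes one more owner of the value, like
 * `$input->numbers = &$numbers;` where both names share one target. */
slot slot_ref(value *v) {
    reference *r = calloc(1, sizeof *r);
    r->target = v;
    v->refcount++;
    return (slot){ .is_ref = 1, .plain = NULL, .ref = r };
}

slot slot_plain(value *v) {
    v->refcount++;
    return (slot){ .is_ref = 0, .plain = v, .ref = NULL };
}

/* Correct: follow the reference to its target (what ZVAL_DEREF does) and
 * leave ownership alone. Returns 0 and stores the payload in *out. */
int serialize_deref(const slot *s, int64_t *out) {
    const value *v = s->is_ref ? s->ref->target : s->plain;
    if (v->freed) return -1;
    *out = v->payload;
    return 0;
}

/* Buggy: treat the reference as something to release before reading. Each
 * call steals one owner's count; the value dies while $numbers still points
 * at it, and the second serialization of the same field reads a dead value. */
int serialize_unref(const slot *s, int64_t *out) {
    value *v = s->is_ref ? s->ref->target : s->plain;
    if (s->is_ref && value_release(v) != 0) return -1;
    if (v->freed) return -1;
    *out = v->payload;
    return 0;
}

int main(void) {
    int64_t out = 0;
    value *numbers = value_new(42);
    slot field = slot_ref(numbers);   /* $input->numbers = &$numbers; */

    printf("deref #1: rc=%d refcount=%u\n", serialize_deref(&field, &out), numbers->refcount);
    printf("deref #2: rc=%d refcount=%u\n", serialize_deref(&field, &out), numbers->refcount);
    printf("unref #1: rc=%d refcount=%u\n", serialize_unref(&field, &out), numbers->refcount);
    printf("unref #2: rc=%d freed=%d\n", serialize_unref(&field, &out), numbers->freed);
    return 0;
}
```

Two calls of the buggy path reproduce the ticket's sequence: the first `send_sum` succeeds, the second operates on a value whose last owner has already been dropped. The dereferencing path can be called any number of times and leaves the refcount at the two owners that actually exist.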



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
