[ 
https://issues.apache.org/jira/browse/THRIFT-5769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tuomo Jokimies updated THRIFT-5769:
-----------------------------------
    Description: 
Large messages cause the Thrift client to crash when using TFramedTransport.

The crash is caused by an array overflow of the residual variable in the receiver function.

*Stack trace for Node.js v21.7.1*
(pinpoints the cause, as it is using a newer version of V8)
{code:java}
<redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43
      residual.push(data[i])
               ^

RangeError: Invalid array length
    at Array.push (<anonymous>)
    at <redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43:16
    <redacted>{code}
*Stack trace for Node.js LTS v20.11.1*
{code:java}
#
# Fatal error in , line 0
# Fatal JavaScript invalid size error 169220804 (see crbug.com/1201626)
#
#
#
#FailureMessage Object: 0x16f48a0f8
----- Native stack trace -----

1: 0x100aad340 node::NodePlatform::GetStackTracePrinter()::$_3::__invoke() [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
2: 0x101b309ac V8_Fatal(char const*, <redacted>) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
3: 0x100d71334 v8::internal::FactoryBase<v8::internal::Factory>::NewFixedArrayWithFiller(v8::internal::Handle<v8::internal::Map>, int, v8::internal::Handle<v8::internal::Oddball>, v8::internal::AllocationType) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
4: 0x100f0cf68 v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedSmiElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)0>>::GrowCapacity(v8::internal::Handle<v8::internal::JSObject>, unsigned int) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
5: 0x101158600 v8::internal::Runtime_GrowArrayElements(int, unsigned long*, v8::internal::Isolate*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
6: 0x1014c4c44 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
7: 0x1064cfe9c
8: 0x1064aac88
9: 0x10143c3e4 Builtins_InterpreterEntryTrampoline [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
10: 0x1064aac88
11: 0x10143c3e4 Builtins_InterpreterEntryTrampoline [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
12: 0x10143c3e4 Builtins_InterpreterEntryTrampoline [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
13: 0x10143a50c Builtins_JSEntryTrampoline [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
14: 0x10143a1f4 Builtins_JSEntry [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
15: 0x100d104f8 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
16: 0x100d0f944 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
17: 0x100bea214 v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
18: 0x100978fd8 node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
19: 0x100979304 node::MakeCallback(v8::Isolate*, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
20: 0x1009ee554 node::Environment::CheckImmediate(uv_check_s*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
21: 0x1014209e0 uv__run_check [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
22: 0x10141a700 uv_run [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
23: 0x100979754 node::SpinEventLoopInternal(node::Environment*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
24: 0x100a89c6c node::NodeMainInstance::Run(node::ExitCode*, node::Environment*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
25: 0x100a89a08 node::NodeMainInstance::Run() [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
26: 0x100a13718 node::Start(int, char**) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
27: 0x1a61dff28 start [/usr/lib/dyld]{code}
  was:
Large messages cause the Thrift client to crash when using TFramedTransport.

The crash is caused by an array overflow of the residual variable in the receiver function.


> Large messages crash Node.js client when using TFramedTransport
> ---------------------------------------------------------------
>
>                 Key: THRIFT-5769
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5769
>             Project: Thrift
>          Issue Type: Bug
>          Components: Node.js - Library
>    Affects Versions: 0.19.0
>            Reporter: Tuomo Jokimies
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
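The crash above is a receiver growing a JavaScript array one element per byte until V8 refuses to grow it (Runtime_GrowArrayElements -> GrowCapacity -> V8_Fatal in the v20 trace). The framing makes this worse than a performance bug: with TFramedTransport the frame length is a 4-byte big-endian prefix read from the wire, so the peer decides how much the receiver tries to hold. The following is an added example, not code from Apache Thrift or from the reporter, of a framed receiver that enforces a maximum frame size on the length header before buffering any payload and accumulates socket chunks as Buffers rather than pushing bytes into an array. It assumes only the 4-byte length-prefix framing; FramedReceiver, FrameTooLargeError, the 16 MiB default cap and the sample input are the example's own.

```javascript
'use strict';

// Added example, not Apache Thrift code. Assumes only the TFramedTransport
// framing: a 4-byte big-endian unsigned length followed by that many bytes.
// The class names and the default cap below are this example's own.

const HEADER_LEN = 4;
const DEFAULT_MAX_FRAME_BYTES = 16 * 1024 * 1024; // assumed cap, not a Thrift default

class FrameTooLargeError extends Error {
  constructor(declared, max) {
    super(`declared frame length ${declared} exceeds maximum ${max}`);
    this.name = 'FrameTooLargeError';
    this.declared = declared;
    this.max = max;
  }
}

class FramedReceiver {
  constructor(onFrame, maxFrameBytes = DEFAULT_MAX_FRAME_BYTES) {
    this.onFrame = onFrame;             // called once per complete frame payload
    this.maxFrameBytes = maxFrameBytes;
    this.chunks = [];                   // Buffers received but not yet consumed
    this.buffered = 0;                  // total bytes held across this.chunks
  }

  // Read the 4-byte length prefix even when it straddles chunk boundaries,
  // without joining the whole pending list.
  peekDeclaredLength() {
    const header = Buffer.alloc(HEADER_LEN);
    let copied = 0;
    for (const c of this.chunks) {
      copied += c.copy(header, copied, 0, Math.min(c.length, HEADER_LEN - copied));
      if (copied === HEADER_LEN) break;
    }
    return header.readUInt32BE(0);
  }

  // Feed one socket chunk. Delivers zero or more complete frames, in order.
  receive(chunk) {
    this.chunks.push(chunk);
    this.buffered += chunk.length;

    while (this.buffered >= HEADER_LEN) {
      const declared = this.peekDeclaredLength();
      // The length is peer-controlled: check the cap before buffering payload,
      // so a hostile header never turns into an allocation.
      if (declared > this.maxFrameBytes) {
        this.chunks = [];
        this.buffered = 0;
        throw new FrameTooLargeError(declared, this.maxFrameBytes);
      }
      const needed = HEADER_LEN + declared;
      if (this.buffered < needed) return; // wait; pending stays under cap + one chunk

      // One Buffer.concat per frame instead of one array push per byte.
      const all = this.chunks.length === 1 ? this.chunks[0] : Buffer.concat(this.chunks, this.buffered);
      const frame = all.subarray(HEADER_LEN, needed);
      const rest = all.subarray(needed);
      this.chunks = rest.length ? [rest] : [];
      this.buffered = rest.length;
      this.onFrame(frame);
    }
  }
}

function encodeFrame(payload) {
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt32BE(payload.length, 0);
  return Buffer.concat([header, payload]);
}

// Constructed input for the demonstration; not traffic from the report.
function demo() {
  const delivered = [];
  const rx = new FramedReceiver((frame) => delivered.push(frame), 4 * 1024 * 1024);

  // 1) Two small frames; the boundary and the second header split across chunks.
  const joined = Buffer.concat([encodeFrame(Buffer.from('hello')), encodeFrame(Buffer.from('world!'))]);
  rx.receive(joined.subarray(0, 7));
  rx.receive(joined.subarray(7, 12));
  rx.receive(joined.subarray(12));

  // 2) A 1 MiB frame arriving in 1 KiB chunks: no per-byte array growth.
  const bigFrame = encodeFrame(Buffer.alloc(1024 * 1024, 0xab));
  for (let off = 0; off < bigFrame.length; off += 1024) {
    rx.receive(bigFrame.subarray(off, off + 1024));
  }

  // 3) A header alone declaring 169220804 bytes (the element count in the v20
  //    fatal error, reused here as a hostile value): rejected before any payload.
  const hostile = Buffer.alloc(HEADER_LEN);
  hostile.writeUInt32BE(169220804, 0);
  let rejected = null;
  try { rx.receive(hostile); } catch (e) { rejected = e; }

  return {
    frameLengths: delivered.map((f) => f.length),
    texts: [delivered[0].toString(), delivered[1].toString()],
    rejectedName: rejected && rejected.name,
    rejectedDeclared: rejected && rejected.declared,
    bufferedAfterReject: rx.buffered,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Two practical notes. The cap should be a deployment setting sized to the largest legitimate message, and the same check belongs on the server side of the transport, where an unauthenticated peer can send the header. After a FrameTooLargeError the connection should be closed rather than resumed: once a frame has been rejected there is no way to resynchronise on the next length prefix.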
