[ 
https://issues.apache.org/jira/browse/THRIFT-5769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer resolved THRIFT-5769.
--------------------------------
    Fix Version/s: 0.21.0
         Assignee: Tuomo Jokimies
       Resolution: Fixed

> Large messages crash Node.js client when using TFramedTransport
> ---------------------------------------------------------------
>
>                 Key: THRIFT-5769
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5769
>             Project: Thrift
>          Issue Type: Bug
>          Components: Node.js - Library
>    Affects Versions: 0.19.0
>            Reporter: Tuomo Jokimies
>            Assignee: Tuomo Jokimies
>            Priority: Major
>             Fix For: 0.21.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Large messages cause Thrift client to crash when using TFramedTransport.
> Crash is caused by array overflow of residual variable in receiver function.
>  
> *Stack trace for Node.js v21.7.1*
> (pinpoints the cause as it is using new version of V8)
> {code:java}
> <redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43
>       residual.push(data[i])
>                ^
> RangeError: Invalid array length
>     at Array.push (<anonymous>)
>     at <redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43:16
>     <redacted>{code}
>  
> *Stack trace for Node.js LTS v20.11.1*
> {code:java}
> #
> # Fatal error in , line 0
> # Fatal JavaScript invalid size error 169220804 (see crbug.com/1201626)
> #
> #
> #
> #FailureMessage Object: 0x16f48a0f8
> ----- Native stack trace -----
> 1: 0x100aad340 node::NodePlatform::GetStackTracePrinter()::$_3::__invoke() 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 2: 0x101b309ac V8_Fatal(char const*, <redacted>) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 3: 0x100d71334 
> v8::internal::FactoryBase<v8::internal::Factory>::NewFixedArrayWithFiller(v8::internal::Handle<v8::internal::Map>,
>  int, v8::internal::Handle<v8::internal::Oddball>, 
> v8::internal::AllocationType) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 4: 0x100f0cf68 v8::internal::(anonymous 
> namespace)::ElementsAccessorBase<v8::internal::(anonymous 
> namespace)::FastPackedSmiElementsAccessor, v8::internal::(anonymous 
> namespace)::ElementsKindTraits<(v8::internal::ElementsKind)0>>::GrowCapacity(v8::internal::Handle<v8::internal::JSObject>,
>  unsigned int) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 5: 0x101158600 v8::internal::Runtime_GrowArrayElements(int, unsigned long*, 
> v8::internal::Isolate*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 6: 0x1014c4c44 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 7: 0x1064cfe9c
> 8: 0x1064aac88
> 9: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 10: 0x1064aac88
> 11: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 12: 0x10143c3e4 Builtins_InterpreterEntryTrampoline 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 13: 0x10143a50c Builtins_JSEntryTrampoline 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 14: 0x10143a1f4 Builtins_JSEntry 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 15: 0x100d104f8 v8::internal::(anonymous 
> namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous 
> namespace)::InvokeParams const&) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 16: 0x100d0f944 v8::internal::Execution::Call(v8::internal::Isolate*, 
> v8::internal::Handle<v8::internal::Object>, 
> v8::internal::Handle<v8::internal::Object>, int, 
> v8::internal::Handle<v8::internal::Object>*) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 17: 0x100bea214 v8::Function::Call(v8::Local<v8::Context>, 
> v8::Local<v8::Value>, int, v8::Local<v8::Value>*) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 18: 0x100978fd8 node::InternalMakeCallback(node::Environment*, 
> v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int, 
> v8::Local<v8::Value>*, node::async_context) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 19: 0x100979304 node::MakeCallback(v8::Isolate*, v8::Local<v8::Object>, 
> v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 20: 0x1009ee554 node::Environment::CheckImmediate(uv_check_s*) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 21: 0x1014209e0 uv__run_check 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 22: 0x10141a700 uv_run [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 23: 0x100979754 node::SpinEventLoopInternal(node::Environment*) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 24: 0x100a89c6c node::NodeMainInstance::Run(node::ExitCode*, 
> node::Environment*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 25: 0x100a89a08 node::NodeMainInstance::Run() 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 26: 0x100a13718 node::Start(int, char**) 
> [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
> 27: 0x1a61dff28 start [/usr/lib/dyld]{code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
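The failure reported above comes from growing a plain JavaScript array one byte per `push` while a frame is incomplete. The following is an added example, not code from the Thrift project and not the fix that was committed: a receiver for 4-byte big-endian length-prefixed frames that keeps residual data as Buffers and rejects frame sizes outside a limit. `createFrameReceiver`, `encodeFrame`, `demo` and the `MAX_FRAME_SIZE` value are assumptions made for illustration.

```javascript
// Added example, not Thrift's code. MAX_FRAME_SIZE is an assumed policy value.
const MAX_FRAME_SIZE = 256 * 1024 * 1024;

// Returns a 'data' handler that reassembles 4-byte big-endian length-prefixed
// frames. Residual bytes stay in Buffers; nothing is pushed byte by byte.
function createFrameReceiver(onFrame, maxFrameSize = MAX_FRAME_SIZE) {
  let chunks = [];  // residual Buffers not yet consumed
  let buffered = 0; // total bytes held in chunks

  return function receive(data) {
    chunks.push(data);
    buffered += data.length;
    while (buffered >= 4) {
      // Coalesce only if the length header is split across chunks.
      if (chunks[0].length < 4) chunks = [Buffer.concat(chunks, buffered)];
      const frameSize = chunks[0].readInt32BE(0);
      if (frameSize < 0 || frameSize > maxFrameSize) {
        chunks = [];
        buffered = 0;
        throw new RangeError(`frame size ${frameSize} outside 0..${maxFrameSize}`);
      }
      if (buffered < 4 + frameSize) return; // wait for more data
      const all = chunks.length === 1 ? chunks[0] : Buffer.concat(chunks, buffered);
      onFrame(all.subarray(4, 4 + frameSize));
      const rest = all.subarray(4 + frameSize);
      chunks = rest.length > 0 ? [rest] : [];
      buffered = rest.length;
    }
  };
}

function encodeFrame(payload) {
  const header = Buffer.alloc(4);
  header.writeInt32BE(payload.length, 0);
  return Buffer.concat([header, payload]);
}

// Constructed input: a 1 MiB frame followed by a 4-byte frame, delivered in
// 65521-byte chunks the way a socket might split them.
function demo() {
  const stream = Buffer.concat([
    encodeFrame(Buffer.alloc(1024 * 1024, 0x41)),
    encodeFrame(Buffer.from('ping')),
  ]);
  const frames = [];
  const receive = createFrameReceiver((f) => frames.push(Buffer.from(f)));
  for (let off = 0; off < stream.length; off += 65521) {
    receive(stream.subarray(off, off + 65521));
  }
  return frames;
}
```

A caller wiring `receive` to a socket should catch the `RangeError` and close the connection, since the stream position is no longer trustworthy after a rejected header.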
