Posted to dev@thrift.apache.org by "Josip Sokcevic (JIRA)" <ji...@apache.org> on 2019/02/21 07:23:00 UTC

[jira] [Updated] (THRIFT-4807) PHP extension segfaults if reference is used in input

     [ https://issues.apache.org/jira/browse/THRIFT-4807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josip Sokcevic updated THRIFT-4807:
-----------------------------------
    Attachment: 0001-THRIFT-4807-Fix-php-segfault-on-reference-pass.patch

> PHP extension segfaults if reference is used in input
> -----------------------------------------------------
>
>                 Key: THRIFT-4807
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4807
>             Project: Thrift
>          Issue Type: Bug
>          Components: PHP - Library
>    Affects Versions: 0.12.0
>         Environment: php 7.0 & php 7.2 with php extension
>            Reporter: Josip Sokcevic
>            Priority: Major
>         Attachments: 0001-THRIFT-4807-Fix-php-segfault-on-reference-pass.patch
>
>
> When a reference is passed to the PHP extension, it's unreferenced (instead of dereferenced). The next time one tries to use the same variable PHP segfaults. Even if not used again, PHP segfaults on user_shutdown_function_call.
> Example:
> Thrift:
> {code}
> namespace php tt.demo
> struct SumInput {
>     1: required list<i64> numbers;
> }
> service DemoService {
>     i64 sum(1: SumInput input)
> }
> {code}
> PHP client:
> {code:php}
> // Null transport: writes are discarded, enough to drive the serializer
> $transport = new \Thrift\Transport\TNullTransport();
> // binary protocol backed by the thrift_protocol C++ extension
> $protocol = new \Thrift\Protocol\TBinaryProtocolAccelerated($transport, true, true);
> // create a client
> $client = new \tt\demo\DemoServiceClient($protocol);
> // at this point, client is ready, and we can make RPC calls:
> $numbers = [];
> $input = new \tt\demo\SumInput();
> // bind the struct field to $numbers by reference; this is what triggers the bug
> $input->numbers = &$numbers;
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> // rebind and serialize again: the second dump already shows a garbage refcount
> $input->numbers = &$numbers;
> debug_zval_dump($input);
> $client->send_sum($input); // used by sum()
> var_dump('never reached');
> {code}
> Output (gdb)
> {code}
> (gdb) run -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> Starting program: /home/jsokcevic/bin/php7-0-33/bin/php -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/usr/lib/libthread_db.so.1".
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(1){
>   }
> }
> object(tt\demo\SumInput)#6 (1) refcount(2){
>   ["numbers"]=>
>   &array(0) refcount(4094359424){
>   }
> }
> php: /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356: convert_to_long_base: Assertion `0' failed.
> Program received signal SIGABRT, Aborted.
> 0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> (gdb) bt
> #0  0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
> #1  0x00007ffff51c1672 in abort () from /usr/lib/libc.so.6
> #2  0x00007ffff51c1548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
> #3  0x00007ffff51cf396 in __assert_fail () from /usr/lib/libc.so.6
> #4  0x0000555555b7422b in convert_to_long_base (op=0x7ffff4006448, base=10)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356
> #5  0x0000555555b73e13 in convert_to_long (op=0x7ffff4006448)
>     at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:297
> #6  0x00007ffff3c99052 in binary_serialize (thrift_typeID=10 '\n', transport=..., value=0x7ffff4006448,
>     fieldspec=0x7ffff407ecc0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:744
> #7  0x00007ffff3c9956c in binary_serialize (thrift_typeID=15 '\017', transport=..., value=0x7ffff40af4a8,
>     fieldspec=0x7ffff40afc60) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:818
> #8  0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff407e328, transport=..., spec=0x7ffff40c43c0)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #9  0x00007ffff3c98ef3 in binary_serialize (thrift_typeID=12 '\f', transport=..., value=0x7ffff407e328,
>     fieldspec=0x7ffff40c45a0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:722
> #10 0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff4015560, transport=..., spec=0x7ffff40c4540)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
> #11 0x00007ffff3c9a4ef in zif_thrift_protocol_write_binary (execute_data=0x7ffff40154d0, return_value=0x7ffff4015410)
>     at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1053
> #12 0x0000555555be76e7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:714
> #13 0x0000555555be6b68 in execute_ex (ex=0x7ffff4015030) at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:414
> #14 0x0000555555be6c79 in zend_execute (op_array=0x7ffff4085000, return_value=0x0)
>     at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:458
> #15 0x0000555555b872ff in zend_execute_scripts (type=8, retval=0x0, file_count=3)
>     at /home/jsokcevic/Work/php-src/Zend/zend.c:1445
> #16 0x0000555555aef67b in php_execute_script (primary_file=0x7fffffffcaa0)
>     at /home/jsokcevic/Work/php-src/main/main.c:2516
> #17 0x0000555555c4ff4b in do_cli (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:977
> #18 0x0000555555c51132 in main (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:1347
> (gdb)
> {code}
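The report's distinction between "unreferenced" and "dereferenced" is the whole bug, so here is an added illustration of it. This is not code from the Thrift extension or from the attached patch (the patch is not shown on this page, so which Zend macro the extension used is not stated); it is a small C model of the Zend engine's reference wrapper (a zend_reference is a refcount plus the wrapped value) that contrasts reading through the wrapper, as ZVAL_DEREF does, with unwrapping and freeing it, as ZVAL_UNREF does, when a second owner (the script's `$numbers`) still holds it. All names, the constructed payload 42 and the poison value are assumptions of the model.

```c
#include <stdio.h>

/* Constructed marker standing in for whatever an allocator scribbles over a
 * freed block; the real report shows refcount(4094359424) at that point. */
#define POISON_REFCOUNT 0xDEADBEEFUL

/* Model of zend_reference: shared wrapper with a refcount and a payload. */
typedef struct {
    unsigned long refcount;  /* number of variable slots sharing this wrapper */
    long value;              /* the wrapped payload (stands in for the zval) */
    int live;                /* 1 while allocated, 0 once the model "frees" it */
} ref_t;

/* A variable slot: a plain value, or a pointer to a shared wrapper, like a
 * property slot after `$obj->prop = &$var`. */
typedef struct {
    int is_ref;
    long value;
    ref_t *ref;
} slot_t;

/* Model of `$input->numbers = &$numbers`: both slots share one wrapper. */
void bind_reference(slot_t *a, slot_t *b, ref_t *wrapper, long value) {
    wrapper->refcount = 2;
    wrapper->value = value;
    wrapper->live = 1;
    a->is_ref = 1; a->ref = wrapper; a->value = 0;
    b->is_ref = 1; b->ref = wrapper; b->value = 0;
}

/* Correct pattern (what ZVAL_DEREF does): follow the wrapper to the payload
 * and leave ownership untouched. Returns -1 if the wrapper is already dead. */
long read_deref(const slot_t *s) {
    if (!s->is_ref) return s->value;
    if (!s->ref->live) return -1;
    return s->ref->value;
}

/* Buggy pattern the report calls "unreferenced": copy the payload into this
 * slot and free the wrapper without checking that this slot was its only
 * owner. Every other slot still pointing at the wrapper is now dangling. */
long read_unref(slot_t *s) {
    if (!s->is_ref) return s->value;
    ref_t *w = s->ref;
    long v = w->value;
    s->is_ref = 0; s->value = v; s->ref = NULL;
    w->live = 0;                  /* "efree" in the model */
    w->refcount = POISON_REFCOUNT;
    w->value = 0;
    return v;
}

/* Serialize the struct field with one of the two patterns, then let the
 * script touch $numbers again. Returns 1 if the script variable is intact. */
int script_slot_survives(int use_deref) {
    ref_t wrapper;
    slot_t script_var, struct_field;   /* $numbers and $input->numbers */
    bind_reference(&script_var, &struct_field, &wrapper, 42);
    long seen = use_deref ? read_deref(&struct_field) : read_unref(&struct_field);
    if (seen != 42) return 0;          /* both patterns read the right value once */
    return read_deref(&script_var) == 42 && script_var.ref->refcount == 2;
}

/* The refcount the script variable observes afterwards, like debug_zval_dump. */
unsigned long script_refcount_after(int use_deref) {
    ref_t wrapper;
    slot_t script_var, struct_field;
    bind_reference(&script_var, &struct_field, &wrapper, 42);
    if (use_deref) read_deref(&struct_field); else read_unref(&struct_field);
    return script_var.is_ref ? script_var.ref->refcount : 1;
}

int main(void) {
    printf("deref: script variable survives=%d refcount=%lu\n",
           script_slot_survives(1), script_refcount_after(1));
    printf("unref: script variable survives=%d refcount=%lu\n",
           script_slot_survives(0), script_refcount_after(0));
    return 0;
}
```

The invariant the model makes visible is the one a native extension must respect: code that merely reads an argument may only dereference a reference wrapper; unwrapping and releasing it is reserved for the holder of the last count. The first serialization in the report already corrupts `$numbers`, which is why the second debug_zval_dump prints a garbage refcount before the crash.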



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)