THRIFT-4807

PHP extension segfaults if reference is used in input


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.12.0
    • Fix Version/s: 0.13.0
    • Component/s: PHP - Library
    • Labels: None
    • Environment: php 7.0 & php 7.2 with php extension
    • Patch Available
    • Patch

    Description

      When a reference is passed to the php extension, it is unreferenced (instead of dereferenced). The next time one tries to use the same variable, PHP segfaults. Even if it is not used again, php segfaults on user_shutdown_function_call.

      Example:

      Thrift IDL:

      namespace php tt.demo

      struct SumInput {
          1: required list<i64> numbers;
      }

      service DemoService {
          i64 sum(1: SumInput input)
      }

      PHP client:

      <?php
      // Assumes the Thrift PHP library and the classes generated from the IDL
      // above are autoloaded.

      // Create a null transport (nothing is actually sent; the crash is in serialization)
      $transport = new \Thrift\Transport\TNullTransport();

      // accelerated binary protocol (backed by the thrift_protocol extension)
      $protocol = new \Thrift\Protocol\TBinaryProtocolAccelerated($transport, true, true);

      // create a client
      $client = new \tt\demo\DemoServiceClient($protocol);

      // at this point, client is ready, and we can make RPC calls:
      $numbers = [];
      $input = new \tt\demo\SumInput();
      $input->numbers = &$numbers;   // property and $numbers share one reference

      debug_zval_dump($input);

      $client->send_sum($input); // used by sum()

      $input->numbers = &$numbers;
      debug_zval_dump($input);       // refcount of the shared array is now garbage

      $client->send_sum($input); // used by sum()
      var_dump('never reached');

      Output (gdb):

      (gdb) run -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
      Starting program: /home/jsokcevic/bin/php7-0-33/bin/php -c ~/bin/php7-0-33/php.ini ~/Work/thrift-examples/php/client.php
      [Thread debugging using libthread_db enabled]
      Using host libthread_db library "/usr/lib/libthread_db.so.1".
      object(tt\demo\SumInput)#6 (1) refcount(2){
        ["numbers"]=>
        &array(0) refcount(1){
        }
      }
      object(tt\demo\SumInput)#6 (1) refcount(2){
        ["numbers"]=>
        &array(0) refcount(4094359424){
        }
      }
      php: /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356: convert_to_long_base: Assertion `0' failed.
      
      Program received signal SIGABRT, Aborted.
      0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
      (gdb) bt
      #0  0x00007ffff51d6d7f in raise () from /usr/lib/libc.so.6
      #1  0x00007ffff51c1672 in abort () from /usr/lib/libc.so.6
      #2  0x00007ffff51c1548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
      #3  0x00007ffff51cf396 in __assert_fail () from /usr/lib/libc.so.6
      #4  0x0000555555b7422b in convert_to_long_base (op=0x7ffff4006448, base=10)
          at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:356
      #5  0x0000555555b73e13 in convert_to_long (op=0x7ffff4006448)
          at /home/jsokcevic/Work/php-src/Zend/zend_operators.c:297
      #6  0x00007ffff3c99052 in binary_serialize (thrift_typeID=10 '\n', transport=..., value=0x7ffff4006448,
          fieldspec=0x7ffff407ecc0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:744
      #7  0x00007ffff3c9956c in binary_serialize (thrift_typeID=15 '\017', transport=..., value=0x7ffff40af4a8,
          fieldspec=0x7ffff40afc60) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:818
      #8  0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff407e328, transport=..., spec=0x7ffff40c43c0)
          at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
      #9  0x00007ffff3c98ef3 in binary_serialize (thrift_typeID=12 '\f', transport=..., value=0x7ffff407e328,
          fieldspec=0x7ffff40c45a0) at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:722
      #10 0x00007ffff3c9a318 in binary_serialize_spec (zthis=0x7ffff4015560, transport=..., spec=0x7ffff40c4540)
          at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1021
      #11 0x00007ffff3c9a4ef in zif_thrift_protocol_write_binary (execute_data=0x7ffff40154d0, return_value=0x7ffff4015410)
          at /home/jsokcevic/Work/php-workspace/thrift_protocol/php_thrift_protocol.cpp:1053
      #12 0x0000555555be76e7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
          at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:714
      #13 0x0000555555be6b68 in execute_ex (ex=0x7ffff4015030) at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:414
      #14 0x0000555555be6c79 in zend_execute (op_array=0x7ffff4085000, return_value=0x0)
          at /home/jsokcevic/Work/php-src/Zend/zend_vm_execute.h:458
      #15 0x0000555555b872ff in zend_execute_scripts (type=8, retval=0x0, file_count=3)
          at /home/jsokcevic/Work/php-src/Zend/zend.c:1445
      #16 0x0000555555aef67b in php_execute_script (primary_file=0x7fffffffcaa0)
          at /home/jsokcevic/Work/php-src/main/main.c:2516
      #17 0x0000555555c4ff4b in do_cli (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:977
      #18 0x0000555555c51132 in main (argc=4, argv=0x55555638e310) at /home/jsokcevic/Work/php-src/sapi/cli/php_cli.c:1347
      (gdb)
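      The ownership mistake the description names (the extension "unreferencing" a shared PHP reference instead of dereferencing it) is what leaves the second holder, $numbers, pointing at released memory, which is why the second debug_zval_dump shows a garbage refcount. The following is an added C model of that mechanism; it is not Zend code and not part of Thrift or of this issue. It assumes a toy wrapper type, ref_t, standing in for zend_reference and a toy slot type standing in for a zval, and contrasts the correct read-through idiom (what ZVAL_DEREF does in Zend) with an unconditional release of the wrapper (what ZVAL_UNREF does when it is applied to a reference that is still shared). The "free" is modelled by a flag so the dangling holder can be inspected without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model of PHP 7 reference ownership; this is NOT Zend code.
 * ref_t plays the role of a zend_reference: a refcounted wrapper around the
 * boxed value. slot_t plays the role of a zval: $numbers and the
 * SumInput::numbers property are two slots that can share one wrapper. */

typedef struct {
    unsigned refcount;  /* number of slots pointing at this wrapper */
    bool     freed;     /* flag used instead of free() so a dangling holder can
                           be observed without undefined behaviour */
    long     array_len; /* stands in for the boxed array payload */
} ref_t;

typedef struct {
    ref_t *ref;         /* non-NULL while the slot is a reference */
    long   plain_len;   /* payload once the slot holds a plain copy */
} slot_t;

/* $input->numbers = &$numbers;  -> both slots share one wrapper, refcount 2 */
static ref_t *make_reference(slot_t *a, slot_t *b, long len)
{
    ref_t *r = calloc(1, sizeof *r);
    if (r == NULL) abort();
    r->refcount = 2;
    r->array_len = len;
    a->ref = r;
    b->ref = r;
    return r;
}

/* Correct extension idiom (ZVAL_DEREF-style): read THROUGH the wrapper.
 * Ownership and refcount are untouched, so the other holder stays valid. */
static long read_deref(const slot_t *s)
{
    return s->ref != NULL ? s->ref->array_len : s->plain_len;
}

/* Buggy idiom (ZVAL_UNREF-style on a still-shared reference): replace the
 * slot with a plain copy of the boxed value and release the wrapper without
 * checking that another slot still points at it. Zend would efree() the
 * wrapper here; the model only marks it. */
static void unref_unsafe(slot_t *s)
{
    ref_t *r = s->ref;
    s->plain_len = r->array_len;
    s->ref = NULL;
    r->refcount = 0;   /* the second holder's count is gone with the wrapper */
    r->freed = true;   /* from here on any read via the other slot is a UAF */
}

/* true while the slot still points at a live wrapper (or holds a plain value) */
static bool holder_is_valid(const slot_t *s)
{
    return s->ref == NULL || !s->ref->freed;
}

/* Replays the report: serialize SumInput::numbers once, then look at $numbers
 * again. Returns the number of ownership invariants broken afterwards
 * (0 when the extension dereferences, 1 when it unreferences). */
static int run_scenario(bool extension_derefs)
{
    slot_t numbers = {0}, property = {0};
    ref_t *r = make_reference(&numbers, &property, 0);
    int violations = 0;

    if (extension_derefs)
        (void)read_deref(&property);   /* serializer reads the list */
    else
        unref_unsafe(&property);       /* serializer "unreferences" it */

    if (!holder_is_valid(&numbers)) violations++;           /* dangling $numbers */
    if (extension_derefs && r->refcount != 2) violations++;  /* count must survive */

    free(r);   /* the model never really freed it; release the memory now */
    return violations;
}

int main(void)
{
    printf("extension dereferences: %d invariant(s) broken\n", run_scenario(true));
    printf("extension unreferences: %d invariant(s) broken\n", run_scenario(false));
    return 0;
}
```

      The model makes the defender-side check explicit: an extension that receives a zval must only read through a reference (or take its own counted copy); releasing the wrapper is valid only when the extension is the sole remaining holder, which it cannot assume for a value handed in from user code.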

      People

        Assignee: James E. King III (jking3)
        Reporter: Josip Sokcevic (sokac)

      Time Tracking

        Original Estimate: Not Specified
        Remaining Estimate: 0h
        Time Spent: 20m