PHP Driver: Extension
PHPC-2210

Fix direct copying of BSON data from Document and PackedArray objects

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.16.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None

      I discovered an issue with the direct copying of Document and PackedArray instances in php_phongo_zval_to_bson_internal. This appears to be related to using bson_copy_to on a previously destroyed bson_t* instead of an uninitialized bson_t.

      This was discovered when using a MongoDB\BSON\Document as the $filter argument for a MongoDB\Driver\Query and executing the Query. This results in an abort from malloc() on a subsequent call to bson_copy_to() (copying the cluster time); however, Valgrind helped me trace this back to a series of invalid read/write ops originating with the previous copy in php_phongo_zval_to_bson_internal().

      Note: I only encountered this with executeQuery(), but we should add tests for any PHPC API where a Document or PackedArray might be accepted for BSON (e.g. MongoDB\Driver\Command and executeCommand()).

      Error details and backtrace follow:

      malloc(): unaligned tcache chunk detected
      Aborted (core dumped)
      
      Termsig=6
      
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140017863835136) at ./nptl/pthread_kill.c:44
      44	./nptl/pthread_kill.c: No such file or directory.
      (gdb) bt
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140017863835136) at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=6, threadid=140017863835136) at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=140017863835136, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
      #3  0x00007f5875b9f476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
      #4  0x00007f5875b857f3 in __GI_abort () at ./stdlib/abort.c:79
      #5  0x00007f5875be66f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f5875d38b8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
      #6  0x00007f5875bfdd7c in malloc_printerr (str=str@entry=0x7f5875d3bd40 "malloc(): unaligned tcache chunk detected") at ./malloc/malloc.c:5664
      #7  0x00007f5875c0245c in tcache_get (tc_idx=<optimized out>) at ./malloc/malloc.c:3195
      #8  __GI___libc_malloc (bytes=128) at ./malloc/malloc.c:3313
      #9  0x000055959c92a04b in __zend_malloc (len=128) at /tmp/build_php-8.2.3.BLG/php-8.2.3/Zend/zend_alloc.c:3114
      #10 0x00007f58727760c3 in php_phongo_malloc (num_bytes=128) at /home/jmikola/workspace/mongodb/phpc/php_phongo.c:60
      #11 0x00007f5872641551 in bson_malloc (num_bytes=128) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libbson/src/bson/bson-memory.c:99
      #12 0x00007f587262e44a in bson_copy_to (src=0x55959de56af8, dst=0x55959e145b90) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libbson/src/bson/bson.c:2207
      #13 0x00007f58726e3e44 in mongoc_server_stream_new (td=0x55959de568a0, sd=0x55959e14b280, stream=0x55959e1494b0) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-server-stream.c:37
      #14 0x00007f5872681745 in _cluster_fetch_stream_single (cluster=0x55959df705a8, td=0x55959de568a0, server_id=1, reconnect_ok=true, error=0x55959e0e1110) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cluster.c:2515
      #15 0x00007f5872680dbb in _try_get_server_stream (cluster=0x55959df705a8, td=0x55959de568a0, server_id=1, reconnect_ok=true, error=0x55959e0e1110) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cluster.c:2254
      #16 0x00007f5872680f23 in _mongoc_cluster_stream_for_server (cluster=0x55959df705a8, server_id=1, reconnect_ok=true, cs=0x0, reply=0x7ffe7d67c990, error=0x55959e0e1110) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cluster.c:2284
      #17 0x00007f58726812f7 in mongoc_cluster_stream_for_server (cluster=0x55959df705a8, server_id=1, reconnect_ok=true, cs=0x0, reply=0x7ffe7d67c990, error=0x55959e0e1110) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cluster.c:2385
      #18 0x00007f587269e1e7 in _mongoc_cursor_fetch_stream (cursor=0x55959e0e1030) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cursor.c:657
      #19 0x00007f58726a49dc in _prime (cursor=0x55959e0e1030) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cursor-find.c:40
      #20 0x00007f58726a12f6 in _call_transition (cursor=0x55959e0e1030) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cursor.c:1242
      #21 0x00007f58726a16de in mongoc_cursor_next (cursor=0x55959e0e1030, bson=0x7ffe7d67cae8) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/libmongoc/src/mongoc/mongoc-cursor.c:1318
      #22 0x00007f58727b6040 in phongo_cursor_advance_and_check_for_error (cursor=0x55959e0e1030) at /home/jmikola/workspace/mongodb/phpc/src/MongoDB/Cursor.c:520
      #23 0x00007f58727b5e6a in phongo_cursor_init_for_query (return_value=0x7f5872e1a1d0, manager=0x7f5872e1a230, cursor=0x55959e0e1030, namespace=0x7f5872e05978 "phongo.query_query_ctor_document_001", query=0x7f5872e1a270, readPreference=0x0, session=0x0)
          at /home/jmikola/workspace/mongodb/phpc/src/MongoDB/Cursor.c:490
      #24 0x00007f58727889c1 in phongo_execute_query (manager=0x7f5872e1a230, namespace=0x7f5872e05978 "phongo.query_query_ctor_document_001", zquery=0x7f5872e1a270, options=0x0, server_id=1, return_value=0x7f5872e1a1d0)
          at /home/jmikola/workspace/mongodb/phpc/src/phongo_execute.c:567
      #25 0x00007f58727bbaaf in zim_MongoDB_Driver_Manager_executeQuery (execute_data=0x7f5872e1a210, return_value=0x7f5872e1a1d0) at /home/jmikola/workspace/mongodb/phpc/src/MongoDB/Manager.c:541
      #26 0x000055959c9af59b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/build_php-8.2.3.BLG/php-8.2.3/Zend/zend_vm_execute.h:1951
      #27 0x000055959ca26756 in execute_ex (ex=0x7f5872e1a020) at /tmp/build_php-8.2.3.BLG/php-8.2.3/Zend/zend_vm_execute.h:56056
      #28 0x000055959ca2bee0 in zend_execute (op_array=0x7f5872e9a000, return_value=0x0) at /tmp/build_php-8.2.3.BLG/php-8.2.3/Zend/zend_vm_execute.h:60384
      #29 0x000055959c96b14c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/build_php-8.2.3.BLG/php-8.2.3/Zend/zend.c:1780
      #30 0x000055959c8c2b55 in php_execute_script (primary_file=0x7ffe7d67e7a0) at /tmp/build_php-8.2.3.BLG/php-8.2.3/main/main.c:2541
      #31 0x000055959caeb2fc in do_cli (argc=80, argv=0x55959de562f0) at /tmp/build_php-8.2.3.BLG/php-8.2.3/sapi/cli/php_cli.c:964
      #32 0x000055959caebff5 in main (argc=80, argv=0x55959de562f0) at /tmp/build_php-8.2.3.BLG/php-8.2.3/sapi/cli/php_cli.c:1333
      
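A reproduction and regression script for the path described above, added here as an example; it is not part of the issue or of the driver's own test suite. It assumes ext-mongodb 1.16.0 or later (where MongoDB\BSON\Document and PackedArray exist) and a mongod reachable at MONGODB_URI, defaulting to mongodb://127.0.0.1:27017. The namespace phongo.phpc2210, the check names and the aggregate pipeline are chosen for this example. It exercises the reported case (a Document as the Query filter) and the two cases the note above asks to be covered (a Document passed to Command, and a PackedArray embedded in a command).

```php
<?php
declare(strict_types=1);

// Regression check for PHPC-2210 (added example, not the project's test file).
// Assumes ext-mongodb >= 1.16.0 and a reachable mongod (MONGODB_URI).
// On a build that still called bson_copy_to() on a destroyed bson_t, the
// executeQuery() check aborted inside malloc() instead of returning a cursor,
// so a crash (not an exception) is the failure signal to look for.

use MongoDB\BSON\Document;
use MongoDB\BSON\PackedArray;
use MongoDB\Driver\Command;
use MongoDB\Driver\Exception\Exception as DriverException;
use MongoDB\Driver\Manager;
use MongoDB\Driver\Query;

$uri = getenv('MONGODB_URI') ?: 'mongodb://127.0.0.1:27017';
$manager = new Manager($uri);
$ns = 'phongo.phpc2210'; // namespace chosen for this example

$checks = [
    // Query filter given as a Document: the path the report describes.
    'executeQuery with Document filter' => function () use ($manager, $ns): int {
        $query = new Query(Document::fromPHP(['x' => 1]));
        $cursor = $manager->executeQuery($ns, $query);
        return count($cursor->toArray());
    },
    // Command document given as a Document, as suggested in the report's note.
    'executeCommand with Document' => function () use ($manager): int {
        $command = new Command(Document::fromPHP(['ping' => 1]));
        $cursor = $manager->executeCommand('admin', $command);
        return count($cursor->toArray());
    },
    // PackedArray embedded as the pipeline of an aggregate command.
    'executeCommand with PackedArray pipeline' => function () use ($manager): int {
        $pipeline = PackedArray::fromPHP([['$match' => ['x' => 1]], ['$limit' => 1]]);
        $command = new Command([
            'aggregate' => 'phpc2210',
            'pipeline' => $pipeline,
            'cursor' => new stdClass(),
        ]);
        $cursor = $manager->executeCommand('phongo', $command);
        return count($cursor->toArray());
    },
];

$failed = 0;
foreach ($checks as $name => $check) {
    try {
        $n = $check();
        printf("ok   %s (%d result document(s))\n", $name, $n);
    } catch (DriverException $e) {
        $failed++;
        printf("FAIL %s: %s\n", $name, $e->getMessage());
    }
}

exit($failed === 0 ? 0 : 1);
```

Because the defect corrupts the heap rather than raising an exception, a non-zero exit from a signal (abort) is the symptom, and it may surface on a later allocation than the one that did the damage, as the backtrace above shows with the cluster-time copy. Running the script under Valgrind with the Zend allocator disabled (USE_ZEND_ALLOC=0 valgrind php repro.php) reports the first invalid read or write at its origin instead.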

            Assignee: Jeremy Mikola (jmikola@mongodb.com)
            Reporter: Jeremy Mikola (jmikola@mongodb.com)
            Votes: 0
            Watchers: 1
