Avoid segfault from v8 on snapshot version mismatch, closes #73

Author: pinepain

.gitignore

@@ -3,6 +3,7 @@ tests/*
 !tests/.testsuite.php
 !tests/.v8-helpers.php
 !tests/.tracking_dtors.php
+!tests/stubs
 
 .deps
 *.lo

src/php_v8_isolate.cc

@@ -200,9 +200,18 @@ static PHP_METHOD(Isolate, __construct) {
 
     if (snapshot_zv != NULL) {
         PHP_V8_STARTUP_DATA_FETCH_INTO(snapshot_zv, php_v8_startup_data);
-        if (php_v8_startup_data->blob && php_v8_startup_data->blob->hasData()) {
-            php_v8_isolate->blob = php_v8_startup_data->blob;
-            php_v8_isolate->create_params->snapshot_blob = php_v8_isolate->blob->acquire();
+
+        if (php_v8_startup_data->blob && php_v8_startup_data->blob->hasData() && !php_v8_startup_data->blob->rejected()) {
+
+            script_compiler_tag runtime = php_v8_startup_data_get_current_tag();
+            script_compiler_tag version = php_v8_startup_data->blob->version();
+
+            if (runtime.magic == version.magic && runtime.tag == version.tag) {
+                php_v8_isolate->blob = php_v8_startup_data->blob;
+                php_v8_isolate->create_params->snapshot_blob = php_v8_isolate->blob->acquire();
+            } else {
+                php_v8_startup_data->blob->reject();
+            }
         }
     }
 

src/php_v8_script_compiler.cc

@@ -24,7 +24,9 @@
 #include "php_v8_string.h"
 #include "php_v8_value.h"
 #include "php_v8_isolate.h"
+#include "php_v8_a.h"
 #include "php_v8.h"
+#include "zend_smart_str.h"
 
 zend_class_entry* php_v8_script_compiler_class_entry;
 #define this_ce php_v8_script_compiler_class_entry
@@ -59,13 +61,17 @@ static v8::ScriptCompiler::Source * php_v8_build_source(zval *source_string_zv,
     return source;
 }
 
-static PHP_METHOD(ScriptCompiler, cachedDataVersionTag)
+static PHP_METHOD(ScriptCompiler, getCachedDataVersionTag)
 {
     if (zend_parse_parameters_none() == FAILURE) {
         return;
     }
 
-    RETURN_LONG(static_cast<zend_long>(v8::ScriptCompiler::CachedDataVersionTag()));
+    php_v8_init();
+    script_compiler_tag version = php_v8_startup_data_get_current_tag();
+    uint64_t tag = (uint64_t) version.magic << (sizeof(version.tag) * 8) | version.tag;
+
+    RETURN_DOUBLE(tag);
 }
 
 static PHP_METHOD(ScriptCompiler, compileUnboundScript)
@@ -80,6 +86,8 @@ static PHP_METHOD(ScriptCompiler, compileUnboundScript)
         return;
     }
 
+    php_v8_init();
+
     PHP_V8_CHECK_COMPILER_OPTIONS_RANGE(options, "Invalid Script compiler options given. See V8\\ScriptCompiler OPTION_* class constants for available options.")
 
     PHP_V8_CONTEXT_FETCH_WITH_CHECK(php_v8_context_zv, php_v8_context);
@@ -136,6 +144,8 @@ static PHP_METHOD(ScriptCompiler, compile)
         return;
     }
 
+    php_v8_init();
+
     PHP_V8_CHECK_COMPILER_OPTIONS_RANGE(options, "Invalid Script compiler options given. See V8\\ScriptCompiler OPTION_* class constants for available options.")
 
     PHP_V8_CONTEXT_FETCH_WITH_CHECK(php_v8_context_zv, php_v8_context);
@@ -198,6 +208,8 @@ static PHP_METHOD(ScriptCompiler, compileFunctionInContext)
         return;
     }
 
+    php_v8_init();
+
     PHP_V8_CONTEXT_FETCH_WITH_CHECK(php_v8_context_zv, php_v8_context);
 
     zval *source_string_zv = PHP_V8_SOURCE_READ_SOURCE_STRING(php_v8_source_zv);
@@ -252,7 +264,7 @@ static PHP_METHOD(ScriptCompiler, compileFunctionInContext)
 }
 
 
-PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_cachedDataVersionTag, ZEND_RETURN_VALUE, 0, IS_LONG, 0)
+PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_getCachedDataVersionTag, ZEND_RETURN_VALUE, 0, IS_DOUBLE, 0)
 ZEND_END_ARG_INFO()
 
 PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(arginfo_compileUnboundScript, ZEND_RETURN_VALUE, 2, V8\\UnboundScript, 0)
@@ -276,7 +288,7 @@ ZEND_END_ARG_INFO()
 
 
 static const zend_function_entry php_v8_script_compiler_methods[] = {
-    PHP_V8_ME(ScriptCompiler, cachedDataVersionTag,     ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
+    PHP_V8_ME(ScriptCompiler, getCachedDataVersionTag,  ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
     PHP_V8_ME(ScriptCompiler, compileUnboundScript,     ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
     PHP_V8_ME(ScriptCompiler, compile,                  ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
     PHP_V8_ME(ScriptCompiler, compileFunctionInContext, ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)

src/php_v8_script_compiler.h

@@ -13,6 +13,7 @@
 #ifndef PHP_V8_SCRIPT_COMPILER_H
 #define PHP_V8_SCRIPT_COMPILER_H
 
+
 extern "C" {
 #include "php.h"
 
@@ -21,6 +22,8 @@ extern "C" {
 #endif
 }
 
+#include "v8.h"
+
 extern zend_class_entry *php_v8_script_compiler_class_entry;
 
 #define PHP_V8_CHECK_COMPILER_OPTIONS_RANGE(options, message) \

src/php_v8_startup_data.cc

@@ -16,22 +16,36 @@
 
 #include "php_v8_startup_data.h"
 #include "php_v8_exceptions.h"
+#include "php_v8_script_compiler.h"
 #include "php_v8_a.h"
 #include "php_v8.h"
+#include "zend_smart_str.h"
 
 
 zend_class_entry *php_v8_startup_data_class_entry;
 #define this_ce php_v8_startup_data_class_entry
 
 static zend_object_handlers php_v8_startup_data_object_handlers;
 
+extern script_compiler_tag php_v8_startup_data_get_current_tag() {
+    script_compiler_tag tag = {PHP_V8_SCRIPT_COMPILER_TAG_MAGIC, v8::ScriptCompiler::CachedDataVersionTag()};
+    return tag;
+}
 
 void php_v8_startup_data_create(zval *return_value, v8::StartupData *blob) {
     object_init_ex(return_value, this_ce);
 
     PHP_V8_STARTUP_DATA_FETCH_INTO(return_value, php_v8_startup_data);
 
-    php_v8_startup_data->blob = new phpv8::StartupData(blob);
+    script_compiler_tag version = php_v8_startup_data_get_current_tag();
+
+    const char *blob_data = blob->data;
+
+    blob->data = (const char *) estrndup(blob->data, blob->raw_size);
+
+    delete []blob_data;
+
+    php_v8_startup_data->blob = new phpv8::StartupData(blob, version);
 }
 
 static void php_v8_startup_data_free(zend_object *object) {
@@ -68,22 +82,27 @@ static PHP_METHOD(StartupData, __construct) {
         return;
     }
 
-    if (ZSTR_LEN(blob_string) > INT_MAX) {
-        PHP_V8_THROW_EXCEPTION("Failed to create startup blob due to blob size integer overflow");
+    if (ZSTR_LEN(blob_string) > INT_MAX + sizeof(script_compiler_tag)) {
+        PHP_V8_THROW_EXCEPTION("Invalid startup blob (too large)");
         return;
     }
 
-    if (!ZSTR_LEN(blob_string)) {
+    if (ZSTR_LEN(blob_string) < sizeof(script_compiler_tag)) {
+        PHP_V8_THROW_EXCEPTION("Invalid startup blob (too small)");
         return;
     }
 
+    script_compiler_tag version = {};
+    memcpy(&version, &ZSTR_VAL(blob_string)[0], sizeof(script_compiler_tag));
+
     PHP_V8_STARTUP_DATA_FETCH_INTO(getThis(), php_v8_startup_data);
 
     v8::StartupData *blob = new v8::StartupData();
-    blob->data = (const char *) estrndup(ZSTR_VAL(blob_string), ZSTR_LEN(blob_string));
-    blob->raw_size = static_cast<int>(ZSTR_LEN(blob_string));
 
-    php_v8_startup_data->blob = new phpv8::StartupData(blob);
+    blob->data     = (const char *) estrndup(&ZSTR_VAL(blob_string)[sizeof(script_compiler_tag)], ZSTR_LEN(blob_string) - sizeof(script_compiler_tag));
+    blob->raw_size = static_cast<int>(ZSTR_LEN(blob_string) - sizeof(script_compiler_tag));
+
+    php_v8_startup_data->blob = new phpv8::StartupData(blob, version);
 }
 
 static PHP_METHOD(StartupData, getData) {
@@ -94,26 +113,34 @@ static PHP_METHOD(StartupData, getData) {
     PHP_V8_STARTUP_DATA_FETCH_INTO(getThis(), php_v8_startup_data);
 
     if (php_v8_startup_data->blob && php_v8_startup_data->blob->hasData()) {
-        zend_string *out = zend_string_init(php_v8_startup_data->blob->data()->data, static_cast<size_t>(php_v8_startup_data->blob->data()->raw_size), 0);
+        script_compiler_tag loaded = php_v8_startup_data->blob->version();
+        smart_str my_str = {0};
+
+        smart_str_appendl(&my_str, (char *)&loaded, sizeof(script_compiler_tag));
+        smart_str_appendl(&my_str, php_v8_startup_data->blob->data()->data, static_cast<size_t>(php_v8_startup_data->blob->data()->raw_size));
+        smart_str_0(&my_str);
+
+        zend_string *out = zend_string_copy(my_str.s);
+        smart_str_free(&my_str);
+
         RETURN_STR(out);
     }
 
     RETURN_EMPTY_STRING();
 }
 
-static PHP_METHOD(StartupData, getRawSize) {
+static PHP_METHOD(StartupData, isRejected) {
     if (zend_parse_parameters_none() == FAILURE) {
         return;
     }
 
     PHP_V8_STARTUP_DATA_FETCH_INTO(getThis(), php_v8_startup_data);
 
-    if (php_v8_startup_data->blob && php_v8_startup_data->blob->hasData()) {
-        RETVAL_LONG(static_cast<zend_long>(php_v8_startup_data->blob->data()->raw_size));
-        return;
+    if (php_v8_startup_data->blob) {
+        RETURN_BOOL(php_v8_startup_data->blob->rejected());
     }
 
-    RETURN_LONG(0);
+    RETURN_BOOL(false);
 }
 
 static PHP_METHOD(StartupData, createFromSource) {
@@ -128,7 +155,7 @@ static PHP_METHOD(StartupData, createFromSource) {
     const char *source = ZSTR_VAL(blob);
     php_v8_init();
 
-    v8::StartupData *startup_blob = new v8::StartupData;
+    v8::StartupData *startup_blob = new v8::StartupData();
 
     *startup_blob = v8::V8::CreateSnapshotDataBlob(source);
 
@@ -175,7 +202,7 @@ ZEND_END_ARG_INFO()
 PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_getData, ZEND_RETURN_VALUE, 0, IS_STRING, 0)
 ZEND_END_ARG_INFO()
 
-PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_getRawSize, ZEND_RETURN_VALUE, 0, IS_LONG, 0)
+PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_isRejected, ZEND_RETURN_VALUE, 0, _IS_BOOL, 0)
 ZEND_END_ARG_INFO()
 
 PHP_V8_ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(arginfo_createFromSource, ZEND_RETURN_VALUE, 1, V8\\StartupData, 0)
@@ -191,7 +218,7 @@ ZEND_END_ARG_INFO()
 static const zend_function_entry php_v8_startup_data_methods[] = {
         PHP_V8_ME(StartupData, __construct,            ZEND_ACC_PUBLIC | ZEND_ACC_CTOR)
         PHP_V8_ME(StartupData, getData,                ZEND_ACC_PUBLIC)
-        PHP_V8_ME(StartupData, getRawSize,             ZEND_ACC_PUBLIC)
+        PHP_V8_ME(StartupData, isRejected,             ZEND_ACC_PUBLIC)
         PHP_V8_ME(StartupData, createFromSource,       ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
         PHP_V8_ME(StartupData, warmUpSnapshotDataBlob, ZEND_ACC_PUBLIC | ZEND_ACC_STATIC)
 

src/php_v8_startup_data.h

@@ -14,6 +14,7 @@
 #define PHP_V8_STARTUP_DATA_H
 
 typedef struct _php_v8_startup_data_t php_v8_startup_data_t;
+typedef struct _script_compiler_tag script_compiler_tag;
 
 namespace phpv8 {
     class StartupData;
@@ -33,15 +34,22 @@ extern "C" {
 extern zend_class_entry* php_v8_startup_data_class_entry;
 
 inline php_v8_startup_data_t * php_v8_startup_data_fetch_object(zend_object *obj);
+extern script_compiler_tag php_v8_startup_data_get_current_tag();
 
 #define PHP_V8_STARTUP_DATA_FETCH(zv) php_v8_startup_data_fetch_object(Z_OBJ_P(zv))
 #define PHP_V8_STARTUP_DATA_FETCH_INTO(pzval, into) php_v8_startup_data_t *(into) = PHP_V8_STARTUP_DATA_FETCH((pzval))
 
+#define PHP_V8_SCRIPT_COMPILER_TAG_MAGIC 1 // increment it whenever you change sth that breaks blobs
+
+struct _script_compiler_tag {
+    uint32_t magic;
+    uint32_t tag;
+};
 
 namespace phpv8 {
     class StartupData {
     public:
-        StartupData(v8::StartupData *data = nullptr) : _data(data), in_use(1) {}
+        StartupData(v8::StartupData *data, script_compiler_tag version) : _data(data), in_use(1), _version(version), _rejected(false) {}
 
         inline v8::StartupData *acquire() {
             assert(in_use < UINT32_MAX);
@@ -62,8 +70,23 @@ namespace phpv8 {
             return --in_use == 0;
         }
 
+        void reject() {
+            _rejected = true;
+        }
+
+        bool rejected() {
+            return _rejected;
+        }
+
+        script_compiler_tag version() {
+            return _version;
+        }
+
         ~StartupData() {
             if (_data) {
+                efree((void*)_data->data);
+                _data->data = nullptr;
+                _data->raw_size = 0;
                 delete _data;
             }
         }
@@ -72,6 +95,8 @@ namespace phpv8 {
     private:
         v8::StartupData *_data;
         uint32_t in_use;
+        script_compiler_tag _version;
+        bool _rejected;
     };
 }
 

stubs/src/ScriptCompiler.php

@@ -1,23 +1,35 @@
 <?php declare(strict_types=1);
 
+/**
+ * This file is part of the pinepain/php-v8 PHP extension.
+ *
+ * Copyright (c) 2015-2017 Bogdan Padalko <pinepain@gmail.com>
+ *
+ * Licensed under the MIT license: http://opensource.org/licenses/MIT
+ *
+ * For the full copyright and license information, please view the
+ * LICENSE file that was distributed with this source or visit
+ * http://opensource.org/licenses/MIT
+ */
+
 
 namespace V8;
 
-use V8\ScriptCompiler\CompileOptions;
+
 use V8\ScriptCompiler\Source;
 
 
 /**
  * For compiling scripts.
  */
-class  ScriptCompiler
+class ScriptCompiler
 {
-    const OPTION_NO_COMPILE_OPTIONS = 0;
-    const OPTION_PRODUCE_PARSER_CACHE = 1;
-    const OPTION_CONSUME_PARSER_CACHE = 2;
-    const OPTION_PRODUCE_CODE_CACHE = 3;
+    const OPTION_NO_COMPILE_OPTIONS      = 0;
+    const OPTION_PRODUCE_PARSER_CACHE    = 1;
+    const OPTION_CONSUME_PARSER_CACHE    = 2;
+    const OPTION_PRODUCE_CODE_CACHE      = 3;
     const OPTION_PRODUCE_FULL_CODE_CACHE = 4;
-    const OPTION_CONSUME_CODE_CACHE = 5;
+    const OPTION_CONSUME_CODE_CACHE      = 5;
 
     private function __construct()
     {
@@ -41,9 +53,9 @@ private function __construct()
      *   Alternatively, this tag can be stored alongside the cached data and
      *   compared when it is being used.
      *
-     * @return int
+     * @return float
      */
-    public static function cachedDataVersionTag(): int
+    public static function getCachedDataVersionTag(): float
     {
     }
 

stubs/src/StartupData.php

@@ -29,7 +29,7 @@ public function getData(): string
     {
     }
 
-    public function getRawSize(): int
+    public function isRejected(): bool
     {
     }