
ext/pdo: Convert def_stmt_ctor_args field to Hashtable* #12154

Closed
wants to merge 4 commits into from
Closed
9 changes: 9 additions & 0 deletions Zend/zend_gc.h
Expand Up @@ -131,6 +131,15 @@ static zend_always_inline void zend_get_gc_buffer_add_zval(
}
}

static zend_always_inline void zend_get_gc_buffer_add_ht(
zend_get_gc_buffer *gc_buffer, HashTable *ht) {
if (UNEXPECTED(gc_buffer->cur == gc_buffer->end)) {
zend_get_gc_buffer_grow(gc_buffer);
}
ZVAL_ARR(gc_buffer->cur, ht);
gc_buffer->cur++;
}

static zend_always_inline void zend_get_gc_buffer_add_obj(
zend_get_gc_buffer *gc_buffer, zend_object *obj) {
if (UNEXPECTED(gc_buffer->cur == gc_buffer->end)) {
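Review bot: zend_get_gc_buffer_add_ht pushes the table with ZVAL_ARR unconditionally, which flags the buffer slot as a refcounted, collectable array even when `ht` is an immutable table (a compiled constant array, which is exactly what the PDO caller in this PR can store from user-supplied constructor args); the collector would then manipulate the refcount of a table that is never supposed to be touched, whereas the zval-based helper whose closing braces open this hunk presumably skips non-refcounted values (its body is outside the hunk). Either guard the push with `if (GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) { return; }` before the grow check, or state in a comment that callers must only pass refcounted tables. The helper also has no header comment; suggest `/* Push a HashTable onto the GC buffer; ht must be non-NULL and is not addref'd. */` above the definition.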
8 changes: 8 additions & 0 deletions Zend/zend_types.h
Expand Up @@ -721,6 +721,14 @@ static zend_always_inline uint8_t zval_get_type(const zval* pz) {
} \
} while (0)

#define GC_DTOR_NOGC(p) \
do { \
zend_refcounted_h *_p = &(p)->gc; \
if (zend_gc_delref(_p) == 0) { \
rc_dtor_func((zend_refcounted *)_p); \
} \
} while (0)

#define GC_DTOR_NO_REF(p) \
do { \
zend_refcounted_h *_p = &(p)->gc; \
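Review bot: GC_DTOR_NOGC is added without a comment and, in the changes visible on this page, nothing uses it — dbh_free in ext/pdo/pdo_dbh.c calls GC_DTOR_NO_REF instead. From its body it appears to be GC_DTOR_NO_REF minus the possible-root registration on a non-final delref, which is only safe for values that can never take part in a reference cycle, and that restriction is not obvious from the name. If the macro is meant to stay, add `/* Like GC_DTOR but never registers the value as a possible GC root; only for values that cannot be part of a cycle. */` above it; otherwise drop it as leftover from an earlier revision.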
57 changes: 26 additions & 31 deletions ext/pdo/pdo_dbh.c
Expand Up @@ -434,11 +434,9 @@ PHP_METHOD(PDO, __construct)
}
/* }}} */

static zval *pdo_stmt_instantiate(pdo_dbh_t *dbh, zval *object, zend_class_entry *dbstmt_ce, zval *ctor_args) /* {{{ */
static zval *pdo_stmt_instantiate(pdo_dbh_t *dbh, zval *object, zend_class_entry *dbstmt_ce, const HashTable *ctor_args) /* {{{ */
{
if (!Z_ISUNDEF_P(ctor_args)) {
/* This implies an error within PDO if this does not hold */
ZEND_ASSERT(Z_TYPE_P(ctor_args) == IS_ARRAY);
if (ctor_args) {
if (!dbstmt_ce->constructor) {
zend_throw_error(NULL, "User-supplied statement does not accept constructor arguments");
return NULL;
Expand Down Expand Up @@ -475,8 +473,9 @@ PHP_METHOD(PDO, prepare)
{
pdo_stmt_t *stmt;
zend_string *statement;
zval *options = NULL, *value, *item, ctor_args;
zval *options = NULL, *value, *item;
zend_class_entry *dbstmt_ce, *pce;
/* const */ HashTable *ctor_args = NULL;
pdo_dbh_object_t *dbh_obj = Z_PDO_OBJECT_P(ZEND_THIS);
pdo_dbh_t *dbh = dbh_obj->inner;

Expand Down Expand Up @@ -525,16 +524,14 @@ PHP_METHOD(PDO, prepare)
zend_zval_value_name(value));
RETURN_THROWS();
}
ZVAL_COPY_VALUE(&ctor_args, item);
} else {
ZVAL_UNDEF(&ctor_args);
ctor_args = Z_ARRVAL_P(item);
}
} else {
dbstmt_ce = dbh->def_stmt_ce;
ZVAL_COPY_VALUE(&ctor_args, &dbh->def_stmt_ctor_args);
ctor_args = dbh->def_stmt_ctor_args;
}

if (!pdo_stmt_instantiate(dbh, return_value, dbstmt_ce, &ctor_args)) {
if (!pdo_stmt_instantiate(dbh, return_value, dbstmt_ce, ctor_args)) {
RETURN_THROWS();
}
stmt = Z_PDO_STMT_P(return_value);
Expand All @@ -549,11 +546,7 @@ PHP_METHOD(PDO, prepare)
ZVAL_UNDEF(&stmt->lazy_object_ref);

if (dbh->methods->preparer(dbh, statement, stmt, options)) {
if (Z_TYPE(ctor_args) == IS_ARRAY) {
pdo_stmt_construct(stmt, return_value, dbstmt_ce, Z_ARRVAL(ctor_args));
} else {
pdo_stmt_construct(stmt, return_value, dbstmt_ce, /* ctor_args */ NULL);
}
pdo_stmt_construct(stmt, return_value, dbstmt_ce, ctor_args);
return;
}

Expand Down Expand Up @@ -817,17 +810,19 @@ static bool pdo_dbh_attribute_set(pdo_dbh_t *dbh, zend_long attr, zval *value) /
return false;
}
dbh->def_stmt_ce = pce;
if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
zval_ptr_dtor(&dbh->def_stmt_ctor_args);
ZVAL_UNDEF(&dbh->def_stmt_ctor_args);
if (dbh->def_stmt_ctor_args) {
zend_array_release(dbh->def_stmt_ctor_args);
dbh->def_stmt_ctor_args = NULL;
}
if ((item = zend_hash_index_find(Z_ARRVAL_P(value), 1)) != NULL) {
if (Z_TYPE_P(item) != IS_ARRAY) {
zend_type_error("PDO::ATTR_STATEMENT_CLASS constructor_args must be of type ?array, %s given",
zend_zval_value_name(value));
return false;
}
ZVAL_COPY(&dbh->def_stmt_ctor_args, item);
dbh->def_stmt_ctor_args = Z_ARRVAL_P(item);
/* Increase refcount */
GC_TRY_ADDREF(dbh->def_stmt_ctor_args);

@SakiTakamachi SakiTakamachi Sep 12, 2023


Isn't increasing the count here the cause of the memory leak?

Passing it to the constructor increments the ref count, so I thought maybe there was no need to increment the count at this point, so I commented it out and tried running the following code.
Memory leak no longer occurs.

<?php
$db = new PDO('mysql:host=mysql;dbname=test;', 'root', ''); // my env
class Foo extends PDOStatement {
    private function __construct($v) {
        var_dump($v);
    }
}
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('Foo', ['param1']));

$stmt = $db->query('SELECT 1');
var_dump($stmt);

result:

string(6) "param1"
object(Foo)#2 (1) {
  ["queryString"]=>
  string(8) "SELECT 1"
}

I also tried this as well.
This does not leak memory to begin with, but I tried it to confirm behavior.

<?php
class Foo extends PDOStatement {
    private function __construct($v) {
        var_dump($v);
    }
}

class Bar extends PDO {
    public $statementClass = 'Foo';
    function __construct($dsn, $username, $password, $driver_options = []) {
        $driver_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
        parent::__construct($dsn, $username, $password, $driver_options);

        $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, [$this->statementClass, [$this]]);
    }
}

$db = new Bar('mysql:host=mysql;dbname=test;', 'root', ''); // my env

$stmt = $db->query('SELECT 1');
var_dump($stmt);

result:

object(Bar)#1 (1) {
  ["statementClass"]=>
  string(3) "Foo"
}
object(Foo)#2 (1) {
  ["queryString"]=>
  string(8) "SELECT 1"
}

Member Author


I don't think not incrementing the reference counter is the correct approach.

As something along the lines of:

<?php
if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';

class Foo extends PDOStatement {
    private function __construct($v) {
        var_dump($v);
    }
}

$db = PDOTest::factory();

$a = ['Foo', ['param1']];
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, $a);
unset($a);
$stmt = $db->query('SELECT 1');
var_dump($stmt);

?>

Should still work, I'm pretty sure this is why I did a dup.

Member Author


Also just removing this line causes use after frees so just that is definitely not the solution.


@SakiTakamachi SakiTakamachi Sep 14, 2023


@Girgias

Passing it to the constructor increments the ref count, so I thought maybe there was no need to increment the count at this point

This was clearly a mistake.
However, after looking around, I still don't think I should increment the refcount here, for other reasons.

The test code you provided that includes unset worked fine even after removing GC_TRY_ADDREF.

dbh->def_stmt_ctor_args = Z_ARRVAL_P(item); is a copy, so whatever happens to $a after this should have no effect at all (of course, there is no problem using unset()).

Sorry, the above is also incorrect.


In the following case, at the time of setAttribute, refcount is 2, and unset() reduces it to 1.
(with removing GC_TRY_ADDREF. I checked by gdb.)

<?php
$db = new PDO('mysql:host=mysql;dbname=test;', 'root', '');
class Foo extends PDOStatement {
    private function __construct($v) {
        var_dump($v);
    }
}
$a = ['Foo', ['param1']];
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, $a); // refcount 2
unset($a[1]);

$stmt = $db->query('SELECT 1'); // refcount 1
var_dump($stmt);


@SakiTakamachi SakiTakamachi Sep 14, 2023


If I remove GC_TRY_ADDREF, ht will be freed by the next process and then used again.

if (dbh->def_stmt_ctor_args) {
	zend_array_release(dbh->def_stmt_ctor_args);
	dbh->def_stmt_ctor_args = NULL;
}
// If I try to set the exact same thing twice, a problem will occur.
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, ['Foo', ['param1']]);
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, ['Foo', ['param1']]);

So in this case, it definitely needs a GC_TRY_ADDREF here; I understand now.

}
return true;
}
Expand Down Expand Up @@ -906,9 +901,10 @@ PHP_METHOD(PDO, getAttribute)
case PDO_ATTR_STATEMENT_CLASS:
array_init(return_value);
add_next_index_str(return_value, zend_string_copy(dbh->def_stmt_ce->name));
if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
Z_TRY_ADDREF(dbh->def_stmt_ctor_args);
add_next_index_zval(return_value, &dbh->def_stmt_ctor_args);
if (dbh->def_stmt_ctor_args) {
/* Increment refcount of constructor arguments */
GC_TRY_ADDREF(dbh->def_stmt_ctor_args);
add_next_index_array(return_value, dbh->def_stmt_ctor_args);
}
return;
case PDO_ATTR_DEFAULT_FETCH_MODE:
Expand Down Expand Up @@ -1093,7 +1089,7 @@ PHP_METHOD(PDO, query)

PDO_DBH_CLEAR_ERR();

if (!pdo_stmt_instantiate(dbh, return_value, dbh->def_stmt_ce, &dbh->def_stmt_ctor_args)) {
if (!pdo_stmt_instantiate(dbh, return_value, dbh->def_stmt_ce, dbh->def_stmt_ctor_args)) {
RETURN_THROWS();
}
stmt = Z_PDO_STMT_P(return_value);
Expand Down Expand Up @@ -1122,11 +1118,7 @@ PHP_METHOD(PDO, query)
stmt->executed = 1;
}
if (ret) {
if (Z_TYPE(dbh->def_stmt_ctor_args) == IS_ARRAY) {
pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, Z_ARRVAL(dbh->def_stmt_ctor_args));
} else {
pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, /* ctor_args */ NULL);
}
pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, dbh->def_stmt_ctor_args);
return;
}
}
Expand Down Expand Up @@ -1320,7 +1312,9 @@ static HashTable *dbh_get_gc(zend_object *object, zval **gc_data, int *gc_count)
{
pdo_dbh_t *dbh = php_pdo_dbh_fetch_inner(object);
zend_get_gc_buffer *gc_buffer = zend_get_gc_buffer_create();
zend_get_gc_buffer_add_zval(gc_buffer, &dbh->def_stmt_ctor_args);
if (dbh->def_stmt_ctor_args) {
zend_get_gc_buffer_add_ht(gc_buffer, dbh->def_stmt_ctor_args);
}
if (dbh->methods && dbh->methods->get_gc) {
dbh->methods->get_gc(dbh, gc_buffer);
}
Expand Down Expand Up @@ -1382,8 +1376,8 @@ static void dbh_free(pdo_dbh_t *dbh, bool free_persistent)
pefree((char *)dbh->persistent_id, dbh->is_persistent);
}

if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
zval_ptr_dtor(&dbh->def_stmt_ctor_args);
if (dbh->def_stmt_ctor_args) {
GC_DTOR_NO_REF(dbh->def_stmt_ctor_args);
}

for (i = 0; i < PDO_DBH_DRIVER_METHOD_KIND__MAX; i++) {
Expand Down Expand Up @@ -1427,6 +1421,7 @@ zend_object *pdo_dbh_new(zend_class_entry *ce)
rebuild_object_properties(&dbh->std);
dbh->inner = ecalloc(1, sizeof(pdo_dbh_t));
dbh->inner->def_stmt_ce = pdo_dbstmt_ce;
dbh->inner->def_stmt_ctor_args = NULL;

return &dbh->std;
}
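Review bot: dbh_free now releases def_stmt_ctor_args with GC_DTOR_NO_REF, which decrements the refcount unconditionally, while every other site in this file treats the table as possibly immutable: pdo_dbh_attribute_set stores it with GC_TRY_ADDREF (a no-op on immutable tables), getAttribute does the same, and the replace path in pdo_dbh_attribute_set uses zend_array_release, which checks IS_ARRAY_IMMUTABLE before the delref. A constructor-args literal such as `['param1']` (as used in the new tests) is typically compiled as an immutable table, so the free path would delref a table that was never addref'd; the old zval_ptr_dtor avoided this because such a zval is not flagged refcounted. Use the same release as the set path, `zend_array_release(dbh->def_stmt_ctor_args);` in place of the GC_DTOR_NO_REF call, and apply the same immutable-table consideration to the zend_get_gc_buffer_add_ht call in dbh_get_gc. Separately, `/* const */ HashTable *ctor_args = NULL;` in PDO::prepare reads as an unresolved note; either declare it `const HashTable *` to match the new pdo_stmt_instantiate signature or drop the comment.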
2 changes: 1 addition & 1 deletion ext/pdo/php_pdo_driver.h
Expand Up @@ -487,7 +487,7 @@ struct _pdo_dbh_t {

zend_class_entry *def_stmt_ce;

zval def_stmt_ctor_args;
HashTable *def_stmt_ctor_args;

/* when calling PDO::query(), we need to keep the error
* context from the statement around until we next clear it.
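Review bot: The new pointer field carries no ownership note, so unlike the zval it replaces a reader cannot tell whether NULL is a valid state or who releases the table. Suggest `/* Constructor args for def_stmt_ce: addref'd on set, NULL when unset, released in dbh_free */` above `HashTable *def_stmt_ctor_args;`. struct _pdo_dbh_t begins and ends outside the hunk.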
48 changes: 48 additions & 0 deletions ext/pdo/tests/pdo_ATTR_STATEMENT_CLASS_ctor_arg_gc.phpt
@@ -0,0 +1,48 @@
--TEST--
PDO: Set PDOStatement class with ctor_args that are freed with GC intervention
--EXTENSIONS--
pdo
--SKIPIF--
<?php
$dir = getenv('REDIR_TEST_DIR');
if (false == $dir) die('skip no driver');
require_once $dir . 'pdo_test.inc';
PDOTest::skip();
?>
--FILE--
<?php
if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';

class Foo extends PDOStatement {
private function __construct($v) {
var_dump($v);
}
}

class Bar extends PDO {
public $statementClass = 'Foo';
function __construct($dsn, $username, $password, $driver_options = []) {
$driver_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
parent::__construct($dsn, $username, $password, $driver_options);

$this->setAttribute(PDO::ATTR_STATEMENT_CLASS, [$this->statementClass, [$this]]);
}
}

$db = PDOTest::factory(Bar::class);

$dummy_query = get_dummy_sql_request();

$stmt = $db->query($dummy_query);
var_dump($stmt instanceof Foo);
var_dump($stmt->queryString === $dummy_query);

?>
--EXPECT--
object(Bar)#1 (1) {
["statementClass"]=>
string(3) "Foo"
}
bool(true)
bool(true)
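Review bot: The test title says the ctor args are freed with GC intervention, but the script never triggers a collection: `$db` holds itself through the `[$this]` constructor argument, yet nothing unsets `$db`/`$stmt` or calls `gc_collect_cycles()` before shutdown, so whether the new zend_get_gc_buffer_add_ht path in dbh_get_gc actually runs depends on the engine's shutdown order rather than on the test. Adding `unset($stmt, $db); var_dump(gc_collect_cycles());` before `?>` (with the matching expected line) would make the cycle collection explicit and would catch a regression in dbh_get_gc directly.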
37 changes: 37 additions & 0 deletions ext/pdo/tests/pdo_ATTR_STATEMENT_CLASS_ctor_arg_no-gc.phpt
@@ -0,0 +1,37 @@
--TEST--
PDO: Set PDOStatement class with ctor_args that are freed without GC intervention
--EXTENSIONS--
pdo
--SKIPIF--
<?php
$dir = getenv('REDIR_TEST_DIR');
if (false == $dir) die('skip no driver');
require_once $dir . 'pdo_test.inc';
PDOTest::skip();
?>
--FILE--
<?php
if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';

class Foo extends PDOStatement {
private function __construct($v) {
var_dump($v);
}
}

$db = PDOTest::factory();

$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('Foo', ['param1']));

$dummy_query = get_dummy_sql_request();

$stmt = $db->query($dummy_query);
var_dump($stmt instanceof Foo);
var_dump($stmt->queryString === $dummy_query);

?>
--EXPECT--
string(6) "param1"
bool(true)
bool(true)
@@ -0,0 +1,39 @@
--TEST--
PDO: Set PDOStatement class with ctor_args that are freed without GC intervention as a variable that is modified
--EXTENSIONS--
pdo
--SKIPIF--
<?php
$dir = getenv('REDIR_TEST_DIR');
if (false == $dir) die('skip no driver');
require_once $dir . 'pdo_test.inc';
PDOTest::skip();
?>
--FILE--
<?php
if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';

class Foo extends PDOStatement {
private function __construct($v) {
var_dump($v);
}
}

$db = PDOTest::factory();

$a = ['Foo', ['param1']];
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, $a);
$a[0] = 'Bar';

$dummy_query = get_dummy_sql_request();

$stmt = $db->query($dummy_query);
var_dump($stmt instanceof Foo);
var_dump($stmt->queryString === $dummy_query);

?>
--EXPECT--
string(6) "param1"
bool(true)
bool(true)
@@ -0,0 +1,39 @@
--TEST--
PDO: Set PDOStatement class with ctor_args that are freed without GC intervention as a variable that is unset
--EXTENSIONS--
pdo
--SKIPIF--
<?php
$dir = getenv('REDIR_TEST_DIR');
if (false == $dir) die('skip no driver');
require_once $dir . 'pdo_test.inc';
PDOTest::skip();
?>
--FILE--
<?php
if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';

class Foo extends PDOStatement {
private function __construct($v) {
var_dump($v);
}
}

$db = PDOTest::factory();

$a = ['Foo', ['param1']];
$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, $a);
unset($a);

$dummy_query = get_dummy_sql_request();

$stmt = $db->query($dummy_query);
var_dump($stmt instanceof Foo);
var_dump($stmt->queryString === $dummy_query);

?>
--EXPECT--
string(6) "param1"
bool(true)
bool(true)