PHPC-1151: Maintain Session reference on Cursor

jmikola · jmikola · commit 21307dee76b0 · 2018-04-16T11:28:21.000-04:00
This ensures that the Session and underlying mongoc_client_session_t will not be freed until after the Cursor's mongoc_cursor_t object is destroyed.
diff --git a/php_phongo.c b/php_phongo.c
@@ -238,7 +238,7 @@ static void php_phongo_log(mongoc_log_level_t log_level, const char *log_domain,
 /* }}} */
 
 /* {{{ Init objects */
-static void phongo_cursor_init(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, zval *readPreference TSRMLS_DC) /* {{{ */
+static void phongo_cursor_init(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, zval *readPreference, zval *session TSRMLS_DC) /* {{{ */
 {
 	php_phongo_cursor_t *intern;
 
@@ -256,15 +256,24 @@ static void phongo_cursor_init(zval *return_value, mongoc_client_t *client, mong
 #else
 		Z_ADDREF_P(readPreference);
 		intern->read_preference = readPreference;
+#endif
+	}
+
+	if (session) {
+#if PHP_VERSION_ID >= 70000
+		ZVAL_ZVAL(&intern->session, session, 1, 0);
+#else
+		Z_ADDREF_P(session);
+		intern->session = session;
 #endif
 	}
 } /* }}} */
 
-static void phongo_cursor_init_for_command(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, const char *db, zval *command, zval *readPreference TSRMLS_DC) /* {{{ */
+static void phongo_cursor_init_for_command(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, const char *db, zval *command, zval *readPreference, zval *session TSRMLS_DC) /* {{{ */
 {
 	php_phongo_cursor_t *intern;
 
-	phongo_cursor_init(return_value, client, cursor, readPreference TSRMLS_CC);
+	phongo_cursor_init(return_value, client, cursor, readPreference, session TSRMLS_CC);
 	intern = Z_CURSOR_OBJ_P(return_value);
 
 	intern->database = estrdup(db);
@@ -277,11 +286,11 @@ static void phongo_cursor_init_for_command(zval *return_value, mongoc_client_t *
 #endif
 } /* }}} */
 
-static void phongo_cursor_init_for_query(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, const char *namespace, zval *query, zval *readPreference TSRMLS_DC) /* {{{ */
+static void phongo_cursor_init_for_query(zval *return_value, mongoc_client_t *client, mongoc_cursor_t *cursor, const char *namespace, zval *query, zval *readPreference, zval *session TSRMLS_DC) /* {{{ */
 {
 	php_phongo_cursor_t *intern;
 
-	phongo_cursor_init(return_value, client, cursor, readPreference TSRMLS_CC);
+	phongo_cursor_init(return_value, client, cursor, readPreference, session TSRMLS_CC);
 	intern = Z_CURSOR_OBJ_P(return_value);
 
 	/* namespace has already been validated by phongo_execute_query() */
@@ -748,6 +757,7 @@ int phongo_execute_query(mongoc_client_t *client, const char *namespace, zval *z
 	char *collname;
 	mongoc_collection_t *collection;
 	zval *zreadPreference = NULL;
+	zval *zsession = NULL;
 
 	if (!phongo_split_namespace(namespace, &dbname, &collname)) {
 		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "%s: %s", "Invalid namespace provided", namespace);
@@ -769,7 +779,7 @@ int phongo_execute_query(mongoc_client_t *client, const char *namespace, zval *z
 		return false;
 	}
 
-	if (!phongo_parse_session(options, client, query->opts, NULL TSRMLS_CC)) {
+	if (!phongo_parse_session(options, client, query->opts, &zsession TSRMLS_CC)) {
 		/* Exception should already have been thrown */
 		mongoc_collection_destroy(collection);
 		return false;
@@ -799,7 +809,8 @@ int phongo_execute_query(mongoc_client_t *client, const char *namespace, zval *z
 		return true;
 	}
 
-	phongo_cursor_init_for_query(return_value, client, cursor, namespace, zquery, zreadPreference TSRMLS_CC);
+	phongo_cursor_init_for_query(return_value, client, cursor, namespace, zquery, zreadPreference, zsession TSRMLS_CC);
+
 	return true;
 } /* }}} */
 
@@ -825,6 +836,7 @@ int phongo_execute_command(mongoc_client_t *client, php_phongo_command_type_t ty
 	bson_t opts = BSON_INITIALIZER;
 	mongoc_cursor_t *cmd_cursor;
 	zval *zreadPreference = NULL;
+	zval *zsession = NULL;
 	int result;
 
 	command = Z_COMMAND_OBJ_P(zcommand);
@@ -841,7 +853,7 @@ int phongo_execute_command(mongoc_client_t *client, php_phongo_command_type_t ty
 		return false;
 	}
 
-	if (!phongo_parse_session(options, client, &opts, NULL TSRMLS_CC)) {
+	if (!phongo_parse_session(options, client, &opts, &zsession TSRMLS_CC)) {
 		/* Exception should already have been thrown */
 		bson_destroy(&opts);
 		return false;
@@ -922,7 +934,7 @@ int phongo_execute_command(mongoc_client_t *client, php_phongo_command_type_t ty
 		bson_destroy(&reply);
 	}
 
-	phongo_cursor_init_for_command(return_value, client, cmd_cursor, db, zcommand, zreadPreference TSRMLS_CC);
+	phongo_cursor_init_for_command(return_value, client, cmd_cursor, db, zcommand, zreadPreference, zsession TSRMLS_CC);
 	return true;
 } /* }}} */
 /* }}} */
diff --git a/php_phongo_structs.h b/php_phongo_structs.h
@@ -65,6 +65,7 @@ typedef struct {
 	PHONGO_STRUCT_ZVAL     query;
 	PHONGO_STRUCT_ZVAL     command;
 	PHONGO_STRUCT_ZVAL     read_preference;
+	PHONGO_STRUCT_ZVAL     session;
 	PHONGO_ZEND_OBJECT_POST
 } php_phongo_cursor_t;
 
diff --git a/src/MongoDB/Cursor.c b/src/MongoDB/Cursor.c
@@ -392,6 +392,10 @@ static void php_phongo_cursor_free_object(phongo_free_object_arg *object TSRMLS_
 		zval_ptr_dtor(&intern->read_preference);
 	}
 
+	if (!Z_ISUNDEF(intern->session)) {
+		zval_ptr_dtor(&intern->session);
+	}
+
 	php_phongo_cursor_free_current(intern);
 
 #if PHP_VERSION_ID < 70000
diff --git a/tests/cursor/bug1151-001.phpt b/tests/cursor/bug1151-001.phpt
@@ -0,0 +1,38 @@
+--TEST--
+PHPC-1151: Segfault if session unset before first getMore (find)
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php NEEDS_CRYPTO(); ?>
+<?php NEEDS('STANDALONE'); ?>
+<?php NEEDS_ATLEAST_MONGODB_VERSION(STANDALONE, "3.6"); ?>
+<?php CLEANUP(STANDALONE); ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = new MongoDB\Driver\Manager(STANDALONE);
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$bulk->insert(['_id' => 3]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$query = new MongoDB\Driver\Query([], ['batchSize' => 2]);
+$session = $manager->startSession();
+
+$cursor = $manager->executeQuery(NS, $query, ['session' => $session]);
+
+foreach ($cursor as $document) {
+    unset($session);
+    echo $document->_id, "\n";
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+1
+2
+3
+===DONE===
diff --git a/tests/cursor/bug1151-002.phpt b/tests/cursor/bug1151-002.phpt
@@ -0,0 +1,42 @@
+--TEST--
+PHPC-1151: Segfault if session unset before first getMore (aggregate)
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php NEEDS_CRYPTO(); ?>
+<?php NEEDS('STANDALONE'); ?>
+<?php NEEDS_ATLEAST_MONGODB_VERSION(STANDALONE, "3.6"); ?>
+<?php CLEANUP(STANDALONE); ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = new MongoDB\Driver\Manager(STANDALONE);
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$bulk->insert(['_id' => 3]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$command = new MongoDB\Driver\Command([
+    'aggregate' => COLLECTION_NAME,
+    'pipeline' => [],
+    'cursor' => ['batchSize' => 2],
+]);
+$session = $manager->startSession();
+
+$cursor = $manager->executeReadCommand(DATABASE_NAME, $command, ['session' => $session]);
+
+foreach ($cursor as $document) {
+    unset($session);
+    echo $document->_id, "\n";
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+1
+2
+3
+===DONE===
diff --git a/tests/cursor/bug1151-003.phpt b/tests/cursor/bug1151-003.phpt
@@ -0,0 +1,32 @@
+--TEST--
+PHPC-1151: Segfault if session unset before cursor is killed (find)
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php NEEDS_CRYPTO(); ?>
+<?php NEEDS('STANDALONE'); ?>
+<?php NEEDS_ATLEAST_MONGODB_VERSION(STANDALONE, "3.6"); ?>
+<?php CLEANUP(STANDALONE); ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = new MongoDB\Driver\Manager(STANDALONE);
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$bulk->insert(['_id' => 3]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$query = new MongoDB\Driver\Query([], ['batchSize' => 2]);
+$session = $manager->startSession();
+
+$cursor = $manager->executeQuery(NS, $query, ['session' => $session]);
+unset($session);
+unset($cursor);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+===DONE===
diff --git a/tests/cursor/bug1151-004.phpt b/tests/cursor/bug1151-004.phpt
@@ -0,0 +1,36 @@
+--TEST--
+PHPC-1151: Segfault if session unset before cursor is killed (aggregate)
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php NEEDS_CRYPTO(); ?>
+<?php NEEDS('STANDALONE'); ?>
+<?php NEEDS_ATLEAST_MONGODB_VERSION(STANDALONE, "3.6"); ?>
+<?php CLEANUP(STANDALONE); ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = new MongoDB\Driver\Manager(STANDALONE);
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$bulk->insert(['_id' => 3]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$command = new MongoDB\Driver\Command([
+    'aggregate' => COLLECTION_NAME,
+    'pipeline' => [],
+    'cursor' => ['batchSize' => 2],
+]);
+$session = $manager->startSession();
+
+$cursor = $manager->executeReadCommand(DATABASE_NAME, $command, ['session' => $session]);
+unset($session);
+unset($cursor);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+===DONE===

Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,10 @@ static void php_phongo_cursor_free_object(phongo_free_object_arg *object TSRMLS_`
`392`	`392`	`zval_ptr_dtor(&intern->read_preference);`
`393`	`393`	`}`
`394`	`394`
	`395`	`+ if (!Z_ISUNDEF(intern->session)) {`
	`396`	`+ zval_ptr_dtor(&intern->session);`
	`397`	`+ }`
	`398`	`+`
`395`	`399`	`php_phongo_cursor_free_current(intern);`
`396`	`400`
`397`	`401`	`#if PHP_VERSION_ID < 70000`