Tuomo Jokimies created THRIFT-5769:
--------------------------------------
Summary: Large messages crash Node.js client when using TFramedTransport
Key: THRIFT-5769
URL: https://issues.apache.org/jira/browse/THRIFT-5769
Project: Thrift
Issue Type: Bug
Components: Node.js - Library
Affects Versions: 0.19.0
Environment: *Stack trace for Node.js v21.7.1*
(pinpoints the cause, since this release uses a newer version of V8)
{code:java}
<redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43
residual.push(data[i])
^
RangeError: Invalid array length
at Array.push (<anonymous>)
at <redacted>/thrift/lib/nodejs/lib/thrift/framed_transport.js:43:16
<redacted>{code}
*Stack trace for Node.js LTS v20.11.1*
{code:java}
#
# Fatal error in , line 0
# Fatal JavaScript invalid size error 169220804 (see crbug.com/1201626)
#
#
#
#FailureMessage Object: 0x16f48a0f8
----- Native stack trace -----
1: 0x100aad340 node::NodePlatform::GetStackTracePrinter()::$_3::__invoke()
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
2: 0x101b309ac V8_Fatal(char const*, <redacted>)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
3: 0x100d71334
v8::internal::FactoryBase<v8::internal::Factory>::NewFixedArrayWithFiller(v8::internal::Handle<v8::internal::Map>,
int, v8::internal::Handle<v8::internal::Oddball>,
v8::internal::AllocationType) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
4: 0x100f0cf68 v8::internal::(anonymous
namespace)::ElementsAccessorBase<v8::internal::(anonymous
namespace)::FastPackedSmiElementsAccessor, v8::internal::(anonymous
namespace)::ElementsKindTraits<(v8::internal::ElementsKind)0>>::GrowCapacity(v8::internal::Handle<v8::internal::JSObject>,
unsigned int) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
5: 0x101158600 v8::internal::Runtime_GrowArrayElements(int, unsigned long*,
v8::internal::Isolate*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
6: 0x1014c4c44 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
7: 0x1064cfe9c
8: 0x1064aac88
9: 0x10143c3e4 Builtins_InterpreterEntryTrampoline
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
10: 0x1064aac88
11: 0x10143c3e4 Builtins_InterpreterEntryTrampoline
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
12: 0x10143c3e4 Builtins_InterpreterEntryTrampoline
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
13: 0x10143a50c Builtins_JSEntryTrampoline
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
14: 0x10143a1f4 Builtins_JSEntry
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
15: 0x100d104f8 v8::internal::(anonymous
namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous
namespace)::InvokeParams const&)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
16: 0x100d0f944 v8::internal::Execution::Call(v8::internal::Isolate*,
v8::internal::Handle<v8::internal::Object>,
v8::internal::Handle<v8::internal::Object>, int,
v8::internal::Handle<v8::internal::Object>*)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
17: 0x100bea214 v8::Function::Call(v8::Local<v8::Context>,
v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
18: 0x100978fd8 node::InternalMakeCallback(node::Environment*,
v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int,
v8::Local<v8::Value>*, node::async_context)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
19: 0x100979304 node::MakeCallback(v8::Isolate*, v8::Local<v8::Object>,
v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
20: 0x1009ee554 node::Environment::CheckImmediate(uv_check_s*)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
21: 0x1014209e0 uv__run_check [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
22: 0x10141a700 uv_run [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
23: 0x100979754 node::SpinEventLoopInternal(node::Environment*)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
24: 0x100a89c6c node::NodeMainInstance::Run(node::ExitCode*,
node::Environment*) [<redacted>/.nvm/versions/node/v20.11.1/bin/node]
25: 0x100a89a08 node::NodeMainInstance::Run()
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
26: 0x100a13718 node::Start(int, char**)
[<redacted>/.nvm/versions/node/v20.11.1/bin/node]
27: 0x1a61dff28 start [/usr/lib/dyld]{code}
Reporter: Tuomo Jokimies
Large messages cause the Thrift client to crash when using TFramedTransport.
The crash is caused by an array overflow of the residual variable in the receiver function.