santiagomed opened a new pull request, #3336:
URL: https://github.com/apache/thrift/pull/3336

## Problem

The Rust code generator emits union deserializers that panic when a message contains an unrecognized field ID.

In `render_union_sync_read`, the wildcard arm increments `received_field_count` but never sets `ret`:

```cpp
// t_rs_generator.cc
f_gen_ << indent() << "_ => {" << '\n';
f_gen_ << indent() << "i_prot.skip(field_ident.field_type)?;" << '\n';
f_gen_ << indent() << "received_field_count += 1;" << '\n';  // ← the bug
```

This breaks the invariant `received_field_count == 1 ⟹ ret.is_some()`. When a message delivers exactly one field whose ID is outside the union's declared range, the generated code:

1. Skips the field
2. Increments the counter to 1
3. Exits the loop
4. Hits the `else { ... .expect("return value should have been constructed") }` branch
5. **Panics and aborts the process**

A single malformed or forward-compatible message from a peer running a newer schema version is enough to crash the parser. No authentication or valid session credential is required — the crash occurs before any cryptographic validation.

## Fix

Remove `received_field_count += 1` from the wildcard arm. Unknown fields are already silently discarded by `i_prot.skip()`; they must not contribute to the count.

```cpp
// after
f_gen_ << indent() << "_ => {" << '\n';
f_gen_ << indent() << "i_prot.skip(field_ident.field_type)?;" << '\n';
// removed: received_field_count += 1
```

With this change, a message carrying only unknown union fields returns a `ProtocolError` ("received empty union") instead of panicking — consistent with how zero-field unions are already handled.

## Impact

Affects every generated Rust union deserializer. We hit this in production at xAI while doing a rolling schema deploy where newer servers briefly delivered event types unknown to older SDK versions. The process crashed instead of gracefully returning an unknown-variant error.
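The following is an added example, not code from the pull request or from Thrift's generator output. It hand-writes a stand-in for the generated union read loop described above, with the wildcard arm in its buggy form (unknown fields counted) and its fixed form (unknown fields skipped and not counted) selected by a flag, so the invariant violation and the resulting panic can be reproduced and checked under `catch_unwind`. The "wire message" is a constructed slice of `(field_id, value)` pairs rather than a real `TInputProtocol`, and the `Event` union, the `ProtocolError` type and the exact error strings are assumptions for the example.

```rust
// Added example: a minimal stand-in for a generated Thrift union reader.
// Assumed union with two declared fields (ids 1 and 2); anything else is unknown.
#[derive(Debug, PartialEq)]
pub enum Event {
    Started(i32), // field id 1
    Stopped(i32), // field id 2
}

/// Stand-in for thrift's protocol error (assumption; the real type is richer).
#[derive(Debug, PartialEq)]
pub struct ProtocolError(pub &'static str);

/// Mirrors the shape of the generated `read_from_in_protocol` body.
/// `count_unknown == true` reproduces the bug (wildcard arm bumps the counter);
/// `count_unknown == false` is the behaviour after the fix.
pub fn read_union(msg: &[(i16, i32)], count_unknown: bool) -> Result<Event, ProtocolError> {
    let mut ret: Option<Event> = None;
    let mut received_field_count = 0;
    for &(field_id, value) in msg {
        match field_id {
            1 => {
                ret = Some(Event::Started(value));
                received_field_count += 1;
            }
            2 => {
                ret = Some(Event::Stopped(value));
                received_field_count += 1;
            }
            _ => {
                // Real generated code calls i_prot.skip(field_ident.field_type)? here;
                // our constructed message needs nothing skipped.
                if count_unknown {
                    received_field_count += 1; // the bug: counter moves, `ret` does not
                }
            }
        }
    }
    if received_field_count == 0 {
        Err(ProtocolError("received empty union")) // assumed wording
    } else if received_field_count > 1 {
        Err(ProtocolError("received multiple fields for union")) // assumed wording
    } else {
        // With the bug, a lone unknown field reaches this branch with ret == None.
        Ok(ret.expect("return value should have been constructed"))
    }
}

pub fn read_buggy(msg: &[(i16, i32)]) -> Result<Event, ProtocolError> {
    read_union(msg, true)
}

pub fn read_fixed(msg: &[(i16, i32)]) -> Result<Event, ProtocolError> {
    read_union(msg, false)
}

/// Runs the buggy reader under catch_unwind (with the default panic hook silenced)
/// and reports whether it panicked, so the failure mode is observable without aborting.
pub fn buggy_panics(msg: &[(i16, i32)]) -> bool {
    let owned: Vec<(i16, i32)> = msg.to_vec();
    let prev = std::panic::take_hook();
    std::panic::set_hook(Box::new(|_| {}));
    let panicked = std::panic::catch_unwind(move || read_buggy(&owned)).is_err();
    std::panic::set_hook(prev);
    panicked
}

fn main() {
    let known = [(1i16, 7i32)];        // constructed: one declared field
    let unknown_only = [(99i16, 42i32)]; // constructed: one field outside the union's range

    println!("fixed, known field:   {:?}", read_fixed(&known));
    println!("fixed, unknown only:  {:?}", read_fixed(&unknown_only));
    println!("buggy, unknown only panics: {}", buggy_panics(&unknown_only));
}
```

The same `unknown_only` message is what a peer on a newer schema version would send for a variant the older SDK does not know about: the fixed reader turns it into a recoverable `Err`, while the buggy reader trips the `expect` and takes the process down.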
