hold extra reference on v8 instance as long as we call into V8, closes #472

2024-09-19 00:25:18 +00:00 · 2022-05-29 21:48:47 +02:00 · 2022-05-29 21:48:47 +02:00 · 3257a86bef
commit 3257a86bef
parent 6a7753a43a
3 changed files with 159 additions and 109 deletions
--- a/tests/issue_472_basic.phpt
+++ b/tests/issue_472_basic.phpt
@ -0,0 +1,30 @@
+--TEST--
+Test V8::executeString() : Issue #472 Destroy V8Js object which V8 isolate entered
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+class myjs extends \V8Js
+{
+   public function bosh()
+   {
+      $GLOBALS['v8test'] = null;
+	  unset($GLOBALS['v8test']);
+	}
+}
+
+$GLOBALS['v8test'] = new myjs('myjs');
+$ret = $GLOBALS['v8test']->executeString('
+	(() => {
+		myjs.bosh()
+	})
+');
+
+$ret();
+var_dump($ret);
+?>
+===EOF===
+--EXPECTF--
+object(V8Function)#%d (0) {
+}
+===EOF===
--- a/v8js_class.h
+++ b/v8js_class.h
@ -83,6 +83,10 @@ static inline struct v8js_ctx *v8js_ctx_fetch_object(zend_object *obj) {
 	return (struct v8js_ctx *)((char *)obj - XtOffsetOf(struct v8js_ctx, std));
 }

+static inline zend_object *v8js_ctx_to_zend_object(struct v8js_ctx *ctx) {
+	return (zend_object *)((char *)ctx + XtOffsetOf(struct v8js_ctx, std));
+}
+
 #define Z_V8JS_CTX_OBJ_P(zv) v8js_ctx_fetch_object(Z_OBJ_P(zv));


--- a/v8js_v8.cc
+++ b/v8js_v8.cc
@ -120,6 +120,13 @@ void v8js_v8_call(v8js_ctx *c, zval **return_value,
 {
 	char *tz = NULL;

+	// hold extra reference on v8 instance as long as we call into V8 (issue #472)
+	zend_object *obj = v8js_ctx_to_zend_object(c);
+	zval zv_v8inst;
+	ZVAL_OBJ(&zv_v8inst, obj);
+	Z_ADDREF_P(&zv_v8inst);
+
+	{
 		V8JS_CTX_PROLOGUE(c);

 		V8JSG(timer_mutex).lock();
@ -184,6 +191,7 @@ void v8js_v8_call(v8js_ctx *c, zval **return_value,
 				// Execution has been terminated due to time limit
 				sprintf(exception_string, "Script time limit of %lu milliseconds exceeded", time_limit);
 				zend_throw_exception(php_ce_v8js_time_limit_exception, exception_string, 0);
+				zval_ptr_dtor(&zv_v8inst);
 				return;
 			}

@ -206,11 +214,13 @@ void v8js_v8_call(v8js_ctx *c, zval **return_value,
 				// Execution has been terminated due to memory limit
 				sprintf(exception_string, "Script memory limit of %lu bytes exceeded", memory_limit);
 				zend_throw_exception(php_ce_v8js_memory_limit_exception, exception_string, 0);
+				zval_ptr_dtor(&zv_v8inst);
 				return;
 			}

 			if (!try_catch.CanContinue()) {
 				// At this point we can't re-throw the exception
+				zval_ptr_dtor(&zv_v8inst);
 				return;
 			}

@ -229,18 +239,21 @@ void v8js_v8_call(v8js_ctx *c, zval **return_value,
 					/* Report immediately if report_uncaught is true */
 					if (c->report_uncaught) {
 						v8js_throw_script_exception(c->isolate, &try_catch);
+						zval_ptr_dtor(&zv_v8inst);
 						return;
 					}

 					/* Exception thrown from JS, preserve it for future execution */
 					if (result.IsEmpty()) {
 						v8js_create_script_exception(&c->pending_exception, c->isolate, &try_catch);
+						zval_ptr_dtor(&zv_v8inst);
 						return;
 					}
 				}

 				/* Rethrow back to JS */
 				try_catch.ReThrow();
+				zval_ptr_dtor(&zv_v8inst);
 				return;
 			}

@ -250,6 +263,9 @@ void v8js_v8_call(v8js_ctx *c, zval **return_value,
 			}
 		}
 	}
+
+	zval_ptr_dtor(&zv_v8inst);
+}
 /* }}} */

 void v8js_terminate_execution(v8::Isolate *isolate) /* {{{ */