phpv8 / v8js

V8 Javascript Engine for PHP — This PHP extension embeds the Google V8 Javascript Engine
http://pecl.php.net/package/v8js
MIT License

cross-injection segfault with callback function #115

Closed stesie closed 10 years ago

stesie commented 10 years ago

If we have two V8Js instances, and A provides a callback function to PHP, and in PHP we forward the callback function to V8Js instance B like so:

```php
<?php

// Two independent V8Js instances, each with its own V8 isolate.
$a = new V8Js();
$b = new V8Js();

$a->name = 'A';
$b->name = 'B';

// PHP callback exposed to A; it receives a JS function (V8Function) from A
// and forwards that handle to instance B.
$a->callback = function($cb) {
  global $b;
  var_dump($cb);
  $b->test = $cb;
};

$a->executeString('PHP.callback(function() { print("Hallo from " + PHP.name + ".\\n"); });');

var_dump($b->test);
$b->executeString('PHP.test();');  // <-- crashes
```

... when V8Js B tries to call it, there is a segfault:

```
object(V8Function)#4 (0) {
}
object(V8Function)#4 (0) {
}

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff43f94fb in v8::internal::Builtin_HandleApiCallAsFunction(int, v8::internal::Object**, v8::internal::Isolate*) ()
   from /usr/local/v8/lib/libv8.so
(gdb) bt
#0  0x00007ffff43f94fb in v8::internal::Builtin_HandleApiCallAsFunction(int, v8::internal::Object**, v8::internal::Isolate*) ()
   from /usr/local/v8/lib/libv8.so
#1  0x00001c94a52072ae in ?? ()
#2  0x00001c94a5207201 in ?? ()
#3  0x00007fffffffa0d0 in ?? ()
#4  0x00007fffffffa118 in ?? ()
#5  0x00001c94a525c03c in ?? ()
#6  0x0000125074081ba1 in ?? ()
#7  0x000017f03a861fb9 in ?? ()
#8  0x00001c94a525bf81 in ?? ()
#9  0x0000000800000000 in ?? ()
#10 0x0000000000000000 in ?? ()
```

stesie commented 10 years ago

After all, this is issue #116; here it's just PHP code which makes the assignment on the V8Js object, as opposed to #116 where it is JS code.
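The crash in the reproducer above happens because a V8Function handle created in instance A's isolate is invoked from instance B's isolate. Until the extension itself rejects that, PHP code can fail closed at the boundary. The following is an added example, not code from the issue or from the v8js project: a thin wrapper that records which instance handed each V8Function to PHP and throws a PHP exception when that handle is assigned to a different instance, so the misuse surfaces as a catchable error instead of a segfault inside V8. It assumes the V8Js API as used in the issue (`new V8Js()`, property assignment exposing values under the JS `PHP` object, `executeString`) and that every V8Function reaching PHP does so through a callback registered with the wrapper's `expose()` method; the class and method names are the example's own.

```php
<?php
// Added example (not part of the issue or of v8js): refuse to hand a
// V8Function from one V8Js instance to another at the PHP boundary.
//
// Assumption: JS functions only reach PHP through callbacks registered
// via expose(), so their owning instance is always known.

final class IsolatedV8Js
{
    private V8Js $v8;

    /** @var SplObjectStorage<V8Function, IsolatedV8Js>|null owner registry shared by all wrappers */
    private static ?SplObjectStorage $owners = null;

    public function __construct(private string $label)
    {
        self::$owners ??= new SplObjectStorage();
        $this->v8 = new V8Js();
        $this->v8->name = $label;
    }

    // Expose a PHP callable to JS under $name. Every V8Function argument JS
    // passes to it is tagged with this wrapper as its owner (first owner
    // wins) before the real callable sees it.
    public function expose(string $name, callable $fn): void
    {
        $this->v8->$name = function (...$args) use ($fn) {
            foreach ($args as $arg) {
                if ($arg instanceof V8Function && !self::$owners->contains($arg)) {
                    self::$owners[$arg] = $this;
                }
            }
            return $fn(...$args);
        };
    }

    // Assign a value into this instance's JS `PHP` object, rejecting V8
    // handles that belong to another (or an unknown) instance.
    public function assign(string $name, mixed $value): void
    {
        if ($value instanceof V8Function) {
            $owner = self::$owners->contains($value) ? self::$owners[$value] : null;
            if ($owner !== $this) {
                $from = $owner?->label ?? 'unknown';
                throw new LogicException(
                    "refusing to expose V8Function owned by instance '$from' to instance '{$this->label}'"
                );
            }
        }
        $this->v8->$name = $value;
    }

    public function executeString(string $js): mixed
    {
        return $this->v8->executeString($js);
    }
}

// Same scenario as the issue's reproducer, now caught before B ever sees
// A's handle.
$a = new IsolatedV8Js('A');
$b = new IsolatedV8Js('B');

$a->expose('callback', function (V8Function $cb) use ($b) {
    try {
        $b->assign('test', $cb);   // throws LogicException instead of crashing later
    } catch (LogicException $e) {
        echo $e->getMessage(), "\n";
    }
});

$a->executeString('PHP.callback(function() { print("Hallo from " + PHP.name + ".\\n"); });');
```

The registry is keyed by object identity, so a V8Function that arrives through a non-wrapped path has no recorded owner and is also refused; that is deliberate, since the safe default for a handle of unknown origin is to keep it inside the instance that produced it.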