PHPC-2210 and PHPC-2211: Fix direct BSON copy and toJson memory leak (#1415)

* PHPC-2211: Free intermediary result in php_phongo_bson_to_json()

This was responsible for several memory leaks in MongoDB\BSON\Document's JSON output methods.

* PHPC-2210: Fix direct copying of Document and PackedArray BSON

bson_copy_to() cannot be used with a bson_t originally allocated with bson_new(), since there is no way to revert the bson_t to an uninitialized state.

The previous code with bson_destroy() resulted in invalid reads/writes (reported by Valgrind) and could cause "malloc(): unaligned tcache chunk detected" aborts later in the process during a future, unrelated call to bson_copy_to().

With bson_destroy() removed, the malloc() aborts are avoided but Valgrind reports a leak for the originally allocation by bson_new().

The solution applied here borrows logic from bson_copy_to_excluding_noinit() to do a more flexible copy. bson_copy_to_excluding_noinit() could not be used directly because it requires at least one exclusion field name.

* Run clang-format

Co-authored-by: Andreas Braun <[email protected]>

Author: jmikola

src/phongo_bson.c

@@ -1438,6 +1438,7 @@ bool php_phongo_bson_to_json(zval* return_value, const bson_t* bson, php_phongo_
 	}
 
 	ZVAL_STRINGL(return_value, json, json_len);
+	bson_free(json);
 
 	return true;
 }

src/phongo_bson_encode.c

@@ -381,6 +381,24 @@ static void php_phongo_bson_append(bson_t* bson, php_phongo_field_path* field_pa
 	}
 }
 
+/* This is based on bson_copy_to_excluding_noinit() and is necessary because
+ * bson_copy_to() cannot be used with a bson_t allocated with bson_new(). */
+static void phongo_bson_copy_to_noinit(const bson_t* src, bson_t* dst)
+{
+	bson_iter_t iter;
+
+	if (bson_iter_init(&iter, src)) {
+		while (bson_iter_next(&iter)) {
+			if (!bson_append_iter(dst, NULL, 0, &iter)) {
+				/* This should not be able to happen since we are copying from
+				 * within a valid bson_t. */
+				phongo_throw_exception(PHONGO_ERROR_UNEXPECTED_VALUE, "Error copying \"%s\" field from source document", bson_iter_key(&iter));
+				return;
+			}
+		}
+	}
+}
+
 static void php_phongo_zval_to_bson_internal(zval* data, php_phongo_field_path* field_path, php_phongo_bson_flags_t flags, bson_t* bson, bson_t** bson_out)
 {
 	HashTable* ht_data = NULL;
@@ -403,17 +421,15 @@ static void php_phongo_zval_to_bson_internal(zval* data, php_phongo_field_path*
 			if (instanceof_function(Z_OBJCE_P(data), php_phongo_document_ce)) {
 				php_phongo_document_t* intern = Z_DOCUMENT_OBJ_P(data);
 
-				bson_destroy(bson);
-				bson_copy_to(intern->bson, bson);
+				phongo_bson_copy_to_noinit(intern->bson, bson);
 
 				goto done;
 			}
 
 			if (instanceof_function(Z_OBJCE_P(data), php_phongo_packedarray_ce)) {
 				php_phongo_packedarray_t* intern = Z_PACKEDARRAY_OBJ_P(data);
 
-				bson_destroy(bson);
-				bson_copy_to(intern->bson, bson);
+				phongo_bson_copy_to_noinit(intern->bson, bson);
 
 				goto done;
 			}

tests/bson/bson-document-fromPHP-004.phpt

@@ -0,0 +1,23 @@
+--TEST--
+MongoDB\BSON\Document::fromPHP() copies BSON data from Document and PackedArray
+--FILE--
+<?php
+
+require_once __DIR__ . '/../utils/basic.inc';
+
+$document = MongoDB\BSON\Document::fromJSON('{ "foo": "bar" }');
+$fromDocument = MongoDB\BSON\Document::fromPHP($document);
+echo $fromDocument->toRelaxedExtendedJSON(), "\n";
+
+// This will be interpreted as an object after copying, i.e. { "0": 1, "1": 2, "2": 3 }
+$packedArray = MongoDB\BSON\PackedArray::fromPHP([ 1, 2, 3 ]);
+$fromPackedArray = MongoDB\BSON\Document::fromPHP($packedArray);
+echo $fromPackedArray->toRelaxedExtendedJSON(), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+{ "foo" : "bar" }
+{ "0" : 1, "1" : 2, "2" : 3 }
+===DONE===

tests/bulk/bulkwrite-delete-003.phpt

@@ -0,0 +1,32 @@
+--TEST--
+MongoDB\Driver\BulkWrite::delete() $filter is MongoDB\BSON\Document
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$bulk = new MongoDB\Driver\BulkWrite();
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$filter = MongoDB\BSON\Document::fromJSON('{ "_id": { "$gt": 1 } }');
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->delete($filter);
+$result = $manager->executeBulkWrite(NS, $bulk);
+
+var_dump($result->getDeletedCount());
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+int(1)
+===DONE===

tests/bulk/bulkwrite-insert-002.phpt

@@ -0,0 +1,29 @@
+--TEST--
+MongoDB\Driver\BulkWrite::insert() $document is MongoDB\BSON\Document
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$document = MongoDB\BSON\Document::fromJSON('{ "_id": 2 }');
+
+$bulk = new MongoDB\Driver\BulkWrite();
+$insertedId = $bulk->insert($document);
+$result = $manager->executeBulkWrite(NS, $bulk);
+
+var_dump($insertedId);
+var_dump($result->getInsertedCount());
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+int(2)
+int(1)
+===DONE===

tests/bulk/bulkwrite-update-005.phpt

@@ -0,0 +1,35 @@
+--TEST--
+MongoDB\Driver\BulkWrite::update() $filter and $newObj are MongoDB\BSON\Document
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$bulk = new MongoDB\Driver\BulkWrite();
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$filter = MongoDB\BSON\Document::fromJSON('{ "_id": { "$gt": 1 } }');
+$newObj = MongoDB\BSON\Document::fromJSON('{ "$set": { "x": 1 } }');
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->update($filter, $newObj);
+$result = $manager->executeBulkWrite(NS, $bulk);
+
+var_dump($result->getMatchedCount());
+var_dump($result->getModifiedCount());
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+int(1)
+int(1)
+===DONE===

tests/command/command-ctor-002.phpt

@@ -0,0 +1,38 @@
+--TEST--
+MongoDB\Driver\Command::__construct() $document is MongoDB\Driver\Document
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$document = MongoDB\BSON\Document::fromJSON('{ "ping": 1 }');
+$command = new MongoDB\Driver\Command($document);
+
+var_dump($command);
+
+$cursor = $manager->executeCommand(DATABASE_NAME, $command);
+
+var_dump($cursor->toArray()[0]);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+object(MongoDB\Driver\Command)#%d (%d) {
+  ["command"]=>
+  object(stdClass)#%d (%d) {
+    ["ping"]=>
+    int(1)
+  }
+}
+object(stdClass)#%d (%d) {
+  ["ok"]=>
+  float(1)%A
+}
+===DONE===

tests/query/query-ctor-007.phpt

@@ -0,0 +1,54 @@
+--TEST--
+MongoDB\Driver\Query::__construct() $filter is MongoDB\Driver\Document
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$filter = MongoDB\BSON\Document::fromJSON('{ "_id": { "$gt": 1 } }');
+$query = new MongoDB\Driver\Query($filter);
+
+var_dump($query);
+
+$cursor = $manager->executeQuery(NS, $query);
+
+var_dump($cursor->toArray());
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+object(MongoDB\Driver\Query)#%d (%d) {
+  ["filter"]=>
+  object(stdClass)#%d (%d) {
+    ["_id"]=>
+    object(stdClass)#%d (%d) {
+      ["$gt"]=>
+      int(1)
+    }
+  }
+  ["options"]=>
+  object(stdClass)#%d (%d) {
+  }
+  ["readConcern"]=>
+  NULL
+}
+array(1) {
+  [0]=>
+  object(stdClass)#%d (%d) {
+    ["_id"]=>
+    int(2)
+  }
+}
+===DONE===