I believe this is the buggy code. It is setting a signal handler for SIGPROF that immediately dumps a timeout error message when the signal is received. However if the signal is delivered whilst PHP is processing a libc call to time(), a pthread mutex within libc is not released, causing a deadlock when Apache tries to call time() for the output.

A fix would be to have PHP set some flag such as "processing time exceeded" for the request and to then abort the request at the next available opporunity from within PHP instead of jumping out and leaving libc in a potentially unstable or dangerous state. Obviously this reduces the effectiveness of the maximum execution timeout as a blocking libc call could cause the timeout to be greatly exceeded, but I see no other safe way of handling this without leaving libc in a potentially dangerous state. Perhaps two signals could be used, the first one to break execution if possible at the next available opportunity and then the current "hard" break if no response within 15 seconds or something.

ZEND_API void zend_timeout(int dummy)
{
        TSRMLS_FETCH();

        if (zend_on_timeout) {
                zend_on_timeout(EG(timeout_seconds) TSRMLS_CC);
        }

        zend_error(E_ERROR, "Maximum execution time of %d second%s exceeded",
                          EG(timeout_seconds), EG(timeout_seconds) == 1 ? "" : "s");
}

...
                t_r.it_value.tv_sec = seconds;
                t_r.it_value.tv_usec = t_r.it_interval.tv_sec = t_r.it_interval.tv_usec = 0;

                setitimer(ITIMER_PROF, &t_r, NULL);
                signal(SIGPROF, zend_timeout);
                sigemptyset(&sigset);
                sigaddset(&sigset, SIGPROF);
                sigprocmask(SIG_UNBLOCK, &sigset, NULL);
        }

I've created a patch against 5.0.3 to implement my "soft timeout" idea above. It will try to soft-break execution after the timeout period elapses and then hard-break after another timeout period.

There seem to be a lot of calls to the zend_set_timeout and zend_unset_timeout functions that I'm not too sure are helping the situation. Here's what happens using the CLI PHP and printing whenever certain functions are hit:

$ sapi/cli/php /www/htdocs/time.php
zend_unset_timeout()
zend_set_timeout (0)
zend_set_timeout (0)
zend_set_timeout (0)
zend_unset_timeout()
zend_set_timeout (5)
Array 2005 2217696508 Jan-01-1998 Jan 01 1998 05:00:00
Array 2005 2217696508 Jan-01-1998 Jan 01 1998 05:00:00
Array 2005 2217696510 Jan-01-1998 Jan 01 1998 05:00:00
Array 2005 2217696512 Jan-01-1998 Jan 01 1998 05:00:00
Array 2005 2217696516 Jan-01-1998 Jan 01 1998 05:00:00
Array 2005 2217696516 Jan-01-1998 Jan 01 1998 05:00:00
zend_soft_timeout()
zend_set_timeout (5)
zend_timeout()
zend_set_timeout (5)

Fatal error: Maximum execution time of 5 seconds exceeded in /www/htdocs/time.php on line 10
zend_unset_timeout()
zend_set_timeout (30)
zend_unset_timeout()

And the patch to 5.0.3 to implement the "zend_soft_timeout" that "works for me" in that I'm not getting any more deadlocked Apache children: http://www.r1hosting.net/zend_timeout.patch

Andi, please take a look.  I remember some talk in the past about going this route, but I don't recall the arguments against it.
Similarly, I'm not sure that this is really a problem for PHP to fix; given that the time() function is officially not thread-safe, it seems wrong for the libc to mutex internally.

Dmitry, can you check this out please?

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

I have the same problem, reproduced on php 4.4.9 and 5.3.0.

Basically pseudocode to reproduce is set_time_limit(1); do { ... } until time passed = 1 second.

This will create a race condition where sometimes a libc lock will prevent zend_timeout to process properly.

Script to reproduce on 5.3.0: ($limit is not 1, because php seems to not break accurately on time - this value must be adjusted so the error "PHP Fatal error:  Maximum execution time of 1 second exceeded in Unknown on line 0" frequently appears. The script should fail within 100 runs (lock up).

<?php
  echo "Trying to break php...\n";
  set_time_limit(1);
  $limit = 1.235;
  $start = array_sum(explode(' ',$x = microtime()));
  $a = array();
  for ($cnt = 0; $cnt < 10; $cnt++) {
    for ($cntb = 0; $cntb < 100; $cntb++) {
      for ($cntc = 0; $cntc < 100; $cntc++) {
        $end = array_sum(explode(' ',$y = microtime()));
        $a[$cnt][$cntb][$cntc] = md5($cnt.$cntb.$cntc);
        if ($end >= $start+$limit) break;   
      }
      if ($end >= $start+$limit) break;   
    }
    if ($end >= $start+$limit) break;   
  }
  echo "$x - $y (".($end-$start).")\n";
?>

run with: while [ true ]; do php break.php; done

Though this scenario is unlikely, there are other cases where it can happen very often, however I fail to come up with a short example of it. The reason for generating a multidimensional array is that in php4, the hang is very likely to happen within zend_shutdown, as the resources are freed (hangs within 1-10 cycles)

Keep in mind error logging has to be enabled (this is when there's calls for libc "get time" which causes the locking issue within zend_timeout)

pstack for php 5.3.0:

# pstack 1565
#0  0x00319402 in __kernel_vsyscall ()
#1  0x001dede3 in __lll_lock_wait_private () from /lib/libc.so.6
#2  0x0016e6f6 in _L_lock_15330 () from /lib/libc.so.6
#3  0x0016dbb4 in free () from /lib/libc.so.6
#4  0x0012067c in setlocale () from /lib/libc.so.6
#5  0x08084586 in seek_to_tz_position ()
#6  0x08084664 in timelib_timezone_id_is_valid ()
#7  0x0806575c in guess_timezone ()
#8  0x080657a5 in get_timezone_info ()
#9  0x08067f35 in php_format_date ()
#10 0x082ab96e in php_log_err ()
#11 0x082abe17 in php_error_cb ()
#12 0x082f9fe8 in zend_error_noreturn ()
#13 0x082ec745 in zend_timeout ()
#14 <signal handler called>
#15 0x00169c49 in _int_free () from /lib/libc.so.6
#16 0x0016dbc0 in free () from /lib/libc.so.6
#17 0x082ac6df in php_conv_fp ()
#18 0x082ad409 in strx_printv ()
#19 0x082ad804 in ap_php_snprintf ()
#20 0x082565f2 in _php_gettimeofday ()
#21 0x08342509 in zend_do_fcall_common_helper_SPEC ()
#22 0x08319f3d in execute ()
#23 0x082f8e47 in zend_execute_scripts ()
#24 0x082a92be in php_execute_script ()
#25 0x08378457 in main ()

Any suggestions how to patch php4 be greatly appreciated!

Michael

The suggested patch is an improvement, but it still calls zend_timeout() when the "hard timeout" is reached, which will usually deadlock if a libc mutex such as the one for malloc() is held. The only safe way to handle this situation is to kill the process without calling any non-signal-safe functions, e.g. by calling abort(). If you return control to Apache using longjmp() (like what zend_bailout() does), Apache will deadlock instead. I haven't found any robust way to display an error message, it would look the same as a segfault to the user.

I added a workaround to our custom error handler:

https://www.mediawiki.org/wiki/Special:Code/MediaWiki/103433

Interesting as well as weird bug.
I have nothing to say about it that would move things forward but that signal 
handling have been rewritten in PHP5.4. It might handle such cases, see with 
contributors.

You should have a look at http://lxr.php.net/xref/PHP_5_4/Zend/zend_signal.c and 
try to reproduce the bug on a 5.4 basis.

Seems like there are problems with 5.4 zend signals.
http://marc.info/?l=php-internals&m=132921501729587

Also, see related #61067

For Apache1 longjmp() problems, I added the "exit_on_timeout" ini switch a long 
time ago. It is a crude but effective way to deal with this.

This is finally fixed in PHP-7.1 with "safe timeout handling.