Bug #38878 Engine crashes with function with default parameters, with opcode cache.
Submitted: 2006-09-19 12:27 UTC Modified: 2006-09-19 13:44 UTC
From: kaien at sparcs dot org Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.1.6 OS: Linux
Private report: No CVE-ID: None
 [2006-09-19 12:27 UTC] kaien at sparcs dot org
Description:
------------
A function with default parameters consisting of an array of string elements causes a race condition leading to an engine crash when used with an opcode cache.

The ZEND_RECV_INIT handler duplicates the array hashtable itself, but does not duplicate each individual element from shm, AND only increments the refcount of the default parameter array elements.
So, zval_copy_ctor and zval_dtor modify the zval refcount of the array element without any mutex, which causes an engine crash.

Tested on php5 with Zend Performance Suite and eAccelerator, on 2-way and 4-way boxes.
I guess there will be the same problem on php4 too.

I know this is not just a bug of the script engine alone,
but I guess the engine should not modify compiled opcodes while executing.


Reproduce code:
---------------
script.php:
<?php
// The default value is an array of string literals; with an opcode cache the
// compiled array and its elements live in shared memory.
function a($cols = array("AAA", "BBB"))
{
  // Consume the default array so its elements are copied and destroyed
  // on every call.
  $cols = implode(',', $cols);
  $query = "select $cols";
}
a();
?>

% ab -n 100000 -c 10 http://localhost/script.php


Expected result:
----------------
No segv.


Actual result:
--------------
Repeated segv after the refcount of the string zval("AAA") becomes 0.
(The stack trace points to zval_dtor/efree() called on zval("AAA") in shm, because refcount == 0.)
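A constructed model of the mechanism described in the report above, added here as an illustration; it is not Zend engine code and not part of the original bug report. It models refcounted values held in shared memory, a shallow copy of the array that bumps the shared element refcounts with a non-atomic load/modify/store, and a deep copy that duplicates each element into request-local memory. All struct and function names are assumptions made for the example. The replayed schedule is the lost-increment interleaving that drives a cached zval to refcount 0 (the efree() on shm in the stack trace), and the deep-copy variant shows the cache untouched under the same schedule.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a refcounted engine value and an array of such values;
 * not Zend engine code. In the report the default-parameter array and its
 * string elements are compiled once and kept in the opcode cache's shared
 * memory (shm), so every worker sees the same refcount fields. */
typedef struct {
    int refcount;
    char data[8];
    int in_shm;                /* 1 if this value lives in the shared cache */
} value_t;

enum { NELEMS = 2 };
typedef struct { value_t *elems[NELEMS]; } array_t;
typedef struct { int shm_refcount; int premature_frees; } outcome_t;

/* A non-atomic refcount update as the CPU performs it: load the field into a
 * register, modify it, store it back. Keeping the halves separate lets the
 * example replay one interleaving of two workers deterministically. */
typedef struct { int reg[NELEMS]; } worker_t;

static void rc_load(worker_t *w, const array_t *a) {
    for (int i = 0; i < NELEMS; i++) w->reg[i] = a->elems[i]->refcount;
}
static void rc_store(const worker_t *w, array_t *a, int delta) {
    for (int i = 0; i < NELEMS; i++) a->elems[i]->refcount = w->reg[i] + delta;
}

/* Times a value living in shm reached refcount 0 and would have been handed
 * to efree(): in the real engine that is the segfault the report describes. */
static int shm_frees;

/* Shallow duplication, as the report describes ZEND_RECV_INIT: the array is
 * new, but each slot still points at the element in shm, and it is that
 * shared element's refcount which gets incremented and decremented. */
static void shallow_copy(array_t *dst, const array_t *shm) {
    for (int i = 0; i < NELEMS; i++) dst->elems[i] = shm->elems[i];
}
static void shallow_dtor(worker_t *w, array_t *a) {
    rc_load(w, a);
    rc_store(w, a, -1);
    for (int i = 0; i < NELEMS; i++)
        if (a->elems[i]->refcount == 0 && a->elems[i]->in_shm) shm_frees++;
}

/* Deep duplication: every element is copied into request-local memory, so the
 * refcounts the worker modifies are private and the cache is never written. */
static void deep_copy(array_t *dst, const array_t *shm) {
    for (int i = 0; i < NELEMS; i++) {
        value_t *v = malloc(sizeof *v);
        *v = *shm->elems[i];
        v->refcount = 1;
        v->in_shm = 0;
        dst->elems[i] = v;
    }
}
static void deep_dtor(array_t *a) {
    for (int i = 0; i < NELEMS; i++) {
        if (--a->elems[i]->refcount != 0) continue;
        if (a->elems[i]->in_shm) shm_frees++; else free(a->elems[i]);
    }
}

/* Replays the interleaving behind the crash: two workers enter a() together,
 * both load refcount 1 and both store 2, so one increment is lost and the
 * second release drives the cached "AAA"/"BBB" zvals to refcount 0. */
static outcome_t replay_shallow(void) {
    value_t elems[NELEMS] = { {1, "AAA", 1}, {1, "BBB", 1} };
    array_t shm = { { &elems[0], &elems[1] } };
    array_t a1, a2;
    worker_t w1, w2;
    shm_frees = 0;
    shallow_copy(&a1, &shm);
    shallow_copy(&a2, &shm);
    rc_load(&w1, &a1);          /* worker 1 reads 1 */
    rc_load(&w2, &a2);          /* worker 2 reads 1 */
    rc_store(&w1, &a1, +1);     /* worker 1 writes 2 */
    rc_store(&w2, &a2, +1);     /* worker 2 writes 2: one increment lost */
    shallow_dtor(&w1, &a1);     /* 2 -> 1 */
    shallow_dtor(&w2, &a2);     /* 1 -> 0: shm zval handed to efree() */
    return (outcome_t){ elems[0].refcount, shm_frees };
}

/* The same schedule with deep copies: the cached refcounts stay at 1. */
static outcome_t replay_deep(void) {
    value_t elems[NELEMS] = { {1, "AAA", 1}, {1, "BBB", 1} };
    array_t shm = { { &elems[0], &elems[1] } };
    array_t a1, a2;
    shm_frees = 0;
    deep_copy(&a1, &shm);
    deep_copy(&a2, &shm);
    deep_dtor(&a1);
    deep_dtor(&a2);
    return (outcome_t){ elems[0].refcount, shm_frees };
}

int main(void) {
    outcome_t s = replay_shallow(), d = replay_deep();
    printf("shallow: shm refcount %d, premature frees %d\n", s.shm_refcount, s.premature_frees);
    printf("deep:    shm refcount %d, premature frees %d\n", d.shm_refcount, d.premature_frees);
    return 0;
}
```

The shallow replay ends with the shared "AAA" zval at refcount 0 and both cached elements counted as freed, which is the state the reporter's stack trace shows; the deep replay leaves the cache at refcount 1 because no worker ever writes to it. The general point for anything that maps compiled data into shared memory: either the shared structure is treated as immutable and copied out before use, or every refcount it carries is updated atomically.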


 [2006-09-19 12:33 UTC] johannes@php.net
Do not file bugs when you have Zend extensions (zend_extension=)
loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache,
APC, Xdebug and ionCube loader.  These extensions often modify engine
behavior which is not related to PHP itself.


 [2006-09-19 12:51 UTC] kaien at sparcs dot org
I thought the PHP script engine is designed not to modify the data in the compiled opcodes (zend_op[]),
so I reported this bug as a scripting engine problem,
rather than reporting it to the Zend Performance Suite and eAccelerator developers.
Furthermore, since this seems to be a general architectural problem which manifests itself when used with ANY opcode cache system, we are hoping that anyone possibly involved in the Zend Performance Suite might be able to help us.  If it would be possible for Dmitry (since he seems to have been involved in the Turck MM cache development) to see into this problem, it would be greatly appreciated.
 [2006-09-19 13:10 UTC] dmitry@php.net
I remember this kind of bugs.
I caught them several years ago (before I came to Zend).
I'll try to look into them when I have time.
 [2006-09-19 13:44 UTC] derick@php.net
It's still not a PHP bug.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 18:01:24 2019 UTC