|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38878 Engine crashes with function with default parameters, with opcode cache.
Submitted: 2006-09-19 12:27 UTC Modified: 2006-09-19 13:44 UTC
From: kaien at sparcs dot org Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.1.6 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
24 + 10 = ?
Subscribe to this entry?

 [2006-09-19 12:27 UTC] kaien at sparcs dot org
Function with default parameters consisting of an array of string elements causes a race condition leading to engine crash when used with opcode cache.

ZEND_RECV_INIT handler duplicates the array hashtable itself, but does not duplicate each individual elements from shm, AND only increments the refcount of the default parameter array element.
So, zval_copy_ctor and zval_dtor modifies the zval refcount of the array element without any mutex, which causes an engine crash.

Tested on php5 with Zend performance suite and eaccelerator, with 2way, 4way boxes.
I guess there will be same problem on php4 too.

I know this is not just bug of script engine alone,
but I guess the engine should not modify compiled opcodes while executing.

Reproduce code:
function a($cols = array("AAA", "BBB"))
  $cols = implode(',', $cols);
  $query = "select $cols";

% ab -n 100000 -c 10 http://localhost/script.php

Expected result:
No segv.

Actual result:
Repeated segv after refcount of string zval("AAA") becomes 0.
(stacktrace points to zval_dtor/efree() called on zval("AAA") in shm, because refcount == 0.)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-19 12:33 UTC]
Do not file bugs when you have Zend extensions (zend_extension=)
loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache,
APC, Xdebug and ionCube loader.  These extensions often modify engine
behavior which is not related to PHP itself.

 [2006-09-19 12:51 UTC] kaien at sparcs dot org
I thought the PHP script engine is designed not to modify the data in the compiled opcodes(zend_op[])
So I reported this bug as scripting engine problem,
rather then report to zend performance suite, eaccelerator developer.
Furthermore, since this seems to a general architectural problem which manifests itself when used with ANY opcode cache system, we are hoping that anyone possibly involved in the Zend Performance Suite might be able to help us.  If it would be possible for Dmitry (since he seems to have been involved in the Turcke MM cache development) for see into this problem, it would be greatly appreciated.
 [2006-09-19 13:10 UTC]
I remeber this kind of bags.
I catched them several years ago (before I come to Zend).
I'll try to look into them when I'll have time.
 [2006-09-19 13:44 UTC]
It's still not a PHP bug.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jul 13 02:01:25 2020 UTC