Bug #38878 Engine crashes with function with default parameters, with opcode cache.
Submitted: 2006-09-19 12:27 UTC Modified: 2006-09-19 13:44 UTC
From: kaien at sparcs dot org Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.1.6 OS: Linux
Private report: No CVE-ID: None
 [2006-09-19 12:27 UTC] kaien at sparcs dot org
Description:
------------
A function with a default parameter consisting of an array of string elements causes a race condition leading to an engine crash when used with an opcode cache.

The ZEND_RECV_INIT handler duplicates the array hashtable itself, but does not duplicate the individual elements from shm, AND only increments the refcount of the default parameter array element.
So, zval_copy_ctor and zval_dtor modify the zval refcount of the array element without any mutex, which causes an engine crash.

Tested on php5 with Zend Performance Suite and eaccelerator, on 2-way and 4-way boxes.
I guess there will be the same problem on php4 too.

I know this is not just a bug of the script engine alone,
but I guess the engine should not modify compiled opcodes while executing.


Reproduce code:
---------------
script.php:
<?php
// Default parameter: an array of string literals. With an opcode cache the
// compiled op_array, including this default value, lives in shared memory.
function a($cols = array("AAA", "BBB"))
{
  $cols = implode(',', $cols);
  $query = "select $cols";
}
// Called without an argument, so ZEND_RECV_INIT has to copy the cached default.
a();
?>

% ab -n 100000 -c 10 http://localhost/script.php


Expected result:
----------------
No segv.


Actual result:
--------------
Repeated segv after the refcount of the string zval("AAA") becomes 0.
(The stacktrace points to zval_dtor/efree() called on zval("AAA") in shm, because refcount == 0.)
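The following is an added illustration of the lost-update race the report describes; it is a toy model written for this page, not code from the PHP engine or from any opcode cache. The struct names, the two-step LOAD/STORE model of a non-atomic refcount update and the fixed interleaving of two requests are assumptions chosen so the lost addref reproduces deterministically without threads. The first function mimics what the report says ZEND_RECV_INIT does (addref the element that still lives in shm); the second mimics the alternative the reporter argues for (copy the element into request memory and never write to compiled data).

```c
/* Toy model of two requests racing on the refcount of one string zval that an
   opcode cache keeps in shared memory. Not PHP engine code; see the lead-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A string zval as the opcode cache keeps it in shm. The compiled op_array
   holds one reference to it, so it starts with refcount 1. */
typedef struct {
    const char *value;
    int refcount;   /* written by every request that runs the cached script */
    bool freed;     /* set when a delref drives refcount to 0: efree() on shm */
} shm_zval;

/* A request-private zval, i.e. the element copied into request memory. */
typedef struct {
    const char *value;
    int refcount;
} local_zval;

/* A non-atomic refcount++ / refcount-- is two machine steps: LOAD the counter
   into a register, then STORE register + delta back. Each step names the
   request (0 or 1) that performs it. */
typedef enum { LOAD, STORE } op;
typedef struct { int req; op what; int delta; } step;

#define NREQ 2

/* Interleaving that loses one addref: both requests load before either stores
   (the RECV_INIT addref), then each request's zval_dtor() at function exit
   decrements once. Assumed schedule, chosen to show the lost update. */
static const step schedule[] = {
    {0, LOAD, 0},   {1, LOAD, 0},        /* both read refcount == 1            */
    {0, STORE, +1}, {1, STORE, +1},      /* both write 2: one addref is lost   */
    {0, LOAD, 0},   {0, STORE, -1},      /* request 0 dtor: 2 -> 1             */
    {1, LOAD, 0},   {1, STORE, -1},      /* request 1 dtor: 1 -> 0, efree(shm) */
};
#define NSTEPS (sizeof schedule / sizeof schedule[0])

/* What the report describes: the hashtable is duplicated but the element is
   only addref'd, so both requests' LOAD/STORE hit the same shm counter. */
static int race_on_shared_refcount(shm_zval *z) {
    int reg[NREQ] = {0, 0};
    for (size_t i = 0; i < NSTEPS; i++) {
        const step *s = &schedule[i];
        if (s->what == LOAD) {
            reg[s->req] = z->refcount;
        } else {
            z->refcount = reg[s->req] + s->delta;
            if (z->refcount == 0) z->freed = true;   /* zval_dtor -> efree() */
        }
    }
    return z->refcount;
}

/* The alternative the reporter argues for: the executor never writes to
   compiled data. Each request copies the element into its own memory and
   addrefs/delrefs that copy; the shm counter is only ever read. Same
   schedule, private targets, no shared write, nothing to lose. */
static int race_on_private_copies(shm_zval *z) {
    local_zval priv[NREQ];
    int reg[NREQ] = {0, 0};
    for (int r = 0; r < NREQ; r++) {
        priv[r].value = z->value;       /* zval_copy_ctor into request memory */
        priv[r].refcount = 1;
    }
    for (size_t i = 0; i < NSTEPS; i++) {
        const step *s = &schedule[i];
        if (s->what == LOAD) reg[s->req] = priv[s->req].refcount;
        else priv[s->req].refcount = reg[s->req] + s->delta;
    }
    return z->refcount;                 /* still what the op_array set: 1 */
}

/* Entry points: run the schedule against a fresh "AAA" zval and report. */
int shm_refcount_after_race(void) {
    shm_zval z = {"AAA", 1, false};
    return race_on_shared_refcount(&z);
}
int shm_freed_after_race(void) {
    shm_zval z = {"AAA", 1, false};
    race_on_shared_refcount(&z);
    return z.freed ? 1 : 0;
}
int shm_refcount_with_private_copies(void) {
    shm_zval z = {"AAA", 1, false};
    return race_on_private_copies(&z);
}

int main(void) {
    printf("shared refcount: %d (freed: %d)\n",
           shm_refcount_after_race(), shm_freed_after_race());
    printf("private copies, shm refcount: %d\n",
           shm_refcount_with_private_copies());
    return 0;
}
```

After the shared-refcount run the shm string ends at refcount 0 and has been "freed" while the cached opcodes still point at it, which is exactly the efree() on a shm zval the stacktrace above shows; every later request then works on freed memory. With per-request copies the shm counter stays at 1. On a real prefork server the "requests" are separate processes sharing an mmap'd segment, so there is no lock or atomic that the engine could rely on without the cache and the executor agreeing on one; the only robust rule is the one the reporter states, that compiled data in shm must be treated as read-only.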


History

 [2006-09-19 12:33 UTC] johannes@php.net
Do not file bugs when you have Zend extensions (zend_extension=)
loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache,
APC, Xdebug and ionCube loader.  These extensions often modify engine
behavior which is not related to PHP itself.


 [2006-09-19 12:51 UTC] kaien at sparcs dot org
I thought the PHP script engine is designed not to modify the data in the compiled opcodes (zend_op[]).
So I reported this bug as a scripting engine problem,
rather than reporting it to the Zend Performance Suite or eaccelerator developers.
Furthermore, since this seems to be a general architectural problem which manifests itself when used with ANY opcode cache system, we are hoping that anyone possibly involved in the Zend Performance Suite might be able to help us. If it would be possible for Dmitry (since he seems to have been involved in the Turck MMCache development) to look into this problem, it would be greatly appreciated.
 [2006-09-19 13:10 UTC] dmitry@php.net
I remember this kind of bug.
I caught them several years ago (before I came to Zend).
I'll try to look into them when I have time.
 [2006-09-19 13:44 UTC] derick@php.net
It's still not a PHP bug.
 