Bug #75601 Thread race in PCRE JIT support
Submitted: 2017-11-30 14:23 UTC Modified: 2017-11-30 20:08 UTC
From: rperper at litespeedtech dot com Assigned: ab (profile)
Status: Closed Package: PCRE related
PHP Version: 7.2.0 OS: OpenSuSE
Private report: No CVE-ID: None
 [2017-11-30 14:23 UTC] rperper at litespeedtech dot com
Description:
------------
I am a developer at LiteSpeed Technologies and am working on a thread-capable version of the PHP module to be included in the Open-LiteSpeed web server.  During load testing, using PCRE with JIT support enabled (the default) with the thread-sanitizer enabled, we detected a race condition in sljitUtils.c line 224.  It appears that there are unprotected globals which will never be successful in a multi-threaded environment.  We recommend protecting these globals with atomic functions, or in some other way to avoid the race conditions.

Test script:
---------------
Cannot be reproduced in a script.

Actual result:
--------------
WARNING: ThreadSanitizer: data race (pid=49992)
  Read of size 8 at 0x7ffff4de1798 by thread T2 (mutexes: write M546):
    #0 sljit_allocate_stack /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/ext/pcre/pcrelib/sljit/sljitUtils.c:224 (mod_lsphp72.so+0x000000323c2f)
    #1 php_pcre_jit_stack_alloc /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/ext/pcre/pcrelib/pcre_jit_compile.c:11625 (mod_lsphp72.so+0x000000323b9f)
    #2 zm_activate_pcre /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/ext/pcre/php_pcre.c:229 (mod_lsphp72.so+0x00000037f31b)
    #3 zend_activate_modules /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/Zend/zend_API.c:2600 (mod_lsphp72.so+0x0000012ebfab)
    #4 php_request_startup /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/main/main.c:1696 (mod_lsphp72.so+0x0000010c528e)
    #5 lsiapi_module_main /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/sapi/mod_lsphp/mod_lsphp.c:1489 (mod_lsphp72.so+0x000001586250)
    #6 process_req /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/sapi/mod_lsphp/mod_lsphp.c:1536 (mod_lsphp72.so+0x0000015847c5)
    #7 mod_lsphp_begin_process /home/user/proj/openlitespeed/src/modules/mod_lsphp/php-7.2/sapi/mod_lsphp/mod_lsphp.c:1667 (mod_lsphp72.so+0x00000157f3a0)
    #8 MtHandlerProcess(ls_lfnodei_s*) /home/user/proj/openlitespeed/src/lsiapi/modulehandler.cpp:46 (openlitespeed+0x00000088ced5)
    #9 WorkCrew::workerRoutine(CrewWorker*) /home/user/proj/openlitespeed/src/thread/workcrew.cpp:448 (openlitespeed+0x000000944a11)
    #10 CrewWorker::thr_main(void*) /home/user/proj/openlitespeed/src/thread/crewworker.cpp:36 (openlitespeed+0x00000094531e)
    #11 Thread::start_routine(void*) /home/user/proj/openlitespeed/src/thread/thread.cpp:43 (openlitespeed+0x000000942657)

History

 [2017-11-30 20:08 UTC] ab@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: ab
 [2017-11-30 20:08 UTC] ab@php.net
Confirmed. What is merely needed is to mutex-protect the JIT stack allocation; patching the bundled library is not needed. If you have a patch for this, please attach it, otherwise I'm going to work on a fix in the next few days.

Thanks.
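The pattern behind this report, as an added illustration that is not code from PHP, sljit or the reporter: a constructed stand-in for an allocator that keeps its bookkeeping in process-wide globals, called once per request activation from several threads, beside the caller-side fix the maintainer describes (serialising the call behind a mutex rather than patching the bundled library). Thread and request counts are arbitrary.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for allocator state kept in unprotected globals,
 * the situation the sanitizer report above attributes to sljit_allocate_stack. */
static size_t g_stacks_allocated;
static pthread_mutex_t g_jit_lock = PTHREAD_MUTEX_INITIALIZER;

/* Racy: an unsynchronised read-modify-write of a global. Two threads can read
 * the same old value and one increment is lost; ThreadSanitizer flags this. */
static void jit_stack_alloc_racy(void) {
    g_stacks_allocated++;
}

/* Fixed: the same allocation, serialised by the caller with a mutex. */
static void jit_stack_alloc_locked(void) {
    pthread_mutex_lock(&g_jit_lock);
    g_stacks_allocated++;
    pthread_mutex_unlock(&g_jit_lock);
}

enum { THREADS = 8, REQUESTS = 100000 };  /* constructed load parameters */

/* Each worker simulates REQUESTS request activations on one thread. */
static void *worker(void *arg) {
    int locked = *(int *)arg;
    for (int i = 0; i < REQUESTS; i++)
        locked ? jit_stack_alloc_locked() : jit_stack_alloc_racy();
    return NULL;
}

/* Runs the simulated load and returns the final counter. With locked != 0
 * the result is always THREADS * REQUESTS; the racy variant may come up short. */
size_t run_allocations(int locked) {
    pthread_t tid[THREADS];
    g_stacks_allocated = 0;
    for (int i = 0; i < THREADS; i++)
        pthread_create(&tid[i], NULL, worker, &locked);
    for (int i = 0; i < THREADS; i++)
        pthread_join(tid[i], NULL);   /* join makes the final read race-free */
    return g_stacks_allocated;
}

int main(void) {
    printf("racy:   %zu\n", run_allocations(0));
    printf("locked: %zu (expected %d)\n", run_allocations(1), THREADS * REQUESTS);
    return 0;
}
```

Building with `-pthread -fsanitize=thread` reproduces a "data race" warning for the racy variant and none for the locked one, which is the check a thread-capable SAPI should keep in its load tests.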
 [2017-12-05 16:42 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=31b2b14a712f9a8e6beddec4522e12484259422b
Log: Fixed bug #75601 Thread race in PCRE JIT support
 [2017-12-05 16:42 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2017-12-05 16:42 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75a2ee7f7bad4d3bc7bc60c181eabcc6d58c7937
Log: Fixed bug #75601 Thread race in PCRE JIT support
 [2017-12-05 16:42 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9cca85ff0760603dfa8ac58e1828f4c5ab3a5afe
Log: Fixed bug #75601 Thread race in PCRE JIT support
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 23:01:23 2019 UTC