ID: 38878
Updated by: [EMAIL PROTECTED]
Reported By: kaien at sparcs dot org
-Status: Open
+Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.1.6
New Comment:
Do not file bugs when you have Zend extensions (zend_extension=)
loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache,
APC, Xdebug and ionCube loader. These extensions often modify engine
behavior which is not related to PHP itself.
Previous Comments:
------------------------------------------------------------------------
[2006-09-19 12:27:29] kaien at sparcs dot org
Description:
------------
Function with default parameters consisting of an array of string
elements causes a race condition leading to engine crash when used with
opcode cache.
ZEND_RECV_INIT handler duplicates the array hashtable itself, but does
not duplicate each individual elements from shm, AND only increments
the refcount of the default parameter array element.
So, zval_copy_ctor and zval_dtor modifies the zval refcount of the
array element without any mutex, which causes an engine crash.
Tested on php5 with Zend performance suite and eaccelerator, with 2way,
4way boxes.
I guess there will be same problem on php4 too.
I know this is not just bug of script engine alone,
but I guess the engine should not modify compiled opcodes while
executing.
Reproduce code:
---------------
script.php:
<?
function a($cols = array("AAA", "BBB"))
{
$cols = implode(',', $cols);
$query = "select $cols";
}
a();
?>
% ab -n 100000 -c 10 http://localhost/script.php
Expected result:
----------------
No segv.
Actual result:
--------------
Repeated segv after refcount of string zval("AAA") becomes 0.
(stacktrace points to zval_dtor/efree() called on zval("AAA") in shm,
because refcount == 0.)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38878&edit=1
