ID: 38878
Updated by: [EMAIL PROTECTED]
Reported By: kaien at sparcs dot org
-Status: Open
+Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.1.6
New Comment:
Do not file bugs when you have Zend extensions (zend_extension=) loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache, APC, Xdebug and ionCube loader. These extensions often modify engine behavior which is not related to PHP itself.


Previous Comments:
------------------------------------------------------------------------

[2006-09-19 12:27:29] kaien at sparcs dot org

Description:
------------
A function with default parameters consisting of an array of string elements causes a race condition leading to an engine crash when used with an opcode cache.

The ZEND_RECV_INIT handler duplicates the array hashtable itself, but does not duplicate each individual element from shm, AND only increments the refcount of the default parameter array element. So zval_copy_ctor and zval_dtor modify the zval refcount of the array element without any mutex, which causes an engine crash.

Tested on php5 with Zend Performance Suite and eAccelerator, on 2-way and 4-way boxes. I guess there will be the same problem on php4 too.

I know this is not just a bug of the script engine alone, but I guess the engine should not modify compiled opcodes while executing.

Reproduce code:
---------------
script.php:

<?php
// Reproducer posted by the reporter: the default parameter value is an
// array literal, so it is compiled into the function's op_array and, with
// an opcode cache, lives in shared memory.
function a($cols = array("AAA", "BBB"))
{
    // implode() reads the default array; the reporter's point is that the
    // string elements it touches are the shared, cached zvals.
    $cols = implode(',', $cols);
    $query = "select $cols";
}
a();
?>

% ab -n 100000 -c 10 http://localhost/script.php

Expected result:
----------------
No segv.

Actual result:
--------------
Repeated segv after the refcount of the string zval("AAA") becomes 0.
(The stacktrace points to zval_dtor/efree() called on zval("AAA") in shm, because refcount == 0.)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38878&edit=1
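The following is an added example written for this page, not code from the bug report or from PHP itself. It shows the reporter's script beside a variant that keeps the default parameter out of the compiled function signature by defaulting to null and building the array in the function body. The workaround rests on an assumption the page does not confirm: that an array literal in a parameter list is stored as a constant in the cached op_array (the shared-memory zvals the report describes), whereas an array built at run time is allocated in per-request memory, so no shared zval's refcount is touched. The function names a_shared_default and a_runtime_default are this example's own.

```php
<?php
// Added example, not part of bug #38878. Both functions produce the same
// query string; they differ only in where the default array lives.

// Reporter's shape: the default array is part of the compiled signature.
// Assumption: with an opcode cache this array and its string elements
// sit in shared memory, which is what the bug report is about.
function a_shared_default($cols = array("AAA", "BBB"))
{
    $cols = implode(',', $cols);
    return "select $cols";
}

// Workaround shape: default to null and construct the array at run time.
// Assumption: the array built here is allocated per request, so the
// engine never adjusts refcounts on cached, shared zvals for it.
function a_runtime_default($cols = null)
{
    if ($cols === null) {
        $cols = array("AAA", "BBB");
    }
    $cols = implode(',', $cols);
    return "select $cols";
}

// Sanity check that the rewrite is behaviour-preserving: the two variants
// must agree both for the default and for an explicitly supplied array.
$same_default  = (a_shared_default() === a_runtime_default());
$same_explicit = (a_shared_default(array("X", "Y")) === a_runtime_default(array("X", "Y")));
var_dump($same_default && $same_explicit);
```

The comparison at the end is the check a practitioner would run before rolling such a change across a code base: the only intended difference is the allocation site of the default value, so the returned query must be identical in every case. This is a mitigation for users of opcode caches; it does not address the maintainer's position above that the report belongs with the extension vendor.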