ID:               38878
 Updated by:       [EMAIL PROTECTED]
 Reported By:      kaien at sparcs dot org
-Status:           Open
+Status:           Assigned
 Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      5.1.6
-Assigned To:      
+Assigned To:      dmitry
 New Comment:

I remember this kind of bug.
I caught them several years ago (before I came to Zend).
I'll try to look into them when I have time.


Previous Comments:
------------------------------------------------------------------------

[2006-09-19 12:51:23] kaien at sparcs dot org

I thought the PHP script engine was designed not to modify the data in
the compiled opcodes (zend_op[]).
So I reported this bug as a scripting engine problem,
rather than reporting it to the Zend Performance Suite or eAccelerator developers.
Furthermore, since this seems to be a general architectural problem which
manifests itself when used with ANY opcode cache system, we are hoping
that anyone possibly involved in the Zend Performance Suite might be
able to help us.  If it would be possible for Dmitry (since he seems to
have been involved in the Turck MMCache development) to look into this
problem, it would be greatly appreciated.

------------------------------------------------------------------------

[2006-09-19 12:33:08] [EMAIL PROTECTED]

Do not file bugs when you have Zend extensions (zend_extension=)
loaded. Examples are Zend Optimizer, Zend Debugger, Turck MM Cache,
APC, Xdebug and ionCube loader.  These extensions often modify engine
behavior which is not related to PHP itself.



------------------------------------------------------------------------

[2006-09-19 12:27:29] kaien at sparcs dot org

Description:
------------
A function with a default parameter consisting of an array of string
elements causes a race condition leading to an engine crash when used with
an opcode cache.

The ZEND_RECV_INIT handler duplicates the array hashtable itself, but does
not duplicate the individual elements from shm, AND only increments
the refcount of each default parameter array element.
So zval_copy_ctor and zval_dtor modify the zval refcount of the
array element without any mutex, which causes an engine crash.

Tested on php5 with Zend Performance Suite and eAccelerator, on 2-way and
4-way boxes.
I guess there will be the same problem on php4 too.

I know this is not just a bug of the script engine alone,
but I guess the engine should not modify compiled opcodes while
executing.


Reproduce code:
---------------
script.php:
<?php
// Default parameter: an array of string zvals. With an opcode cache the
// compiled default (and its elements) lives in shared memory.
function a($cols = array("AAA", "BBB"))
{
  $cols = implode(',', $cols);   // reassigning $cols releases the request's copy of the default array
  $query = "select $cols";
}
a();
?>

% ab -n 100000 -c 10 http://localhost/script.php


Expected result:
----------------
No segv.


Actual result:
--------------
Repeated segv after the refcount of the string zval("AAA") becomes 0.
(The stacktrace points to zval_dtor/efree() called on the zval("AAA") in shm,
because refcount == 0.)



------------------------------------------------------------------------
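The mechanism the report describes, as an added illustration that is not part of the bug report and not Zend engine code: a constructed model of a refcounted zval and an array of zval pointers, where the default-parameter array's elements live in cache shared memory. ht_shallow_dup() does what the report attributes to ZEND_RECV_INIT (new hashtable, shared elements, refcount++ into shm); shallow_dup_lost_update() forces the unsynchronised load/add/store interleaving that loses one reference so the request-end destructors drive the shm zval to refcount 0; ht_deep_dup() shows the direction the reporter argues for (private element copies, shm never written). All names, the in_shm flag and the shm_free_attempts counter are assumptions of this model.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Zend engine code): a refcounted zval and an array
 * of zval pointers.  The default-parameter array and its string elements
 * live in the opcode cache's shared memory ("shm"); no request may efree()
 * them. */
typedef struct { int refcount; int in_shm; char *str; } zval;
typedef struct { int n; zval **elems; } hashtable;

/* Number of times zval_dtor reached zero on a shm zval.  In the real engine
 * each such event is the efree() on shm that segfaults. */
static int shm_free_attempts = 0;

static zval *zval_new(const char *s, int in_shm) {
    zval *z = malloc(sizeof *z);
    z->refcount = 1; z->in_shm = in_shm; z->str = strdup(s);
    return z;
}

static void zval_addref(zval *z) { z->refcount++; }   /* zval_copy_ctor */

static void zval_dtor(zval *z) {
    if (--z->refcount > 0) return;
    if (z->in_shm) { shm_free_attempts++; return; }   /* would be efree() on shm */
    free(z->str); free(z);
}

static hashtable *ht_alloc(int n) {
    hashtable *ht = malloc(sizeof *ht);
    ht->n = n; ht->elems = malloc(n * sizeof *ht->elems);
    return ht;
}

/* What the report says ZEND_RECV_INIT does: a new hashtable whose elements
 * are the shm zvals themselves, each merely refcount-incremented.  Every
 * request entering the function writes into shm. */
static hashtable *ht_shallow_dup(const hashtable *src) {
    hashtable *dst = ht_alloc(src->n);
    for (int i = 0; i < src->n; i++) { dst->elems[i] = src->elems[i]; zval_addref(dst->elems[i]); }
    return dst;
}

/* The direction the reporter argues for: each request gets private copies
 * of the elements, so shm is read but never written while executing. */
static hashtable *ht_deep_dup(const hashtable *src) {
    hashtable *dst = ht_alloc(src->n);
    for (int i = 0; i < src->n; i++) dst->elems[i] = zval_new(src->elems[i]->str, 0);
    return dst;
}

static void ht_release(hashtable *ht) {            /* end of request */
    for (int i = 0; i < ht->n; i++) zval_dtor(ht->elems[i]);
    free(ht->elems); free(ht);
}

/* Constructed stand-in for the cached default array("AAA", "BBB"). */
static hashtable *shm_default_create(void) {
    hashtable *ht = ht_alloc(2);
    ht->elems[0] = zval_new("AAA", 1); ht->elems[1] = zval_new("BBB", 1);
    return ht;
}
static void shm_default_destroy(hashtable *ht) {    /* cache teardown, ignores refcounts */
    for (int i = 0; i < ht->n; i++) { free(ht->elems[i]->str); free(ht->elems[i]); }
    free(ht->elems); free(ht);
}

/* A shallow dup's element IS the shm zval, and making the dup already wrote
 * (refcount 1 -> 2) into shm.  Returns 1 if that sharing is observed. */
static int shallow_dup_shares_shm(void) {
    hashtable *shm = shm_default_create();
    hashtable *a = ht_shallow_dup(shm);
    int shared = a->elems[0] == shm->elems[0] && shm->elems[0]->refcount == 2;
    ht_release(a);                        /* 2 -> 1: harmless in isolation */
    shm_default_destroy(shm);
    return shared;
}

/* Two workers sharing shm both run ZEND_RECV_INIT on "AAA".  refcount++ is
 * load/add/store; with no mutex the interleaving below loses one increment.
 * The two zval_dtor calls at request end then go 2 -> 1 -> 0 and the second
 * one efree()s the shm zval.  Returns the number of shm frees attempted. */
static int shallow_dup_lost_update(void) {
    hashtable *shm = shm_default_create();
    zval *aaa = shm->elems[0];
    shm_free_attempts = 0;
    int seen_by_a = aaa->refcount;        /* worker A loads 1              */
    int seen_by_b = aaa->refcount;        /* worker B loads 1              */
    aaa->refcount = seen_by_a + 1;        /* A stores 2                    */
    aaa->refcount = seen_by_b + 1;        /* B stores 2: A's ref is lost   */
    zval_dtor(aaa);                       /* A's request ends: 2 -> 1      */
    zval_dtor(aaa);                       /* B's request ends: 1 -> 0 (!)  */
    int attempts = shm_free_attempts;
    shm_default_destroy(shm);
    return attempts;
}

/* Same two requests with private element copies: shm refcounts are never
 * touched, so no interleaving can drive them to zero.  Returns 1 if shm is
 * intact afterwards. */
static int deep_dup_leaves_shm_alone(void) {
    hashtable *shm = shm_default_create();
    shm_free_attempts = 0;
    hashtable *a = ht_deep_dup(shm), *b = ht_deep_dup(shm);
    ht_release(a); ht_release(b);
    int ok = shm->elems[0]->refcount == 1 && shm_free_attempts == 0;
    shm_default_destroy(shm);
    return ok;
}

int main(void) {
    printf("shallow dup shares shm element: %d\n", shallow_dup_shares_shm());
    printf("shm frees after lost update:    %d\n", shallow_dup_lost_update());
    printf("deep dup leaves shm alone:      %d\n", deep_dup_leaves_shm_alone());
    return 0;
}
```

The lost-update step is spelled out as explicit loads and stores because a real multi-process race is nondeterministic; the `ab -c 10` loop in the report simply repeats the attempt until the scheduler produces this interleaving. The point the model makes is that the danger is not the copy of the hashtable but any refcount write into shared memory during execution; the deep copy removes the write entirely rather than trying to serialize it.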


-- 
Edit this bug report at http://bugs.php.net/?id=38878&edit=1
