From: raven7370 at yahoo dot com
Operating system: Win32 (XP SP2)
PHP version: 5.2.0
PHP Bug Type: Unknown/Other Function
Bug description: zend_strtod not Thread Safe (causes Infinite Loop)
Description:
------------
zend_strtod infinite loop

In short:

What causes the problem: Script A stores data in a session and creates two images that call Script B, which reads the session data to create two different graphs.

The problem: During the unserialize of the session data retrieval the zend_strtod function is called. When multiple concurrent threads unserialize the same data there is (in my experience) a 10% chance that:

A: one of the threads crashes (Apache error box; the main Apache thread and the other thread still run), or
B: the zend_strtod function hangs in an infinite loop for both threads.

The second (the infinite loop) is far worse since both threads hang and completely max out the two CPUs, leaving the main Apache thread with so few CPU cycles that any other page request will never finish.

The code that hangs in an infinite loop at the end of the zend_strtod function is:

    for (i = 0; i <= Kmax; i++) {
        Bigint **listp = &freelist[i];
        while ((tmp = *listp) != NULL) {
            *listp = tmp->next;
            free(tmp);
        }
        freelist[i] = NULL;
    }
    while (p5s) {
        tmp = p5s;
        p5s = p5s->next;
        free(tmp);
    }

It either hangs in the first while loop or the second one (most of the time in the first). The reason for the infinite loop is that somehow the next pointer references create a circular loop. Every time I have seen it, it is just a two-link loop, i.e. A->B and B->A, and both threads are affected and looping in the same position. This is not just on the debug version but also on the stable 5.1.6 and 5.2 binary release files.

Using OllyDbg the code is:

If I circumvent the code execution described above (using the stable binary release files) with a two-byte short jmp, I no longer have any infinite loop hanging the server or crashes, BUT apparently a memory leak, since I have removed what appears to be a clean-up of a linked list. So this is a really BAD fix, but it is still BETTER than the infinite loop.. don't you think?
Important note: (apparently only HT / multi-CPU/core systems have this problem) I have these problems on a CPU with HT, not a true multi-core or multi-CPU system.. but another system with a normal (single-core, non-HT) CPU does not have the problem.. I think only one thread might be created by PHP since Windows only shows one CPU.

Anyway.. a true fix would be really great since I have no idea what excluding the above code REALLY means. I am somewhat hoping that when a thread is killed Windows cleans up.. but does it? And even if it does, when is a PHP worker thread killed? Btw.. thread safety is ON when this problem occurs. (And this is as short as I could make it ;) Thanks for any help!!!

Reproduce code:
---------------
Well, it's a thread interaction problem that is very hard to reproduce on command. I tried to create a script that maximizes the occurrence (one PHP script that stores some random x & y values in an array and creates HTML that continuously loads two images from another PHP script that uses the session data to draw random images), but with that I couldn't reproduce the bug at all. The original script gets the data from a MySQL database using ADOdb and the data stored in the session is more complex.. not sure what exactly makes this go off or not, and unfortunately I can't post the original script and database since it is work related :( But I tried to narrow the problem down as much as I could and hope that someone might have a clue on what goes wrong where.

Expected result:
----------------
Well, I would expect multiple concurrent session unserializations of the same data to NOT cause the server to die in a horrible infinite loop >_>

Actual result:
--------------
Well, it does.. die.. well, ok, it just hangs with 100% CPU, making everything else go 0.00001x speed, but that makes a server and everything running on it useless :( I mean Apache can't even answer the request for a new plain unrelated HTML page anymore! Thanks for any help!!! And please do help!
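The report's two-link cycle (A->B, B->A) is why the cleanup loop never terminates: each iteration hands back a node that is still linked. Below is an added example, not PHP's code, showing a guarded variant of that exact loop: it runs Floyd's cycle check on the list first and, on a corrupted list, deliberately leaks the nodes instead of hanging the worker (the same leak-versus-hang trade-off the reporter's jmp patch makes, but only for the corrupted case). `Bigint`, `free_list_guarded` and the demo lists are constructed here; the real fix for the race is per-thread state or a lock around the freelist, which this block does not show.

```c
#include <stdlib.h>

/* Minimal stand-in for zend_strtod's Bigint: only the link matters here. */
typedef struct Bigint { struct Bigint *next; int k; } Bigint;

/* Floyd's tortoise-and-hare: returns 1 if following ->next from head cycles. */
static int list_has_cycle(const Bigint *head) {
    const Bigint *slow = head, *fast = head;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Guarded version of the reporter's cleanup loop. Frees an acyclic list and
 * returns the node count. On a cyclic (corrupted) list it frees nothing,
 * unlinks the head and returns -1: a bounded leak instead of a 100% CPU hang. */
int free_list_guarded(Bigint **listp) {
    Bigint *tmp;
    int freed = 0;
    if (list_has_cycle(*listp)) { *listp = NULL; return -1; }
    while ((tmp = *listp) != NULL) {
        *listp = tmp->next;
        free(tmp);
        freed++;
    }
    return freed;
}

static Bigint *node(int k, Bigint *next) {
    Bigint *b = malloc(sizeof *b);
    b->k = k; b->next = next;
    return b;
}

/* Constructed input: a healthy 3-node freelist bucket. Returns 3. */
int demo_healthy(void) {
    Bigint *head = node(0, node(1, node(2, NULL)));
    return free_list_guarded(&head);
}

/* Constructed input: the A->B->A two-link loop from the report. Returns -1. */
int demo_corrupted(void) {
    Bigint *a = node(0, NULL), *b = node(1, a);
    Bigint *head = a;
    a->next = b;                        /* close the cycle: A->B, B->A */
    int r = free_list_guarded(&head);   /* detects the cycle, frees nothing */
    free(a); free(b);                   /* reclaim the demo nodes ourselves */
    return r;
}
```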
-- Edit bug report at http://bugs.php.net/?id=39465&edit=1