EG(strtod_state).freelist leaks with opcache.preload

[bwoebi]

Description

The following code (in a file preload.php):

<?php
var_dump(1.5);

Resulted in this output:

$ php -d zend_extension=opcache.so -d opcache.enable_cli=1 -d opcache.preload=$(pwd)/preload.php -r ''
float(1.5)

=================================================================
==34672==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 44 byte(s) in 1 object(s) allocated from:
    #0 0xffff94f4b8c0 in malloc (/usr/lib/llvm-17/lib/clang/17/lib/linux/libclang_rt.asan-aarch64.so+0x10a8c0) (BuildId: 5edc5baee74137099dd7cbd6e2b27e95530fd7e2)
    #1 0xaaaad35a2c20 in Balloc /usr/local/src/php/Zend/zend_strtod.c:591:18
    #2 0xaaaad35a48d0 in lshift /usr/local/src/php/Zend/zend_strtod.c:1026:7
    #3 0xaaaad35aa5c0 in zend_dtoa /usr/local/src/php/Zend/zend_strtod.c:4203:7
    #4 0xaaaad35ad224 in zend_gcvt /usr/local/src/php/Zend/zend_strtod.c:4516:11
    #5 0xaaaad2c9c754 in xbuf_format_converter /usr/local/src/php/main/spprintf.c:654:10
    #6 0xaaaad2c96054 in php_printf_to_smart_string /usr/local/src/php/main/spprintf.c:778:2
    #7 0xaaaad35ca1fc in zend_vspprintf /usr/local/src/php/Zend/zend.c:293:2
    #8 0xaaaad2c23790 in php_printf_unchecked /usr/local/src/php/main/main.c:964:9
    #9 0xaaaad28140d8 in php_var_dump /usr/local/src/php/ext/standard/var.c:132:4
    #10 0xaaaad2816a48 in zif_var_dump /usr/local/src/php/ext/standard/var.c:245:3
    #11 0xaaaad3277030 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /usr/local/src/php/Zend/zend_vm_execute.h:1287:2
    #12 0xaaaad30ace60 in execute_ex /usr/local/src/php/Zend/zend_vm_execute.h:58554:7
    #13 0xaaaad30adde8 in zend_execute /usr/local/src/php/Zend/zend_vm_execute.h:64206:2
    #14 0xffff8df97a30 in accel_preload /usr/local/src/php/ext/opcache/ZendAccelerator.c:4392:4
    #15 0xffff8df95308 in accel_finish_startup_preload /usr/local/src/php/ext/opcache/ZendAccelerator.c:4658:7
    #16 0xffff8df88674 in accel_finish_startup /usr/local/src/php/ext/opcache/ZendAccelerator.c:4803:10
    #17 0xffff8df82924 in accel_post_startup /usr/local/src/php/ext/opcache/ZendAccelerator.c:3355:6
    #18 0xaaaad35d0860 in zend_post_startup /usr/local/src/php/Zend/zend.c:1103:7
    #19 0xaaaad2c2ca5c in php_module_startup /usr/local/src/php/main/main.c:2323:6
    #20 0xaaaad35e7924 in php_cli_startup /usr/local/src/php/sapi/cli/php_cli.c:397:9
    #21 0xaaaad35e1bc4 in main /usr/local/src/php/sapi/cli/php_cli.c:1277:6
    #22 0xffff91fdcda0 in __libc_start_main /build/reproducible-path/glibc-2.28/csu/../csu/libc-start.c:308:16

// multiple further leaks at a very similar location

PHP Version

PHP 8.4RC3

Operating System

No response

[nielsdos]

I can reproduce this only on ZTS.

[nielsdos]

This happens because on ZTS we execute executor_globals_ctor which reset the freelist and p5s pointers, while on NTS we don't. I think this can be solved by calling zend_shutdown_strtod when the preload is done.

[bwoebi]

Sorry for not mentioning that it's a ZTS build, though I was aware that it's ZTS specific. Thanks :-)

[nielsdos]

No worries 🙂