Fix GH-16727: Opcache bad signal 139 crash in ZTS bookworm (frankenphp) #16748
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nphp) Reproducer: php#16727 (comment) The root cause is a data race between two different threads: 1) We allocate a lower cased name for an anonymous class here: https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8109 2) This gets looked up as an interned string here: https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8112 Assuming that there are uppercase symbols in the string and therefore `lcname != name` and that `lcname` is not yet in the interned string table, the pointer value of `lcname` won't change. 3) Here we add the string into the interned string table: https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8223 However, in the meantime another thread could've added the string into the interned string table. This means that the following code will run, indirectly called via the `LITERAL_STR` macro, freeing `lcname`: https://github.com/php/php-src/blob/62e53e6f4965f37d379a3fd21f65a4210c5c86b5/ext/opcache/ZendAccelerator.c#L572-L575 4) In the reproducer we then access the freed `lcname` string here: https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8229 This is solved in my patch by retrieving the interned string pointer and putting it in `lcname`.
iluuu1994
approved these changes
Nov 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reproducer: #16727 (comment), only happens when opcache is enabled. Reporter confirmed this fixes the problem for them and I also can't reproduce the issue anymore with this patch. I don't know how to write a test for this.
The root cause is a race condition between two different threads:
php-src/Zend/zend_compile.c
Line 8109 in f97353f
php-src/Zend/zend_compile.c
Line 8112 in f97353f
Assuming that there are uppercase symbols in the string and therefore
lcname != nameand thatlcnameis not yet in the interned string table,the pointer value of
lcnamewon't change.php-src/Zend/zend_compile.c
Line 8223 in f97353f
However, in the meantime another thread could've added the string into the interned string table.
This means that the following code will run, indirectly called via the
LITERAL_STRmacro,freeing
lcname:php-src/ext/opcache/ZendAccelerator.c
Lines 572 to 575 in 62e53e6
lcnamestring here:php-src/Zend/zend_compile.c
Line 8229 in f97353f
This is solved in my patch by retrieving the interned string pointer and putting it in
lcname.