There have been misterious macOS failures with the following error for a long
time, which would usually happen 1-2x per nightly run:
> The hosted runner lost communication with the server. Anything in your
> workflow that terminates the runner process, starves it for CPU/Memory, or
> blocks its network access can cause this error.
After way too much debugging, it looks like this is caused by the two fpm tests
skipped in this commit. When there's a failure, the responsible test will run
for at least 120 seconds until the job is eventually killed by GitHub Actions.
It's not clear yet why the tests stall.
Debugging this is a PITA because the GitHub Actions log gets partially lost for
killed jobs. It took an external log server to actually figure out where the job
fails. Let's disable the tests first to be sure this actually solves the issue.
The fix fixes some other races that could result in mixed up copy and
nprocs number. It requires creating a copy in a similar way like for
request status.
This was not previously used to not impact other requests. However this
does not make that much sense as the only thing that impacts it is
holding the lock and not waiting for it. It is true that if there was a
big contention then the lock would be acquired more often but that can
be achieved by using fpm_get_status in loop so it should not make a
huge difference hopefully.
Closes GH-19974
This changes default for fastcgi.script_path_encoded INI to have
default behavior without a BC break. There has been already issue
about this in RC so it is very likely that it could have much bigger
impact so it's better to be safe.
* main: Ignore `register_argc_argv` when `SG(request_info).argc` is available
* sapi: Remove hardcoded `register_argc_argv` for CLI SAPIs
This INI is ignored since the previous commit, which makes the hardcoded
setting obsolete.
* main: Deprecate deriving $_SERVER['argc'] and $_SERVER['argv'] from the query string
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_the_register_argc_argv_ini_directive
* main: Adjust deprecation message for `register_argc_argv`
* NEWS/UPGRADING
* fpm: Improve the error message when FPM is running as root
Co-authored-by: Jakub Zelenka <bukka@php.net>
* fpm: Disable `TEST_FPM_RUN_AS_ROOT` for proc-user-not-set-when-root.phpt
---------
Co-authored-by: Jakub Zelenka <bukka@php.net>
The value is temporarily duplicated. While the value is allocated persistently,
it will be freed if the ini value can't be set. This is safe, given the value
has not actually been stored.
Exposed by GH-19619
Closes GH-19671
* opcache: Do not emit “temporary enabling” message when OPcache is already active
An easy way to accidentally enable OPcache “temporarily” is by using
`php_admin_value[opcache.enable]=1` within a FPM pool’s configuration, since
the `php_admin_value` settings mostly behave like settings in php.ini, with
many OPcache INI settings being a notable exception.
As long as OPcache is already enabled within php.ini (or simply by default),
emitting a warning for `php_admin_value[opcache.enable]=1` or similar is going
to be confusing, since is not actually temporarily enabling anything.
A follow-up commit will also try to detect this kind of incorrect configuration
and try to provide better advice for cases where OPcache is actually not yet
enabled.
* opcache: Improve error message when OPcache is enabled dynamically
The error message will now advice on the `php_admin_value[opcache.enable]=1`
mistake. It will also send the message to OPcache’s logging facility instead of
the regular error handling logic during startup so that it will not be made
available to `error_get_last()`, since it is related to a specific request and
thus not actionable by a script either.
php/php-src#19146 made a related change to `opcache.memory_consumption`.
* opcache: Fix typo in warning message
* opcache: Use more formal language in warning message
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#remove_disable_classes_ini_setting
This took longer to merge than expected but the initial motivation from 2 years ago still applied:
As described in the email to the PHP internals list [1] this feature is fundamentally broken and pointless.
Only internal classes can be disable which brings the following observation. On a minimal build of PHP, with only the mandatory extensions enabled, there are 148 classes/interfaces/traits defined. [2]
Other than the SPL ones (and even then), disabling any of these classes will cause issues within the engine.
Moreover, the SPL ones are not a security concern.
Therefore, any other class that can be disabled must come from an extension that can be disabled altogether. And "disabling" a class from an extension without disabling said extension will render it useless anyway.
If a hosting provided is concerned about an extension, then it should not enable it in the first place. Not break it ad hoc.
Considering the above, I cannot see how this functionality was ever useful.
This is in stark contrast to the disable_functions INI setting, which can be used to selectively remove functionality of an extension without breaking it overall.
What makes this setting particularly broken is that it does not unregister the class, it only overwrites the create CE handler to emit a warning and purge the properties and function hashtables. This leads to various use after free, segfaults, and broken expectations for the engine and extensions which define said classes. On top of that, it is possible to actually instantiate such a class (and even classes which actually disallow this like ext/imap) in userland, and pass it to function that are typed against said class without raising a TypeError. However, when trying to do anything with said object stuff is going to explode in countless ways.
[1] https://news-web.php.net/php.internals/120896
[2] https://gist.github.com/Girgias/63d55ba1e50b580412b004046daed02b
The shadow key is refreshed when resetting the memory manager between two
requests. But in forking SAPIs the first request of a child process inherits the
shadow key of the parent. As a result, a leak of the shadow key during the first
request of one process gives away the shadow key used during the first request
of other processes. This makes the key refresh mechanism less useful.
Here I ensure that we refresh the shadow key after a fork. We can not reset the
manager as there may be active allocations. Instead, we have to recompute shadow
pointers with the new key.
Closes GH-16765
It sets the access log limit as configurable log_limit to allow larger
log limit than the currently fixed limit of 1024 characters.
Fixes GH-12302
Closes GH-18725
This fixes null dereference error when calling fpm_get_status() and one
of the children is just being created.
Closes GH-18662
Co-authored-by: Jakub Zelenka <bukka@php.net>
* Move glob to main/ from win32/
In preparation to make the Win32 reimplementation the standard
cross-platform one. Currently, it doesn't do that and just passes
through the original glob implementation. We could consider also having
an option to use the standard glob for systems that have a sufficient
one.
* Enable building with win32 glob on non-windows
Kind of broken. We're namespacing the function and struct, but not yet
the GLOB_* defines. There are a lot of places callers check if i.e.
NOMATCH is defined that would likely become redundant.
Currently it also has php_glob and #defines glob php_glob (etc.) - I
suspect doing the opposite and changing the callers would make more
sense, just doing MVP to geet it to build (even if it fails tests).
* Massive first pass at conversion to internal glob
Have not tested yet. the big things are:
- Should be invisible to userland PHP code.
- A lot of :%s/GLOB_/PHP_GLOB_/g; the diff can be noisy as a result,
especially in comments.
- Prefixes everything with PHP_ to avoid conflicts with system glob in
case it gets included transitively.
- A lot of weird shared definitions that were sprawled out to other
headers are now included in php_glob.h.
- A lot of (but not yet all cases) of HAVE_GLOB are removed, since we
can always fall back to php_glob.
- Using the system glob is not wired up yet; it'll need more shim
ifdefs for each flag type than just glob_t/glob/globfree defs.
* Fix inclusion of GLOB_ONLYDIR
This is a GNU extension, but we don't need to implement it, as the GNU
implementation is flawed enough that callers have to manually filter it
anyways; just provide a stub definition for the constant.
We could consideer implementing this properly later. For now, fixes the
basic glob constant tests.
* Remove HAVE_GLOBs
We now always have a glob implementation that works. HAVE_GLOB should
only be used to check if we have a system implementation, for if we
decide to wrap the system implementation instead.
* We don't need to care about being POSIXly correct for internal glob
* Check for reallocarray
Ideally temporary until GH-17433.
* Forgot to move this file from win32/ to main/
* Check for issetugid (BSD function)
* Allow using the system glob with --enable-system-glob
* Style fix after removing ifdef
* Remove empty case for system glob
This changes make FPM always decode SCRIPT_FILENAME when Apache
ProxyPass or ProxyPassMatch is used. It also introduces a new INI
option fastcgi.script_path_encoded that allows using the previous
behavior of not decoding the path. The INI is introduced because
there is a chance that some users could use encoded file paths in
their file system as a workaround for the previous behavior.
Close GH-17896
This fixes a ZEND_RC_MOD_CHECK() assertion failure when building with
"-DZEND_RC_DEBUG=1 --enable-debug --enable-zts". php_dl() is called after
startup, and manipulates the refcount of persistent strings, which is not
allowed at this point of the lifecycle.
The dl() function disables the ZEND_RC_MOD_CHECK() assertion before calling
php_dl(). This change applies the same workaround in FPM.
Closes GH-18075
The reason this breaks is because of a type mismatch.
The following line uses fields of the timeval struct which are both 8 bytes on
Alpine 32-bit, which results in a computed value of also 8 bytes:
b09ed9a0f2/sapi/fpm/fpm/fpm_status.c (L611)
However, it is passed to a format string which expects 4 bytes
(`unsigned long` and thus the `%lu` format specifier is 4 bytes on Alpine 32-bit),
resulting in argument corruption.
Since the value is generally small, truncating to 4 bytes is sufficient to fix this.
Closes GH-17286.
