From:             slangley at google dot com
Operating system: N/A
PHP version:      5.4.14
Package:          XSLT related
Bug Type:         Bug
Bug description: The XSLT extension is not thread safe.

Description:
------------
ThreadSanitizer has detected a data race in php_xsl.c.

The function xsltSetGenericErrorFunc is not thread safe, yet it can be accessed
concurrently by separate threads from the request INIT & SHUTDOWN handlers in the
xslt extension.


/* {{{ PHP_RINIT_FUNCTION
 */
PHP_RINIT_FUNCTION(xsl)
{
        xsltSetGenericErrorFunc(NULL, php_libxml_error_handler);
        return SUCCESS;
}
/* }}} */

/* {{{ PHP_RSHUTDOWN_FUNCTION
 */
PHP_RSHUTDOWN_FUNCTION(xsl)
{
        xsltSetGenericErrorFunc(NULL, NULL);
        return SUCCESS;
}

xsltSetGenericErrorFunc uses two global variables to record state, with no
protection against concurrent access.


from xsltutils.c

xmlGenericErrorFunc xsltGenericError = xsltGenericErrorDefaultFunc;
void *xsltGenericErrorContext = NULL;


/**
 * xsltSetGenericErrorFunc:
 * @ctx:  the new error handling context
 * @handler:  the new handler function
 *
 * Function to reset the handler and the error context for out of
 * context error messages.
 * This simply means that @handler will be called for subsequent
 * error messages while not parsing nor validating. And @ctx will
 * be passed as first argument to @handler
 * One can simply force messages to be emitted to another FILE * than
 * stderr by setting @ctx to this file handle and @handler to NULL.
 */
void
xsltSetGenericErrorFunc(void *ctx, xmlGenericErrorFunc handler) {
    xsltGenericErrorContext = ctx;
    if (handler != NULL)
        xsltGenericError = handler;
    else
        xsltGenericError = xsltGenericErrorDefaultFunc;
}

Calling xsltSetGenericErrorFunc from the module initializer should solve this
problem.

Test script:
---------------
Build PHP with --enable-maintainer-zts.

Execute concurrent requests.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=64776&edit=1
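
Added example, not part of the original report and not PHP or libxslt code: a single-threaded replay of one two-thread schedule over a model of the two globals quoted above, comparing the per-request set/reset pattern with the set-once-at-module-init pattern the report suggests. It does not reproduce the data race ThreadSanitizer flags, only what sharing process-wide handler state does to a request still in flight; set_error_func, php_handler, default_handler and the counters are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stddef.h>

typedef void (*err_fn)(void *ctx, const char *msg);

static int to_php, to_default;  /* where emitted messages ended up */
static void default_handler(void *c, const char *m) { (void)c; (void)m; to_default++; }
static void php_handler(void *c, const char *m)     { (void)c; (void)m; to_php++; }

/* Stand-ins for xsltGenericError / xsltGenericErrorContext: one copy per process. */
static err_fn g_error = default_handler;
static void  *g_error_ctx = NULL;

/* Same logic as the quoted xsltSetGenericErrorFunc: two unguarded writes. */
static void set_error_func(void *ctx, err_fn handler) {
    g_error_ctx = ctx;
    g_error = handler ? handler : default_handler;
}

static void emit(const char *msg) { g_error(g_error_ctx, msg); }
static void reset(void) { to_php = to_default = 0; set_error_func(NULL, NULL); }

int lost_to_default(void) { return to_default; }

/* Pattern in the report: each request installs the handler in RINIT and
 * clears it in RSHUTDOWN. Returns how many of B's messages reached PHP. */
int per_request_pattern(void) {
    reset();
    set_error_func(NULL, php_handler);  /* thread A: RINIT */
    set_error_func(NULL, php_handler);  /* thread B: RINIT */
    set_error_func(NULL, NULL);         /* thread A: RSHUTDOWN resets the shared state */
    emit("B: stylesheet error");        /* thread B is still mid-request */
    set_error_func(NULL, NULL);         /* thread B: RSHUTDOWN */
    return to_php;
}

/* Suggested pattern: install once at module init, before worker threads
 * exist; request handlers never write the globals. */
int module_init_pattern(void) {
    reset();
    set_error_func(NULL, php_handler);  /* MINIT */
    emit("B: stylesheet error");        /* any interleaving of requests A and B */
    return to_php;
}

int main(void) {
    printf("per-request: %d to PHP, %d lost\n", per_request_pattern(), lost_to_default());
    printf("module-init: %d to PHP, %d lost\n", module_init_pattern(), lost_to_default());
    return 0;
}
```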