profiling: block all (non-fault) signals on helper threads

realFlowControl · realFlowControl · commit ea2df5102512 · 2026-06-17T20:13:14.000+02:00
The profiler helper threads (ddprof_time, ddprof_upload) only masked the
fixed set of signals the Zend Engine registers (SIGPROF, SIGHUP, SIGINT,
SIGTERM, SIGUSR1, SIGUSR2). A PHP script can install an async handler for
any other signal via pcntl_async_signals(true) + pcntl_signal(), e.g.
SIGCHLD. The kernel could then deliver that signal to a helper thread,
where pcntl_signal_handler runs without a PHP/TSRM context and dereferences
the thread-local PCNTL_G, segfaulting (ZTS only). Seen on PHP 8.4 ZTS via
ext/pcntl/tests/waiting_on_sigchild_pcntl_wait.phpt.

Block every signal on the helper threads (sigfillset) so async signals are
delivered to a PHP thread instead, leaving only the synchronous fault
signals (SIGSEGV/SIGBUS/SIGFPE/SIGILL/SIGABRT/SIGTRAP) deliverable so a real
fault on a helper thread is still reported (crashtracker).

Add a regression test
profiling/tests/phpt/pcntl_async_signal_helper_thread.phpt. Verified: it
fails ~15/20 on the old code and passes 20/20 with the fix; full profiler
phpt suite still green.
diff --git a/profiling/src/profiling/thread_utils.rs b/profiling/src/profiling/thread_utils.rs
@@ -20,25 +20,38 @@ where
     let result = std::thread::Builder::new()
         .name(name.to_string())
         .spawn(move || {
-            /* Thread must not handle signals intended for PHP threads.
-             * See Zend/zend_signal.c for which signals it registers.
+            /* This helper thread has no valid PHP/TSRM context, so it must not
+             * run any PHP signal handler. The Zend Engine registers a fixed set
+             * of signals (see Zend/zend_signal.c), but a PHP script can install
+             * a handler for *any* signal via pcntl_signal() (e.g. SIGCHLD with
+             * pcntl_async_signals(true)). If such a signal is delivered to this
+             * thread, pcntl_signal_handler() dereferences PCNTL_G(spares) with
+             * no thread context and segfaults
+             * (see ext/pcntl/tests/waiting_on_sigchild_pcntl_wait.phpt).
+             *
+             * So block every signal here; async signals are then delivered to a
+             * PHP thread instead. The synchronous fault signals are left
+             * unblocked so a genuine fault on this thread is still reported
+             * (e.g. by the crashtracker) rather than masked.
              */
             unsafe {
                 let mut sigset_mem = MaybeUninit::uninit();
                 let sigset = sigset_mem.as_mut_ptr();
-                libc::sigemptyset(sigset);
-
-                const SIGNALS: [libc::c_int; 6] = [
-                    libc::SIGPROF, // todo: SIGALRM on __CYGWIN__/__PHASE__
-                    libc::SIGHUP,
-                    libc::SIGINT,
-                    libc::SIGTERM,
-                    libc::SIGUSR1,
-                    libc::SIGUSR2,
+                libc::sigfillset(sigset);
+
+                // Hardware/synchronous fault signals: keep them deliverable to
+                // this thread.
+                const KEEP_UNBLOCKED: [libc::c_int; 6] = [
+                    libc::SIGSEGV,
+                    libc::SIGBUS,
+                    libc::SIGFPE,
+                    libc::SIGILL,
+                    libc::SIGABRT,
+                    libc::SIGTRAP,
                 ];
 
-                for signal in SIGNALS {
-                    libc::sigaddset(sigset, signal);
+                for signal in KEEP_UNBLOCKED {
+                    libc::sigdelset(sigset, signal);
                 }
                 libc::pthread_sigmask(libc::SIG_BLOCK, sigset, std::ptr::null_mut());
             }
diff --git a/profiling/tests/phpt/pcntl_async_signal_helper_thread.phpt b/profiling/tests/phpt/pcntl_async_signal_helper_thread.phpt
@@ -0,0 +1,77 @@
+--TEST--
+[profiling] async PHP signal handlers must not run on profiler helper threads
+--DESCRIPTION--
+Regression test for a crash when a PHP script installs an async signal handler
+(pcntl_async_signals(true) + pcntl_signal()) for a signal the Zend Engine does
+not itself register, e.g. SIGCHLD.
+
+The profiler's helper threads (`ddprof_time`, `ddprof_upload`) only masked the
+fixed set of signals the Zend Engine uses, so the kernel could deliver SIGCHLD
+to one of them. pcntl's handler then ran on a thread with no valid PHP/TSRM
+context and dereferenced the thread-local PCNTL_G, segfaulting. The fix is to
+block every (non-fault) signal on the helper threads so async signals are
+delivered to a PHP thread.
+
+Only crashes on ZTS, where PCNTL_G is thread-local. Observed on PHP 8.4 ZTS,
+reproduced by ext/pcntl/tests/waiting_on_sigchild_pcntl_wait.phpt:
+
+    Thread 2 "ddprof_time" received signal SIGSEGV, Segmentation fault.
+    #0  pcntl_signal_handler (signo=17, ...) at ext/pcntl/pcntl.c:1289
+    1289        struct php_pcntl_pending_signal *psig = PCNTL_G(spares);
+    #1  <signal handler called>
+    #2  syscall ()
+    #3  std::sys::pal::unix::futex::futex_wait ()
+    #4  std::sys::sync::thread_parking::futex::Parker::park_timeout ()
+    ...
+    #15 run () at profiling/src/profiling/uploader.rs:157
+    #16 {closure#3} () at profiling/src/profiling/mod.rs:898
+    #17 ... at profiling/src/profiling/thread_utils.rs:45
+--SKIPIF--
+<?php
+foreach (['datadog-profiling', 'pcntl'] as $extension)
+    if (!extension_loaded($extension))
+        echo "skip: test requires {$extension}\n";
+if (!ZEND_THREAD_SAFE)
+    echo "skip: ZTS only (the crash is a thread-local PCNTL_G access from a helper thread)\n";
+if (PHP_OS_FAMILY !== 'Linux')
+    echo "skip: Linux only\n";
+if (getenv('SKIP_ASAN'))
+    die('skip: the profiler leaks on purpose in child of a fork');
+?>
+--ENV--
+DD_PROFILING_ENABLED=yes
+DD_PROFILING_LOG_LEVEL=off
+--FILE--
+<?php
+
+pcntl_async_signals(true);
+
+$processes = [];
+pcntl_signal(SIGCHLD, function () use (&$processes) {
+    while (($pid = pcntl_wait($status, WUNTRACED | WNOHANG)) > 0) {
+        unset($processes[$pid]);
+    }
+});
+
+// Spawn bursts of short-lived children. They exit at roughly the same time, so
+// a burst of SIGCHLD arrives while the main thread is idle in usleep(). If the
+// profiler's helper threads do not block SIGCHLD the kernel may deliver it to
+// one of them, where pcntl's handler runs without a PHP/TSRM context and
+// crashes. Several rounds widen the (timing-dependent) race window.
+for ($round = 0; $round < 4; $round++) {
+    for ($i = 0; $i < 8; $i++) {
+        $proc = proc_open('sleep 0.3', [], $pipes);
+        if ($proc !== false) {
+            $processes[proc_get_status($proc)['pid']] = $proc;
+        }
+    }
+    $iters = 50;
+    while (!empty($processes) && $iters-- > 0) {
+        usleep(100_000);
+    }
+}
+
+echo empty($processes) ? "OK\n" : "leftover children\n";
+?>
+--EXPECT--
+OK
