fix: clear in_save_handler state that blocks the subsequent close handler (#2443)

fixes #2368

Author: henderkes

caddy/caddy_test.go

@@ -3,6 +3,7 @@ package caddy_test
 import (
 	"bytes"
 	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -2010,3 +2011,50 @@ func TestSymlinkWorkerBehavior(t *testing.T) {
 		}
 	})
 }
+
+// TestSessionLockReleaseOnAbortInUserSaveHandler reproduces issue #2368: a
+// timeout bailout inside a user save handler leaks the underlying flock.
+// num_threads is 2 so R3 can't start until R1's thread frees, which
+// guarantees R2 (blocked in flock) inherits the lock when R1 releases and
+// then bails inside StrictSessionHandler. Without the fix R3 hangs in flock.
+func TestSessionLockReleaseOnAbortInUserSaveHandler(t *testing.T) {
+	tester := caddytest.NewTester(t)
+	initServer(t, tester, `
+		{
+			skip_install_trust
+			admin localhost:2999
+			http_port `+testPort+`
+			https_port 9443
+			frankenphp {
+				num_threads 2
+				max_threads 2
+			}
+		}
+		localhost:`+testPort+` {
+			route {
+				php {
+					root ../testdata
+				}
+			}
+		}
+		`, "caddyfile")
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	get := func() error {
+		resp, err := client.Get("http://localhost:" + testPort + "/session_deadlock.php")
+		if err != nil {
+			return err
+		}
+		_, _ = io.Copy(io.Discard, resp.Body)
+		return resp.Body.Close()
+	}
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() { defer wg.Done(); _ = get() }() // R1: holder
+	time.Sleep(300 * time.Millisecond)
+	go func() { defer wg.Done(); _ = get() }() // R2: bails inside user save handler
+	time.Sleep(100 * time.Millisecond)
+	require.NoError(t, get(), "third request hung -- session lock leaked (issue #2368)")
+	wg.Wait()
+}

frankenphp.c

@@ -29,7 +29,7 @@
 #ifndef ZEND_WIN32
 #include <unistd.h>
 #endif
-#if defined(__linux__)
+#ifdef __linux__
 #include <sys/prctl.h>
 #elif defined(__FreeBSD__) || defined(__OpenBSD__)
 #include <pthread_np.h>
@@ -610,7 +610,7 @@ PHP_FUNCTION(frankenphp_request_headers) {
 
   for (size_t i = 0; i < headers.r1; i++) {
     go_string key = headers.r0[i * 2];
-    go_string val = headers.r0[i * 2 + 1];
+    go_string val = headers.r0[(i * 2) + 1];
 
     add_assoc_stringl_ex(return_value, key.data, key.len, val.data, val.len);
   }
@@ -1107,14 +1107,14 @@ frankenphp_register_variables_from_request_info(zval *track_vars_array) {
       frankenphp_strings.content_type, (char *)SG(request_info).content_type,
       true, track_vars_array);
   frankenphp_register_variable_from_request_info(
-      frankenphp_strings.path_translated,
-      (char *)SG(request_info).path_translated, false, track_vars_array);
+      frankenphp_strings.path_translated, SG(request_info).path_translated,
+      false, track_vars_array);
   frankenphp_register_variable_from_request_info(
       frankenphp_strings.query_string, SG(request_info).query_string, true,
       track_vars_array);
-  frankenphp_register_variable_from_request_info(
-      frankenphp_strings.remote_user, (char *)SG(request_info).auth_user, false,
-      track_vars_array);
+  frankenphp_register_variable_from_request_info(frankenphp_strings.remote_user,
+                                                 SG(request_info).auth_user,
+                                                 false, track_vars_array);
   frankenphp_register_variable_from_request_info(
       frankenphp_strings.request_method,
       (char *)SG(request_info).request_method, false, track_vars_array);
@@ -1223,7 +1223,7 @@ sapi_module_struct frankenphp_sapi_module = {
  * License: MIT
  */
 static void set_thread_name(char *thread_name) {
-#if defined(__linux__)
+#ifdef __linux__
   /* Use prctl instead to prevent using _GNU_SOURCE flag and implicit
    * declaration */
   prctl(PR_SET_NAME, thread_name);
@@ -1310,6 +1310,19 @@ static void *php_thread(void *arg) {
 
       has_attempted_shutdown = true;
 
+#ifdef HAVE_PHP_SESSION
+      /* A bailout inside a user save handler skips the cleanup that clears
+       * PS(in_save_handler); RSHUTDOWN's recursion guard then refuses to run
+       * the handler's close() and any resource it holds leaks
+       * (https://github.com/php/frankenphp/issues/2368). See
+       * https://github.com/php/php-src/blob/900797e54fb8d21a761205e5788b9275dc1c7c0e/ext/session/mod_user.c#L29
+       * fpm doesn't run into this because it kills timed out processes, which
+       * releases all resources:
+       * https://github.com/php/php-src/blob/900797e54fb8d21a761205e5788b9275dc1c7c0e/sapi/fpm/fpm/fpm_request.c#L276
+       */
+      PS(in_save_handler) = false;
+#endif
+
       /* shutdown the request, potential bailout to zend_catch */
       php_request_shutdown((void *)0);
       frankenphp_free_request_context();
@@ -1678,8 +1691,8 @@ void frankenphp_destroy_thread_metrics(void) {
   thread_metrics = NULL;
 }
 
-size_t frankenphp_get_thread_memory_usage(uintptr_t idx) {
-  return __atomic_load_n(&thread_metrics[idx].last_memory_usage,
+size_t frankenphp_get_thread_memory_usage(uintptr_t thread_index) {
+  return __atomic_load_n(&thread_metrics[thread_index].last_memory_usage,
                          __ATOMIC_RELAXED);
 }
 

testdata/session_deadlock.php

@@ -0,0 +1,126 @@
+<?php
+
+require_once __DIR__.'/_executor.php';
+
+// Self-contained repro of https://github.com/php/frankenphp/issues/2368
+if (!class_exists('StrictSessionHandler', false)) {
+    abstract class AbstractSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
+    {
+        private string $sessionName;
+        private string $prefetchId;
+        private string $prefetchData;
+        private ?string $newSessionId = null;
+
+        public function open(string $savePath, string $sessionName): bool
+        {
+            $this->sessionName = $sessionName;
+            return true;
+        }
+
+        abstract protected function doRead(string $sessionId): string;
+        abstract protected function doWrite(string $sessionId, string $data): bool;
+        abstract protected function doDestroy(string $sessionId): bool;
+
+        public function validateId(string $sessionId): bool
+        {
+            $this->prefetchData = $this->read($sessionId);
+            $this->prefetchId = $sessionId;
+            return '' !== $this->prefetchData;
+        }
+
+        public function read(string $sessionId): string
+        {
+            if (isset($this->prefetchId)) {
+                $prefetchId = $this->prefetchId;
+                $prefetchData = $this->prefetchData;
+                unset($this->prefetchId, $this->prefetchData);
+                if ($prefetchId === $sessionId || '' === $prefetchData) {
+                    $this->newSessionId = '' === $prefetchData ? $sessionId : null;
+                    return $prefetchData;
+                }
+            }
+            $data = $this->doRead($sessionId);
+            $this->newSessionId = '' === $data ? $sessionId : null;
+            return $data;
+        }
+
+        public function write(string $sessionId, string $data): bool
+        {
+            $this->newSessionId = null;
+            return $this->doWrite($sessionId, $data);
+        }
+
+        public function destroy(string $sessionId): bool
+        {
+            return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
+        }
+    }
+
+    class StrictSessionHandler extends AbstractSessionHandler
+    {
+        public function __construct(private SessionHandlerInterface $handler) {}
+
+        public function open(string $savePath, string $sessionName): bool
+        {
+            parent::open($savePath, $sessionName);
+            return $this->handler->open($savePath, $sessionName);
+        }
+
+        public function updateTimestamp(string $sessionId, string $data): bool
+        {
+            return $this->write($sessionId, $data);
+        }
+
+        protected function doRead(string $sessionId): string
+        {
+            return $this->handler->read($sessionId);
+        }
+
+        protected function doWrite(string $sessionId, string $data): bool
+        {
+            return $this->handler->write($sessionId, $data);
+        }
+
+        protected function doDestroy(string $sessionId): bool
+        {
+            return $this->handler->destroy($sessionId);
+        }
+
+        public function close(): bool
+        {
+            return $this->handler->close();
+        }
+
+        public function gc(int $maxlifetime): int|false
+        {
+            return $this->handler->gc($maxlifetime);
+        }
+    }
+}
+
+return function () {
+    // Pre-flock timer: any request that doesn't get the lock immediately will
+    // have this fire while blocked in flock(), so when the lock is finally
+    // released the request bails out *inside* StrictSessionHandler::doRead —
+    // the path that leaks the fd without the fix from 2c6d2b5.
+    set_time_limit(1);
+
+    $savePath = sys_get_temp_dir() . '/frankenphp-session-deadlock';
+    @mkdir($savePath);
+    ini_set('session.use_strict_mode', '1');
+    ini_set('session.save_path', $savePath);
+    session_set_save_handler(new StrictSessionHandler(new SessionHandler()), true);
+    session_id('testsession2368');
+    session_start();
+
+    // Reset the timer so the holder (and any waiter that successfully acquires
+    // the lock) gets enough headroom to finish.
+    set_time_limit(5);
+
+    echo "Done.\n";
+    flush();
+    // Hold the lock long enough that a 1s timer expires for any concurrent
+    // waiter still blocked in flock().
+    system('sleep 2');
+    echo "ok!\n";
+};