Fix ZTS heap corruption by calling php_module_startup only once

Qard · claude · Qard · commit 858d72962226 · 2025-12-16T16:21:14.000+08:00
The previous code called php_module_startup() per-thread via Sapi::startup(), but this function is only meant to be called once during application initialization. Calling it multiple times caused heap corruption in PHP's memory allocator, manifesting as EXC_BAD_ACCESS (code=2) crashes in _estrdup on macOS aarch64. The correct ZTS lifecycle is: 1. php_module_startup() - once at app init (in Sapi::new()) 2. ts_resource(0) - per-thread TLS init (in ThreadScope::new()) 3. php_request_startup()/shutdown() - per-request (in RequestScope) Sapi::startup() now only verifies the SAPI is accessible (read lock) rather than reinitializing PHP modules. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/embed.rs b/src/embed.rs
@@ -341,17 +341,16 @@ impl Handler for Embed {
 
     // Spawn blocking PHP execution - ALL PHP operations happen here
     let blocking_handle = tokio::task::spawn_blocking(move || {
-      eprintln!("[DEBUG 1] spawn_blocking started");
-      // Initialize thread-local storage for this worker thread
+      // Initialize thread-local storage for this worker thread.
+      // This calls ext_php_rs_sapi_per_thread_init() -> ts_resource(0) which sets up
+      // PHP's thread-local storage for the current thread.
       let _thread_scope = ThreadScope::new();
-      eprintln!("[DEBUG 2] ThreadScope::new() completed");
-      // Call SAPI startup on THIS thread to initialize PHP's memory allocator.
-      // This is required before any estrdup calls can be made.
-      // The startup call is serialized via write lock to prevent concurrent php_module_startup.
+
+      // Verify SAPI is accessible (no longer calls php_module_startup per-thread).
+      // php_module_startup is only called once in Sapi::new(), not per-thread.
       _sapi
         .startup()
         .map_err(|_| EmbedRequestError::SapiNotStarted)?;
-      eprintln!("[DEBUG 3] sapi.startup() completed");
 
       // Setup RequestContext (always streaming from SAPI perspective)
       // RequestContext::new() will extract the request body's read stream and add it as RequestStream extension
@@ -361,16 +360,12 @@ impl Handler for Embed {
         response_writer.clone(),
         headers_sent_tx,
       );
-      eprintln!("[DEBUG 4] RequestContext::new() completed");
       RequestContext::set_current(Box::new(ctx));
-      eprintln!("[DEBUG 5] RequestContext::set_current() completed");
 
       // All estrdup calls happen here, inside spawn_blocking, after ThreadScope::new()
       // has initialized PHP's thread-local storage. These will be freed by efree in
       // sapi_module_deactivate during request shutdown.
-      eprintln!("[DEBUG 6] About to call estrdup for request_uri_str: {:?}", request_uri_str);
       let request_uri_c = estrdup(request_uri_str.as_str());
-      eprintln!("[DEBUG 7] estrdup(request_uri_str) completed");
       let path_translated = estrdup(translated_path_str.as_str());
       let request_method = estrdup(method_str.as_str());
       let query_string = estrdup(query_str.as_str());
diff --git a/src/sapi.rs b/src/sapi.rs
@@ -114,22 +114,23 @@ impl Sapi {
     })
   }
 
-  /// Initialize PHP for the current thread and call the SAPI module startup.
-  /// This must be called on each worker thread before using PHP's memory allocator (estrdup).
-  /// On ZTS builds, this initializes thread-local storage and module state.
-  /// Uses a write lock to serialize startup calls across threads.
+  /// Verify that the SAPI module has been initialized.
+  ///
+  /// In ZTS mode, thread-local storage is initialized by ThreadScope::new() which
+  /// calls ext_php_rs_sapi_per_thread_init() -> ts_resource(0). The module startup
+  /// (php_module_startup) is only called once in Sapi::new(), not per-thread.
+  ///
+  /// This method verifies the SAPI is accessible, but no longer calls php_module_startup
+  /// per-thread as that causes heap corruption when called multiple times.
   pub fn startup(&self) -> Result<(), EmbedRequestError> {
-    let sapi = &mut self
+    // Just verify we can acquire a read lock - the actual module startup
+    // already happened in Sapi::new(). ThreadScope::new() handles per-thread
+    // TLS initialization via ts_resource(0).
+    let _sapi = self
       .module
-      .write()
+      .read()
       .map_err(|_| EmbedRequestError::SapiNotStarted)?;
 
-    if let Some(startup) = sapi.startup {
-      if unsafe { startup(sapi.as_mut()) } != ZEND_RESULT_CODE_SUCCESS {
-        return Err(EmbedRequestError::SapiNotStarted);
-      }
-    }
-
     Ok(())
   }
 
