
Mattias Geniar:
Mitigating PHP’s long standing issue with OPCache leaking sensitive data
Feb 28, 2017 @ 11:39:33

In a new post to his site Mattias Geniar looks at an old security issue in PHP, opcache information leakage, and how to mitigate it.

A very old security vulnerability has been fixed in PHP regarding the way it handles its OPCaches in environments where a single master process shares multiple PHP-FPM pools. This is the most common way to run PHP nowadays and might affect you, too.

He starts by describing the vulnerability itself: the PHP process doesn't validate the userid when fetching cached bytecode. This could result in information from other operations/scripts being exposed to other processes in a PHP-FPM pool. His solution? Upgrade PHP (the bug was fixed back in PHP 5.6.5) and set a few additional opcache ini settings to enforce the validation. Besides 5.6.29, it was also corrected in the PHP 7 releases (7.0.14 and 7.1.0). The post then talks about the potential exploit: an indirect local privilege escalation to root, where the shared memory is read and access to outside information is possible.

tagged: opcache bytecode security issue leak sensitive information mitigation

Link: https://ma.ttias.be/mitigating-phps-long-standing-issue-opcache-leaking-sensitive-data/

Julien Pauli:
Huge Page usage in PHP 7
Oct 30, 2015 @ 12:16:48

In this post to his site Julien Pauli looks at the concept of "huge pages" and how it relates to some of the behind the scenes work done in PHP 7 to improve memory usage.

Memory paging is a way Operating Systems manage userland process memory. Each process memory access is virtual, and the OS together with the hardware MMU must translate that address into a physical address used to access the data in main memory (RAM).

Paging memory is dividing memory in chunks of fixed size, called pages. [...] Why use huge pages? The concept is easy. If we make the OS Kernel use bigger page sizes, that means that more data can be accessed into one single page. That also means that we'll suffer fewer TLB misses, once the page translation is stored into the TLB, because one translation will now be valid for more data.

He briefly covers how some updated memory handling and opcode restructuring helps PHP 7 perform even better, especially when it comes to the OPCache handling. He talks about the changes made in the extension specifically to support the "huge pages" idea, complete with code examples (in C) of how this was accomplished.

tagged: huge page php7 memory improvement performance opcache

Link: http://jpauli.github.io/2015/10/28/huge-page.html

SitePoint PHP Blog:
Understanding OpCache
Jul 30, 2014 @ 10:39:27

On the SitePoint PHP blog there's a new tutorial posted helping you understand OpCache, the caching engine built into PHP versions 5.5 and above. This cache isn't designed to cache data or other content, though. An OpCache caches "opcodes" when a script is executed.

PHP in version 5.5 comes with a caching engine built-in – OpCache – which stores precompiled script bytecode in the memory. If you’re familiar with APC or Xcache, you will already know how such engines work. As each PHP script is being compiled at runtime, a part of the execution time gets used for transforming the human readable code into code that can be understood by the machine. A bytecode cache engine like OpCache, APC or Xcache does it only once – during the first execution of a specific PHP file. Then the precompiled script is being stored in memory, which should lead to performance boosts in your PHP applications.

The remainder of the article is a series of answers to some common questions about using the cache, what it will do for your applications and some tools to use for tuning and status updates:

  • Is OpCache worth installing at all? What speed boost can I expect?
  • I already use APC cache. Should I migrate to OpCache?
  • How to check if OpCache is actually caching my files?
  • Is there any framework-specific config that I should set?
  • I keep my app config in a PHP file. Can I prevent it from being cached?
  • How can I run both a development and a production environment on a single server where OpCache is enabled?

tagged: opcache opcode cache tutorial introduction php55 bytecode

Link: http://www.sitepoint.com/understanding-opcache/

Simon Holywell:
HHVM vs Zephir vs PHP: The showdown
Mar 03, 2014 @ 12:38:14

Simon Holywell has posted what he calls a "showdown" between HHVM, Zephir and PHP comparing various benchmarks (based on a Mandelbrot Set fractal).

Since its inception the slow running speed of PHP has been widely publicised and over the years there have been a number of improvements. [...] It has become more interesting recently however with three projects looking for improvements in different ways. The core has adopted the Zend OPcache for future versions of PHP, Facebook has been working on a just in time compiler called HipHop VM and the team that brought us Phalcon framework have created Zephir.

All of these projects have chosen to tackle the issue of PHP's speed via different avenues. It has therefore left one simple question - who's making the biggest improvements? Who's the fastest?

He briefly introduces the "contenders" for those not familiar with them and gets right into the benchmarking process. He shares the link to the tests he used and a few notes about the HHVM setup that could account for lower numbers. He shares his results in a few graphs or you can grab the CSV data yourself and parse it. The entire setup is also over on GitHub if you'd like to just check that out.

tagged: showdown benchmark performance hhvm zephir opcache

Link: http://simonholywell.com/post/2014/02/hhvm-vs-zephir-vs-php-the-showdown.html

Davey Shafik:
Everything You Need to Know About OpCode Caches
Oct 01, 2013 @ 10:49:48

Davey Shafik has a new post to his site today sharing everything you need to know about opcode caches, the mechanism that works "behind the scenes" to cache the execution of the opcode paths for later reuse.

Last year I wrote a talk called “Fast, Not Furious: How to Find and Fix Slow Code” - a performance talk covering profiling, memcache and some other stuff. As I often do - to hedge my bets - I stuck a few slides on the end “just in case” I ran through everything too quickly and needed to fill in time. These slides were on APC, the Alternative PHP Cache, and went just a little into tokens and how APC works under the hood. I really enjoyed presenting those 6 slides, and I’ve been wanting to expand on that topic ever since then. Well, after a few weeks of hard work, some input from some great people, including Sara Golemon, Elizabeth Smith and Julien Pauli, I’m so very happy to publish PHP Performance I: Everything You Need to Know About OpCode Caches.

The result is published over on the Engine Yard Developer Center and has been made into a 20 minute screencast (with original slides here). He covers what they are, which ones are out there, the common execution cycle and what happens when the opcodes are cached.

tagged: opcode cache presentation screencast guide tutorial apc zend opcache

Link: http://daveyshafik.com/archives/68838-everything-you-need-to-know-about-opcode-caches.html