PHP扩展开发/Debug调试相关研究
一、编译PHP源码
PHP扩展开发和编译需要和PHP源码一起,所以进行PHP扩展开发的第一步就是先了解熟悉PHP源码的编译。
wget http://cn2.php.net/distributions/php-5.5.31.tar.gz tar -zvzf php-5.5.31.tar.gz //为了尽快得到可以测试的环境,我们仅编译一个最精简的PHP。通过执行 ./configure –disable-all来进行配置。 以后如果需要其他功能可以重新编译。如果configure命令出现错误,可能是缺少PHP所依赖的库,各个系统的环境可能不一样。 出现错误可根据出错信息上网搜索。 直到完成configure。configure完成后我们就可以开始编译 ./configure --enable-debug --enable-tokenizer /* apt-get install -y libxml2 */ make //运行编译后PHP ./sapi/cli/php -v //install NetBeans http://download.netbeans.org/netbeans/8.1/final/bundles/netbeans-8.1-linux.sh chmod 777 ./* ./netbeans-8.1-linux.sh ./configure CC=${IDE_CC} CXX=${IDE_CXX} CFLAGS="-g3 -gdwarf-2" CXXFLAGS="-g3 -gdwarf-2" --disable-all --enable-debug --enable-tokenizer
参考链接:
http://www.cnblogs.com/LittleHann/p/3562259.html
二、PHP扩展开发的项目结构
0x1:PHP扩展的优缺点
1、优点
- 效率:减少PHP脚本的复杂度,极端情况下,你只需要在PHP脚本中,简单的调用一个扩展实现的函数,然后所有的功能都就被扩展实现。
- 方便PHP应用代码与外部的库做交互:比如你有一个C/C++的库, 不妨假设,这个库呢就是实现了一个字符串加密和解密,而你并没有这个库的源码,也就是说,你无法把这个库在PHP中实现,那么你只有编写一个PHP扩展,来做为一个桥梁,连接起你的PHP和这个库。
- 复用Zend的词法/语法处理逻辑:在特殊领域的应用,例如WEBSHELL检测中,通过扩展Hook机制实现Token AST树的获取,然后在此基础上进行语法还原、和语法层面模拟执行
2、缺点
- 开发复杂:开发周期变长,最简单的一个例子,当你用PHP脚本的时候,如果你发现某个判断条件出错。你只要修改了这一行,保存,那么就立刻能见效。而如果是在C/C++编写的PHP扩展中, 那你可需要,修改源码,重新编译,然后重新load进PHP,然后重启Apache,才能见效。
- 可维护性降低。
0x2:扩展框架的源码项目结构
root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# cd helloworld/ root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext/helloworld# ll total 44 drwxr-xr-x 3 root root 4096 Jan 27 16:10 ./ drwxr-xr-x 80 ubuntu1204 ubuntu1204 4096 Jan 27 16:10 ../ -rw-r--r-- 1 root root 2178 Jan 27 16:10 config.m4 -rw-r--r-- 1 root root 324 Jan 27 16:10 config.w32 -rw-r--r-- 1 root root 10 Jan 27 16:10 CREDITS -rw-r--r-- 1 root root 0 Jan 27 16:10 EXPERIMENTAL -rw-r--r-- 1 root root 5296 Jan 27 16:10 helloworld.c -rw-r--r-- 1 root root 514 Jan 27 16:10 helloworld.php -rw-r--r-- 1 root root 2962 Jan 27 16:10 php_helloworld.h -rw-r--r-- 1 root root 16 Jan 27 16:10 .svnignore drwxr-xr-x 2 root root 4096 Jan 27 16:10 tests/
1、helloworld.c
这个文件是我们扩展的主要文件,扩展的主体逻辑都在里面实现
/* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ | Copyright (c) 1997-2015 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: | +----------------------------------------------------------------------+ */ /* $Id$ */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include "php.h" #include "php_ini.h" #include "ext/standard/info.h" #include "php_helloworld.h" /* If you declare any globals in php_helloworld.h uncomment this: ZEND_DECLARE_MODULE_GLOBALS(helloworld) */ /* True global resources - no need for thread safety here */ static int le_helloworld; /* {{{ helloworld_functions[] * * Every user visible function must have an entry in helloworld_functions[]. */ const zend_function_entry helloworld_functions[] = { PHP_FE(confirm_helloworld_compiled, NULL) /* For testing, remove later. */ PHP_FE_END /* Must be the last line in helloworld_functions[] */ }; /* }}} */ /* {{{ helloworld_module_entry */ zend_module_entry helloworld_module_entry = { #if ZEND_MODULE_API_NO >= 20010901 STANDARD_MODULE_HEADER, #endif "helloworld", helloworld_functions, PHP_MINIT(helloworld), PHP_MSHUTDOWN(helloworld), PHP_RINIT(helloworld), /* Replace with NULL if there's nothing to do at request start */ PHP_RSHUTDOWN(helloworld), /* Replace with NULL if there's nothing to do at request end */ PHP_MINFO(helloworld), #if ZEND_MODULE_API_NO >= 20010901 PHP_HELLOWORLD_VERSION, #endif STANDARD_MODULE_PROPERTIES }; /* }}} */ #ifdef COMPILE_DL_HELLOWORLD ZEND_GET_MODULE(helloworld) #endif /* {{{ PHP_INI */ /* Remove comments and fill if you need to have entries in php.ini PHP_INI_BEGIN() STD_PHP_INI_ENTRY("helloworld.global_value", "42", PHP_INI_ALL, OnUpdateLong, global_value, zend_helloworld_globals, helloworld_globals) STD_PHP_INI_ENTRY("helloworld.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_helloworld_globals, helloworld_globals) PHP_INI_END() */ /* }}} */ /* {{{ php_helloworld_init_globals */ /* Uncomment this function if you have INI entries static void php_helloworld_init_globals(zend_helloworld_globals *helloworld_globals) { helloworld_globals->global_value = 0; helloworld_globals->global_string = NULL; } */ /* }}} */ /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(helloworld) { /* If you have INI entries, uncomment these lines REGISTER_INI_ENTRIES(); */ return SUCCESS; } /* }}} */ /* {{{ PHP_MSHUTDOWN_FUNCTION */ PHP_MSHUTDOWN_FUNCTION(helloworld) { /* uncomment this line if you have INI entries UNREGISTER_INI_ENTRIES(); */ return SUCCESS; } /* }}} */ /* Remove if there's nothing to do at request start */ /* {{{ PHP_RINIT_FUNCTION */ PHP_RINIT_FUNCTION(helloworld) { return SUCCESS; } /* }}} */ /* Remove if there's nothing to do at request end */ /* {{{ PHP_RSHUTDOWN_FUNCTION */ PHP_RSHUTDOWN_FUNCTION(helloworld) { return SUCCESS; } /* }}} */ /* {{{ PHP_MINFO_FUNCTION */ PHP_MINFO_FUNCTION(helloworld) { php_info_print_table_start(); php_info_print_table_header(2, "helloworld support", "enabled"); php_info_print_table_end(); /* Remove comments if you have entries in php.ini DISPLAY_INI_ENTRIES(); */ } /* }}} */ /* Remove the following function when you have successfully modified config.m4 so that your module can be compiled into PHP, it exists only for testing purposes. */ /* Every user-visible function in PHP should document itself in the source */ /* {{{ proto string confirm_helloworld_compiled(string arg) Return a string to confirm that the module is compiled in */ PHP_FUNCTION(confirm_helloworld_compiled) { char *arg = NULL; int arg_len, len; char *strg; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg, &arg_len) == FAILURE) { return; } len = spprintf(&strg, 0, "Congratulations! You have successfully modified ext/%.78s/config.m4. Module %.78s is now compiled into PHP.", "helloworld", arg); RETURN_STRINGL(strg, len, 0); } /* }}} */ /* The previous line is meant for vim and emacs, so it can correctly fold and unfold functions in source code. See the corresponding marks just before function definition, where the functions purpose is also documented. Please follow this convention for the convenience of others editing your code. */ /* * Local variables: * tab-width: 4 * c-basic-offset: 4 * End: * vim600: noet sw=4 ts=4 fdm=marker * vim<600: noet sw=4 ts=4 */
函数自身的定义使用了宏PHP_FUNCTION(),该宏可以生成一个适合于Zend引擎的函数原型。
为了获得函数传递的参数,可以使用zend_parse_parameters()API函数:
zend_parse_parameters(int num_args TSRMLS_DC, char *type_spec, ...); 1. num_args: 传递给函数的参数个数。通常的做法是传给它ZEND_NUM_ARGS(),这是一个表示传递给函数参数总个数的宏。 2. TSRMLS_DC: 为了线程安全,总是传递TSRMLS_CC宏 3. *type_spec: 是一个字符串,指定了函数期望的参数类型 4. ...: 需要随参数值更新的变量列表,是一个变长数量参数传递
2、config.m4
m4是一个宏解释工具,它会把输入文件中的宏展开到输出文件。所以这个config.m4是PHP扩展框架所必须的,也是关键的一个文件,用来生成我们扩展的makefile
dnl $Id$ dnl config.m4 for extension helloworld //在m4中,dnl表示注释,如果需要启用对应配置项,则删除行首的dnl即可 dnl Comments in this file start with the string 'dnl'. dnl Remove where necessary. This file will not work dnl without editing. dnl If your extension references something external, use with: /* with说明了,要启用这个模块,必须要的先决条件,也就是说这个模块依赖于某些其他模块 */ dnl PHP_ARG_WITH(helloworld, for helloworld support, dnl Make sure that the comment is aligned: dnl [ --with-helloworld Include helloworld support]) dnl Otherwise use enable: /* 这段指令创建了一个configure时的参数“enable-example”, 第二个参数会显示在当configure处理到这个模块的configure文件的时候。第三个参数,会在用户输入./configurehelp的时候,作为一个可选的选项被显示 即相当于: ./configure --enable-helloworld */ dnl PHP_ARG_ENABLE(helloworld, whether to enable helloworld support, dnl Make sure that the comment is aligned: dnl [ --enable-helloworld Enable helloworld support]) if test "$PHP_HELLOWORLD" != "no"; then dnl Write more examples of tests here... dnl # --with-helloworld -> check with-path dnl SEARCH_PATH="/usr/local /usr" # you might want to change this dnl SEARCH_FOR="/include/helloworld.h" # you most likely want to change this dnl if test -r $PHP_HELLOWORLD/$SEARCH_FOR; then # path given as parameter dnl HELLOWORLD_DIR=$PHP_HELLOWORLD dnl else # search default path list dnl AC_MSG_CHECKING([for helloworld files in default path]) dnl for i in $SEARCH_PATH ; do dnl if test -r $i/$SEARCH_FOR; then dnl HELLOWORLD_DIR=$i dnl AC_MSG_RESULT(found in $i) dnl fi dnl done dnl fi dnl dnl if test -z "$HELLOWORLD_DIR"; then dnl AC_MSG_RESULT([not found]) dnl AC_MSG_ERROR([Please reinstall the helloworld distribution]) dnl fi dnl # --with-helloworld -> add include path dnl PHP_ADD_INCLUDE($HELLOWORLD_DIR/include) dnl # --with-helloworld -> check for lib and symbol presence dnl LIBNAME=helloworld # you may want to change this dnl LIBSYMBOL=helloworld # you most likely want to change this /* 在库library中查找第二个参数是否存在(这里是AC_DEFINE(HAVE_HELLOWORLDLIB,1,[ ])),如果存在则这个宏会被展开成found,否则not-found; */ dnl PHP_CHECK_LIBRARY($LIBNAME,$LIBSYMBOL, dnl [ dnl PHP_ADD_LIBRARY_WITH_PATH($LIBNAME, $HELLOWORLD_DIR/$PHP_LIBDIR, HELLOWORLD_SHARED_LIBADD) dnl AC_DEFINE(HAVE_HELLOWORLDLIB,1,[ ]) dnl ],[ dnl AC_MSG_ERROR([wrong helloworld lib version or lib not found]) dnl ],[ dnl -L$HELLOWORLD_DIR/$PHP_LIBDIR -lm dnl ]) dnl dnl PHP_SUBST(HELLOWORLD_SHARED_LIBADD) /* 这个就是对AC_DEFUN简单包装,最终会被展开成: #define what value */ dnl PHP_DEFINE(what, [value]) /* 如果你的扩展是使用C++编写,那么你就必须使用这个宏,来告诉编译器使用C++编译器。这个宏会被展开成 AC_PROG_CXX AC_PROG_CXXCPP */ dnl PHP_REQURE_CXX PHP_NEW_EXTENSION(helloworld, helloworld.c, $ext_shared) fi
3、CREDITES
用来在发布你的扩展的时候附加一些其他信息 ,比如等等
4、helloworld.php
用来简单测试你的扩展的
<?php $br = (php_sapi_name() == "cli")? "":"<br>"; if(!extension_loaded('helloworld')) { dl('helloworld.' . PHP_SHLIB_SUFFIX); } $module = 'helloworld'; $functions = get_extension_funcs($module); echo "Functions available in the test extension:$br\n"; foreach($functions as $func) { echo $func."$br\n"; } echo "$br\n"; $function = 'confirm_' . $module . '_compiled'; if (extension_loaded($module)) { $str = $function($module); } else { $str = "Module $module is not compiled into PHP"; } echo "$str\n"; ?>
5、php_helloworld.h
/* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ | Copyright (c) 1997-2015 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: | +----------------------------------------------------------------------+ */ /* $Id$ */ #ifndef PHP_HELLOWORLD_H #define PHP_HELLOWORLD_H extern zend_module_entry helloworld_module_entry; #define phpext_helloworld_ptr &helloworld_module_entry #define PHP_HELLOWORLD_VERSION "0.1.0" /* Replace with version number for your extension */ #ifdef PHP_WIN32 # define PHP_HELLOWORLD_API __declspec(dllexport) #elif defined(__GNUC__) && __GNUC__ >= 4 # define PHP_HELLOWORLD_API __attribute__ ((visibility("default"))) #else # define PHP_HELLOWORLD_API #endif #ifdef ZTS #include "TSRM.h" #endif PHP_MINIT_FUNCTION(helloworld); PHP_MSHUTDOWN_FUNCTION(helloworld); PHP_RINIT_FUNCTION(helloworld); PHP_RSHUTDOWN_FUNCTION(helloworld); PHP_MINFO_FUNCTION(helloworld); PHP_FUNCTION(confirm_helloworld_compiled); /* For testing, remove later. */ /* Declare any global variables you may need between the BEGIN and END macros here: ZEND_BEGIN_MODULE_GLOBALS(helloworld) long global_value; char *global_string; ZEND_END_MODULE_GLOBALS(helloworld) */ /* In every utility function you add that needs to use variables in php_helloworld_globals, call TSRMLS_FETCH(); after declaring other variables used by that function, or better yet, pass in TSRMLS_CC after the last function argument and declare your utility function with TSRMLS_DC after the last declared argument. Always refer to the globals in your function as HELLOWORLD_G(variable). You are encouraged to rename these macros something shorter, see examples in any other php module directory. */ #ifdef ZTS #define HELLOWORLD_G(v) TSRMG(helloworld_globals_id, zend_helloworld_globals *, v) #else #define HELLOWORLD_G(v) (helloworld_globals.v) #endif #endif /* PHP_HELLOWORLD_H */ /* * Local variables: * tab-width: 4 * c-basic-offset: 4 * End: * vim600: noet sw=4 ts=4 fdm=marker * vim<600: noet sw=4 ts=4 */
参考链接:
http://www.laruence.com/2008/08/16/301.html
三、使用PHP原生扩展框架wizard ext_skel编写扩展
0x1:Hello world扩展框架代码生成
root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31# cd ext/ root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# pwd /home/ubuntu1204/phpsourcecode/php-5.5.31/ext root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# ./ext_skel --extname=helloworld Creating directory helloworld Creating basic files: config.m4 config.w32 .svnignore helloworld.c php_helloworld.h CREDITS EXPERIMENTAL tests/001.phpt helloworld.php [done]. To use your new extension, you will have to execute the following steps: 1. $ cd .. 2. $ vi ext/helloworld/config.m4 3. $ ./buildconf 4. $ ./configure --[with|enable]-helloworld 5. $ make 6. $ ./sapi/cli/php -f ext/helloworld/helloworld.php 7. $ vi ext/helloworld/helloworld.c 8. $ make Repeat steps 3-6 until you are satisfied with ext/helloworld/config.m4 and step 6 confirms that your module is compiled into PHP. Then, start writing code and repeat the last two steps as often as necessary.
在ext目录下生成了一个名为example的目录,并在这个目录下生成了所有的要完成一个PHP扩展所必须的文件和代码。
0x2:修改config.m4
去除注释
PHP_ARG_WITH(helloworld, for helloworld support, dnl Make sure that the comment is aligned: [ --with-helloworld Include helloworld support])
0x3:编译
编译扩展有两种方法
- 可装载模块或者DSO(动态共享对象)
- 静态编译到PHP
1、可装载模块或者DSO(动态共享对象)
./buildconf --force root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31# ./configure --help | grep helloworld --with-helloworld Include helloworld support make /* 安装PHP Installing shared extensions: /usr/local/lib/php/extensions/debug-non-zts-20121212/ Installing PHP CLI binary: /usr/local/bin/ Installing PHP CLI man page: /usr/local/php/man/man1/ Installing PHP CGI binary: /usr/local/bin/ Installing PHP CGI man page: /usr/local/php/man/man1/ Installing build environment: /usr/local/lib/php/build/ Installing header files: /usr/local/include/php/ Installing helper programs: /usr/local/bin/ program: phpize program: php-config Installing man pages: /usr/local/php/man/man1/ page: phpize.1 page: php-config.1 Installing PEAR environment: /usr/local/lib/php/ [PEAR] Archive_Tar - installed: 1.4.0 [PEAR] Console_Getopt - installed: 1.4.1 [PEAR] Structures_Graph- installed: 1.1.1 [PEAR] XML_Util - installed: 1.3.0 [PEAR] PEAR - installed: 1.10.1 Wrote PEAR system config file at: /usr/local/etc/pear.conf You may want to add: /usr/local/lib/php to your php.ini include_path /home/ubuntu1204/phpsourcecode/php-5.5.31/build/shtool install -c ext/phar/phar.phar /usr/local/bin ln -s -f phar.phar /usr/local/bin/phar Installing PDO headers: /usr/local/include/php/ext/pdo/ */ make install //编译扩展 cd ./ext/helloword phpize ./configure --with-helloworld make //复制扩展so库到PHP目录 make install
2、静态编译到PHP
将静态库编译进PHP,和普通的静态库编译链接是一个道理,我们使用C/C++编写逻辑代码,并编译成静态.a库,然后重新编译PHP主程序源代码,并在编译参数中显式说明需要链接对应静态库。
大致流程如下:
- 用C/C++写PHP扩展
- 编译静态库.a库
- 把静态库加入PHP: 假设静态库的文件名叫libnpc.a,放在/home目录下。在PHP的安装目录下输入如下命令: export LDFLAGS="–L/home –lnpc",这个环境变量的作用就是让PHP在编译时知道要把这个库也一起编译进去
- 编译PHP
参考链接:
http://www.laruence.com/2011/09/13/2139.html https://segmentfault.com/a/1190000003952548 http://hzcsky.blog.51cto.com/1560073/820232 http://www.laruence.com/2009/04/28/719.html http://www.thinksaas.cn/manual/php/features.commandline.html http://weizhifeng.net/write-php-extension-part1.html
四、一个PHP扩展的例子 -- 编译/安装/Debug调试VLD
VLD(Vulcan Logic Dumper)是一个在Zend引擎中,以挂钩的方式实现的用于输出PHP脚本生成的中间代码(执行单元)的扩展。
0x1:编译安装
cd /home/ubuntu1204/phpsourcecode/php-5.5.31/ext/vld 解压VLD(Vulcan Logic Dumper) phpize ./configure --enable-vld make make install //需要注意的,在PHP CLI模式下,php.ini的配置会被覆盖,我们可以自己显式配置php.ini指令 ./sapi/cli/php -d extension=vld.so -dvld.active=1 /home/ubuntu1204/phpsourcecode/sample/shell.php
0x2:使用VLD打印PHP源码对应的Opcode
//./sapi/cli/php -d extension=vld.so -dvld.active=1 -dvld.verbosity=3 /home/ubuntu1204/phpsourcecode/sample/shell.php //./sapi/cli/php -d extension=vld.so -dvld.active=1 -dvld.execute=0 /home/ubuntu1204/phpsourcecode/sample/shell.php 1. -dvld.active: 是否在执行PHP时激活VLD挂钩 1) 默认为0: 表示禁用 2) 使用-dvld.active=1启用 2. -dvld.skip_prepend: 是否跳过php.ini配置文件中auto_prepend_file指定的文件 1) 默认为0,即不跳过包含的文件,显示这些包含的文件中的代码所生成的中间代码。此参数生效有一个前提条件:-dvld.execute=0 3. -dvld.execute: 是否执行这段PHP脚本 1) 默认值为1,表示执行 2) 使用-dvld.execute=0,表示只显示中间代码,不执行生成的中间代码 4. -dvld.format: 是否以自定义的格式显示 1) 默认为0,表示否 2) 使用-dvld.format=1,表示以自己定义的格式显示。这里自定义的格式输出是以-dvld.col_sep指定的参数间隔 5. -dvld.col_sep: 在-dvld.format参数启用时此函数才会有效,默认为 "t" 6. -dvld.verbosity: 是否显示更详细的信息 1) 默认为1 2) 其值可以为0,1,2,3 其实比0小的也可以,只是效果和0一样,比如0.1之类,但是负数除外,负数和效果和3的效果一样 比3大的值也是可以的,只是效果和3一样,3代表最详细 7. -dvld.save_dir: 指定文件输出的路径,默认路径为/tmp 8. -dvld.save_paths: 控制是否输出文件,默认为0,表示不输出文件 9. -dvld.dump_paths: 控制输出的内容,现在只有0和1两种情况,默认为1,输出内容
参考链接:
http://techlog.cn/article/list/10182879 http://pecl.php.net/package/vld http://www.lampweb.org/seo/8/20.html http://hilojack.com/p/php-vld/
0x3:Debug调试VLD源码
cd /home/ubuntu1204/phpsourcecode/php-5.5.31/ext/vld vim config.m4 /* 在最后一行添加 if test -z "$PHP_DEBUG"; then AC_ARG_ENABLE(debug, [--enable-debg compile with debugging system], [PHP_DEBUG=$enableval], [PHP_DEBUG=no] ) fi 这样就表示该扩展能够进行调试了,然后编译该扩展 */ phpize ./configure --enable-vld make make install //编辑netbeans Debug参数 "${OUTPUT_PATH}" -d extension=vld.so -dvld.active=3 /home/ubuntu1204/phpsourcecode/sample/shell.php
参考链接:
https://segmentfault.com/a/1190000002703073 http://www.codefrom.com/paper/%E4%BD%BF%E7%94%A8gdb%E8%B0%83%E8%AF%95php%E6%89%A9%E5%B1%95
0x4:VLD源码分析
1、vld_compile_file
vld.c
/* {{{ zend_op_array vld_compile_file (file_handle, type) * This function provides a hook for compilation */ static zend_op_array *vld_compile_file(zend_file_handle *file_handle, int type TSRMLS_DC) { zend_op_array *op_array; if (!VLD_G(execute) && ((VLD_G(skip_prepend) && PG(auto_prepend_file) && PG(auto_prepend_file)[0] && PG(auto_prepend_file) == file_handle->filename) || (VLD_G(skip_append) && PG(auto_append_file) && PG(auto_append_file)[0] && PG(auto_append_file) == file_handle->filename))) { zval nop; #if PHP_VERSION_ID >= 70000 zend_op_array *ret; ZVAL_STRINGL(&nop, "RETURN ;", 8); ret = compile_string(&nop, "NOP" TSRMLS_CC); zval_dtor(&nop); return ret; #else ZVAL_STRINGL(&nop, "RETURN ;", 8, 0); return compile_string(&nop, "NOP" TSRMLS_CC); #endif } //调用Zend的编译Lex函数,获取待检测样本Opcode array op_array = old_compile_file (file_handle, type TSRMLS_CC); if (VLD_G(path_dump_file)) { fprintf(VLD_G(path_dump_file), "subgraph cluster_file_%08x { label=\"file %s\";\n", op_array, op_array->filename ? ZSTRING_VALUE(op_array->filename) : "__main"); } if (op_array) { //打印opcod数组 vld_dump_oparray (op_array TSRMLS_CC); } zend_hash_apply_with_arguments (CG(function_table) APPLY_TSRMLS_CC, (apply_func_args_t) vld_dump_fe, 0); zend_hash_apply (CG(class_table), (apply_func_t) vld_dump_cle TSRMLS_CC); if (VLD_G(path_dump_file)) { fprintf(VLD_G(path_dump_file), "}\n"); } return op_array; } /* }}} */
2、vld_dump_oparray
srm_oparray.c
void vld_dump_oparray(zend_op_array *opa TSRMLS_DC) { unsigned int i; vld_set *set; vld_branch_info *branch_info; //获取oparray中保存opcode数组的基地址 unsigned int base_address = (unsigned int)(zend_intptr_t)&(opa->opcodes[0]); //为分析结果集申请空间,初始化 set = vld_set_create(opa->last); //为分支逻辑块申请空间,初始化 branch_info = vld_branch_info_create(opa->last); if (VLD_G(dump_paths)) { vld_analyse_oparray(opa, set, branch_info TSRMLS_CC); } if (VLD_G(format)) { vld_printf (stderr, "filename:%s%s\n", VLD_G(col_sep), ZSTRING_VALUE(opa->filename)); vld_printf (stderr, "function name:%s%s\n", VLD_G(col_sep), ZSTRING_VALUE(opa->function_name)); vld_printf (stderr, "number of ops:%s%d\n", VLD_G(col_sep), opa->last); } else { vld_printf (stderr, "filename: %s\n", ZSTRING_VALUE(opa->filename)); vld_printf (stderr, "function name: %s\n", ZSTRING_VALUE(opa->function_name)); vld_printf (stderr, "number of ops: %d\n", opa->last); } #ifdef IS_CV /* PHP >= 5.1 */ vld_printf (stderr, "compiled vars: "); for (i = 0; i < opa->last_var; i++) { vld_printf (stderr, "!%d = $%s%s", i, OPARRAY_VAR_NAME(opa->vars[i]), ((i + 1) == opa->last_var) ? "\n" : ", "); } if (!opa->last_var) { vld_printf(stderr, "none\n"); } #endif if (VLD_G(format)) { vld_printf(stderr, "line%s# *%s%s%sop%sfetch%sext%sreturn%soperands\n",VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep)); } else { vld_printf(stderr, "line #* E I O op fetch ext return operands\n"); vld_printf(stderr, "-------------------------------------------------------------------------------------\n"); } for (i = 0; i < opa->last; i++) { vld_dump_op(i, opa->opcodes, base_address, vld_set_in(set, i), vld_set_in(branch_info->entry_points, i), vld_set_in(branch_info->starts, i), vld_set_in(branch_info->ends, i), opa TSRMLS_CC); } vld_printf(stderr, "\n"); if (VLD_G(dump_paths)) { vld_branch_post_process(opa, branch_info); vld_branch_find_paths(branch_info); vld_branch_info_dump(opa, branch_info TSRMLS_CC); } vld_set_free(set); vld_branch_info_free(branch_info); }
3、vld_analyse_oparray
void vld_analyse_oparray(zend_op_array *opa, vld_set *set, vld_branch_info *branch_info TSRMLS_DC) { unsigned int position = 0; VLD_PRINT(1, "Finding entry points\n"); while (position < opa->last) { if (position == 0) { vld_analyse_branch(opa, position, set, branch_info TSRMLS_CC); vld_set_add(branch_info->entry_points, position); #if PHP_MAJOR_VERSION >= 5 } else if (opa->opcodes[position].opcode == ZEND_CATCH) { if (VLD_G(format)) { VLD_PRINT2(1, "Found catch point at position:%s%d\n", VLD_G(col_sep),position); } else { VLD_PRINT1(1, "Found catch point at position: %d\n", position); } vld_analyse_branch(opa, position, set, branch_info TSRMLS_CC); vld_set_add(branch_info->entry_points, position); #endif } position++; } vld_set_add(branch_info->ends, opa->last-1); branch_info->branches[opa->last-1].start_lineno = opa->opcodes[opa->last-1].lineno; }
4、vld_analyse_branch
可以看到,VLD是根据Branch进行"逐块"翻译的,从PHP Zend的角度来看,构成"分支结构语法"的用户态代码结构有
1. if 2. for 3. foreach 4. goto 5. exit ..
void vld_analyse_branch(zend_op_array *opa, unsigned int position, vld_set *set, vld_branch_info *branch_info TSRMLS_DC)
void vld_analyse_branch(zend_op_array *opa, unsigned int position, vld_set *set, vld_branch_info *branch_info TSRMLS_DC) { long jump_pos1 = VLD_JMP_NOT_SET; long jump_pos2 = VLD_JMP_NOT_SET; if (VLD_G(format)) { VLD_PRINT2(1, "Branch analysis from position:%s%d\n", VLD_G(col_sep),position); } else { VLD_PRINT1(1, "Branch analysis from position: %d\n", position); } vld_set_add(branch_info->starts, position); branch_info->branches[position].start_lineno = opa->opcodes[position].lineno; /* First we see if the branch has been visited, if so we bail out. */ if (vld_set_in(set, position)) { return; } /* Loop over the opcodes until the end of the array, or until a jump point has been found */ VLD_PRINT1(2, "Add %d\n", position); vld_set_add(set, position); while (position < opa->last) { jump_pos1 = VLD_JMP_NOT_SET; jump_pos2 = VLD_JMP_NOT_SET; /* See if we have a jump instruction */ //定位条件逻辑块的起始、结束位置 if (vld_find_jump(opa, position, &jump_pos1, &jump_pos2)) { VLD_PRINT1(1, "Jump found. Position 1 = %d", jump_pos1); if (jump_pos2 != VLD_JMP_NOT_SET) { VLD_PRINT1(1, ", Position 2 = %d\n", jump_pos2); } else { VLD_PRINT(1, "\n"); } //从当前条件分支(Branch)开始,递归处理子语句块 if (jump_pos1 == VLD_JMP_EXIT || jump_pos1 >= 0) { vld_branch_info_update(branch_info, position, opa->opcodes[position].lineno, 0, jump_pos1); if (jump_pos1 != VLD_JMP_EXIT) { vld_analyse_branch(opa, jump_pos1, set, branch_info TSRMLS_CC); } } if (jump_pos2 == VLD_JMP_EXIT || jump_pos2 >= 0) { vld_branch_info_update(branch_info, position, opa->opcodes[position].lineno, 1, jump_pos2); if (jump_pos2 != VLD_JMP_EXIT) { vld_analyse_branch(opa, jump_pos2, set, branch_info TSRMLS_CC); } } break; } #ifdef ZEND_ENGINE_2 /* See if we have a throw instruction */ if (opa->opcodes[position].opcode == ZEND_THROW) { VLD_PRINT1(1, "Throw found at %d\n", position); vld_set_add(branch_info->ends, position); branch_info->branches[position].start_lineno = opa->opcodes[position].lineno; break; } #endif /* See if we have an exit instruction */ if (opa->opcodes[position].opcode == ZEND_EXIT) { VLD_PRINT(1, "Exit found\n"); vld_set_add(branch_info->ends, position); branch_info->branches[position].start_lineno = opa->opcodes[position].lineno; break; } /* See if we have a return instruction */ if ( opa->opcodes[position].opcode == ZEND_RETURN #if PHP_VERSION_ID >= 50400 || opa->opcodes[position].opcode == ZEND_RETURN_BY_REF #endif ) { VLD_PRINT(1, "Return found\n"); vld_set_add(branch_info->ends, position); branch_info->branches[position].start_lineno = opa->opcodes[position].lineno; break; } position++; VLD_PRINT1(2, "Add %d\n", position); vld_set_add(set, position); } }
5、vld_dump_op
void vld_dump_op(int nr, zend_op * op_ptr, unsigned int base_address, int notdead, int entry, int start, int end, zend_op_array *opa TSRMLS_DC) { static uint last_lineno = (uint) -1; int print_sep = 0, len; char *fetch_type = ""; unsigned int flags, op1_type, op2_type, res_type; const zend_op op = op_ptr[nr]; if (op.lineno == 0) { return; } if (op.opcode >= NUM_KNOWN_OPCODES) { flags = ALL_USED; } else { flags = opcodes[op.opcode].flags; } op1_type = op.VLD_TYPE(op1); op2_type = op.VLD_TYPE(op2); res_type = op.VLD_TYPE(result); if (flags == SPECIAL) { flags = vld_get_special_flags(&op, base_address); } if (flags & OP1_OPLINE) { op1_type = VLD_IS_OPLINE; } if (flags & OP2_OPLINE) { op2_type = VLD_IS_OPLINE; } if (flags & OP1_OPNUM) { op1_type = VLD_IS_OPNUM; } if (flags & OP2_OPNUM) { op2_type = VLD_IS_OPNUM; } if (flags & OP1_CLASS) { op1_type = VLD_IS_CLASS; } if (flags & RES_CLASS) { res_type = VLD_IS_CLASS; } if (flags & OP_FETCH) { #ifdef ZEND_ENGINE_2 switch (op.VLD_EXTENDED_VALUE(op2)) { case ZEND_FETCH_GLOBAL: fetch_type = "global"; break; case ZEND_FETCH_LOCAL: fetch_type = "local"; break; case ZEND_FETCH_STATIC: fetch_type = "static"; break; case ZEND_FETCH_STATIC_MEMBER: fetch_type = "static member"; break; #ifdef ZEND_FETCH_GLOBAL_LOCK case ZEND_FETCH_GLOBAL_LOCK: fetch_type = "global lock"; break; #endif #ifdef ZEND_FETCH_AUTO_GLOBAL case ZEND_FETCH_AUTO_GLOBAL: fetch_type = "auto global"; break; #endif default: fetch_type = "unknown"; break; } #else if (op.op2.u.fetch_type == ZEND_FETCH_GLOBAL) { fetch_type = "global"; } else if (op.op2.u.fetch_type == ZEND_FETCH_STATIC) { fetch_type = "static"; } #endif } if (op.lineno == last_lineno) { vld_printf(stderr, " "); } else { vld_printf(stderr, "%4d ", op.lineno); last_lineno = op.lineno; } if (op.opcode >= NUM_KNOWN_OPCODES) { if (VLD_G(format)) { vld_printf(stderr, "%5d %s %c %c %c %c %s <%03d>%-23s %s %-14s ", nr, VLD_G(col_sep), notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', VLD_G(col_sep), op.opcode, VLD_G(col_sep), fetch_type); } else { vld_printf(stderr, "%5d%c %c %c %c <%03d>%-23s %-14s ", nr, notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', op.opcode, "", fetch_type); } } else { if (VLD_G(format)) { vld_printf(stderr, "%5d %s %c %c %c %c %s %-28s %s %-14s ", nr, VLD_G(col_sep), notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', VLD_G(col_sep), opcodes[op.opcode].name, VLD_G(col_sep), fetch_type); } else { vld_printf(stderr, "%5d%c %c %c %c %-28s %-14s ", nr, notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', opcodes[op.opcode].name, fetch_type); } } if (flags & EXT_VAL) { vld_printf(stderr, "%3d ", op.extended_value); } else { vld_printf(stderr, " "); } if ((flags & RES_USED) && !(op.VLD_EXTENDED_VALUE(result) & EXT_TYPE_UNUSED)) { VLD_PRINT(3, " RES[ "); len = vld_dump_znode (NULL, res_type, op.result, base_address TSRMLS_CC); VLD_PRINT(3, " ]"); if (VLD_G(format)) { if (len==0) { vld_printf(stderr, " "); } } else { vld_printf(stderr, "%*s", 8-len, " "); } } else { vld_printf(stderr, " "); } if (flags & OP1_USED) { VLD_PRINT(3, " OP1[ "); vld_dump_znode (&print_sep, op1_type, op.op1, base_address TSRMLS_CC); VLD_PRINT(3, " ]"); } if (flags & OP2_USED) { VLD_PRINT(3, " OP2[ "); if (flags & OP2_INCLUDE) { if (VLD_G(verbosity) < 3 && print_sep) { vld_printf(stderr, ", "); } #if PHP_VERSION_ID >= 50399 switch (op.extended_value) { #else switch (Z_LVAL(op.op2.u.constant)) { #endif case ZEND_INCLUDE_ONCE: vld_printf(stderr, "INCLUDE_ONCE"); break; case ZEND_REQUIRE_ONCE: vld_printf(stderr, "REQUIRE_ONCE"); break; case ZEND_INCLUDE: vld_printf(stderr, "INCLUDE"); break; case ZEND_REQUIRE: vld_printf(stderr, "REQUIRE"); break; case ZEND_EVAL: vld_printf(stderr, "EVAL"); break; default: vld_printf(stderr, "!!ERROR!!"); break; } } else { vld_dump_znode (&print_sep, op2_type, op.op2, base_address TSRMLS_CC); } VLD_PRINT(3, " ]"); } if (flags & OP2_BRK_CONT) { long jmp; zend_brk_cont_element *el; VLD_PRINT(3, " BRK_CONT[ "); #if PHP_VERSION_ID >= 50399 el = vld_find_brk_cont(Z_LVAL_P(op.op2.zv), VLD_ZNODE_ELEM(op.op1, opline_num), opa); #else el = vld_find_brk_cont(op.op2.u.constant.value.lval, VLD_ZNODE_ELEM(op.op1, opline_num), opa); #endif jmp = op.opcode == ZEND_BRK ? el->brk : el->cont; vld_printf (stderr, ", ->%d", jmp); VLD_PRINT(3, " ]"); } if (flags & NOP2_OPNUM) { zend_op next_op = op_ptr[nr+1]; vld_dump_znode (&print_sep, VLD_IS_OPNUM, next_op.op2, base_address TSRMLS_CC); } vld_printf (stderr, "\n"); }
参考链接:
http://bug1874.com/archives/125 http://blog.csdn.net/phpkernel/article/details/5718519
