Fix segfault: Remove per-thread php_module_startup calls

The crash was caused by calling php_module_startup() from multiple
tokio worker threads concurrently. php_module_startup() is not
thread-safe - it modifies global state including the memory allocator
function pointers.

The fix:
- php_module_startup() is called ONCE on the main thread when Sapi
  is constructed (via startup callback)
- Worker threads only call ext_php_rs_sapi_per_thread_init() via
  ThreadScope to set up thread-local storage (TSRM TLS)
- Removed ModuleScope since it's not needed for per-thread init

The crash manifested as EXC_BAD_ACCESS in _estrdup when the
corrupted memory allocator function pointer table was dereferenced.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Qard

index.js

@@ -28,9 +28,12 @@ function getNativeBinding({ platform, arch }) {
     name += '-msvc'
   }
 
-  const path = process.env.PHP_NODE_TEST
-    ? `./php.${name}.node`
-    : `./npm/${name}/binding.node`
-
-  return require(path)
+  try {
+    return require(`./npm/${name}/binding.node`)
+  } catch (err) {
+    if (err.code === 'MODULE_NOT_FOUND') {
+      return require(`./php.${name}.node`)
+    }
+    throw err
+  }
 }

src/embed.rs

@@ -341,62 +341,48 @@ impl Handler for Embed {
 
     // Spawn blocking PHP execution - ALL PHP operations happen here
     let blocking_handle = tokio::task::spawn_blocking(move || {
-      eprintln!("DEBUG [spawn_blocking] Step 1: Entered spawn_blocking");
+      // Keep sapi alive for the duration of the blocking task
+      let _sapi = sapi;
 
       // Initialize thread-local storage for this worker thread.
       // This calls ext_php_rs_sapi_per_thread_init() -> ts_resource(0) which sets up
       // PHP's thread-local storage for the current thread.
+      //
+      // NOTE: php_module_startup() is called ONCE on the main thread when Sapi is created.
+      // Worker threads only need per-thread TLS initialization via ThreadScope, NOT
+      // another php_module_startup call. Calling php_module_startup from multiple threads
+      // concurrently corrupts global state (memory allocator function pointers).
       let _thread_scope = ThreadScope::new();
-      eprintln!("DEBUG [spawn_blocking] Step 2: ThreadScope created");
-
-      // Initialize PHP module for this thread.
-      // In ZTS mode, php_module_startup must be called per-thread after the thread's
-      // local storage has been initialized. ModuleScope ensures matching shutdown.
-      let _module_scope = sapi
-        .module_scope()
-        .map_err(|_| EmbedRequestError::SapiNotStarted)?;
-      eprintln!("DEBUG [spawn_blocking] Step 3: ModuleScope created (php_module_startup called)");
 
       // Setup RequestContext (always streaming from SAPI perspective)
       // RequestContext::new() will extract the request body's read stream and add it as RequestStream extension
-      eprintln!("DEBUG [spawn_blocking] Step 4: Creating RequestContext");
       let ctx = RequestContext::new(
         request,
         docroot.clone(),
         response_writer.clone(),
         headers_sent_tx,
       );
       RequestContext::set_current(Box::new(ctx));
-      eprintln!("DEBUG [spawn_blocking] Step 5: RequestContext set as current");
 
       // All estrdup calls happen here, inside spawn_blocking, after ThreadScope::new()
       // has initialized PHP's thread-local storage. These will be freed by efree in
       // sapi_module_deactivate during request shutdown.
-      eprintln!("DEBUG [spawn_blocking] Step 6: About to call estrdup for request_uri");
-      let request_uri_c = estrdup(request_uri_str.as_str());
-      eprintln!("DEBUG [spawn_blocking] Step 7: estrdup for request_uri completed");
-      let path_translated = estrdup(translated_path_str.as_str());
-      eprintln!("DEBUG [spawn_blocking] Step 8: estrdup for path_translated completed");
-      let request_method = estrdup(method_str.as_str());
-      eprintln!("DEBUG [spawn_blocking] Step 9: estrdup for request_method completed");
-      let query_string = estrdup(query_str.as_str());
-      eprintln!("DEBUG [spawn_blocking] Step 10: estrdup for query_string completed");
+      let request_uri_c = estrdup(request_uri_str);
+      let path_translated = estrdup(translated_path_str.clone());
+      let request_method = estrdup(method_str);
+      let query_string = estrdup(query_str);
       let content_type = content_type_str
-        .as_ref()
-        .map(|s| estrdup(s.as_str()))
+        .map(estrdup)
         .unwrap_or(std::ptr::null_mut());
-      eprintln!("DEBUG [spawn_blocking] Step 11: estrdup for content_type completed");
 
       // Prepare argv pointers
       let argc = args.len() as i32;
       let mut argv_ptrs: Vec<*mut c_char> = args
         .iter()
         .map(|s| estrdup(s.as_str()))
         .collect();
-      eprintln!("DEBUG [spawn_blocking] Step 12: argv_ptrs prepared");
 
       // Set SAPI globals BEFORE php_request_startup since PHP reads these during initialization
-      eprintln!("DEBUG [spawn_blocking] Step 13: Setting SAPI globals");
       {
         let mut globals = SapiGlobals::get_mut();
         globals.options |= ext_php_rs::ffi::SAPI_OPTION_NO_CHDIR as i32;
@@ -412,61 +398,40 @@ impl Handler for Embed {
         globals.request_info.content_type = content_type;
         globals.request_info.content_length = content_length;
       }
-      eprintln!("DEBUG [spawn_blocking] Step 14: SAPI globals set");
 
       let result = try_catch_first(|| {
-        eprintln!("DEBUG [spawn_blocking] Step 15: Creating RequestScope");
         let _request_scope = RequestScope::new()?;
-        eprintln!("DEBUG [spawn_blocking] Step 16: RequestScope created");
 
         // Execute PHP script
-        eprintln!("DEBUG [spawn_blocking] Step 17: Creating FileHandleScope");
         {
           let mut file_handle = FileHandleScope::new(translated_path_str.clone());
-          eprintln!("DEBUG [spawn_blocking] Step 18: Executing PHP script");
           try_catch(|| unsafe { php_execute_script(file_handle.deref_mut()) })
             .map_err(|_| EmbedRequestError::Bailout)?;
-          eprintln!("DEBUG [spawn_blocking] Step 19: PHP script execution completed");
         }
 
         // Handle exceptions
         if let Some(err) = ExecutorGlobals::take_exception() {
           let ex = Error::Exception(err);
-          eprintln!("DEBUG [spawn_blocking] PHP exception occurred: {}", ex);
           return Err(EmbedRequestError::Exception(ex.to_string()));
         }
 
-        eprintln!("DEBUG [spawn_blocking] Step 20: No exceptions, returning Ok");
         Ok(())
         // RequestScope drops here, triggering request shutdown
         // Output buffering flush happens during shutdown, calling ub_write
         // RequestContext must still be alive at this point!
       });
 
-      eprintln!("DEBUG [spawn_blocking] Step 21: try_catch_first completed, reclaiming RequestContext");
       // Reclaim RequestContext AFTER RequestScope has dropped
       // This ensures output buffer flush during shutdown can still access the context
       // Note: reclaim() also shuts down the response stream to signal EOF to consumers
       let _ctx = RequestContext::reclaim();
-      eprintln!("DEBUG [spawn_blocking] Step 22: RequestContext reclaimed");
 
       // Flatten the result
-      let final_result = match result {
-        Ok(Ok(())) => {
-          eprintln!("DEBUG [spawn_blocking] Step 23: Returning success");
-          Ok(())
-        }
-        Ok(Err(e)) => {
-          eprintln!("DEBUG [spawn_blocking] Step 23: Returning error: {:?}", e);
-          Err(e)
-        }
-        Err(_) => {
-          eprintln!("DEBUG [spawn_blocking] Step 23: Returning bailout");
-          Err(EmbedRequestError::Bailout)
-        }
-      };
-      eprintln!("DEBUG [spawn_blocking] Step 24: spawn_blocking task ending");
-      final_result
+      match result {
+        Ok(Ok(())) => Ok(()),
+        Ok(Err(e)) => Err(e),
+        Err(_) => Err(EmbedRequestError::Bailout)
+      }
     });
 
     // Wait for headers to be sent (with owned status, mimetype, custom headers, and logs)

src/sapi.rs

@@ -2,20 +2,18 @@ use std::{
   collections::HashMap,
   env::current_exe,
   ffi::{c_char, c_int, c_void, CStr},
-  sync::{Arc, Mutex, RwLock, Weak},
-  thread::ThreadId,
+  sync::{Arc, RwLock, Weak},
 };
 
 use bytes::Buf;
 
 use ext_php_rs::{
   alloc::{efree, estrdup},
   builders::SapiBuilder,
-  embed::{ext_php_rs_sapi_shutdown, ext_php_rs_sapi_startup, SapiModule},
+  embed::{SapiModule, ext_php_rs_sapi_shutdown, ext_php_rs_sapi_startup},
   // exception::register_error_observer,
   ffi::{
-    php_module_startup, php_register_variable, sapi_headers_struct, sapi_send_headers,
-    sapi_shutdown, sapi_startup, ZEND_RESULT_CODE_SUCCESS,
+    ZEND_RESULT_CODE_SUCCESS, php_module_shutdown, php_module_startup, php_register_variable, sapi_headers_struct, sapi_send_headers, sapi_shutdown, sapi_startup
   },
   prelude::*,
   zend::{SapiGlobals, SapiHeader},
@@ -43,13 +41,7 @@ pub(crate) fn fallback_handle() -> &'static tokio::runtime::Handle {
 // This is a helper to ensure that PHP is initialized and deinitialized at the
 // appropriate times.
 #[derive(Debug)]
-pub(crate) struct Sapi {
-  module: RwLock<Box<SapiModule>>,
-  // Track which thread created this Sapi so we only shutdown from that thread
-  creator_thread: ThreadId,
-  // Track if shutdown has been called to prevent double-shutdown
-  shutdown_called: Mutex<bool>,
-}
+pub(crate) struct Sapi(RwLock<Box<SapiModule>>);
 
 impl Sapi {
   pub fn new() -> Result<Self, EmbedStartError> {
@@ -86,8 +78,6 @@ impl Sapi {
       ext_php_rs_sapi_startup();
       sapi_startup(boxed.as_mut());
 
-      // Call module startup for the main thread that's constructing this Sapi.
-      // Each worker thread also needs its own module startup via module_scope().
       if let Some(startup) = boxed.startup {
         startup(boxed.as_mut());
       }
@@ -109,80 +99,20 @@ impl Sapi {
     //   }
     // });
 
-    Ok(Sapi {
-      module: RwLock::new(boxed),
-      creator_thread: std::thread::current().id(),
-      shutdown_called: Mutex::new(false),
-    })
-  }
-
-  /// Creates a new ModuleScope for per-thread module startup.
-  ///
-  /// In ZTS mode, php_module_startup must be called per-thread after the thread's
-  /// local storage has been initialized via ts_resource(0) in ThreadScope::new().
-  ///
-  /// This method provides access to the SAPI module and module entry pointers
-  /// needed by ModuleScope::new().
-  pub fn module_scope(&self) -> Result<crate::scopes::ModuleScope, EmbedRequestError> {
-    let mut sapi = self
-      .module
-      .write()
-      .map_err(|_| EmbedRequestError::SapiNotStarted)?;
-
-    unsafe {
-      crate::scopes::ModuleScope::new(sapi.as_mut() as *mut _, get_module())
-    }
-  }
-
-  pub fn shutdown(&self) -> Result<(), EmbedRequestError> {
-    // Only shutdown if we're on the same thread that created this Sapi
-    let current_thread = std::thread::current().id();
-    if current_thread != self.creator_thread {
-      return Ok(());
-    }
-
-    // Prevent double-shutdown
-    let mut shutdown_called = self
-      .shutdown_called
-      .lock()
-      .map_err(|_| EmbedRequestError::SapiNotShutdown)?;
-
-    if *shutdown_called {
-      return Ok(());
-    }
-
-    *shutdown_called = true;
-
-    let sapi = &mut self
-      .module
-      .write()
-      .map_err(|_| EmbedRequestError::SapiNotShutdown)?;
-
-    if let Some(shutdown) = sapi.shutdown {
-      if unsafe { shutdown(sapi.as_mut()) } != ZEND_RESULT_CODE_SUCCESS {
-        return Err(EmbedRequestError::SapiNotShutdown);
-      }
-    }
-
-    Ok(())
+    Ok(Sapi(RwLock::new(boxed)))
   }
 }
 
 impl Drop for Sapi {
   fn drop(&mut self) {
-    // Attempt shutdown, but it will be skipped if we're on the wrong thread
-    let _ = self.shutdown();
+    let sapi = &mut self.0.write().unwrap();
+    if let Some(shutdown) = sapi.shutdown {
+      unsafe { shutdown(sapi.as_mut()); }
+    }
 
-    // Only call low-level shutdown functions if on the creator thread and shutdown succeeded
-    if std::thread::current().id() == self.creator_thread {
-      if let Ok(shutdown_called) = self.shutdown_called.lock() {
-        if *shutdown_called {
-          unsafe {
-            sapi_shutdown();
-            ext_php_rs_sapi_shutdown();
-          }
-        }
-      }
+    unsafe {
+      sapi_shutdown();
+      ext_php_rs_sapi_shutdown();
     }
   }
 }
@@ -274,6 +204,8 @@ pub extern "C" fn sapi_module_shutdown(
 ) -> ext_php_rs::ffi::zend_result {
   // CRITICAL: Clear server_context BEFORE php_module_shutdown
   // to prevent sapi_flush from accessing freed RequestContext
+  unsafe { php_module_shutdown(); }
+
   {
     let mut globals = SapiGlobals::get_mut();
     globals.server_context = std::ptr::null_mut();
@@ -635,7 +567,7 @@ pub extern "C" fn sapi_module_register_server_variables(vars: *mut ext_php_rs::t
         env_var(vars, "SERVER_PROTOCOL", "HTTP/1.1")?;
 
         let sapi = get_sapi()?;
-        if let Ok(inner_sapi) = sapi.module.read() {
+        if let Ok(inner_sapi) = sapi.0.read() {
           env_var_c(vars, "SERVER_SOFTWARE", inner_sapi.name)?;
         }