fix: lazy-reseed GC random state per worker process

Replace the per-call php_random_bytes_silent() approach with lazy
reseeding of PS(random) on first use. GINIT initializes the PCG state
but runs before PHP-FPM forks workers, so all workers would otherwise
inherit and replay the same sequence. A one-time CSPRNG call on first
GC check per process breaks the correlation while keeping subsequent
draws cheap (PCG, not CSPRNG).

Add gc_random_seeded bool to php_ps_globals to track whether the per-
process reseed has happened. Restore the random struct initialization
in GINIT (removed in previous commit) since the field is now actively
used again.

Author: jorgsowa

ext/session/php_session.h

@@ -146,10 +146,9 @@ typedef struct _php_ps_globals {
 	zend_string *session_started_filename;
 	uint32_t session_started_lineno;
 	int module_number;
-	/* Unused since the GC probability draw was made stateless; retained only
-	 * to preserve struct layout (ABI) on stable branches. */
 	php_random_status_state_pcgoneseq128xslrr64 random_state;
 	php_random_algo_with_state random;
+	bool gc_random_seeded; /* false until first GC check; reseeds after fork */
 	zend_long gc_probability;
 	zend_long gc_divisor;
 	zend_long gc_maxlifetime;

ext/session/session.c

@@ -393,14 +393,22 @@ static zend_long php_session_gc(bool immediate)
 	/* GC must be done before reading session data. */
 	if ((PS(mod_data) || PS(mod_user_implemented))) {
 		if (!collect && PS(gc_probability) > 0) {
-			/* Draw fresh entropy per request instead of using the per-process
-			 * PS(random) state. The latter is seeded once in GINIT, which runs
-			 * before SAPIs such as PHP-FPM fork their workers, so every worker
-			 * would inherit and replay the same GC-decision sequence. */
-			uint32_t rand_val;
-			if (php_random_bytes_silent(&rand_val, sizeof(rand_val)) == SUCCESS) {
-				collect = (rand_val % (uint32_t) PS(gc_divisor)) < (uint32_t) PS(gc_probability);
+			/* Reseed PS(random) on first use per process. GINIT runs in the
+			 * master process before SAPIs like PHP-FPM fork their workers, so
+			 * all workers would otherwise inherit and replay the same PCG
+			 * sequence. One CSPRNG call here breaks the correlation. */
+			if (UNEXPECTED(!PS(gc_random_seeded))) {
+				php_random_uint128_t seed;
+				if (php_random_bytes_silent(&seed, sizeof(seed)) == FAILURE) {
+					seed = php_random_uint128_constant(
+						php_random_generate_fallback_seed(),
+						php_random_generate_fallback_seed()
+					);
+				}
+				php_random_pcgoneseq128xslrr64_seed128(PS(random).state, seed);
+				PS(gc_random_seeded) = true;
 			}
+			collect = php_random_range(PS(random), 0, PS(gc_divisor) - 1) < PS(gc_probability);
 		}
 
 		if (collect) {
@@ -2892,6 +2900,12 @@ static PHP_GINIT_FUNCTION(ps)
 	ZVAL_UNDEF(&ps_globals->mod_user_names.ps_validate_sid);
 	ZVAL_UNDEF(&ps_globals->mod_user_names.ps_update_timestamp);
 	ZVAL_UNDEF(&ps_globals->http_session_vars);
+
+	ps_globals->random = (php_random_algo_with_state){
+		.algo = &php_random_algo_pcgoneseq128xslrr64,
+		.state = &ps_globals->random_state,
+	};
+	ps_globals->gc_random_seeded = false;
 }
 
 static PHP_MINIT_FUNCTION(session)