Newsgroups: php.internals
From: ilia@prohost.org (Ilia Alshanetsky)
To: internals@lists.php.net
Date: Mon, 14 Jun 2004 11:38:30 -0400
Subject: alloca() problem
Message-ID: <200406141138.30533.ilia@prohost.org>

There is a rather nasty crash possible in PHP due to the usage of the alloca() function, as can be demonstrated by bug #28064.

Simpler bug replication case:

    php -r '
    $a = str_repeat("a", 1024 * 1024 * 6);
    defined($a);
    '

The problem is the result of missing checks to determine if alloca() had worked or not. The problem is further compounded by the fact that alloca() is a dangerous function that will not always return NULL on failure, making the return value check unreliable (read the alloca manpage excerpt below). In PHP4 this function is only used about 7 times, while PHP5 uses it a little more frequently, about 38 times.

I think it would be best if do_alloca was made to use emalloc, which can safely handle allocation failures. Alloca() is already an emalloc wrapper on Apple, HPUX, Windows, Netware.
Excerpt from alloca manpage:

NOTES ON THE GNU VERSION
    Normally, gcc translates calls to alloca by inlined code. This is not done when either the -ansi or the -fno-builtin option is given. But beware! By default the glibc version of <stdlib.h> includes <alloca.h> and that contains the line

        # define alloca(size) __builtin_alloca (size)

    with messy consequences if one has a private version of this function.

    The fact that the code is inlined, means that it is impossible to take the address of this function, or to change its behaviour by linking with a different library.

    The inlined code often consists of a single instruction adjusting the stack pointer, and does not check for stack overflow. Thus, there is no NULL error return.

BUGS
    The alloca function is machine and compiler dependent. On many systems its implementation is buggy. Its use is discouraged.

    On many systems alloca cannot be used inside the list of arguments of a function call, because the stack space reserved by alloca would appear on the stack in the middle of the space for the function arguments.

Ilia
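The unchecked alloca() pattern the post describes, beside a form that falls back to a checkable heap allocation above a size limit, as an added C example written for this thread (not PHP's own do_alloca or emalloc code); the 4096-byte cut-off, the function names and the case-folding helper are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <alloca.h>

/* Hypothetical cut-off (not a PHP constant): larger scratch buffers never
 * come from the stack. */
#define SCRATCH_STACK_MAX 4096

static void fold(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
}

/* The pattern the post describes: a scratch buffer sized by untrusted input
 * and carved straight out of the stack. alloca() has no failure return, so a
 * multi-megabyte request walks the stack pointer into unmapped memory. */
int folded_matches_unsafe(const char *name, size_t len, const char *want)
{
    char *buf = alloca(len + 1);            /* cannot be checked */
    fold(buf, name, len);
    return strcmp(buf, want) == 0;
}

/* Hardened form: small requests keep alloca()'s speed, large ones go to
 * malloc(), whose NULL return can be tested. Returns -1 on heap failure. */
int folded_matches_safe(const char *name, size_t len, const char *want)
{
    int use_heap = (len + 1) > SCRATCH_STACK_MAX;
    char *buf = use_heap ? malloc(len + 1) : alloca(len + 1);
    if (buf == NULL) return -1;             /* only reachable on the heap path */
    fold(buf, name, len);
    int hit = strcmp(buf, want) == 0;
    if (use_heap) free(buf);
    return hit;
}

/* Replays the post's 6 MB reproduction size through the safe path. */
int demo_six_megabytes(void)
{
    size_t len = 1024u * 1024u * 6u;
    char *name = malloc(len + 1);
    if (name == NULL) return -1;
    memset(name, 'a', len); name[len] = '\0';
    int out = folded_matches_safe(name, len, name);   /* 1: folded copy matches */
    free(name);
    return out;
}
```

The unsafe variant is kept only for contrast with small inputs; the 6 MB case goes through the heap path, where the allocation result can actually be checked.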