Newsgroups: php.internals
Message-ID: <556BC5A5.8060705@gmail.com>
Date: Sun, 31 May 2015 19:38:29 -0700
From: smalyshev@gmail.com (Stanislav Malyshev)
To: PHP Internals, Dmitry Stogov
Subject: Big hashes problem in master

Hi!

Looking into bug #69295 I've noticed the following problem with hashes on master: if we try to create a very large hashtable on a 64-bit build (e.g. one with 1126626666 elements), then _zend_hash_init would set the following:

    ht->nTableSize = 0x80000000
    ht->nTableMask = 0xfffffffe

(I'm using hex so that the numbers would be more clear). Then when we come to zend_hash_real_init_ex, we do the allocation of HT_SIZE(ht). But then after this line:

    HT_SET_DATA_ADDR(ht, pemalloc(HT_SIZE(ht), (ht)->u.flags & HASH_FLAG_PERSISTENT));

I see this:

    (gdb) p ht->arData
    $37 = (Bucket *) 0xffffffff0a000000

Looks like what happened is that when HT_HASH_SIZE was calculated, (-(int32_t)(ht)->nTableMask) was calculated as 0x80000000 as a signed int, and then promoted to size_t to multiply it with sizeof, which produces 0xffffffff80000000. Of course, adding this to a pointer wouldn't do much good. So the next line, HT_HASH_RESET(ht); crashes because the pointer arData is broken.

I think this:

    #define HT_HASH_SIZE(ht) \
        ((uint32_t)(-(int32_t)(ht)->nTableMask) * sizeof(uint32_t))

should fix it, but I would like a second pair of eyes on this.

There's also another problem in the code in zend_hash_real_init_ex: the initialized flag is set before the address is actually set, so if the allocation fails, the dtor may get a broken array marked as initialized. This however seems to be easily fixed if the flags are moved to be after the allocation.
-- Stas Malyshev smalyshev@gmail.com
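Added example (not part of the mail above and not php-src code): a small C model of the two issues the mail describes, the sign-extension in the hash-size arithmetic and the ordering of the initialized flag. The field names nTableSize, nTableMask and arData follow the mail; the reduced struct layout, the allocator stub, the ht_real_init function, the HT_STUB_INITIALIZED flag and the base address used for the pointer-arithmetic check are assumptions constructed for this example. PHP's real macros negate the mask as int32_t directly; this model does the wrapping negation in unsigned arithmetic so that the program itself stays free of undefined behaviour while reproducing the same values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Reduced stand-in for the HashTable fields this example needs. The layout is
 * an assumption for the example, not PHP's real struct. */
typedef struct {
    uint32_t nTableSize;
    uint32_t nTableMask;
    uint32_t flags;      /* stands in for ht->u.flags */
    void    *arData;     /* bucket array; the uint32_t hash slots sit just below it */
} ht_stub;

#define HT_STUB_INITIALIZED 0x1u   /* assumed flag bit for this example */

/* Pre-fix arithmetic as described in the mail: the mask is negated as int32_t
 * and the result is widened to size_t for the multiplication, so a negative
 * value sign-extends. For nTableMask == 0x80000000 the signed negation itself
 * overflows (undefined behaviour in C; real compilers wrap it to INT32_MIN),
 * so this model performs the wrapping negation in unsigned arithmetic and then
 * reinterprets it as int32_t, reproducing the observed result without UB. */
static size_t ht_hash_size_buggy(uint32_t nTableMask)
{
    int32_t neg = (int32_t)(0u - nTableMask);  /* two's-complement wrap */
    return (size_t)neg * sizeof(uint32_t);     /* sign-extends when neg < 0 */
}

/* The fix proposed in the mail: keep the negated value as uint32_t before it
 * is widened, so 0x80000000 stays 0x80000000 and the product is 2^31 * 4 bytes,
 * the 8 GiB that was actually intended. */
static size_t ht_hash_size_fixed(uint32_t nTableMask)
{
    uint32_t neg = 0u - nTableMask;            /* stays unsigned 32-bit */
    return (size_t)neg * sizeof(uint32_t);
}

/* Where arData would land: allocation base plus hash-slot size. Computed in
 * uintptr_t so the wrap-around is observable without touching memory. */
static uintptr_t ht_data_addr(uintptr_t base, size_t hash_size)
{
    return base + hash_size;
}

/* Allocator stub (constructed): refuses requests above 1 TiB so the failure
 * path can be exercised deterministically. */
static void *stub_alloc(size_t n)
{
    if (n > ((size_t)1 << 40)) {
        return NULL;
    }
    return malloc(n);
}

/* Model of the second point in the mail: the initialized flag is set only
 * after the allocation succeeded, so a failed allocation leaves the table
 * marked uninitialized and a later destructor has nothing to free.
 * Returns 0 on success, -1 if the allocation failed. */
static int ht_real_init(ht_stub *ht, size_t (*hash_size)(uint32_t))
{
    ht->nTableMask = 0u - ht->nTableSize;      /* mask = -size */
    size_t bytes = hash_size(ht->nTableMask);
    void *p = stub_alloc(bytes);
    if (p == NULL) {
        return -1;                             /* flags untouched */
    }
    ht->arData = (char *)p + bytes;            /* buckets start after the hash slots */
    ht->flags |= HT_STUB_INITIALIZED;
    return 0;
}

/* Runs the init path for one table size; returns 1 if the table ended up marked
 * initialized, 0 otherwise, and frees whatever was allocated. */
static int init_marks_initialized(uint32_t nTableSize, size_t (*hash_size)(uint32_t))
{
    ht_stub ht = { nTableSize, 0, 0, NULL };
    int rc = ht_real_init(&ht, hash_size);
    int marked = (ht.flags & HT_STUB_INITIALIZED) != 0;
    if (rc == 0) {
        free((char *)ht.arData - hash_size(ht.nTableMask));
    }
    return marked;
}

int main(void)
{
    uint32_t mask = 0u - 0x80000000u;           /* mask for nTableSize = 0x80000000 */
    uintptr_t base = (uintptr_t)0x10a000000ULL; /* constructed base address */
    printf("buggy hash size: 0x%llx\n", (unsigned long long)ht_hash_size_buggy(mask));
    printf("fixed hash size: 0x%llx\n", (unsigned long long)ht_hash_size_fixed(mask));
    printf("arData with buggy size: 0x%llx\n",
           (unsigned long long)ht_data_addr(base, ht_hash_size_buggy(mask)));
    printf("init with buggy size marks initialized: %d\n",
           init_marks_initialized(0x80000000u, ht_hash_size_buggy));
    printf("init of small table marks initialized: %d\n",
           init_marks_initialized(8u, ht_hash_size_fixed));
    return 0;
}
```

For a normal table (say nTableSize = 8, mask 0xfffffff8) both size functions agree, which is why the defect only shows up at the 2^31 boundary where the negated mask is INT32_MIN. The constructed base 0x10a000000 is chosen so that adding the bogus size lands on the arData value quoted in the mail; any other base wraps the same way.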