Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:86468 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 32830 invoked from network); 1 Jun 2015 07:53:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 1 Jun 2015 07:53:08 -0000 Authentication-Results: pb1.pair.com smtp.mail=dmitry@zend.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=dmitry@zend.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 209.85.216.49 as permitted sender) X-PHP-List-Original-Sender: dmitry@zend.com X-Host-Fingerprint: 209.85.216.49 mail-vn0-f49.google.com Received: from [209.85.216.49] ([209.85.216.49:38703] helo=mail-vn0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 25/61-17079-26F0C655 for ; Mon, 01 Jun 2015 03:53:08 -0400 Received: by vnbf190 with SMTP id f190so15056760vnb.5 for ; Mon, 01 Jun 2015 00:53:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=kzXEXEfRIR1DpC0QtZ/IsXbMIshC7IvopN2s7Qt700M=; b=OKv5k5BiP++OYEGw2SNA1S3D8iHSqht9yiEnkRO7UEPmlA83Wj8x87AW9koVWYBUNB CUwczH4Pvxcq3FzIPVGiOoDySQlVbu3KJiqOZIyTlI1VOB1UF4XU+g+7eh0qdi+tY9qx xYpIFl/WDHgtHbWHWy+Gdz/0ardFWu2xupG4QXoU4SGMcYjCh0w/kOKFnwX7DMWZqoGb V+s2UQsdvYRbVUNTjF5/r6H6MhOzyzLwYuthc3gNV6b7KZUcWUScU34yPHN+at/vP3De 6TPIP547R5h2Cx6TQqkYHj2VoEubshfMYkdwoT7bkGtq3xi3slw8JF+areap6fOSR3/J J4JQ== X-Gm-Message-State: ALoCoQlhPaplrc9lMxPFtlUUv5wcCNZj7ZqlvEBOwYLiRrrmNZc/hvTkUv1oxqT2sldTSD6rScevr/2eulJUZOEF3gcxhdtqrPxHH0U/60FhQwXCWzO+XEZomt0sCZWR0D+Qmbk/GvOGJaPSAQA/WfHGHxvsVlbgUryaUT3h2PTvxio2ySJV30E= MIME-Version: 1.0 X-Received: by 10.52.75.170 with SMTP id d10mr26038906vdw.49.1433145183240; Mon, 01 Jun 2015 00:53:03 -0700 (PDT) Received: by 10.52.188.230 with HTTP; Mon, 1 Jun 2015 00:53:03 -0700 (PDT) In-Reply-To: <556BC5A5.8060705@gmail.com> References: <556BC5A5.8060705@gmail.com> Date: Mon, 1 Jun 2015 10:53:03 +0300 Message-ID: To: Stanislav Malyshev Cc: PHP Internals Content-Type: multipart/alternative; boundary=20cf3071cc728f207e0517701df0 Subject: Re: Big hashes problem in master From: dmitry@zend.com (Dmitry Stogov) --20cf3071cc728f207e0517701df0 Content-Type: text/plain; charset=UTF-8 Hi Stas, This should be fixed now. As I understood you already fixed the second problem. Thanks for catching this. Dmitry. On Mon, Jun 1, 2015 at 5:38 AM, Stanislav Malyshev wrote: > Hi! > > Looking into bug #69295 I've noticed the following problem with hashes > on master: if we try to create very large hashtable, on 64-bit build > (e.g. one with 1126626666 elements) then _zend_hash_init would set the > following: > > ht->nTableSize = 0x80000000 > ht->nTableMask = 0xfffffffe > (I'm using hex so that the numbers would be more clear). Then when we > come to zend_hash_real_init_ex, we do allocation of HT_SIZE(ht). But > then after this line: > > HT_SET_DATA_ADDR(ht, pemalloc(HT_SIZE(ht), (ht)->u.flags & > HASH_FLAG_PERSISTENT)); > > I see this: > (gdb) p ht->arData > $37 = (Bucket *) 0xffffffff0a000000 > > Looks like what happened is that whet HT_HASH_SIZE was calculated, > (-(int32_t)(ht)->nTableMask) was calculated as 0x80000000 as signed it, > and then promoted to size_t to multiply it with sizeof, which produces > 0xffffffff80000000. Of course, adding this to a pointer wouldn't do much > good. So the next line, > HT_HASH_RESET(ht); > crashes because the pointer arData is broken. I think this: > > #define HT_HASH_SIZE(ht) \ > ((uint32_t)(-(int32_t)(ht)->nTableMask) * sizeof(uint32_t)) > > Should fix it but would like second pair of eyes on this. > > There's also another problem in the code in zend_hash_real_init_ex - the > initialized flag is set before the address is actually set, so if the > allocation fails, the dtor may get broken array marked as initialized. > This however seems to be easily fixed if flags are moved to be after > allocation. > -- > Stas Malyshev > smalyshev@gmail.com > --20cf3071cc728f207e0517701df0--