php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80523 bogus parse error on >4GB source code
Submitted: 2020-12-16 03:22 UTC Modified: 2020-12-16 09:59 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: divinity76 at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.4.13 OS:
Private report: No CVE-ID: None
 [2020-12-16 03:22 UTC] divinity76 at gmail dot com
Description:
------------
it appears that PHP crash when trying to parse source code above 4GB in size,


notably the code below is not a syntax error if you change it to
$imax = (int)((1*1024*1024*1024)/strlen("'hello',"));

but if you just change the 1* to 4*, it's suddenly a "syntax error",
PS: don't recommend trying this on a system with less than 20GB ram, htop reported over 18GB ram while running..

Test script:
---------------
<?php
$str='<?php return array(';
$imax = (int)((4*1024*1024*1024)/strlen("'hello',"));
echo "generating..";
$str.=str_repeat("'hello',",$imax);
$str.=");";
echo "generated. writing.";
file_put_contents("wtf.php",$str);
echo "written. gcing";
unset($str);gc_collect_cycles(); // << dunno if that actually helps
echo ". done. including.";
require("wtf.php");


Expected result:
----------------
no syntax error

Actual result:
--------------
root@x2ratma:/temp/fag# time php fag.php 
generating..generated. writing.written. gcing. done. including.PHP Parse error:  syntax error, unexpected ''h' (T_ENCAPSED_AND_WHITESPACE), expecting ')' in /temp/fag/wtf.php on line 1

real	0m24.960s
user	0m4.927s
sys	0m17.147s
root@x2ratma:/temp/fag# 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-16 09:21 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=118ff03335d67c19817ff83d89e634fcd39275ff
Log: Fix bug #80523
 [2020-12-16 09:21 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2020-12-16 09:29 UTC] divinity76 at gmail dot com
nikic@php.net 
you said you get OOM killed before being able to test it?
 on how much ram? 
 i have a 64GB ram system to test on, 
 and a 128GB ram system is on the way (should be ready in a couple of days)
 [2020-12-16 09:59 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-12-16 09:59 UTC] nikic@php.net
@divinity76: I've tested this with 64GB RAM, which was not sufficient :) Maybe 128GB will be enough...
 [2021-01-27 20:52 UTC] divinity76+spam at gmail dot com
@nikic indeed it was; seems about 76GB of ram is needed to test this bug, and the current php-8.1.0-dev is immune :) 


quote from testing on a 128GB ram system:



root@localhost:/temp# /usr/bin/time -v /temp/php-src/sapi/cli/php -r 'ini_set("memory_limit","-1");require("wtf.php");echo "it worked!";var_dump(memory_get_peak_usage(false),memory_get_peak_usage(true),memory_get_usage(false),memory_get_usage(true));'
it worked!int(90195052680)
int(90230177792)
int(391088)
int(17223909376)
        Command being timed: "/temp/php-src/sapi/cli/php -r ini_set("memory_limit","-1");require("wtf.php");echo "it worked!";var_dump(memory_get_peak_usage(false),memory_get_peak_usage(true),memory_get_usage(false),memory_get_usage(true));"
        User time (seconds): 330.95
        System time (seconds): 175.72
        Percent of CPU this job got: 96%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 8:47.20
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 75538080
        Average resident set size (kbytes): 0
        Major (requiring I/O) page faults: 0
        Minor (reclaiming a frame) page faults: 48743267
        Voluntary context switches: 1
        Involuntary context switches: 8120
        Swaps: 0
        File system inputs: 0
        File system outputs: 0
        Socket messages sent: 0
        Socket messages received: 0
        Signals delivered: 0
        Page size (bytes): 4096
        Exit status: 0
root@localhost:/temp# du -h wtf.php
4.1G    wtf.php
root@localhost:/temp# head wtf.php
<?php return array('hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello','hello',(capped)
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Feb 25 18:01:23 2021 UTC