search

facebook / hhvm

A virtual machine for executing programs written in Hack.
https://hhvm.com
Other
18.12k stars 2.98k forks source link

Segfaults/memory corruption for large containers with size initialized from C++ (insufficient OOM checking) #8861

Open fredemmott opened 3 years ago

fredemmott commented 3 years ago

Describe the bug

Creating a container with a very large number of items can lead to segfaults, if

Standalone code, or other way to reproduce the problem

array_fill(123, (1 << 30), null);

Expected behavior

OOM fatal

Actual behavior

Segfaults, sometimes with an OOM fatal first.

in hphpd

req::malloc fails when parsing the line again

# 0  HPHP::req::malloc(unsigned long, unsigned short)
# 1  HPHP::VariableUnserializer::unserializeVariant(HPHP::tv_val<false, void>, HPHP::UnserializeMode)
# 2  HPHP::VariableUnserializer::unserialize()
# 3  HPHP::(anonymous namespace)::parse_php_serialized(folly::Range<char const*>)
# 4  HPHP::(anonymous namespace)::parse_attribute_list(HPHP::(anonymous namespace)::AsmState&, HPHP::AttrContext, HPHP::UserAttributeMap*) [clone .lto_priv.0]
# 5  HPHP::(anonymous namespace)::parse_function(HPHP::(anonymous namespace)::AsmState&)
# 6  HPHP::(anonymous namespace)::parse(HPHP::(anonymous namespace)::AsmState&)
# 7  HPHP::assemble_string(char const*, int, char const*, HPHP::SHA1 const&, HPHP::Native::FuncTable const&, bool)
# 8  HPHP::(anonymous namespace)::(anonymous namespace)::assemble_string_handle_errors(char const*, char const*, unsigned long, char const*, HPHP::SHA1 const&, HPHP::Native::FuncTable const&, bool&, HPHP::CompileAbortMode) [clone .lto_priv.0]
# 9  HPHP::(anonymous namespace)::hackc_compile(char const*, int, char const*, HPHP::SHA1 const&, HPHP::Native::FuncTable const&, bool, bool&, HPHP::RepoOptions const&, HPHP::CompileAbortMode) [clone .constprop.0]
# 10 HPHP::HackcUnitCompiler::compile(bool&, HPHP::CompileAbortMode)

in standalone script

req-local fini nodes segfault:

# 0  jemalloc_je_large_prof_info_get
# 1  jemalloc_je_sdallocx_default
# 2  HPHP::rds::local::fini(bool)
# 3  HPHP::execute_program_impl(int, char**)
# 4  HPHP::execute_program(int, char**)
# 5  main
# 6  __libc_start_main
# 7  _start
fredemmott commented 3 years ago

Notably the array_fill dict path does have CheckAllocation {} passed to the DArrayInit

fredemmott commented 3 years ago

FB T97062050