#
8a4a3046 |
| 22-Jul-2024 |
Saki Takamachi <34942839+SakiTakamachi@users.noreply.github.com> |
Zend: Add `ZEND_BYTES_SWAP32`/`ZEND_BYTES_SWAP64` (#14910)
|
#
c2cbbd9b |
| 09-Jul-2024 |
Julien Voisin |
zend_alloc: remove duplicate zend_mm_alloc_large definition (#14880) The two parts of the #if condition are the same.
|
#
1ff277de |
| 25-Jun-2024 |
Arnaud Le Blanc |
Fix is_zend_ptr() for huge blocks (#14626) is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists and the ptr did not belong to any block.
|
#
e3c9f5a5 |
| 24-Jun-2024 |
Julien Voisin |
Compute the size of pages before allocating memory (#14650) `start_memory_manager()` calls `zend_mm_init()` via `alloc_globals_ctor()` before setting `REAL_PAGE_SIZE` to the right value. Moving the `REAL_PAGE_SIZE` setting block before the call to `alloc_globals_ctor()` makes the allocator behave properly on systems with a page size different than 4k. Suggested-by: arnaud-lb
|
#
f4557b48 |
| 19-Jun-2024 |
Florian Engelhardt |
Add `gc` and `shutdown` callbacks to ZendMM custom handlers (#13432)
|
#
25360ef2 |
| 12-Jun-2024 |
Arnaud Le Blanc |
Detect heap freelist corruption (#14054) We keep track of free slots by organizing them in a linked list, with the first word of every free slot being a pointer to the next one. In order to make corruptions more difficult to exploit, we check the consistency of these pointers before dereference by comparing them with a shadow. The shadow is a copy of the pointer, stored at the end of the slot. Before this change, an off-by-1 write is enough to produce a valid freelist pointer. After this change, a bigger out of bound write is required for that. The difficulty is increased further by mangling the shadow with a secret, and byte-swapping it, which increases the minimal required out of bound write length. Closes GH-14054
|
#
07337df1 |
| 23-Apr-2024 |
Julien Voisin |
Add two checks for zend_mm_heap's integrity (#13943)
|
#
7a3516cc |
| 03-Apr-2024 |
David CARLIER |
zend_alloc trailing 1 calculation helper ZEND_ATTRIBUTE_CONST addition. (#13874)
|
#
14873dd2 |
| 26-Feb-2024 |
Florian Engelhardt |
Drop zend_mm_set_custom_debug_handlers() (#13457) Simplifies zend_mm_set_custom_debug_handlers to just use zend_mm_set_custom_handlers(), saving some conditionals when the Zend allocator is not used.
|
#
016c3861 |
| 01-Dec-2023 |
Ilija Tovilo |
Fix asan false positive for mmap For some reason, mmap regions which are repeatedly munmapped are not correctly unpoisoned. See https://github.com/google/sanitizers/issues/1705. Fixes GH-12756 Closes GH-12848
|
#
28110f8d |
| 05-Nov-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix unspecified behaviour in zend_alloc in heap->limit computation Right-shifting a negative number is unspecified (i.e. implementation-defined) behaviour [1]. If we take a look at the generated assembly [2], we see that the wrong value is computed. Fix it by using Z_UL instead of Z_L. While we're at it, just change every occurrence of this pattern to use Z_UL instead of casting. [1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1548.pdf §6.5.7.5 [2] https://godbolt.org/z/4Y1qKKjsh Closes GH-12613.
|
#
2227fefa |
| 14-Sep-2023 |
Ilija Tovilo |
Fix noreturn with warning that should be an error E_WARNING does not actually abort.
|
#
3148da8e |
| 03-Aug-2023 |
Ilija Tovilo |
Add block size support for tracked_malloc (#11856) This does still deviate from USE_ZEND_ALLOC=0 in that we're not rounding up the size of the allocation to fixed sizes. Doing so would suppress some out-of-bounds errors checked by ASAN. Rounding up the size in _zend_mm_block_size would not be good either as it would break code like memset(ptr, 0, _zend_mm_block_size(ptr)).
|
#
4553258d |
| 01-Aug-2023 |
Dmitry Stogov |
Fixed incorrect tracked malloc deallocation Fixes ext/ffi/tests/list.phpt failure
|
#
fc88f155 |
| 03-Apr-2023 |
Ilija Tovilo |
Add zend_alloc XLEAK support In the future we may want to use a different exit code to warn for tests that didn't leak. Closes GH-10999
|
#
c0d89e54 |
| 18-Feb-2023 |
Max Kellermann |
Zend/zend_alloc: make stderr_last_error() static (#10587) This function is only used internally.
|
#
413844d6 |
| 18-Feb-2023 |
Max Kellermann |
Zend/zend_types.h: deprecate zend_bool, zend_intptr_t, zend_uintptr_t (#10597) These types are standard C99. For compatibility with out-of-tree extensions, keep the typedefs in main/php.h.
|
#
2d3427c5 |
| 16-Jan-2023 |
Christoph M. Becker |
Revert "#include cleanup (#10216)" Cf. <https://github.com/php/php-src/pull/10220#issuecomment-1383739816>. This reverts commit e628c66f9d4173e585081ddef358505433f9a288.
|
#
e628c66f |
| 04-Jan-2023 |
Max Kellermann |
#include cleanup (#10216) Shift header include In the C file, include the header first so missing #includes are detected by the compiler, and use lighter header dependencies in the header, to speed up compile times.
|
#
8d65c2fe |
| 14-Nov-2022 |
Michael Voříšek |
Fix GH-9650: Can't initialize heap: [0x000001e7] Closes GH-9721.
|
Revision tags: php-8.2.0RC1, php-8.1.10, php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3 |
|
#
98bdb7f9 |
| 12-Aug-2022 |
Ilija Tovilo |
Make pestr[n]dup infallible (#9295) Fixes GH-9128 Closes GH-9295
|
Revision tags: php-8.2.0beta2, php-8.1.9, php-8.0.22, php-8.1.9RC1, php-8.2.0beta1, php-8.0.22RC1, php-8.0.21, php-8.1.8, php-8.2.0alpha3, php-8.1.8RC1, php-8.2.0alpha2 |
|
#
cd363a9b |
| 21-Jun-2022 |
Ilija Tovilo |
Specify unit in out of memory error (#8820) Closes GH-8808
|
Revision tags: php-8.0.21RC1 |
|
#
e67565f5 |
| 20-Jun-2022 |
Max Kellermann |
Zend, ext/opcache: use PR_SET_VMA_ANON_NAME (Linux 5.17) (#8234) The new Linux 5.17 feature PR_SET_VMA_ANON_NAME can give names to anonymous private memory, see: https://lwn.net/Articles/867818/ It can be useful while debugging, to identify which portion of the process's memory belongs to which subsystem. This is how /proc/PID/maps can look like: 555ccd400000-555ccdc00000 r-xp 00000000 00:00 0 [anon:huge_code_pages] 7f6ec6600000-7f6ec6800000 rw-p 00000000 00:00 0 [anon:zend_alloc] The first mapping is the PHP executable copied to anonymous memory by option "opcache.huge_code_pages". The second one is a memory area for the "zend_alloc.h" memory allocator library. Unfortunately, it is not possible to give names to shared memory (MAP_SHARED), because Linux MAP_SHARED really maps /dev/zero (see shmem_zero_setup()), which makes madvise_vma_anon_name() believe this is a file mapping, failing the prctl() with EBADF.
|
Revision tags: php-8.0.20, php-8.1.7, php-8.2.0alpha1, php-7.4.30, php-8.1.7RC1, php-8.0.20RC1 |
|
#
96838129 |
| 21-May-2022 |
Arnaud Le Blanc |
Panic with abort() (#8590)
|
Revision tags: php-8.1.6, php-8.0.19, php-8.1.6RC1, php-8.0.19RC1, php-8.0.18, php-8.1.5, php-7.4.29, php-8.1.5RC1, php-8.0.18RC1, php-8.1.4, php-8.0.17, php-8.1.4RC1, php-8.0.17RC1, php-8.1.3, php-8.0.16, php-7.4.28, php-8.1.3RC1, php-8.0.16RC1, php-8.1.2, php-8.0.15, php-8.1.2RC1, php-8.0.15RC1 |
|
#
31692a16 |
| 21-Dec-2021 |
David CARLIER |
Support zend alloc USE_ZEND_ALLOC_HUGE_PAGES option on MacOS ZEND_MM_CHUNK_SIZE fits the VM_FLAGS_SUPERPAGE_SIZE_2MB special file descriptor for mmap call.
|