Question

I recently ran into memory allocation problems, so I started experimenting with the ini_set('memory_limit', value); directive where I tried to enter values incrementally. Now, searching through the web (and SO) I found out that I can put -1 as the value. So, I did and now the script runs fully to the end without breaking (before I used to get the memory allocation error).

What I don't understand, however, is that given these two lines at the end of the script's file:

$mem = memory_get_peak_usage(true);         
echo "Peak mem. usage: <b>" . round($mem / 1024 / 10124, 2) . "</b> MB";

produce around 10.8MB and when I look into the /var/log/messages I can see this line:

Nov 21 13:52:26 mail suhosin[1153]: ALERT-SIMULATION - script tried to increase  
memory_limit to 4294967295 bytes which is above the allowed value (attacker  
'xx.xxx.xxx.xxx', file '/var/www/html/file.php', line 5)

which means the script tried to allocate 4096MB!

How can this be? And also, what interests me the most is why didn't the script execution stop in this case? Is it because of the ini_set('memory_limit', '-1');? I mean, I did read that putting -1 as the value is not recommended and I know where the problem lies in the script (reading too big an amount of data at once into memory), and I will go and fix it with sequential reading, but I'm just baffled by these data differences, so I would be grateful if someone can shed some light on it.


Solution

It is because the suhosin patch uses its own "hard" maximum memory limit, suhosin.memory_limit.

From the configuration reference:

Suhosin [...] disallows setting the memory_limit to a value greater than the one the script started with, when this option is left at 0.

In other words, if you change the memory_limit so that it is bigger than suhosin's upper limit then it will simply assume that you are an "attacker" trying to do something suspicious.

OTHER TIPS

I think you used 10MB but by putting -1 as value you allowed your script to use the maximum memory available, say 4GB.

Using ini_set('memory_limit', '-1'); will not set a limit for the scripts - of course it'll still be restricted to hardware, but from the manual:

Note that to have no memory limit, set this directive to -1

What interests me the most is why didn't the script execution stop in this case?

The script didn't stop execution because it didn't reach the maximum memory limit, as it's set to -1.

As described here: http://www.hardened-php.net/suhosin/configuration.html#suhosin.memory_limit

Suhosin will not let you set a value greater than the one the script started with.

If you set the suhosin.memory_limit to 4096 then you'll be able to increase your memory usage without getting this alert

My guess is the script didn't try to allocate 4096MB, but it's a wrong alert from Suhosin showing the maximum addressable memory limit of the 32-bit system on which the PHP server is running, that is 2^32.

Hope this answers your doubts

$mem / 1024 / 10124

should be

$mem / 1024 / 1024

So we're talking about a 100 MB peak.

Then 4,294,967,295 = 4 GB. I guess that's all you have (i.e. the -1).

This means these output messages have nothing to do with each other. If you want the warning to disappear, set the Suhosin memory limit higher than the PHP memory limit or disable Suhosin.

Suhosin has a simulation mode which seems to be ON. If this is turned OFF, the ALERT should stop the script.
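A log-triage sketch for the alert quoted in the question, added here as an example (it is not code from the question, the answers or the Suhosin project). It assumes that the prefix is plain "ALERT" when simulation mode is off and that 4294967295 (2^32 - 1, the bits of -1 read as an unsigned 32-bit integer) is how the -1 request shows up in the log; the function names and the second and third sample lines are constructed.

```python
import re

# Pattern for the Suhosin memory_limit alert quoted in the question.
# ASSUMPTION: with simulation mode off the prefix is plain "ALERT".
ALERT_RE = re.compile(
    r"suhosin\[\d+\]: (?P<kind>ALERT(?:-SIMULATION)?) - script tried to increase "
    r"memory_limit to (?P<bytes>\d+) bytes which is above the allowed value "
    r"\(attacker '(?P<client>[^']*)', file '(?P<file>[^']*)', line (?P<line>\d+)\)"
)
UNSIGNED_MINUS_ONE = 2**32 - 1  # 4294967295: the bits of -1 read as unsigned 32-bit


def find_alerts(log_text):
    """Return one dict per memory_limit alert found in log_text."""
    flat = " ".join(log_text.split())  # rejoin entries wrapped over several lines
    alerts = []
    for m in ALERT_RE.finditer(flat):
        raw = int(m["bytes"])
        alerts.append({
            "simulation": m["kind"] == "ALERT-SIMULATION",
            # ASSUMPTION: 4294967295 is the logged form of memory_limit = -1
            "requested_limit": -1 if raw == UNSIGNED_MINUS_ONE else raw,
            "client": m["client"],
            "file": m["file"],
            "line": int(m["line"]),
        })
    return alerts


def describe(alert):
    """One-line summary: what was requested, where, and in which mode."""
    if alert["requested_limit"] == -1:
        wanted = "no limit (-1)"
    else:
        wanted = f"{alert['requested_limit'] / 1024 / 1024:.0f} MB"
    mode = "logged only (simulation)" if alert["simulation"] else "enforced"
    return f"{alert['file']}:{alert['line']} asked for {wanted}, {mode}"


# Constructed sample: the first entry is the question's line (wrapped as posted),
# the other two lines are made up for this example.
SAMPLE_LOG = """\
Nov 21 13:52:26 mail suhosin[1153]: ALERT-SIMULATION - script tried to increase
memory_limit to 4294967295 bytes which is above the allowed value (attacker
'xx.xxx.xxx.xxx', file '/var/www/html/file.php', line 5)
Nov 21 13:53:02 mail crond[2201]: (root) CMD (run-parts /etc/cron.hourly)
Nov 21 13:54:40 mail suhosin[1160]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker '192.0.2.10', file '/var/www/html/report.php', line 12)
"""
```

The figure in the alert is the limit the script asked for through ini_set(), so it is reported separately from anything memory_get_peak_usage() measures.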

memory_get_peak_usage — Returns the peak of memory allocated by PHP.

memory_limit - increase maximum memory allocation

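<?php
// ini_set() returns the old value on success and false on failure,
// so compare against false explicitly.
if (ini_set('memory_limit', '-1') !== false)
{
    echo "memory_limit set to -1B";
}
else
{
    echo "ini_set() failed!";
}
?>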
Licensed under: CC-BY-SA with attribution