PHP :: Bug #47352 :: preg_replace Segmentation fault

Bug #47352	preg_replace Segmentation fault
Submitted:	2009-02-10 14:48 UTC	Modified:	2009-02-11 17:16 UTC
From:	whitephoenix at mail dot ru	Assigned:
Status:	Not a bug	Package:	PCRE related
PHP Version:	5.3.0beta1	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	whitephoenix at mail dot ru
New email:
PHP Version:		OS:

New Comment:

[2009-02-10 14:48 UTC] whitephoenix at mail dot ru

Description:
------------
Segmentation fault, core dumped ;)

PCRE 7.8.

Reproduce code:
---------------
http://quicky-tpl.net/files/pcre-bug.php.txt

Expected result:
----------------
Empty.

Actual result:
--------------
Segmentation fault, core dumped.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-02-10 15:07 UTC] scottmac@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I can't reproduce this with a CVS version, can you provide the backtrace.

[2009-02-10 15:40 UTC] whitephoenix at mail dot ru

httpd.exe - Apache 2.2.4.0 on Windows XP.

Thread 250 - System ID 39948
Entry point   msvcrt!_endthreadex+3a 
Create time   10.02.2009 18:35:47 
Time spent in user mode   0 Days 0:0:0.62 
Time spent in kernel mode   0 Days 0:0:0.15 

Function     Arg 1     Arg 2     Arg 3   Source 
ntdll!_SEH_prolog+1a     00270000     00000000     00000090    
msvcrt!_heap_alloc+e0     00000090     05c43098     77c1c42e    
msvcrt!_nh_malloc+13     00000090     00000000     06a524c7    
msvcrt!malloc+27     00000090     05c4323c     00000319    
php5ts!php_pcre_exec+5ad4     00000319     06a524c7     00000018    
0x05c4323c     06a524c7     00000018     00000000    

NTDLL!_SEH_PROLOG+1AIn httpd__PID__39128__Date__02_10_2009__Time_06_36_38PM__718__Second_Chance_Exception_C00000FD.dmp the assembly instruction at ntdll!_SEH_prolog+1a in C:\WINDOWS.0\system32\ntdll.dll from ?????????? ?????????? has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x05c42e24 on thread 250

[2009-02-10 16:17 UTC] whitephoenix at mail dot ru

5.3.0beta2-dev

[2009-02-10 21:58 UTC] felipe@php.net

Try increasing the value of pcre.backtrack_limit directive.
http://docs.php.net/manual/en/pcre.configuration.php

[2009-02-11 10:34 UTC] whitephoenix at mail dot ru

It doesnot work with decreased pcre.backtrack_limit and crushes with increased. What should I do?
Should me rewrite my compiler without pcre? :)

[2009-02-11 11:34 UTC] felipe@php.net

Scott, I got this:

==17735== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 71 from 1)
==17735== malloc/free: in use at exit: 16,528 bytes in 2 blocks.
==17735== malloc/free: 28,132 allocs, 28,130 frees, 3,660,888 bytes allocated.
==17735== For counts of detected errors, rerun with: -v
==17735== searching for pointers to 2 not-freed blocks.
==17735== checked 772,948 bytes.
==17735== 
==17735== 144 bytes in 1 blocks are definitely lost in loss record 1 of 2
==17735==    at 0x402401E: malloc (vg_replace_malloc.c:207)
==17735==    by 0x807C5A9: match (pcre_exec.c:1046)
==17735==    by 0x807C807: match (pcre_exec.c:1107)
==17735==    by 0x807BC10: match (pcre_exec.c:773)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BC10: match (pcre_exec.c:773)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735==    by 0x807CF5B: match (pcre_exec.c:1313)
==17735==    by 0x807BB9E: match (pcre_exec.c:765)
==17735== 
==17735== 
==17735== 16,384 bytes in 1 blocks are still reachable in loss record 2 of 2
==17735==    at 0x402401E: malloc (vg_replace_malloc.c:207)
==17735==    by 0x40D672C: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x40D7718: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x40D78BF: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x40DA1F0: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x40E6944: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x4099030: (within /usr/lib/libfbclient.so.1.5.3)
==17735==    by 0x400DDE3: (within /lib/ld-2.7.so)
==17735==    by 0x400DF13: (within /lib/ld-2.7.so)
==17735==    by 0x400084E: (within /lib/ld-2.7.so)
==17735== 
==17735== LEAK SUMMARY:
==17735==    definitely lost: 144 bytes in 1 blocks.
==17735==      possibly lost: 0 bytes in 0 blocks.
==17735==    still reachable: 16,384 bytes in 1 blocks.
==17735==         suppressed: 0 bytes in 0 blocks.

[2009-02-11 17:16 UTC] felipe@php.net

As it isn't a PHP bug, I've reported it in http://bugs.exim.org/show_bug.cgi?id=809

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Dec 15 20:01:27 2024 UTC