Bug #47520 PHP segfaulted in preg_replace on processing long string
Submitted: 2009-02-27 11:13 UTC Modified: 2009-03-03 13:15 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: pahan at hubbitus dot spb dot su Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.0beta1 OS: Linux
Private report: No CVE-ID: None
 [2009-02-27 11:13 UTC] pahan at hubbitus dot spb dot su
Description:
------------
PHP segfaulted when I tried to replace in a long string using the following regexp: '((?>(?:[^']|(?<=\\\)')*))'

Some comments on the reproduce code: the comments for cases 1 and 2 are clear.
In cases 3 and 4 I just ran the script several times, like (assume the file is named test.php):
for (( i=100; i>0; i-- )) ; do echo -n $i: ; ./test.php ; done

Sample results of these runs can be seen here: http://ru.bir.ru/_temp/php-pcre-bug/2/4965.log for 3 (files are named by the length of the tested string), and for 4 - http://ru.bir.ru/_temp/php-pcre-bug/2/4967.log

Coredump may be downloaded here: http://ru.bir.ru/_temp/php-pcre-bug/2/core.10135

Also, please note, I added the construction (?> ... ) to speed up and disallow recursion, so it must be different from bugs http://bugs.php.net/bug.php?id=27492 , http://bugs.php.net/bug.php?id=47376 , http://bugs.php.net/bug.php?id=47376 and http://bugs.php.net/bug.php?id=27310 .

Reproduce code:
---------------
<?php
$cont = "'" . str_pad('', 5000, '-');   //1: Always "segmentation fault"
//$cont = "'" . str_pad('', 4000, '-'); //2: "Never" (as far as I can see in 1000 iterations) "segmentation fault"
//$cont = "'" . str_pad('', 4965, '-'); //3: Segfaults from time to time, ~1-2 times in 100 executions
//$cont = "'" . str_pad('', 4967, '-'); //4: Segfaults 50/50%

$reg = "#'((?>(?:[^']|(?<=\\\)')*))'#";
preg_replace($reg, '', $cont);
echo "OK\n";
?>

Expected result:
----------------
OK

Actual result:
--------------
Segmentation fault

 [2009-02-27 20:06 UTC] pahan at hubbitus dot spb dot su
I have checked the previous reports about this issue three times. And what? All closed as bogus, but the segmentation fault is still here! Where is the solution/fix??? Even a common workaround for the problem is absent.

Why is it bogus and not a bug???

And also, please read the note again: I use a "Once-only subpattern", so this should prevent recursion as far as I can understand. Or not?
 [2009-02-28 01:19 UTC] felipe@php.net
I cannot download the coredump file: "You don't have permission to access /_temp/php-pcre-bug/2/core.10135 on this server."

Can you give us a backtrace?
 [2009-02-28 09:00 UTC] pahan at hubbitus dot spb dot su
I apologize for the mistake.
I have fixed the rights now, please recheck.
 [2009-03-02 10:01 UTC] phpwnd at gmail dot com
I'd like to add that you don't need such a complicated test case, you can make preg_* segfault with just something like:

$str = str_repeat(' ', 2490);
preg_match('#(.)+#', $str);


On my computer, a 2490-char string is long enough to make it segfault every time. For some reason, 2489 chars will make it segfault only 1 out of 5 runs and 2480 chars are perfectly fine. If I replace the regexp with more capturing parentheses such as #((.))+# that limit drops to 1500-or-so and that number decreases as the number of parentheses increases. Using non-capturing patterns such as #(?:.)+# doubles that number.

Obviously, the bug is related to capturing patterns repetition, assuming we're experiencing the same bug. I'll try to find a place to host a core dump.
 [2009-03-02 10:09 UTC] phpwnd at gmail dot com
I forgot to add that in my case, lowering the value of the pcre.recursion_limit INI setting makes preg_* functions fail instead of making PHP segfault.
 [2009-03-03 01:40 UTC] iliaa@php.net
There is not much we can do about recursion limits other than suggest 
the lowering of the pcre.recursion_limit setting. The basic problem is 
that the PCRE library (not PHP) is eating up the system stack during 
recursion and subsequently crashes when it runs out of room.

This is not a PHP bug.
 [2009-03-03 13:15 UTC] pahan at hubbitus dot spb dot su
A problem in the pcre library is a problem of the pcre library.
BUT a segmentation fault of PHP is a bug of PHP itself in any case!!!

I can understand that it may be very hard to fix, but I completely do not understand why you mark it as Bogus!
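
The mitigation named in the 2009-03-02 and 2009-03-03 comments (lower pcre.recursion_limit so preg_* fails instead of crashing) only helps if the caller checks for that failure. The sketch below is an added example, not code from this report or from PHP itself; the helper name checked_preg_match(), the limit value 1000 and the third pattern are assumptions made for illustration.

```php
<?php
// Added example: bound PCRE recursion and treat an engine failure as an error.

// Cap recursion depth so a deep match is aborted by PCRE before the process
// stack is exhausted. 1000 is an assumed value; size it to the stack
// available to the PHP process.
ini_set('pcre.recursion_limit', '1000');
// The JIT matcher does not apply the recursion limit, so use the interpreter here.
ini_set('pcre.jit', '0');

// Hypothetical helper: preg_match() that throws instead of silently returning false.
function checked_preg_match(string $pattern, string $subject): array
{
    $matches = [];
    $result = preg_match($pattern, $subject, $matches);
    if ($result === false) {
        // false means the engine gave up; it is not the same as "no match" (0).
        $code = preg_last_error();
        $names = [
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit reached',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit reached',
        ];
        throw new RuntimeException('PCRE failure: ' . ($names[$code] ?? "error code $code"));
    }
    return $matches;
}

// Subject length and the first two patterns come from the 2009-03-02 comment;
// '#.+#' is an added variant that expresses the same match without a repeated group.
$subject = str_repeat(' ', 2490);
foreach (['#(.)+#', '#(?:.)+#', '#.+#'] as $pattern) {
    try {
        $m = checked_preg_match($pattern, $subject);
        echo $pattern, ': matched ', strlen($m[0] ?? ''), " bytes\n";
    } catch (RuntimeException $e) {
        echo $pattern, ': ', $e->getMessage(), "\n";
    }
}
```

Which patterns hit the limit depends on the PCRE version bundled with the PHP build, so the script reports the outcome per pattern rather than assuming one.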
 
Last updated: Fri Jul 04 15:01:36 2025 UTC