[2018-01-23 17:56 UTC] samding at ca dot ibm dot com
Description:
------------
Running the test cases
ext/mbstring/tests/mb_ereg.phpt
ext/mbstring/tests/mb_ereg_variation5.phpt
crashes PHP on s390x (or other big-endian platforms).
The gdb backtrace follows (in the listing, the macros STATE_CHECK_VAL and STATE_CHECK_POS have been replaced by their expansions):
(gdb) l
2476 // STATE_CHECK_VAL(scv, mem);
2477 do {
2478 if (state_check_buff != NULL) {
2479 // int x = STATE_CHECK_POS(s,mem);
2480 int x = (((s) - str) * num_comb_exp_check + ((mem) - 1));
2481 (scv) = state_check_buff[x/8] & (1<<(x%8));
2482 }
2483 else (scv) = 0;
2484 } while(0);
2485
(gdb) bt
#0 0x00000000803aa344 in match_at (reg=0x815a3650,
str=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, end=0x3fffb602573 "", right_range=0x3fffb602573 "",
sstart=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, sprev=0x3fffb60256d "\244\357\244\361\244", <incomplete sequence \363>, msa=0x3ffffffb110)
at /home/work/php/php/ext/mbstring/oniguruma/src/regexec.c:2481
#1 0x00000000803b0b00 in onig_search (reg=0x815a3650,
str=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, end=0x3fffb602573 "",
start=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, range=0x3fffb602573 "", region=0x815a3310, option=0) at /home/work/php/php/ext/mbstring/oniguruma/src/regexec.c:3664
#2 0x0000000080419d2c in _php_mb_regex_ereg_exec (execute_data=0x3fffb61c3b0, return_value=0x3fffb61c2c0, icase=0)
at /home/work/php/php/ext/mbstring/php_mbregex.c:750
#3 0x0000000080419f0a in zif_mb_ereg (execute_data=0x3fffb61c3b0, return_value=0x3fffb61c2c0)
at /home/work/php/php/ext/mbstring/php_mbregex.c:786
#4 0x000000008094b9f4 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x3fffb61c1d0)
at /home/work/php/php/Zend/zend_vm_execute.h:617
#5 0x0000000080ab5204 in execute_ex (ex=0x3fffb61c030) at /home/work/php/php/Zend/zend_vm_execute.h:59726
#6 0x0000000080ab57b8 in zend_execute (op_array=0x3fffb67c2a0, return_value=0x0) at /home/work/php/php/Zend/zend_vm_execute.h:63763
#7 0x00000000808917c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/work/php/php/Zend/zend.c:1496
#8 0x00000000807b75b4 in php_execute_script (primary_file=0x3ffffffee18) at /home/work/php/php/main/main.c:2590
#9 0x0000000080ab9e0e in do_cli (argc=2, argv=0x8145ace0) at /home/work/php/php/sapi/cli/php_cli.c:1011
#10 0x0000000080abb076 in main (argc=2, argv=0x8145ace0) at /home/work/php/php/sapi/cli/php_cli.c:1404
Test script:
---------------
on php_src home folder,
gdb sapi/cli/php
r ext/mbstring/tests/mb_ereg.phpt
Actual result:
--------------
crashed at
2481 (scv) = state_check_buff[x/8] & (1<<(x%8));
(gdb) p x
$1 = 196680
(gdb) p x/8
$2 = 24585
The index x/8 (24585) is outside the bounds of the state_check_buff array, so line 2481 reads past the end of the buffer.
"mem" comes from this macro:

553 #define GET_STATE_CHECK_NUM_INC(num,p) PLATFORM_GET_INC(num, p, StateCheckNumType)

191 #define PLATFORM_GET_INC(val,p,type) do{\
192 val = *(type* )p;\
193 (p) += sizeof(type);\
194 } while(0)

Note that "type" (StateCheckNumType) is defined as "short", while "mem" is an int, so line 193, "(p) += sizeof(type);\", causes the issue on big-endian platforms. The solution: change "StateCheckNumType" to "int". (Whichever type is used, the code that writes this operand into the compiled pattern has to use the same width that PLATFORM_GET_INC reads; that code is not shown in this report.)