php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #36267 Crash (segfault) not reproducible under Win32
Submitted: 2006-02-02 21:06 UTC Modified: 2006-02-02 23:00 UTC
From: mikeb at tracersinfo dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mikeb at tracersinfo dot com
New email:
PHP Version: OS:

 

 [2006-02-02 21:06 UTC] mikeb at tracersinfo dot com 
Description:
------------
I use PCRE's every day to harvest information from webpages (i.e., not a newbie, and I use many very complex expressions regularly).

I recently ran into a problem with an expression I needed to use (essentially, to select a particular <table>, its contents, and everything that follows it on page full of tables -- specifically without allowing an intervening <table> or </table> tag) that worked perfectly throughout my development under Windows XP Home SP2.  As soon as I ported the script to GNU/Linux (3 different machines:  Mandrake 10 [2.6.8 kernel]; 2 Ubuntu 5.10 [2.6.12 kernel]), it segfaults both under the CLI and Apache (1.3.33) SAPI.  (The use of once-only subpattern is not significant -- same result is obtained using merely non-matching subpattern.)

I've simplified the referenced script to what it takes to reproduce the problem, and I note that significant reduction in size of the two <tag> sections can allow this to function properly under Linux, but I do not have that luxury with arbitrary incoming webpages that must be parsed without advance knowledge of their contents.

The same symptom obtains if I attempt to use preg_match instead of preg_replace.

One of the failing PHP's config lines:  --disable-cgi --with-apxs=/www/bin/apxs --enable-magic-quotes --with-openssl --with-zlib --enable-bcmath --with-bz2 --enable-calendar --with-curl --with-curlwrappers --enable-ftp --with-gd --with-mysql --with-mysqli --with-pdo-mysql --with-readline --enable-soap --enable-sockets --with-xsl

Fails with stock php.ini-dist.


Reproduce code:
---------------
http://home.tampabay.rr.com/greenorb/testpregfault2.txt


Expected result:
----------------
I expect to see the first <tag> tag echoed to my screen with a legend that "Stripfootpat worked".  (Note that this IS the result obtained under Win32 [Windows XP Pro/Home SP2].)


Actual result:
--------------
Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-02 21:15 UTC] nlopess@php.net 
the url you refer above doesn't work (error 403). please change the permissions.
 [2006-02-02 21:18 UTC] tony2001@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

This is all I can get with valgrind and I can't reproduce the segfault without it.

==3882== Process terminating with default action of signal 11 (SIGSEGV)
==3882==  Access not within mapped region at address 0xBE7FFF24
==3882==    at 0x806D2FD: match (pcre_exec.c:517)
==3882== Stack overflow in thread 1: can't grow stack to 0xBE7FFEAC
 [2006-02-02 22:25 UTC] mikeb at tracersinfo dot com 
I recompiled PHP 5.1.2 with --enable-debug added to my config options on my home machine from the available sources on your site.  Despite this, I wasn't able to get a core file as described in your documentation on backtrace.  However, running the CLI under gdb, I did get the following:

-------------------------------------

(gdb) run testpregfault2.txt
Starting program: /usr/local/bin/php testpregfault2.txt
[Thread debugging using libthread_db enabled]
[New Thread -1215732032 (LWP 18908)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215732032 (LWP 18908)]
0x080a293c in match (
    eptr=0x85f480f "vv wwwww xxxxx yyyyy zzzzz\naaaaa bbbbb ccccc ddddd eeeee fffff ggggg <hhh> iiiii jjjjj kkkkk lllll mmmmm\nnnnnn ooooo ppppp qqqqq rrrrr sssss ttttt uuuuu vvvvv wwwww xxxxx yyyyy zzzzz\naaaaa bbbbb ccccc"...,
    ecode=0x858121a "\027<A", offset_top=2, md=0xbfb7d274, ims=5,
    eptrb=0xbf3803d0, flags=2)
    at /home/mikeb/src/php-5.1.2/ext/pcre/pcrelib/pcre_exec.c:357
357     {

--------------------------------------

Attempts to bt from here yielded thousands (I killed it sometime after 5000) frames similar to:

---------------------------------------

#5835 0x080a67bd in match (
    eptr=0x85f3145 "llll mmmmm\nnnnnn ooooo ppppp qqqqq rrrrr sssss ttttt uuuuu vvvvv wwwww xxxxx yyyyy zzzzz\naaaaa bbbbb ccccc ddddd eeeee fffff ggggg <hhh> iiiii jjjjj kkkkk lllll mmmmm\nnnnnn ooooo ppppp qqqqq rrrrr sss"...,
    ecode=0x8581217 "J", offset_top=2, md=0xbfb7d274, ims=5, eptrb=0xbf726970,
    flags=Variable "flags" is not available.
) at /home/mikeb/src/php-5.1.2/ext/pcre/pcrelib/pcre_exec.c:975

--------------------------------

with the subject string growing one character at a time to the left (next was 'lllll', etc.)

The final commands listed at the bottom of your "generating a gdb backtrace" page yielded the following results:

----------------------------

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8372d23 "preg_replace"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x8584bfc "/home/mikeb/temp/testpregfault2.txt"

-----------------------------------------

I'll be happy to do anything I can to give you more information on this, but there's no telling how many more thousands of match() frames there were, and it seems pretty clear that the last execute() was preg_replace.

Frankly, I'm most puzzled by the fact that this works properly on every Windows machine I've tried it on, and fails consistently identically on at least three separately-compiled Linux machines.

Thanks for your help.

Mike
 [2006-02-02 22:58 UTC] tony2001@php.net 
So it looks like you found another one problem in PCRElib.
Please report it to the author of PCRE: http://pcre.org
Thanks.
 [2006-02-02 23:00 UTC] nlopess@php.net 
I still can't get the reproduce script, but this seems to be the well known PCRE stack overflow problem. Maybe Windows is giving the process more stack than your linux machines, thus PHP doesn't segault there.
 [2006-02-02 23:00 UTC] nlopess@php.net 
ups, sorry.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 03 08:01:29 2024 UTC