Bug #63913 Segfault on preg_replace with some weird conditions
Submitted: 2013-01-06 00:15 UTC Modified: 2013-01-08 15:06 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: seld@php.net Assigned: seld (profile)
Status: Closed Package: PCRE related
PHP Version: 5.5.0alpha2 OS: Windows 7 x64
Private report: No CVE-ID: None
 [2013-01-06 00:15 UTC] seld@php.net
Description:
------------
The composer test suite segfaults on 5.5 as you can see on https://travis-ci.org/composer/composer/jobs/3971664

I tried investigating on my machine and could not get to the bottom of it, so here are my findings, I hope someone else can reproduce and will have more of a clue than I do.

The weirdest thing is that *sometimes*, depending on the code changes I make to runme.php (see https://gist.github.com/7f465d4109d667a73984), it actually runs through fine, but most of the time it crashes. Then a bit later if I try and do a similar change it crashes again; either it's an intermittent system issue or something's very wrong. Since it also segfaults on travis I would assume the latter.

Note that tweaking the input to the preg_replace call (by removing bits and pieces of testcase.php) also tends to make it work sometimes. For example removing the "}" at line 15 makes it work for me.


Test script:
---------------
Run these commands:

git clone https://gist.github.com/7f465d4109d667a73984.git reproduce
cd reproduce/
php runme.php


Expected result:
----------------
With 5.4.8 VC9 TS I get the following:

$ php runme.php
string(8) "content:"
string(103) "<?php\n namespace Foo; class StripNoise { public function test() { return <<<A\nclass Fail23\n{\n}\nA\n; }
} "
string(4) "test"
string(2) "aa"
string(8) "starting"
string(4) "done"
bool(true)

Actual result:
--------------
With 5.5.0-alpha2 VC9 TS I get this:

$ php runme.php
string(8) "content:"
string(103) "<?php
 namespace Foo; class StripNoise { public function test() { return <<<A
class Fail23
{
}
A
; } } "
string(4) "test"

 --- then the process crashes and I get a crash window with the following details ---

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	php.exe
  Application Version:	5.5.0.0
  Application Timestamp:	50d1254a
  Fault Module Name:	php5ts.dll
  Fault Module Version:	5.5.0.0
  Fault Module Timestamp:	50d13446
  Exception Code:	c0000005
  Exception Offset:	0004762d
  OS Version:	6.1.7601.2.1.0.256.1
  Locale ID:	4108
  Additional Information 1:	0a9e
  Additional Information 2:	0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:	0a9e
  Additional Information 4:	0a9e372d3b4ad19135b953a78882e789


History

 [2013-01-06 10:15 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2013-01-06 10:15 UTC] pajoye@php.net
Can you provide a full BT please? Debug symbols must be loaded or the symbol path.

Also I suspect the classic pcre stack limit crash issue here. Can you try to increase it using edit in and run the test again? If you could provide the simple pcre call, if it is actually a pcre crash.
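The PCRE limit failure mode pajoye refers to, as an added PHP example that is not part of this bug report or of PHP's own code: it lowers pcre.backtrack_limit and pcre.recursion_limit (assumed values, the opposite direction from the "increase it" suggestion, so the failure is reproducible) on a constructed catastrophic-backtracking input, and shows that preg_replace() then returns NULL rather than a string, with the reason available from preg_last_error(). Code that uses the result as a string without this check silently drops the data. The wrapper name checkedPregReplace is hypothetical.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Demonstrates how PCRE backtrack/recursion limits surface to a PHP program:
// preg_replace() returns NULL and preg_last_error() names the cause.

// Constructed input: a run of 'a' followed by a 'b', which can never satisfy
// the trailing '$', so the nested quantifier backtracks exponentially.
$subject = str_repeat('a', 40) . 'b';
$pattern = '/^(a+)+$/';

// Assumed limit values, lowered so the failure is reached immediately.
// (The thread discusses raising them; here they are reduced on purpose.)
ini_set('pcre.backtrack_limit', '1000');
ini_set('pcre.recursion_limit', '1000');
// Force the interpreter path so both limits apply; on builds without this
// setting (PHP 5) ini_set() simply returns false and nothing changes.
@ini_set('pcre.jit', '0');

/**
 * Hypothetical wrapper: runs preg_replace() and reports a PCRE failure
 * explicitly instead of handing back NULL. Returns array(result, errorName).
 */
function checkedPregReplace($pattern, $replacement, $subject)
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result !== null) {
        return array($result, 'PREG_NO_ERROR');
    }
    // preg_last_error() describes the most recent preg_* failure.
    $names = array(
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    $code = preg_last_error();
    // Codes added in later PHP versions (e.g. the JIT stack limit) fall
    // through to the numeric form so the wrapper stays PHP 5 compatible.
    $name = isset($names[$code]) ? $names[$code] : 'PREG error code ' . $code;
    return array(null, $name);
}

list($out, $err) = checkedPregReplace($pattern, 'x', $subject);
if ($out === null) {
    echo "preg_replace failed: $err\n";
} else {
    echo "replaced: $out\n";
}
```

With the limits above the call fails with PREG_BACKTRACK_LIMIT_ERROR (or the JIT stack limit code on builds where pcre.jit cannot be disabled); raising pcre.backtrack_limit, as the comment suggests trying, only moves the point at which the same NULL result appears, so the return value check belongs in the caller regardless of the configured limits.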
 [2013-01-06 16:01 UTC] seld@php.net
Regarding the stack limit, I don't think so for two reasons: 1) it works on 5.4, 2) if you look at the code I tried a very simple .* pattern and that seems to trigger a failure too. I tried to increase pcre stuff to 10million and it still fails.

As I said I couldn't reduce it further, if I tweak the code too much it stops crashing, and I could not really pinpoint it to an exact line that makes it fail. All it does is preg_replace calls though so I guess that's it.

Anyway here is the stack trace, not sure it's any help:

Full Call Stack

Function     Arg 1     Arg 2     Arg 3     Arg 4   Source 
ntdll!NtRaiseException+12     0094efa4     0094eff4     00000000     c0000005    
ntdll!KiUserExceptionDispatcher+29     0094efa4     0094eff4     00000000     c0000005    


Exception Information
PHP5TS!ZEND_DO_FCALL_COMMON_HELPER_SPEC+E7D

In php__PID__248__Date__01_06_2013__Time_04_57_23PM__236__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_do_fcall_common_helper_SPEC+e7d in c:\Users\seld\Apps\Server\PHP\php\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x05f804c8 on thread 0
 [2013-01-08 04:42 UTC] aharvey@php.net
-Status: Feedback +Status: Open -Package: *Regular Expressions +Package: PCRE related
 [2013-01-08 13:58 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2013-01-08 13:58 UTC] ab@php.net
I've just taken the latest 5.5 snap http://windows.php.net/downloads/snaps/php-5.5/rcde53e7/ and ran your code against it - see no segfaults with CLI. Could you please try this snap?

The trace is kind of a bit too short :) Maybe you'll have more luck using this guide? https://bugs.php.net/bugs-generating-backtrace-win32.php
 [2013-01-08 15:06 UTC] seld@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

OK the latest snap seems to work indeed, so I am closing this. I will try the next release for sure and hopefully once it trickles down to travis-ci we will have a green build again.
 [2013-01-08 15:06 UTC] seld@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: seld
 [2013-01-08 15:07 UTC] seld@php.net
OK the latest snap seems to work indeed, so I closed it. I will try the next release for sure and hopefully once it trickles down to travis-ci we will have a green build again.