php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69149 The PCRE extension crashes seeminglessly due to memory leaks or double free
Submitted: 2015-02-28 23:18 UTC Modified: 2015-06-24 16:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gregory at luni dot fr Assigned: ab (profile)
Status: Closed Package: *Regular Expressions
PHP Version: master-Git-2015-02-28 (Git) OS: OSX, Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: gregory at luni dot fr
New email:
PHP Version: OS:

 

 [2015-02-28 23:18 UTC] gregory at luni dot fr
Description:
------------
There is an error on the PCRE extension and memory management, I can't determine exactly what's happening, I have These 2 types of messages :

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

This is the configure command I used on my mac :

./configure --prefix=$HOME/tmp/usr --with-config-file-path=$HOME/tmp/usr/etc --enable-mbstring --enable-zip --enable-bcmath --enable-pcntl --enable-ftp --enable-exif --enable-calendar --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-curl --with-mcrypt --with-iconv --with-gmp --with-gd --with-jpeg-dir=/usr/local/opt/jpeg/include/ --with-png-dir=/usr/local/opt/libpng/include/ --with-zlib-dir=/usr --with-freetype-dir=/usr --with-t1lib=/usr --enable-gd-native-ttf --enable-gd-jis-conv --with-openssl --with-pdo-mysql=mysqlnd --with-gettext=/usr/local/opt/gettext/ --with-zlib=/usr --with-bz2=/usr --with-recode=/usr --with-mysqli=mysqlnd --enable-debug --enable-maintainer-mode

I'm using OSX 10.10 Yosemite, with the latest master (34ff6bbb0df152694e648161b149d41270fccdcb).

Test script:
---------------
<?php

$buffer = 'public function test(){return true;}';

preg_match('/(?:public|protected|private|final|abstract|static)*?'
    . '\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm',
        $buffer, $matches);

var_dump($matches[0]);

Expected result:
----------------
string(36) "public function test(){return true;}"


Actual result:
--------------
Either :

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Or either :

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-28 23:19 UTC] gregory at luni dot fr
-Summary: The PCRE extension crashes +Summary: The PCRE extension crashes seeminglessly due to memory leaks or double free
 [2015-02-28 23:19 UTC] gregory at luni dot fr
Changed title
 [2015-02-28 23:49 UTC] gregory at luni dot fr
Added backtrace :

(gdb) backtrace
#0  0x00007fff9b897286 in __pthread_kill () from /usr/lib/system/libsystem_kernel.dylib
#1  0x00007fff9631942f in pthread_kill () from /usr/lib/system/libsystem_pthread.dylib
#2  0x00007fff8d8d3b53 in abort () from /usr/lib/system/libsystem_c.dylib
#3  0x00007fff8d89bc39 in __assert_rtn () from /usr/lib/system/libsystem_c.dylib
#4  0x000000010071c97c in zend_function_dtor (zv=0x7fff5fbfe058) at Zend/zend_opcode.c:122
#5  0x000000010074b680 in _zend_hash_del_el_ex (ht=0x101413a70, idx=1462, p=0x101854ac0, prev=0x0) at Zend/zend_hash.c:845
#6  0x000000010074cb69 in _zend_hash_del_el (ht=0x101413a70, idx=1462, p=0x101854ac0) at Zend/zend_hash.c:869
#7  0x000000010074d33c in zend_hash_reverse_apply (ht=0x101413a70, apply_func=0x1007151a0 <clean_non_persistent_function>) at Zend/zend_hash.c:1384
#8  0x0000000100714e59 in shutdown_executor () at Zend/zend_execute_API.c:345
#9  0x000000010073349e in zend_deactivate () at Zend/zend.c:890
#10 0x00000001006823d2 in php_request_shutdown (dummy=0x0) at main/main.c:1850
#11 0x00000001007fe1be in do_cli (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1156
#12 0x00000001007fc313 in main (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1355
 [2015-03-01 00:15 UTC] gregory at luni dot fr
the error does not occur with this similar regex :

/(?:(?:public|protected|private)\s+)(?:(?:final|abstract|static)\s+)?\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm
 [2015-03-01 15:27 UTC] laruence@php.net
-Status: Open +Status: Verified
 [2015-03-01 15:27 UTC] laruence@php.net
seems it's a bug in pcrelib .. anyway, must related to pcre jit we introduced recently.

php -d pcre.jit=0 runs fine..

==6629== Invalid write of size 8
==6629==    at 0x4DEDE6: _pcre_jit_compile (pcre_jit_compile.c:10313)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)
==6629==    by 0xAE349D: do_cli (php_cli.c:979)
==6629==    by 0xAE452E: main (php_cli.c:1355)
==6629==  Address 0x11a2bc88 is 24 bytes before a block of size 120 alloc'd
==6629==    at 0x4A078B8: malloc (vg_replace_malloc.c:270)
==6629==    by 0x4B701C: sljit_create_compiler (sljitLir.c:335)
==6629==    by 0x4DD55B: _pcre_jit_compile (pcre_jit_compile.c:9964)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)
 [2015-03-04 07:37 UTC] hzmester at freemail dot hu
Which pcre version? As far as I remember 8.35 has an alternative compiling bug.
 [2015-03-04 11:09 UTC] gregory at luni dot fr
This is what the php7 -i command returns about PCRE :

pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.36 2014-09-26
PCRE JIT Support => enabled

Directive => Local Value => Master Value
pcre.backtrack_limit => 1000000 => 1000000
pcre.jit => 1 => 1
pcre.recursion_limit => 100000 => 100000

The version is 8.36, maybe this bug wasn't fixed since 8.35.
 [2015-03-04 18:47 UTC] hzmester at freemail dot hu
This is a valid bug and related to the alternative compiling again, but with recursion. E.g: /(?:a|b|c|d|e)(?R)/ I try to fix it soon. Thank you for finding it.
 [2015-03-05 09:14 UTC] hzmester at freemail dot hu
Fixed in PCRE r1530. I will port the patch to PCRE2 soon. Thank you for the report.
 [2015-06-24 16:02 UTC] ab@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: ab
 [2015-06-24 16:02 UTC] ab@php.net
This fixed with the upgrade to PCRE 8.37.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Dec 04 05:03:37 2021 UTC