|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73483 Segmentation fault
Submitted: 2016-11-09 12:06 UTC Modified: 2016-11-14 04:35 UTC
From: alex at buayacorp dot com Assigned: dmitry (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.12 OS: debian wheezy
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: alex at buayacorp dot com
New email:
PHP Version: OS:


 [2016-11-09 12:06 UTC] alex at buayacorp dot com
We've noticed a few segmentation faults in some of our servers. I am able to consistently reproduce it in a debian wheezy vm with the test script below.

alex@atoq-wheezy:~/php-7.0.12$ uname -a
Linux atoq-wheezy 3.2.0-4-amd64 #1 SMP Debian 3.2.82-1 x86_64 GNU/Linux
alex@atoq-wheezy:~/php-7.0.12$ locale

# PHP compiled with --disable-all flag.
alex@atoq-wheezy:~/php-7.0.12$ sapi/cli/php -v
PHP 7.0.12 (cli) (built: Nov  9 2016 11:29:49) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

The script works fine in the same VM under PHP 5.6.27.
# PHP compiled with --disable-all flag.
alex@atoq-wheezy:~/php-5.6.27$ sapi/cli/php ../segfault.php
string(22) "<p>hola</p><p>hola</p>"

Test script:

Expected result:
string(22) "<p>hola</p><p>hola</p>"

Actual result:
alex@atoq-wheezy:~/php-7.0.12$ sapi/cli/php -dpcre.jit=0 ../segfault.php

alex@atoq-wheezy:~/php-7.0.12$ sapi/cli/php -dpcre.jit=1 ../segfault.php
Segmentation fault


use-regex-cache-key-with-locale (last revision 2016-11-10 15:32 UTC by alex at buayacorp dot com)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-09 15:33 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: dmitry
 [2016-11-09 15:33 UTC]
This issue is apparently locale related. For instance, the script works
fine if the locale is "C", see <>. Alternatively,
commenting out line 58[1] will also let the script succeed.

Anyhow, the behavioral change had been introduced with commit

Dmitry, can you please have a look at this issue?

[1] <>
[2] <;a=commit;h=4514ba016ff158cd113deef1a215fcdcb6913b48>
 [2016-11-10 15:30 UTC] alex at buayacorp dot com
After looking a little bit more into this issue I think this happens because the update logic of already cached items doesn't really take into account locale changes.

For example, if a regex A was cached with locale X, then `pcre_get_compiled_regex_cache ` will store it as `H(x, compiled(A))`. If this cached value is still in use (i.e. preg_replace_callback in the provided script) AND the locale changes to Y, then `pcre_get_compiled_regex_cache` will update the entry `H(x, compiled(B))` (via zend_hash_update_mem), this will override the refere that's still in use for `H(x, compiled(A))`.
 [2016-11-10 15:34 UTC] alex at buayacorp dot com
I added a naive patch that uses a combination of regex+locale (if available) which seems to fix this issue.
 [2016-11-14 04:34 UTC]
I got another patch, which could get rid of the pce->locale checks at all.

 [2016-11-14 04:35 UTC]
And a simpler reproduce script:

$regex = "#dummy#";
setlocale(LC_ALL, "C");
preg_replace_callback($regex, function (array $matches) use($regex) {
    setlocale(LC_ALL, "en_US");
    preg_replace($regex, "A", "A");
    setlocale(LC_ALL, "C");
}, "dummy");
 [2016-11-14 09:05 UTC] alex at buayacorp dot com
Thanks. I am not longer able to reproduce this issue with the patch above.
 [2016-11-20 07:53 UTC]
Automatic comment on behalf of
Log: Fixed bug #73483 (Segmentation fault on pcre_replace_callback)
 [2016-11-20 07:53 UTC]
-Status: Verified +Status: Closed
 [2016-11-22 13:14 UTC]
Automatic comment on behalf of
Log: Fixed bug #73483 (Segmentation fault on pcre_replace_callback)
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Dec 01 01:03:34 2021 UTC