ID: 48153 User updated by: raul dot gigea at directmedia dot de Reported By: raul dot gigea at directmedia dot de -Status: Feedback +Status: Open Bug Type: Reproducible crash Operating System: FreeBSD 7.1-RELEASE-p4 PHP Version: 5.2.9 New Comment:
Ok, i tried using the CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz Which by the way was only 1 day newer than the one I tried. I used your configure line: 'configure' \ '--disable-all' \ '--enable-debug' \ '--disable-reflection' \ '--disable-cgi' \ '--with-curl' \ '--with-curlwrappers' \ '--with-pcre-regex' \ '--with-mhash' And its still segfaulting Previous Comments: ------------------------------------------------------------------------ [2009-05-06 18:37:28] j...@php.net Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://windows.php.net/snapshots/ I can not reproduce this with linux and latest PHP_5_2 snapshot using this configure line: '/usr/src/php-5.2CVS/configure' \ '--disable-all' \ '--enable-debug' \ '--disable-reflection' \ '--disable-cgi' \ '--with-curl' \ '--with-curlwrappers' \ '--with-pcre-regex' \ '--with-mhash' ------------------------------------------------------------------------ [2009-05-05 18:36:26] f...@php.net verified with FreeBSD 7.1-RELEASE-p4 and current snapshot: "Segmentation fault: 11 (core dumped)" Although I didn't examine the coredump in detail HEAD works fine ------------------------------------------------------------------------ [2009-05-05 16:22:03] raul dot gigea at directmedia dot de Description: ------------ Hi, i mananged to reproduce this bug on various clean FreeBSD systems with php version 5.2.9, than compiled todays cvs snapshot version and the bug is still reproducible. Memory limit was 128MB which should be more than enough for the code that produced the crash. Stacksize was 64MB. ( ulimit -s ) 5.2.6 works fine. Also, disabling mhash extension fixes the problem. Reducing pcre.recursion_limit and pcre.backtrack_limit in php.ini also fixes the problem, but creates a new one, because the preg_replace function doesn't produce the expected results any more. ( They have to be reduced to about 50, so that the segfault doesn't occur ) Details follow. Configure Line: ./configure --with-mhash List of modules: List of Modules: ./sapi/cli/php -m [PHP Modules] ctype date dom filter hash iconv json libxml mhash pcre PDO pdo_sqlite posix Reflection session SimpleXML SPL SQLite standard tokenizer xml xmlreader xmlwriter [Zend Modules] Reproduce code: --------------- $contents = 'd' . str_repeat('a', 1900) . 'b'; $contents = preg_replace('/d(a)+b/', '', $contents); Expected result: ---------------- $contents should be empty. Actual result: -------------- segmentation fault (core dumped) ./sapi/cli/php ~/test.php --------- Backtrace --------- ... starts with 1400 times the same call to match ... ( stack overflow ) #1400 0x0808e030 in match (eptr=0x28923db9 'a' <repeats 200 times>..., ecode=0x28a1666d "_", mstart=0x28923db8 "d", 'a' <repeats 199 times>..., offset_top=2, md=0xbfbfcc30, ims=0, eptrb=0x0, flags=0, rdepth=0) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:720 #1401 0x0809b118 in php_pcre_exec (argument_re=0x28a16640, extra_data=0xbfbfcd80, subject=0x28923db8 "d", 'a' <repeats 199 times>..., length=1902, start_offset=0, options=0, offsets=0x2892253c, offsetcount=6) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:4895 #1402 0x080a10e6 in php_pcre_replace_impl (pce=0x28a15d40, subject=0x28923db8 "d", 'a' <repeats 199 times>..., subject_len=1902, replace_val=0x28921db4, is_callable_replace=0, result_len=0xbfbfcf04, limit=-1, replace_count=0x0) at /usr/home/raul/php- snapshot/php5.2-200905051430/ext/pcre/php_pcre.c:1045 #1403 0x080a0e86 in php_pcre_replace (regex=0x28923d80 "/d(a)+b/", regex_len=8, subject=0x28923db8 "d", 'a' <repeats 199 times>..., subject_len=1902, replace_val=0x28921db4, is_callable_replace=0, result_len=0xbfbfcf04, limit=-1, replace_count=0x0) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/php_pcre.c:955 ---Type <return> to continue, or q <return> to quit--- #1404 0x080a1d66 in php_replace_in_subject (regex=0x28921e2c, replace=0x28921db4, subject=0x28917a60, result_len=0xbfbfcf04, limit=- 1, is_callable_replace=0 '\0', replace_count=0x0) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/php_pcre.c:1272 #1405 0x080a2684 in preg_replace_impl (ht=3, return_value=0x28923378, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, is_callable_replace=0 '\0') at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/php_pcre.c:1370 #1406 0x080a2735 in zif_preg_replace (ht=3, return_value=0x28923378, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/php_pcre.c:1386 #1407 0x083373d0 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfbfd128) at zend_vm_execute.h:200 #1408 0x0833cff9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfbfd128) at zend_vm_execute.h:1739 #1409 0x08336f22 in execute (op_array=0x28922580) at zend_vm_execute.h:92 #1410 0x08311592 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/home/raul/php-snapshot/php5.2- 200905051430/Zend/zend.c:1134 #1411 0x082bd926 in php_execute_script (primary_file=0xbfbfe7d4) at /usr/home/raul/php-snapshot/php5.2-200905051430/main/main.c:2025 #1412 0x08390d62 in main (argc=2, argv=0xbfbfe8bc) at /usr/home/raul/php-snapshot/php5.2- 200905051430/sapi/cli/php_cli.c:1162 ----------------------------------------------------------------- The match function recursively calls itself until stack overflow: ----------------------------------------------------------------- #1400 0x0808e030 in match (eptr=0x28923db9 'a' <repeats 200 times>..., ecode=0x28a1666d "_", mstart=0x28923db8 "d", 'a' <repeats 199 times>..., offset_top=2, md=0xbfbfcc30, ims=0, eptrb=0x0, flags=0, rdepth=0) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:720 720 RMATCH(eptr, ecode + _pcre_OP_lengths[*ecode], offset_top, md, (gdb) frame 1399 #1399 0x0808f793 in match (eptr=0x28923dba 'a' <repeats 200 times>..., ecode=0x28a16674 "V", mstart=0x28923db8 "d", 'a' <repeats 199 times>..., offset_top=4, md=0xbfbfcc30, ims=0, eptrb=0x0, flags=0, rdepth=1) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:1361 1361 RMATCH(eptr, prev, offset_top, md, ims, eptrb, flags, RM13); (gdb) frame 1398 #1398 0x0808e030 in match (eptr=0x28923dba 'a' <repeats 200 times>..., ecode=0x28a1666d "_", mstart=0x28923db8 "d", 'a' <repeats 199 times>..., offset_top=4, md=0xbfbfcc30, ims=0, eptrb=0x0, flags=0, rdepth=2) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:720 720 RMATCH(eptr, ecode + _pcre_OP_lengths[*ecode], offset_top, md, ---------------------------------------------------------------------- More info on php_pcre_exec: (gdb) frame 1401 #1401 0x0809b118 in php_pcre_exec (argument_re=0x28a16640, extra_data=0xbfbfcd80, subject=0x28923db8 "d", 'a' <repeats 199 times>..., length=1902, start_offset=0, options=0, offsets=0x2892253c, offsetcount=6) at /usr/home/raul/php-snapshot/php5.2- 200905051430/ext/pcre/pcrelib/pcre_exec.c:4895 4895 rc = match(start_match, md->start_code, start_match, 2, md, ims, NULL, 0, 0); (gdb) p start_match $1 = (const unsigned char *) 0x28923db8 "d", 'a' <repeats 199 times>... (gdb) p md->start_code $2 = (const uschar *) 0x28a16668 "^" (gdb) p md $3 = (match_data *) 0xbfbfcc30 (gdb) p *md $4 = {match_call_count = 1401, match_limit = 100000, match_limit_recursion = 100000, offset_vector = 0x2892253c, offset_end = 6, offset_max = 4, nltype = 0, nllen = 1, nl = "\n\000\000", lcc = 0x8392880 "", ctypes = 0x8392bc0 "\200", offset_overflow = 0, notbol = 0, noteol = 0, utf8 = 0, jscript_compat = 0, endonly = 0, notempty = 0, partial = 0, hitend = 0, bsr_anycrlf = 0, start_code = 0x28a16668 "^", start_subject = 0x28923db8 "d", 'a' <repeats 199 times>..., end_subject = 0x28924526 "", start_match_ptr = 0x28923db8 "d", 'a' <repeats 199 times>..., end_match_ptr = 0xf0c <Address 0xf0c out of bounds>, end_offset_top = 199340, capture_last = 1, start_offset = 0, eptrchain = 0x0, eptrn = 0, recursive = 0x0, callout_data = 0x0} (gdb) p ims $5 = 0 . Hope this helps. Mail me for the full core file. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=48153&edit=1
