From: Sjon at react dot com
Operating system: Linux
PHP version: 5.2.6
PHP Bug Type: Reproducible crash
Bug description: preg_replace_callback to non-existing function + custom error handler segfaults
Description:
------------
I have been working many hours to strip a 15000+ line crashing script down to
a short and reproducible crash; so here it is. Unfortunately the code is
still quite long, but anything I change will fix it, including the unused
function arguments. This code (still) crashes in php5.2-200806261230, so I
hope someone might be able to fix this.
I know that the cause of the problem is that e->f calls a non-existing
callback function ('e', 'x').
Reproduce code:
---------------
The bug can only be reproduced by downloading both
http://home.parse.nl/~sjon/bug-reports/php/waa.txt and
http://home.parse.nl/~sjon/bug-reports/php/meukee.php ; rename them both
to .php and run 'waa.php'.
Expected result:
----------------
Just the error 'preg_replace_callback(): Requires argument 2, 'e::x', to
be a valid callback'
Actual result:
--------------
#0 0x080aa31a in preg_replace_impl (ht=3, return_value=0x895a888,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
is_callable_replace=1 '\001')
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1283
#1 0x080aaa08 in zif_preg_replace_callback (ht=3, return_value=0x895a888,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1355
#2 0x0832fb58 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf9768d8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#3 0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xbf9768d8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#4 0x0832f6d8 in execute (op_array=0x895bdd8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#5 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf976a78)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#6 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf976a78)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#7 0x0832f6d8 in execute (op_array=0x895b9e8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#8 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf976c38)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#9 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf976c38)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#10 0x0832f6d8 in execute (op_array=0x895fde8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#11 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf976da8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#12 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf976da8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#13 0x0832f6d8 in execute (op_array=0x8958be4)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#14 0x082fe232 in zend_eval_string (str=0x8956c2c "$this->h('waa? meukee!');",
    retval_ptr=0xbf976ea4,
    string_name=0x8958b18 "/mnt/serve-a-lot/sjon/public_html/meukee.php(91) : regexp code")
    at /tmp/php5.2-200806261230/Zend/zend_execute_API.c:1195
#15 0x080a902e in preg_do_eval (eval_str=0x89589bc "$this->h('$0');",
eval_str_len=15, subject=0x8958aa4 "waa? meukee!", offsets=0x8958ae0,
count=1, result=0xbf976f28)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:899
#16 0x080a950c in php_pcre_replace_impl (pce=0x8989e08,
subject=0x8958aa4 "waa? meukee!", subject_len=12,
replace_val=0x8958980,
is_callable_replace=0, result_len=0xbf9770b4, limit=-1,
replace_count=0x0)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1031
#17 0x080a91fe in php_pcre_replace (regex=0x8958a34 "/.+/se", regex_len=6,
subject=0x8958aa4 "waa? meukee!", subject_len=12,
replace_val=0x8958980,
is_callable_replace=0, result_len=0xbf9770b4, limit=-1,
replace_count=0x0)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:933
#18 0x080aa017 in php_replace_in_subject (regex=0x89589f8,
replace=0x8958980,
subject=0x89484dc, result_len=0xbf9770b4, limit=-1,
is_callable_replace=0 '\0', replace_count=0x0)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1233
#19 0x080aa92f in preg_replace_impl (ht=3, return_value=0x8958944,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
is_callable_replace=0 '\0')
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1331
#20 0x080aa9d1 in zif_preg_replace (ht=3, return_value=0x8958944,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1347
#21 0x0832fb58 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977398)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#22 0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xbf977398)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#23 0x0832f6d8 in execute (op_array=0x895f64c)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#24 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977628)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#25 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf977628)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#26 0x0832f6d8 in execute (op_array=0x895f64c)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#27 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf9777a8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#28 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf9777a8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#29 0x0832f6d8 in execute (op_array=0x895ea98)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#30 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977918)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#31 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf977918)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#32 0x0832f6d8 in execute (op_array=0x895e888)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#33 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977af8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#34 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf977af8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#35 0x0832f6d8 in execute (op_array=0x895c1f4)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#36 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977c88)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#37 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf977c88)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#38 0x0832f6d8 in execute (op_array=0x895ec08)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#39 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf977e38)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#40 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf977e38)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#41 0x0832f6d8 in execute (op_array=0x895df68)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#42 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf978038)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#43 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf978038)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#44 0x0832f6d8 in execute (op_array=0x895b708)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#45 0x0832fcc7 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbf978218)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#46 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbf978218)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#47 0x0832f6d8 in execute (op_array=0x89561b8)
at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#48 0x0830ab2a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /tmp/php5.2-200806261230/Zend/zend.c:1134
#49 0x082ba6d4 in php_execute_script (primary_file=0xbf97a5a0)
at /tmp/php5.2-200806261230/main/main.c:2007
#50 0x083859cf in main (argc=2, argv=0xbf97a6e4)
at /tmp/php5.2-200806261230/sapi/cli/php_cli.c:1140
--
Edit bug report at http://bugs.php.net/?id=45368&edit=1
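The following PHP snippet is an added illustration of the shape visible in the backtrace above; it is not the reporter's waa.php or meukee.php (those files are not on this page), and the class, method and variable names in it are assumptions modelled on the report's 'e::x' and "$this->h('$0')". The backtrace shows three things stacked: a custom error handler is installed, an outer preg_replace() with the /e modifier (pattern "/.+/se", frame #17) evals the replacement "$this->h('$0')" (frame #15), and h() then hands preg_replace_callback() a callback name that does not resolve, which is where the segfault happens (frame #0). The engine crash itself can only be fixed in php_pcre.c, but user code can stop feeding it that input: validate the callback with is_callable() before the call, and drop the /e eval in favour of preg_replace_callback() so no regex-built string is ever executed. The closure using $this assumes PHP 5.4 or newer.

```php
<?php
// Added example for bug #45368: the risky shape from the backtrace next to
// a hardened form. Names (class e, methods h/x, the sample subject string)
// are assumptions modelled on the report, not the reporter's actual files.

// A custom error handler that swallows warnings, as many applications install.
function my_error_handler($errno, $errstr, $errfile, $errline) {
    echo "[handler] $errstr\n";
    return true; // tell the engine the error was handled
}
set_error_handler('my_error_handler');

class e {
    // Risky shape: a callback name that does not exist ('e::x' is never
    // defined) goes straight into preg_replace_callback(). With a custom
    // error handler active, this is the call that crashed 5.2.6.
    public function h_unchecked($s) {
        return preg_replace_callback('/./', 'e::x', $s);
    }

    // Hardened shape: reject anything that is not callable before the
    // engine sees it. is_callable() understands the 'Class::method' string
    // form as well as array and closure callbacks.
    public function h($s, $callback = 'e::x') {
        if (!is_callable($callback)) {
            $name = is_string($callback) ? $callback : gettype($callback);
            trigger_error("h(): '$name' is not a valid callback", E_USER_WARNING);
            return $s; // leave the subject unchanged instead of crashing
        }
        return preg_replace_callback('/./', $callback, $s);
    }

    // Replacement for the /e pattern "/.+/se" => "$this->h('$0')" seen in
    // frame #17: same effect, but no eval of a string built from the match.
    public function run($subject, $callback = 'e::x') {
        return preg_replace_callback(
            '/.+/s',
            function ($m) use ($callback) { return $this->h($m[0], $callback); },
            $subject
        );
    }
}

$obj = new e();
// Constructed input taken from the subject string visible in the backtrace.
echo $obj->run('waa? meukee!'), "\n";                 // warning via handler, subject unchanged
echo $obj->run('waa? meukee!', 'strtoupper'), "\n";   // valid callback: "WAA? MEUKEE!"
```

The is_callable() check is the same test the engine applies internally before emitting "Requires argument 2, 'e::x', to be a valid callback"; doing it in user code means the warning path through the custom error handler is taken by trigger_error() rather than from inside php_pcre.c. Replacing the /e modifier removes a second, independent problem: with /e the replacement string is evaluated as PHP code with the match text interpolated, so any subject containing a quote character can inject code into that eval.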