ID: 47520
Comment by: phpwnd at gmail dot com
Reported By: pahan at hubbitus dot spb dot su
Status: Open
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.3.0beta1
New Comment:
I'd like to add that you don't need such a complicated test case, you
can make preg_* segfault with just something like:
$str = str_repeat(' ', 2490);
preg_match('#(.)+#', $str);
On my computer, a 2490-char string is long enough to make it segfault
every time. For some reason, 2489 chars will make it segfault only 1 out
of 5 runs and 2480 chars are perfectly fine. If I replace the regexp
with more capturing parentheses such as #((.))+# that limit drops to
1500-or-so and that number decreases as the number of parentheses
increases. Using non-capturing patterns such as #(?:.)+# doubles that
number.
Obviously, the bug is related to capturing patterns repetition,
assuming we're experiencing the same bug. I'll try to find a place
to host a core dump.
Previous Comments:
------------------------------------------------------------------------
[2009-02-28 09:00:02] pahan at hubbitus dot spb dot su
I apologize for the mistake.
I've fixed the rights now, please recheck.
------------------------------------------------------------------------
[2009-02-28 01:19:21] [email protected]
I cannot download the coredump file: "You don't have permission to
access /_temp/php-pcre-bug/2/core.10135 on this server."
Can you give us a backtrace?
------------------------------------------------------------------------
[2009-02-27 20:06:13] pahan at hubbitus dot spb dot su
I checked the previous reports about this issue three times. And what? All
closed as bogus, but the segmentation fault is still here! Where is the
solution/fix??? Even a common workaround for the problem is absent.
Why is it bogus and not a bug???
And also, please read the note again: I use a "Once-only subpattern", so
this should prevent recursion as far as I understand. Or not?
------------------------------------------------------------------------
[2009-02-27 19:37:00] [email protected]
Please, check the previous reports about this issue:
http://bugs.php.net/search.php?search_for=&boolean=1&limit=10&order_by=id&direction=DESC&cmd=display&status=Bogus&bug_type%5B%5D=PCRE+related&php_os=&phpver=&assign=&author_email=&bug_age=0
http://docs.php.net/manual/en/pcre.configuration.php
------------------------------------------------------------------------
[2009-02-27 11:13:58] pahan at hubbitus dot spb dot su
Description:
------------
PHP segfaults when I try to replace in a long string using the following regexp:
'((?>(?:[^']|(?<=\\\)')*))'
Some notes on the reproduce code: the comments for cases 1 and 2 are clear.
In cases 3 and 4 I just ran the script several times, like this (assuming
the file is named test.php):
for (( i=100; i>0; i-- )) ; do echo -n $i: ; ./test.php ; done
Sample results of these runs can be seen here:
http://ru.bir.ru/_temp/php-pcre-bug/2/4965.log for 3 (files are named by
the length of the tested string), and for 4 -
http://ru.bir.ru/_temp/php-pcre-bug/2/4967.log
The coredump may be downloaded here:
http://ru.bir.ru/_temp/php-pcre-bug/2/core.10135
Also, please note, I added the construction (?> ... ) to speed up and
disallow recursion, so it must be different from bugs
http://bugs.php.net/bug.php?id=27492 ,
http://bugs.php.net/bug.php?id=47376 ,
http://bugs.php.net/bug.php?id=47376 and
http://bugs.php.net/bug.php?id=27310 .
Reproduce code:
---------------
<?php
$cont = "'" . str_pad('', 5000, '-');   // 1: Always "Segmentation fault"
//$cont = "'" . str_pad('', 4000, '-'); // 2: "Never" (as far as I can see in 1000 iterations) "Segmentation fault"
//$cont = "'" . str_pad('', 4965, '-'); // 3: Segfaults from time to time, ~1-2 times out of 100 executions
//$cont = "'" . str_pad('', 4967, '-'); // 4: Segfaults 50/50%
// Once-only subpattern (?> ... ) wrapped around the repeated alternation
$reg = "#'((?>(?:[^']|(?<=\\\)')*))'#";
preg_replace($reg, '', $cont);
echo "OK\n";
?>
Expected result:
----------------
OK
Actual result:
--------------
Segmentation fault
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=47520&edit=1
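
The pcre.configuration.php page linked in the thread documents pcre.recursion_limit. The following is an added example, not part of the bug report or of any comment in it, showing how lowering that limit lets the patterns quoted above be rejected with a checkable error rather than exhausting the process stack. The limit of 500 and the helper name checked_preg_match are assumptions.

```php
<?php
// Added example, not code from the bug report. Assumes a PHP build whose
// PCRE recurses on the process stack, like the versions in the thread.

// Keep PCRE's recursion depth well below what the process stack can hold,
// so a deep match returns an error code instead of overflowing the stack.
// 500 is an assumed, conservative value; tune it to the platform's stack size.
ini_set('pcre.recursion_limit', '500');

// Hypothetical helper: run preg_match() and turn PCRE failures into exceptions,
// because a bare false/0 result is easy to mistake for "no match".
function checked_preg_match($pattern, $subject, &$matches = null)
{
    $result = preg_match($pattern, $subject, $matches);
    $code = preg_last_error();
    if ($result === false || $code !== PREG_NO_ERROR) {
        $names = array(
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
            PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
        );
        $name = isset($names[$code]) ? $names[$code] : "PCRE error $code";
        throw new RuntimeException("preg_match aborted: $name");
    }
    return $result;
}

// Constructed input: the patterns and the string length quoted in the thread.
$subject = str_repeat(' ', 2490);
foreach (array('#(.)+#', '#((.))+#', '#(?:.)+#') as $pattern) {
    try {
        $n = checked_preg_match($pattern, $subject);
        echo "$pattern: matched ($n)\n";
    } catch (RuntimeException $e) {
        echo "$pattern: ", $e->getMessage(), "\n";
    }
}
```

A low limit also rejects legitimate deep matches, so callers need a fallback path for the exception.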