https://bugs.exim.org/show_bug.cgi?id=1803
Bug ID: 1803
Summary: segfault in pcre jit when running twig test suite (PHP7)
Product: PCRE
Version: 8.38
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: nish.aravamudan@???
CC: pcre-dev@???
I am working on updating Ubuntu 16.04 to PHP7.0 and we are seeing PCRE-related
test-suite failures with twig.
Specifically, in a 16.04 VM/chroot/etc, with PHP7, the testsuite is segfaulting
with:
#0 __memcpy_avx_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:273
#1 0x00005555556798d8 in memcpy (__len=18446744073709551614,
__src=0x7fffed43e1fc, __dest=0x7fffed49e390)
at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 zend_string_init (persistent=0, len=18446744073709551614,
str=0x7fffed43e1fc "\303\237\343\201\224a")
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_string.h:159
#3 php_pcre_split_impl (pce=pce@entry=0x555555d4aea0,
subject=0x7fffed43e1f8 "\303\251\303\204\303\237\343\201\224a",
subject_len=10, return_value=return_value@entry=0x7ffff381b240,
limit_val=-1, flags=<optimized out>)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/ext/pcre/php_pcre.c:1808
#4 0x000055555567a1eb in zif_preg_split (execute_data=<optimized out>,
return_value=0x7ffff381b240)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/ext/pcre/php_pcre.c:1721
#5 0x000055555579b58a in dtrace_execute_internal (
execute_data=<optimized out>, return_value=<optimized out>)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:107
#6 0x000055555582f5f0 in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:844
#7 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff381b070)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#8 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff381b070)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#9 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#10 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3819ff0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#11 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3819ff0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#12 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#13 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3819e80)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#14 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3819e80)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#15 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#16 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3819db0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#17 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3819db0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#18 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#19 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3819ca0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#20 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3819ca0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#21 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#22 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff38192e0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#23 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff38192e0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#24 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#25 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3819210)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#26 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3819210)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#27 0x000055555579d03c in zend_call_function (fci=fci@entry=0x7fffffff9ae0,
fci_cache=fci_cache@entry=0x7fffffff9ab0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_execute_API.c:860
#28 0x000055555569e042 in zim_reflection_method_invokeArgs (
execute_data=<optimized out>, return_value=0x7ffff3818e60)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/ext/reflection/php_reflection.c:3348
#29 0x000055555579b58a in dtrace_execute_internal (
execute_data=<optimized out>, return_value=<optimized out>)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:107
#30 0x000055555582f5f0 in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:844
#31 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3818c60)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#32 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3818c60)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#33 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#34 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3818470)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#35 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3818470)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#36 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#37 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3817880)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#38 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3817880)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#39 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#40 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3816e20)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#41 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3816e20)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#42 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#43 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3816840)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#44 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3816840)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#45 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#46 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3816260)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#47 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3816260)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#48 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#49 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3815c80)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#50 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3815c80)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#51 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#52 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3814640)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#53 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3814640)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#54 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#55 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3814220)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#56 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3814220)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#57 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#58 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3814130)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#59 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3814130)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#60 0x000055555582f72d in ZEND_DO_FCALL_SPEC_HANDLER ()
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:800
#61 0x00005555557eaedb in execute_ex (ex=ex@entry=0x7ffff3814030)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:414
#62 0x000055555579b421 in dtrace_execute_ex (execute_data=0x7ffff3814030)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_dtrace.c:83
#63 0x000055555583e2b7 in zend_execute (
op_array=op_array@entry=0x7ffff3883000,
return_value=return_value@entry=0x0)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend_vm_execute.h:458
#64 0x00005555557ab6b3 in zend_execute_scripts (type=type@entry=8,
retval=retval@entry=0x0, file_count=file_count@entry=3)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/Zend/zend.c:1427
#65 0x000055555574c0c0 in php_execute_script (primary_file=0x7fffffffcb10)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/main/main.c:2484
#66 0x000055555583ff84 in do_cli (argc=4, argv=0x555555bab130)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/sapi/cli/php_cli.c:974
#67 0x00005555556364e4 in main (argc=4, argv=0x555555bab130)
at /build/php7.0-Y7XHJx/php7.0-7.0.3/sapi/cli/php_cli.c:1345
While this fault is not directly in the PCRE code, it was noticed that passing
pcre.jit=0 (a PHP ini value) resulted in no fault. You can see in the trace
above that the len value is bogus.
pcre.jit=0 (upon code inspection) simply causes php to not call pcre_study()
from the PHP7 code. I set up an environment with the same runtime and built
pcre from svn. Modifying LD_LIBRARY_PATH to load the svn version (r1640) of
pcre did not fix the issue. The failing twig test case is split_utf8.test:
--TEST--
"split" filter
--CONDITION--
function_exists('mb_get_info')
--TEMPLATE--
{{ "é"|split('', 10)|join('-') }}
{{ foo|split(',')|join('-') }}
{{ foo|split(',', 1)|join('-') }}
{{ foo|split(',', 2)|join('-') }}
{{ foo|split(',', 3)|join('-') }}
{{ baz|split('')|join('-') }}
{{ baz|split('', 1)|join('-') }}
{{ baz|split('', 2)|join('-') }}
--DATA--
return array('foo' => 'Ã,é,Ãã»', 'baz' => 'éÄßごa',)
--EXPECT--
é
Ã-é-Ãã»
Ã,é,Ãã»
Ã-é,Ãã»
Ã-é-Ãã»
é-Ä-ß-ご-a
é-Ä-ß-ご-a
éÄ-ßご-a
which, as I understand, is splitting these PHP variables as specified (and then
joining them back together).
If I remove the "baz" invocations from the TEMPLATE, the test passes. If I only
add the first "baz" invocation back in, a segmentation fault occurs. valgrind
doesn't indicate any issues beyond those that happen once the length is
invalid, as far as I can tell.
Confusingly, if I recompile pcre to not support jit at all (./configure
--enable-utf --enable-unicode-properties --enable-jit=no), the segmentation
fault persists. So perhaps the bug is somewhere else, rather than in the jit
code itself.
I apologize if this bug report is too vague, I am happy to provide more details
and test fixes, as necessary. This bug does seem similar to
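The length in frame #2, 18446744073709551614, is (size_t)-2: a piece length that went negative before it was cast to size_t and handed to memcpy. The following is an added example, not PHP's or PCRE's code, showing the arithmetic that produces exactly that value and the two checks a split routine needs before it derives a length from a match offset. The subject bytes are copied from frame #3 of the trace ("éÄßごa", 10 bytes); the match offsets are supplied by hand in place of pcre_exec results, since the trace shows only the final bad length, not which offsets produced it; the empty-piece handling (pieces of length 0 are dropped) is this example's own simplification, not preg_split's default behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Subject bytes from frame #3 of the trace: "\303\251\303\204\303\237\343\201\224a" (éÄßごa). */
static const char SUBJECT[] = "\303\251\303\204\303\237\343\201\224a";
#define SUBJECT_LEN ((size_t)10)

/* Bytes in the UTF-8 sequence whose lead byte is *p; 0 if p points at a continuation
 * byte, an invalid lead byte, or a sequence truncated by the end of the buffer. */
static size_t utf8_seq_len(const unsigned char *p, size_t avail)
{
    size_t n, i;
    if (avail == 0) return 0;
    if (p[0] < 0x80) n = 1;
    else if (p[0] >= 0xC2 && p[0] <= 0xDF) n = 2;
    else if (p[0] >= 0xE0 && p[0] <= 0xEF) n = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) n = 4;
    else return 0;
    if (n > avail) return 0;
    for (i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    return n;
}

/* Character boundaries of subject: the only offsets at which an empty match may be
 * reported in /u mode. After an empty match the search start must advance by one of
 * these steps (a whole character), never by one byte.
 * Returns the number of boundaries written, or -1 on invalid UTF-8 / too many. */
static int utf8_boundaries(const char *subject, size_t subject_len, size_t *out, size_t cap)
{
    size_t off = 0, n = 0, step;
    for (;;) {
        if (n >= cap) return -1;
        out[n++] = off;
        if (off == subject_len) return (int)n;
        step = utf8_seq_len((const unsigned char *)subject + off, subject_len - off);
        if (step == 0) return -1;
        off += step;
    }
}

/* The unchecked arithmetic: an offset that runs backwards becomes a huge size_t. */
static size_t naive_piece_len(size_t last_match_offset, size_t match_offset)
{
    return match_offset - last_match_offset;   /* naive_piece_len(4, 2) == (size_t)-2 */
}

typedef struct { size_t start; size_t len; } piece_t;

/* Builds split pieces from successive empty-match offsets (constructed input standing in
 * for pcre_exec results). Each offset is validated before a length is derived from it:
 * it must not exceed the subject, must not run backwards, and must sit on a character
 * boundary. Zero-length pieces are dropped (this example's simplification).
 * Returns the piece count, or -1 if any offset is inconsistent. */
static int split_by_match_offsets(const char *subject, size_t subject_len,
                                  const size_t *match_off, size_t n_matches,
                                  piece_t *out, size_t cap)
{
    size_t last = 0, n = 0, i;
    for (i = 0; i <= n_matches; i++) {
        size_t m = (i < n_matches) ? match_off[i] : subject_len;   /* final piece to end */
        if (m > subject_len || m < last) return -1;                /* would go negative */
        if (m != subject_len &&
            utf8_seq_len((const unsigned char *)subject + m, subject_len - m) == 0)
            return -1;                                             /* mid-character offset */
        if (m > last) {
            if (n >= cap) return -1;
            out[n].start = last;
            out[n].len = m - last;
            n++;
        }
        last = m;
    }
    return (int)n;
}

int main(void)
{
    static const size_t internal[] = { 2, 4, 6, 9 };   /* boundaries strictly inside the subject */
    static const size_t backwards[] = { 2, 4, 2 };     /* third offset steps back by 2 bytes */
    piece_t pieces[8];
    int i, n = split_by_match_offsets(SUBJECT, SUBJECT_LEN, internal, 4, pieces, 8);
    for (i = 0; i < n; i++)
        printf("%s%.*s", i ? "-" : "", (int)pieces[i].len, SUBJECT + pieces[i].start);
    printf("\nbackwards offset rejected: %d\n",
           split_by_match_offsets(SUBJECT, SUBJECT_LEN, backwards, 3, pieces, 8));
    printf("unchecked length for that step: %zu\n", naive_piece_len(4, 2));
    return 0;
}
```

With the four internal boundaries the program prints é-Ä-ß-ご-a, the first "baz" line the test expects; with the backwards sequence the guarded routine returns -1, while the unchecked subtraction yields 18446744073709551614 on a 64-bit build, the value in frame #2. The trace does not say which offsets php_pcre_split_impl saw, only that the resulting length is bogus; the point is that a length check before zend_string_init would turn this into an error rather than a memcpy of nearly the whole address space.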