[pcre-dev] [Bug 1803] segfault in pcre jit when running twig…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1803] segfault in pcre jit when running twig test suite (PHP7)
https://bugs.exim.org/show_bug.cgi?id=1803

--- Comment #15 from Zoltan Herczeg <hzmester@???> ---
(In reply to Nish Aravamudan from comment #14)
> (gdb) break ext/pcre/php_pcre.c:1794 if strcmp(subject,
> "\303\251\303\204\303\237\343\201\224a") == 0


strcmp?

Do you mean this line:

count = pcre_exec(pce->re, extra, subject,
                  subject_len, start_offset,
                  exoptions|g_notempty, offsets, size_offsets);


Actually the line 1794 is empty here, so I suspect there is an offset
difference between your source code and the master:

https://github.com/php/php-src/blob/master/ext/pcre/php_pcre.c#L1794

> (gdb) c
> ...
> (gdb) print offsets[0]
> $5 = 2
> (gdb) print last_match
> $6 = 0x7fffed42e248 "\303\251\303\204\303\237\343\201\224a"
> (gdb) print offsets[0]
> $7 = 2
> (gdb) print offsets[1]
> $8 = 2
> (gdb) c
> ...


So the first match is an empty match at offset 2.

> (gdb) print last_match
> $9 = 0x7fffed42e24a "\303\204\303\237\343\201\224a"
> (gdb) print offsets[0]
> $10 = -1
> (gdb) print offsets[1]
> $11 = -1
> ...


Is this a rerun because of:

g_notempty = (offsets[1] == offsets[0]) ? PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED : 0;

> (gdb) print last_match
> $12 = 0x7fffed42e24a "\303\204\303\237\343\201\224a"
> (gdb) print offsets[0]
> $13 = 2
> (gdb) print offsets[1]
> $14 = 4
> (gdb) c
> ...


It seems the second character is matched, and the offsets are updated.

> (gdb) print last_match
> $15 = 0x7fffed42e24c "\303\237\343\201\224a"
> (gdb) print offsets[0]
> $16 = 2
> (gdb) print offsets[1]
> $17 = 4
> (gdb) c
> ...


Hm that is strange, since all offsets are relative to subject, and these
offsets are before last_match.

> SIGSEGV


At this point I suspect something is wrong with start_offset, but it needs a
proof. The last_match seemed to be updated to offset 4 (substring
"\303\237\343\201\224a"), but start_offset is below 4, and pcre returns the
same 2-4 match again. A string from offsets 4-2 cannot be constructed, since
the end is smaller than the start.

Could you also print start_offset and subject as well?

(gdb) print substring
(gdb) print last_match
(gdb) print start_offset
(gdb) print offsets[0]
(gdb) print offsets[1]

For all iterations?

I am sorry for so many debugging requests, but I am not a php developer and
am just guessing here.

If start_offset is 4, this is likely some PCRE bug, and I need the pattern to
check it here.

--
You are receiving this mail because:
You are on the CC list for the bug.
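As an added illustration (my own Python, not code from the thread, from PCRE or from php_pcre.c), here is the global-match loop the comment quotes (rerun with NOTEMPTY_ATSTART|ANCHORED after an empty match, then advance one UTF-8 character when that rerun fails) together with the invariants the comment relies on: offsets are relative to subject, a match never starts before start_offset, and the end is never below the start. A second helper replays the gdb numbers quoted above as a constructed trace and reports the iteration where the 2-4 match comes back after last_match has already moved to offset 4. The subject bytes are taken from the thread; the pattern `a*` is an assumption, since the real pattern is not given, and Python's re has no NOTEMPTY_ATSTART flag, so the rerun is approximated with an anchored `match()` whose empty result is rejected.

```python
import re

# Subject from the gdb trace in the thread: UTF-8 for "éÄßげa" (10 bytes).
SUBJECT = b"\303\251\303\204\303\237\343\201\224a"


def utf8_char_len(subject: bytes, pos: int) -> int:
    """Byte length of the UTF-8 character starting at pos (1 at or past the end)."""
    if pos >= len(subject):
        return 1
    lead = subject[pos]
    if lead < 0x80:
        return 1
    if lead >> 5 == 0b110:
        return 2
    if lead >> 4 == 0b1110:
        return 3
    return 4


def global_match(pattern: bytes, subject: bytes):
    """preg_match_all-style loop modelled on the g_notempty logic quoted in the thread.

    Returns a list of (start, end) byte offsets into subject. After an empty match
    the search is rerun at the same start_offset requiring an anchored, non-empty
    match (PCRE's NOTEMPTY_ATSTART|ANCHORED). Python's re has no such flag, so the
    rerun is approximated by an anchored match() whose empty result counts as NOMATCH.
    """
    regex = re.compile(pattern)
    matches = []
    start_offset = 0
    notempty = False  # mirrors g_notempty
    while start_offset <= len(subject):
        if notempty:
            m = regex.match(subject, start_offset)
            if m is not None and m.end() == m.start():
                m = None  # empty match at start is not allowed on the rerun
        else:
            m = regex.search(subject, start_offset)
        if m is None:
            if not notempty:
                break  # ordinary NOMATCH: end of the global match
            # rerun after an empty match failed: step over one UTF-8 character
            start_offset += utf8_char_len(subject, start_offset)
            notempty = False
            continue
        start, end = m.span()
        # The invariants the thread argues from: offsets are subject-relative,
        # never behind start_offset, and the end is never below the start.
        assert start >= start_offset, (start, start_offset)
        assert end >= start, (start, end)
        matches.append((start, end))
        notempty = start == end
        start_offset = end  # advance to the position right after the match
    return matches


def check_trace(trace):
    """Validate a sequence of (last_match_offset, offsets[0], offsets[1]) readings.

    Returns the index of the first iteration where the returned match lies before
    the position already consumed (or ends before it starts), i.e. the inconsistency
    the comment points at; returns None if the trace is consistent.
    """
    for i, (last_match, start, end) in enumerate(trace):
        if start < 0:  # NOMATCH on the rerun: pcre_exec leaves offsets at -1
            continue
        if end < start or start < last_match:
            return i
    return None


# Constructed replay of the gdb output in the thread. last_match is expressed as a
# byte offset into subject, assuming the first printed address is subject itself
# (0x...248 -> 0, 0x...24a -> 2, 0x...24c -> 4).
GDB_TRACE = [(0, 2, 2), (2, -1, -1), (2, 2, 4), (4, 2, 4)]


if __name__ == "__main__":
    print(global_match(b"a*", SUBJECT))
    print("inconsistent iteration:", check_trace(GDB_TRACE))
```

With the assumed pattern `a*` the loop yields six matches at byte offsets 0, 2, 4, 6, 9-10 and 10, the same sequence preg_match_all('/a*/u') produces for this subject, and the trace check reports index 3, the iteration where last_match is at 4 but pcre_exec answered with offsets 2-4 again.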