[pcre-dev] [Bug 1803] segfault in pcre jit when running twig…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1803] segfault in pcre jit when running twig test suite (PHP7)
https://bugs.exim.org/show_bug.cgi?id=1803

--- Comment #27 from Nish Aravamudan <nish.aravamudan@???> ---
(In reply to Nish Aravamudan from comment #25)
> (In reply to Zoltan Herczeg from comment #23)
> > Thank you!
> >
> > > /(?<!^)(?!$)/u
> >
> > This is a tricky pattern, since it matches an empty string. But other
> > than that nothing special with it.
> >
> > I tried matching it from offset 4 in UTF mode, and the result was 4,4 here.
> > And that is expected.
>
> I should reiterate that, here too -- when I run this particular testcase
> from twig on its own (just like `phpunit --process-isolation` does, which
> does work), I don't see any problem. So I'm not 100% sure it's this pattern
> in this execution that is bad, but some state somewhere (could be php, could
> be libpcre) is getting corrupted.
>
> > This is still the most confusing part for me:
> >
> > Breakpoint 8, php_pcre_split_impl (pce=0x555555d33520, 
> >     subject=0x7fffed42e248 "\303\251\303\204\303\237\343\201\224a", 
> >     subject_len=10, return_value=0x7ffff381b240, limit_val=-1, 
> >     flags=<optimized out>)
> >     at /build/php7.0-WHFaJZ/php7.0-7.0.3/ext/pcre/php_pcre.c:1794
> > 1794            if (count == 0) {
> > (gdb) print offsets[0]
> > $52 = -1
> > (gdb) print offsets[1]
> > $53 = -1
> > (gdb) c
> > Continuing.
> >
> > JIT cannot return with -1 in offsets[0], except if the original value was
> > -1, and there is no match.
> >
> > I really would like to see the value of count before the crash, and I think
> > it is in $eax or $rax (disassemble can confirm it).
> >
> > Please print offsets[0] and [1] before and after pcre_exec is called. Please
> > also print g_notempty as well.
>
> Will do!


I *think* this is what you want?

Breakpoint 9, php_pcre_split_impl (pce=0x555555d33810, 
    subject=0x7fffed40b1a8 "\303\251\303\204\303\237\343\201\224a", 
    subject_len=10, return_value=0x7ffff381b240, limit_val=-1, 
    flags=<optimized out>)
    at /build/php7.0-WHFaJZ/php7.0-7.0.3/ext/pcre/php_pcre.c:1786
1786            count = pcre_exec(pce->re, extra, subject,
(gdb) print offsets[0]
$120 = -304455800
(gdb) print offsets[1]
$121 = 32767
(gdb) printf "0x%x\n", g_notempty
0x0
(gdb) step
1794            if (count == 0) {
(gdb) print $eax
$122 = 1
(gdb) print offsets[0]
$123 = 2
(gdb) print offsets[1]
$124 = 2
(gdb) c
Continuing.


Breakpoint 9, php_pcre_split_impl (pce=0x555555d33810, 
    subject=0x7fffed40b1a8 "\303\251\303\204\303\237\343\201\224a", 
    subject_len=10, return_value=0x7ffff381b240, limit_val=-1, 
    flags=<optimized out>)
    at /build/php7.0-WHFaJZ/php7.0-7.0.3/ext/pcre/php_pcre.c:1786
1786            count = pcre_exec(pce->re, extra, subject,
(gdb) print offsets[0]
$125 = 2
(gdb) print offsets[1]
$126 = 2
(gdb) printf "0x%x\n", g_notempty
0x10000010
(gdb) step
1794            if (count == 0) {
(gdb) print $eax
$129 = -1
(gdb) print offsets[0]
$127 = -1
(gdb) print offsets[1]
$128 = -1
(gdb) c   
Continuing.


Breakpoint 9, php_pcre_split_impl (pce=0x555555d33810, 
    subject=0x7fffed40b1a8 "\303\251\303\204\303\237\343\201\224a", 
    subject_len=10, return_value=0x7ffff381b240, limit_val=-1, 
    flags=<optimized out>)
    at /build/php7.0-WHFaJZ/php7.0-7.0.3/ext/pcre/php_pcre.c:1786
1786            count = pcre_exec(pce->re, extra, subject,
(gdb) print offsets[0]
$130 = 2
(gdb) print offsets[1]
$131 = 4
(gdb) printf "0x%x\n", g_notempty
0x0
(gdb) step
1794            if (count == 0) {
(gdb) print $eax
$132 = 0
(gdb) print offsets[0]
$133 = 2
(gdb) print offsets[1]
$134 = 4
(gdb) c
Continuing.


Breakpoint 9, php_pcre_split_impl (pce=0x555555d33810, 
    subject=0x7fffed40b1a8 "\303\251\303\204\303\237\343\201\224a", 
    subject_len=10, return_value=0x7ffff381b240, limit_val=-1, 
    flags=<optimized out>)
    at /build/php7.0-WHFaJZ/php7.0-7.0.3/ext/pcre/php_pcre.c:1786
1786            count = pcre_exec(pce->re, extra, subject,
(gdb) print offsets[0]
$135 = 2
(gdb) print offsets[1]
$136 = 4
(gdb) printf "0x%x\n", g_notempty
0x0
(gdb) step
1794            if (count == 0) {
(gdb) print $eax
$139 = 0
(gdb) print offsets[0]
$137 = 2
(gdb) print offsets[1]
$138 = 4
(gdb) c
Continuing.


Program received signal SIGSEGV, Segmentation fault.
__memcpy_avx_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:271
271    ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.


--
You are receiving this mail because:
You are on the CC list for the bug.
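Added example, not code from this thread, from PHP or from PCRE: a Python model of the pcre_exec loop in php_pcre_split_impl that the breakpoints above step through, run against the same 10-byte subject. It records, for every pcre_exec call, start_offset, g_notempty, the return value and offsets[0..1], i.e. the values printed at the breakpoints: an empty match at 2,2, the anchored retry with g_notempty = 0x10000010 returning no match, an advance of one whole UTF-8 character (not one byte) to offset 4, a match at 4,4, and so on to the final no-match at offset 10. The three PCRE constants are the pcre.h values; unit_length, pcre_exec_model (built on Python's re, which works on code points, so byte offsets are converted at the call boundary) and the loop structure are my reconstruction of PHP's split logic and are assumptions, not the project's code.

```python
import re

# libpcre option and return values from pcre.h.  The 0x10000010 printed for
# g_notempty in the gdb trace is PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED.
PCRE_ANCHORED = 0x00000010
PCRE_NOTEMPTY_ATSTART = 0x10000000
PCRE_ERROR_NOMATCH = -1

# Constructed input: the same 10-byte UTF-8 subject that appears in the gdb
# output ("\303\251\303\204\303\237\343\201\224a", i.e. "éÄßごa").
SUBJECT = b"\xc3\xa9\xc3\x84\xc3\x9f\xe3\x81\x94a"
PATTERN = r"(?<!^)(?!$)"   # the twig pattern /(?<!^)(?!$)/u without delimiters


def unit_length(subject, offset):
    """Bytes occupied by the UTF-8 character starting at offset.  Models
    (assumption) what PHP does in UTF mode after a failed NOTEMPTY_ATSTART
    retry: advance by a whole character, never into a multi-byte sequence."""
    lead = subject[offset]
    if lead < 0x80:
        return 1
    if (lead & 0xE0) == 0xC0:
        return 2
    if (lead & 0xF0) == 0xE0:
        return 3
    if (lead & 0xF8) == 0xF0:
        return 4
    raise ValueError("byte %#x at offset %d is not a UTF-8 lead byte" % (lead, offset))


def pcre_exec_model(pattern, subject, start_offset, options, offsets):
    """Model of pcre_exec() in UTF mode, on byte offsets, built on Python's re.
    Returns 1 and writes offsets[0], offsets[1] (byte positions) on a match;
    returns PCRE_ERROR_NOMATCH and leaves offsets untouched otherwise.
    Simplification (assumption): with PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED an
    empty match at start_offset counts as no match.  That is exact for patterns
    that can only match the empty string, such as the one under discussion."""
    regex = re.compile(pattern)
    text = subject.decode("utf-8")
    # Byte offset -> code point index.  A start_offset inside a multi-byte
    # character raises here, the case pcre_exec reports as PCRE_ERROR_BADUTF8_OFFSET.
    pos = len(subject[:start_offset].decode("utf-8"))
    if options & PCRE_ANCHORED:
        m = regex.match(text, pos)
        if m is not None and (options & PCRE_NOTEMPTY_ATSTART) and m.end() == pos:
            m = None
    else:
        m = regex.search(text, pos)
    if m is None:
        return PCRE_ERROR_NOMATCH
    offsets[0] = len(text[:m.start()].encode("utf-8"))
    offsets[1] = len(text[:m.end()].encode("utf-8"))
    return 1


def preg_split_model(pattern, subject):
    """Model of the pcre_exec loop in php_pcre_split_impl (reconstructed, not
    PHP's code).  Returns the split pieces plus a trace with one entry per
    pcre_exec call: (start_offset, g_notempty, count, offsets after the call),
    the values printed at the breakpoints in this thread."""
    offsets = [-1, -1]
    pieces, trace = [], []
    start_offset = last_match = 0
    g_notempty = 0
    while True:
        count = pcre_exec_model(pattern, subject, start_offset, g_notempty, offsets)
        trace.append((start_offset, g_notempty, count, tuple(offsets)))
        if count >= 1:
            pieces.append(subject[last_match:offsets[0]])
            last_match = start_offset = offsets[1]
            # After an empty match, retry at the same offset demanding a
            # non-empty match anchored there, so the loop cannot spin forever.
            if offsets[1] == offsets[0]:
                g_notempty = PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED
            else:
                g_notempty = 0
        elif count == PCRE_ERROR_NOMATCH:
            if g_notempty and start_offset < len(subject):
                # The anchored retry failed: step over one whole character and
                # search unanchored again from there.
                start_offset += unit_length(subject, start_offset)
                g_notempty = 0
            else:
                break
        else:
            raise RuntimeError("pcre_exec error %d" % count)
    pieces.append(subject[last_match:])
    return pieces, trace


if __name__ == "__main__":
    pieces, trace = preg_split_model(PATTERN, SUBJECT)
    for start, notempty, count, offs in trace:
        print("start_offset=%2d g_notempty=0x%08x count=%2d offsets=%s"
              % (start, notempty, count, offs))
    print([p.decode("utf-8") for p in pieces])
```

Running it gives five pieces (é, Ä, ß, ご, a) after nine modelled pcre_exec calls, the odd ones unanchored matches at 2,2 / 4,4 / 6,6 / 9,9, the even ones the 0x10000010 retries returning no match with offsets left as they were. That is the baseline to hold the gdb output against: in the trace above the third call already starts with offsets 2,4 before pcre_exec runs and $eax holds 0 afterwards, which the model never produces.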