#48501 [NEW]: Crash with preg_replace_callback
From: cobexer at gmail dot com
Operating system: Linux/openSuSE 11.1
PHP version: 5.2.9
PHP Bug Type: PCRE related
Bug description: Crash with preg_replace_callback

Description:
------------
when i tried to match nested patterns my apache2 with php crashed - however for similar inputs a very similar regular expression is in use and causes no problems... (but the crash seems to be related to the number of nesting levels)

Reproduce code:
---------------
<?php
// crash
$match= "{IF(a)}if{IF(a)}fi{IF(a)}if{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{ELSE}else{IF(a)}if{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{/IF}";
// shorter test string -> still crash, but if I remove the first nested {IF... it doesn't crash any more
$match= "{IF(a)}if{IF(a)}fi{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}";
$reg= '/\{IF\((.*)\)\}([^\{]+?)(\{ELSE\})?([^\{]*?)(\{\/IF\})/Us';
$matches= array();
// the callback collects every match array in a global and replaces the match with ''
function cback($t) { global $matches; $matches[]= $t; return '';}
preg_replace_callback($reg, 'cback', $match);
var_dump($matches);
?>

Expected result:
----------------
array with the matches of the regExp correctly nested... but i was in the stage of designing the regular expression itself - at least i did not expect a crash...

Actual result:
--------------
Apache/2.2.10 (php loaded as module) error_log:

without 3rd party extensions:
[notice] child pid 11335 exit signal Segmentation fault (11)

with XDebug enabled:
[error] [client 127.0.0.1] ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker '127.0.0.1', file '/path/file.php')

when running php from the command line (no crash -> no backtrace):
$ php reproduce.php #same content as the code posted above!
array(2) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
}
ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker 'REMOTE_ADDR not set', file 'unknown')

--
Edit bug report at http://bugs.php.net/?id=48501&edit=1
#48501 [Opn]: Crash with preg_replace_callback
ID: 48501
User updated by: cobexer at gmail dot com
Reported By: cobexer at gmail dot com
Status: Open
Bug Type: PCRE related
Operating System: Linux/openSuSE 11.1
PHP Version: 5.2.9

New Comment:

after submitting I found a similar bug ... #44214 but that one is closed and seems to be "fixed" since one year now...
[PHP-BUG] Bug #52368 [NEW]: crash in preg_replace_impl
From:
Operating system: Debian Lenny (5.0.5)
PHP version: 5.2.13
Package: PCRE related
Bug Type: Bug
Bug description: crash in preg_replace_impl

Description:
------------
the crash occurring is most likely related to very high integer/double values(>10M) being inserted in a long string(~20K).
the problem does not occur on PHP5.3.something so it might be a simple backport :).

unless somebody can tell me how i get more information out of the crashing process this is all i have (trying to print local variables of the crashing function results in:
(gdb) p **regex
Cannot access memory at address 0x686f72393438343e
or similar

the regular expression involved is most likely:
'/\{([A-Z0-9_]*)(?:\|(?P[A-Z0-9_]+))?\}/'
executed by preg_replace_callback, where the callback is an array('class_name', 'some_private_function')

if required i try to build a small test script and attach that - but i guess it's not required.

probably related to http://bugs.php.net/bug.php?id=39016

reproducible: always

Test script:
---------------

Expected result:
----------------
no php crash
correctly replaced string

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f877c078750 (LWP 6259)]
preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, is_callable_replace=0 '\0') at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
warning: Source file is more recent than executable.
32 if (zvalue->type <= IS_BOOL) {
(gdb) bt
#0 preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, is_callable_replace=0 '\0') at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
#1 0x7f8774cef3cd in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5410) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
#2 0x7f8774cd8134 in execute (op_array=0xf02040) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#3 0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5760) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#4 0x7f8774cd8134 in execute (op_array=0xef48b0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#5 0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5e70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#6 0x7f8774cd8134 in execute (op_array=0xf03780) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#7 0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff6330) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#8 0x7f8774cd8134 in execute (op_array=0xf02c90) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#9 0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff9ac0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#10 0x7f8774cd8134 in execute (op_array=0xa2aa70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#11 0x7f8774cb41c8 in zend_execute_scripts (type=32767, retval=0x0, file_count=-25624) at /usr/src/php5/source/php5-5.2.13/Zend/zend.c:1215
#12 0x7f8774c6e0ea in php_execute_script (primary_file=Cannot access memory at address 0x80008b50 ) at /usr/src/php5/source/php5-5.2.13/main/main.c:2058
#13 0x7f8774d2aa73 in php_handler (r=0x7f877423690a) at /usr/src/php5/source/php5-5.2.13/sapi/apache2handler/sapi_apache2.c:643
#14 0x00438f73 in ap_run_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:159
#15 0x0043c53f in ap_invoke_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:373
#16 0x0044970e in ap_process_request (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_request.c:258
#17 0x00446838 in ap_process_http_connection (c=0xdfec88) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_core.c:190
#18 0x00440493 in ap_run_process_connection (c=0xdfec88) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/connection.c:43
#19 0x0044dd10 in child_main (child_num_arg=) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#20 0x0044e064 in make_child (s=0x675968, slot=1) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#21 0x0044e60c in ap_mpm_run (_pconf=, plog=, s=0x675968) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:795
#22 0x00425be5 in main (argc=3, argv=0x7fffc558) at /build/build
Bug #52368 [Com]: crash in preg_replace_impl
Edit report at http://bugs.php.net/bug.php?id=52368&edit=1

ID: 52368
Comment by: cobexer at gmail dot com
Reported by: cobexer at gmail dot com
Summary: crash in preg_replace_impl
Status: Feedback
Type: Bug
Package: PCRE related
Operating System: Debian Lenny (5.0.5)
PHP Version: 5.2.13
Block user comment: N

New Comment:

hmm that crash is hard to nail down, it doesn't crash on all of my computers, therefore i did the following:
* created crashing test script (currently ~150 Lines)
* compiled php 5.2.14 (with -O0) (in /php) on a i586 openSUSE Factory(a bit newer than 11.3)
* created a core dump
* tar'gz ed it together and uploaded that to http://gomorrah-online.de/php-5.2.14-crash.tar.gz

important contents:
scrash.php : the php script with the code to crash (run with php -e)
scrash.php.log : the output of the script till it crashed
php-bt.txt : output of "bt" and "bt full"
core : the coredump itself

maybe that helps already,
regards cobexer

Previous Comments:
------------------
[2010-07-18 19:39:03] fel...@php.net

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.
Bug #52368 [Com]: crash in preg_replace_impl
ID: 52368
Comment by: cobexer at gmail dot com
Reported by: cobexer at gmail dot com
Summary: crash in preg_replace_impl
Status: Feedback
Type: Bug
Package: PCRE related
Operating System: Debian Lenny (5.0.5)
PHP Version: 5.2.13
Block user comment: N

New Comment:

I did a quick test today using http://snaps.php.net/php5.3-latest.tar.gz (from yesterday) does not crash(as expected since the problem didn't exist there anyway).
however using http://snaps.php.net/php5.2-latest.tar.gz (from yesterday) still crashes on the same line as before.
(tested on i586 openSuSE 11.4(Factory))

regards cobexer

Previous Comments:
------------------
[2010-08-09 03:19:31] fel...@php.net

Please try using this snapshot:

http://snaps.php.net/php5.3-latest.tar.gz

For Windows:

http://windows.php.net/snapshots/
Bug #52368 [Com]: crash in preg_replace_impl
ID: 52368
Comment by: cobexer at gmail dot com
Reported by: cobexer at gmail dot com
Summary: crash in preg_replace_impl
Status: Feedback
Type: Bug
Package: PCRE related
Operating System: Debian Lenny (5.0.5)
PHP Version: 5.2.13
Block user comment: N

New Comment:

i found a workaround for the crash: as soon as i removed the $count parameter(and the $limit) the crash was gone =)

mixed preg_replace_callback ( mixed $pattern , callback $callback , mixed $subject [, int $limit = -1 [, int &$count ]] )

regards cobexer
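
The workaround from the last comment (dropping $limit and $count), sketched as an added example that is not code from the report or from PHP itself: the callback object enforces the limit and keeps the count on its own, so preg_replace_callback() is called with three arguments only. The class name, the group name "fallback" (the original name is missing from the quoted pattern) and the lookup rule are assumptions.

```php
<?php
// Added example, not code from the bug report. The group name "fallback" and
// the lookup rule are assumptions; the report's own group name did not survive.
final class PlaceholderReplacer
{
    const PATTERN = '/\{([A-Z0-9_]*)(?:\|(?P<fallback>[A-Z0-9_]+))?\}/';

    private $values;
    private $limit;
    private $count = 0;

    public function __construct(array $values, $limit = -1)
    {
        $this->values = $values;
        $this->limit  = (int) $limit;
    }

    // Calls preg_replace_callback() with three arguments only:
    // no $limit and no by-reference $count.
    public function replace($subject)
    {
        $this->count = 0;
        $result = preg_replace_callback(self::PATTERN, array($this, 'substitute'), $subject);
        if ($result === null) {
            // NULL means the PCRE call itself failed; surface it instead of
            // silently continuing with an empty string.
            throw new RuntimeException('PCRE error code ' . preg_last_error());
        }
        return $result;
    }

    // The number the by-reference $count argument would have received.
    public function replacements()
    {
        return $this->count;
    }

    private function substitute(array $m)
    {
        // Emulate $limit: once reached, hand every further match back unchanged.
        if ($this->limit >= 0 && $this->count >= $this->limit) {
            return $m[0];
        }
        $this->count++;

        if (isset($this->values[$m[1]])) {
            return (string) $this->values[$m[1]];
        }
        // A trailing group that did not match is absent from $m, hence isset().
        if (isset($m['fallback'], $this->values[$m['fallback']])) {
            return (string) $this->values[$m['fallback']];
        }
        return $m[0]; // unknown placeholder stays visible in the output
    }
}

// Constructed sample input, including a value above 10M as in the report.
$replacer = new PlaceholderReplacer(array('TOTAL' => 12345678, 'USER' => 'alice'), 3);
echo $replacer->replace('{TOTAL} for {USER}, {MISSING|USER}, {TOTAL}'), "\n";
echo $replacer->replacements(), "\n";
```

On an affected 5.2 build this only avoids the code path the reporter identified; the thread reports the crash as absent on the 5.3 snapshot.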