PCRE segfaults readily with default "pcre.backtrack_limit" and "pcre.recursion_limit" values
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	epriestley
	Mar 6 2018, 7:43 PM

Description

An install reported a segfault which I traced to this regex in a Herald rule:

@^((?!xyz/).)*\.abc?$@

I think this simplifies to /^(.)*$/, which captures every character, although I'm not certain that's enough to cause backtracking/recursion on its own.

I avoided this by changing pcre.backtrack_limit and pcre.recursion_limit to 10000. I expect to deploy some flavor of this as a configuration change to the cluster.

Open questions:

What are reasonable limits?
What's a test case for hitting the backtrace limit? The recursion limit?
How can we distinguish between hitting the backtrack/recursion limit and other failures? Does preg_match() just return false nicely?

Revisions and Commits

rARC Arcanist
	D21566	rARCe95afd1d005c Apply "pcre.*_limit" config options at startup in CLI environments
	D21561	rARC9d5802cb9f08 Provide some "preg_*" wrappers which raise exceptions on failure
rP Phabricator
	D21567	rP20a54a3006de Apply "pcre.*_limit" ini options in web environments
	D19178	rPb52783af80bd (stable) Provide a more tailored error message when a Herald rule fails because…
	D19178	rP573bf15124bb Provide a more tailored error message when a Herald rule fails because of PCRE…

Related Objects

Mentioned In: 2021 Week 9 (Very Late February)
T13586: In Herald transcripts, surface exceptions encountered while evaluating fields
T13076: Plans: Phacility cluster caching, renaming, and rebalance/compaction
T13099: Plans: 2018 Week 10 Bonus Content

Event Timeline

epriestley triaged this task as Normal priority.Mar 6 2018, 7:43 PM

epriestley created this task.

Herald added a subscriber: eadler. · View Herald TranscriptMar 6 2018, 7:43 PM

On my system, this script:

<?php

$n = $argv[1];

$backtrack_limit = ini_get('pcre.backtrack_limit');
$recursion_limit = ini_get('pcre.recursion_limit');

echo "Backtrack Limit: {$backtrack_limit}\n";
echo "Recursion Limit: {$recursion_limit}\n";

$pattern = '/^(.)*$/';
$subject = str_repeat('a', $n);

var_dump(preg_match($pattern, $subject));

...reports the default values (1,000,000 and 100,000 respectively) and matches when run with values 0-2729, and fails (returns false) with values 2730+.

Adjusting either limit to 1000 has no effect on when it fails, so this is probably some internal "maximum number of captures" which is unaffected by configuration.

If I change the regexp to /^.*x$/, it begins failing at the backtrack limit. It can still match above this limit if the subject actually matches.

I'm not having much luck tricking PCRE into crashing locally.

Since I can't really figure out how to make this stuff segfault or what reasonable ranges for these values are, I'm tentatively going to lower these values to 10000 in production (based on sage advice from Rasmus in https://bugs.php.net/bug.php?id=36463) and see what that breaks.

I'd ideally like to issue setup guidance about this, too, but I'd like a better understanding of it so I don't just have to write something like "u should probably set this to magic value X or spooky ghosts will attack ur computer".

We can detect this by testing the preg_match() return value for false. Our consistency on doing this isn't great.

epriestley added a revision: D19178: Provide a more tailored error message when a Herald rule fails because of PCRE limits.Mar 6 2018, 8:16 PM

epriestley added a commit: rP573bf15124bb: Provide a more tailored error message when a Herald rule fails because of PCRE….Mar 6 2018, 8:19 PM

epriestley added a commit: rPb52783af80bd: (stable) Provide a more tailored error message when a Herald rule fails because….

epriestley mentioned this in T13099: Plans: 2018 Week 10 Bonus Content.Mar 6 2018, 8:38 PM

I've deployed these configuration changes to production and they appear to have resolved the issue.

epriestley mentioned this in T13076: Plans: Phacility cluster caching, renaming, and rebalance/compaction.Apr 9 2018, 7:10 PM

• pasik added a subscriber: • pasik.May 12 2018, 2:09 PM

epriestley moved this task from Backlog to Do Eventually on the Phacility board.Aug 10 2018, 6:06 PM

epriestley renamed this task from PCRE segfaults readily with default "pcre.backtrace_limit" and "pcre.recursion_limit" values to PCRE segfaults readily with default "pcre.backtrack_limit" and "pcre.recursion_limit" values.Nov 3 2020, 7:36 PM

epriestley updated the task description. (Show Details)

epriestley mentioned this in T13586: In Herald transcripts, surface exceptions encountered while evaluating fields.Nov 7 2020, 12:18 AM

epriestley added a revision: D21561: Provide some "preg_*" wrappers which raise exceptions on failure.Feb 17 2021, 9:37 PM

epriestley added a revision: D21566: Apply "pcre.*_limit" config options at startup in CLI environments.Feb 18 2021, 7:17 PM

epriestley added a revision: D21567: Apply "pcre.*_limit" ini options in web environments.Feb 18 2021, 7:21 PM

epriestley added a commit: rARC9d5802cb9f08: Provide some "preg_*" wrappers which raise exceptions on failure.Feb 19 2021, 7:16 PM

epriestley added a commit: rARCe95afd1d005c: Apply "pcre.*_limit" config options at startup in CLI environments.

epriestley added a commit: rP20a54a3006de: Apply "pcre.*_limit" ini options in web environments.