SEGV in free_subpats_table (PCRE call in header_register_callback) #21302

@gitbugr

Description

Haven't been able to reproduce in 8.3, but still breaks in 8.5. This bug is preventing us from updating our instances to new aarch64 images with 8.4 installed.

MRE created using a preg_match_all call extracted from the symfony/http-foundation HeaderUtils::split() method (analogous to our app's usage in some way):

<?php

header_register_callback(function () {
    $quotedSeparators = preg_quote(',=', '/');
    preg_match_all('/
        (?!\s)
        (?:
        # quoted-string
        "(?:[^"\\\\]|\\.)(?:"|\\|$)
        |
        # token
        [^"'.$quotedSeparators.']+
        )+
        (?<!\s)
        |
        # separator
        \s
        (?<separator>['.$quotedSeparators.'])
        \s*
        /x', 'cache-control: max-age=0, private, must-revalidate', $matches, \PREG_SET_ORDER);
});

In production, this manifests in such a way as to break our php-fpm service, which then returns 502s and occasionally recovers itself; other times it stays broken until php-fpm is restarted.

We also believe we've seen this manifest in more than one place previously. We encountered a bug in our app that manifested in the same way, though we no longer have logs to confirm it. We got around it by restructuring some code and it no longer manifested. Unclear as to why, would guess it had something to do with memory layout at that time.

We're using remi's binaries, but as part of debugging this issue, we have built PHP 8.4.18 with ASAN. Simulating the exact http request causing us problems with php-cgi gave us this:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==284221==ERROR: AddressSanitizer: SEGV on unknown address 0xffff8d8fd2b0 (pc 0x00000061a1dc bp 0xfffffaff3a00 sp 0xfffffaff3a00 T0)
==284221==The signal is caused by a READ memory access.
    #0 0x61a1dc in free_subpats_table /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:523
    #1 0x61bda4 in php_free_pcre_cache /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:175
    #2 0x12dfb88 in zend_hash_destroy /root/asan/php-src-php-8.4.18/Zend/zend_hash.c:1781
    #3 0x61bca4 in zm_globals_dtor_pcre /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:316
    #4 0x1064ba0 in module_destructor /root/asan/php-src-php-8.4.18/Zend/zend_API.c:3353
    #5 0x13b0d60 in module_destructor_zval /root/asan/php-src-php-8.4.18/Zend/zend.c:904
    #6 0x12e2c80 in _zend_hash_del_el_ex /root/asan/php-src-php-8.4.18/Zend/zend_hash.c:1494
    #7 0x12e2c80 in _zend_hash_del_el /root/asan/php-src-php-8.4.18/Zend/zend_hash.c:1521
    #8 0x12e2c80 in zend_hash_graceful_reverse_destroy /root/asan/php-src-php-8.4.18/Zend/zend_hash.c:2046
    #9 0x1060be0 in zend_destroy_modules /root/asan/php-src-php-8.4.18/Zend/zend_API.c:2594
    #10 0x13b4430 in zend_shutdown /root/asan/php-src-php-8.4.18/Zend/zend.c:1166
    #11 0xf1a1e4 in php_module_shutdown /root/asan/php-src-php-8.4.18/main/main.c:2449
    #12 0x13c40ec in main /root/asan/php-src-php-8.4.18/sapi/cgi/cgi_main.c:2670
    #13 0xffff9607953c in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #14 0xffff96079614 in __libc_start_main_impl ../csu/libc-start.c:389
    #15 0x480dac in _start (/usr/local/bin/php-cgi+0x480dac)

SUMMARY: AddressSanitizer: SEGV /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:523 in free_subpats_table

I am in unfamiliar territory; I do not know much about PHP internals, nor have I touched C/gdb/valgrind/etc. very much. Hopefully this is enough, but if there is anything you need from me that would be of help, I will gladly do my best to provide it! As mentioned, this is preventing us from upgrading to PHP 8.4 (or 8.5) at this moment.

PHP Version

PHP 8.4.18 (cgi-fcgi) (built: Feb 26 2026 13:16:29) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.18, Copyright (c) Zend Technologies
Modules:
[PHP Modules]
cgi-fcgi
Core
date
hash
json
pcre
random
Reflection
SPL
standard

[Zend Modules]

Operating System

AlmaLinux 9.7 (Moss Jungle Cat) AARCH64
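
An added triage example, not part of the original report and not php-src code: it parses the ASAN output above into a crash signature and shows that the faulting read happens while PHP tears down the PCRE module at process shutdown, below `php_module_shutdown`. The trace lines are copied from the report; the `triage` helper and the `SHUTDOWN_FRAMES` classification are assumptions of this example.

```python
import re

# Header lines and frames #0-#4, #11, #12 copied from the ASAN report in this issue.
TRACE = """\
==284221==ERROR: AddressSanitizer: SEGV on unknown address 0xffff8d8fd2b0 (pc 0x00000061a1dc bp 0xfffffaff3a00 sp 0xfffffaff3a00 T0)
==284221==The signal is caused by a READ memory access.
    #0 0x61a1dc in free_subpats_table /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:523
    #1 0x61bda4 in php_free_pcre_cache /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:175
    #2 0x12dfb88 in zend_hash_destroy /root/asan/php-src-php-8.4.18/Zend/zend_hash.c:1781
    #3 0x61bca4 in zm_globals_dtor_pcre /root/asan/php-src-php-8.4.18/ext/pcre/php_pcre.c:316
    #4 0x1064ba0 in module_destructor /root/asan/php-src-php-8.4.18/Zend/zend_API.c:3353
    #11 0xf1a1e4 in php_module_shutdown /root/asan/php-src-php-8.4.18/main/main.c:2449
    #12 0x13c40ec in main /root/asan/php-src-php-8.4.18/sapi/cgi/cgi_main.c:2670
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) (\S+?)(?::(\d+))?$", re.M)

# Assumption of this example: these frame names mark process/module teardown.
SHUTDOWN_FRAMES = {"php_module_shutdown", "zend_shutdown", "module_destructor"}

def triage(report, depth=3):
    """Summarise an ASAN report: fault kind, access type, bucket key, crash phase."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    access = ACCESS.search(report)
    frames = [
        {"idx": int(i), "func": fn, "file": path.rsplit("/", 1)[-1], "line": int(ln) if ln else None}
        for i, _pc, fn, path, ln in FRAME.findall(report)
    ]
    if not frames:
        raise ValueError("no stack frames found")
    # Bucket on function names only: PCs and source lines shift between builds.
    signature = "|".join(f["func"] for f in frames[:depth])
    in_shutdown = any(f["func"] in SHUTDOWN_FRAMES for f in frames)
    return {
        "kind": head.group(1),
        "address": head.group(2),
        "access": access.group(1) if access else None,
        "signature": signature,
        "phase": "shutdown" if in_shutdown else "request",
        "top": frames[0],
    }

if __name__ == "__main__":
    print(triage(TRACE))
```

Bucketing on the top function names lets crashes collected from several php-fpm workers or PHP builds be grouped even when addresses and line numbers differ.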
