Fix debug backtrace frame normalization

Author: jturbide

CHANGELOG.md

@@ -15,6 +15,15 @@ history, the old changelog, and committed file changes. Older Zemit-era entries
 are summarized where the commit history is too granular to be useful as
 release notes.
 
+## 3.7.2 - Unreleased
+
+### Fixed
+
+- Kept PhalconKit debug backtrace frame normalization from exhausting PCRE
+  backtracking limits on large runner-generated exception pages.
+- Added a local-only test fixture for visually inspecting rendered debug error
+  pages without packaging it as a public asset.
+
 ## 3.7.1 - 2026-06-23
 
 ### Fixed

phpunit.xml

@@ -16,6 +16,7 @@
       <directory suffix=".php">tests</directory>
       <exclude>tests/Unit/AbstractUnit.php</exclude>
       <exclude>tests/Unit/Provider/ClamavTest.php</exclude>
+      <exclude>tests/Fixtures</exclude>
       <exclude>tests/Unit/Bootstrap/Fixtures</exclude>
       <exclude>tests/Unit/Db/Fixtures</exclude>
       <exclude>tests/Unit/Events/Fixtures</exclude>

src/Support/Debug.php

@@ -222,92 +222,133 @@ static function (array $m): string {
      */
     private static function normalizeBacktraceFrames(string $html): string
     {
-        $html = preg_replace_callback(
-            "#<details class='frame(?P<class>[^']*)'(?P<open>\\s+open)?>(?P<body>.*?)</details>#s",
-            static function (array $match): string {
-                $body = $match['body'];
-
-                if (!preg_match(
-                    "#\\s*<summary>\\s*(<div class='frame-head'>.*?</div>)\\s*</summary>#s",
-                    $body,
-                    $summary
-                )) {
-                    return $match[0];
-                }
+        $offset = 0;
+        $normalized = '';
+        $openNeedle = "<details class='frame";
+        $closeNeedle = '</details>';
 
-                $head = preg_replace("#\\s*<span class='chev'>.*?</span>#s", '', $summary[1]);
-                $head = self::requireRenderedHtml($head, 'removing the frame-level backtrace chevron');
-                $body = str_replace($summary[0], '', $body);
+        while (($start = strpos($html, $openNeedle, $offset)) !== false) {
+            $openEnd = strpos($html, '>', $start);
 
-                $fileBlock = '';
-                $file = null;
-                $line = null;
+            if ($openEnd === false) {
+                break;
+            }
 
-                if (preg_match("#\\s*(<div class='frame-file'[^>]*>.*?</div>)#s", $body, $fileMatch)) {
-                    $fileBlock = $fileMatch[1];
-                    $body = str_replace($fileMatch[0], '', $body);
-                    $file = self::readHtmlAttribute($fileBlock, 'data-file');
-                    $lineValue = self::readHtmlAttribute($fileBlock, 'data-line');
-                    $line = is_numeric($lineValue) ? (int) $lineValue : null;
-                }
+            $closeStart = strpos($html, $closeNeedle, $openEnd + 1);
 
-                $codeBlock = '';
+            if ($closeStart === false) {
+                break;
+            }
 
-                if (preg_match("#\\s*(<div class='code'>.*?</div>)#s", $body, $codeMatch)) {
-                    $codeBlock = $codeMatch[1];
-                    $body = str_replace($codeMatch[0], '', $body);
-                }
+            $closeEnd = $closeStart + strlen($closeNeedle);
+            $openingTag = substr($html, $start, $openEnd - $start + 1);
+            $body = substr($html, $openEnd + 1, $closeStart - $openEnd - 1);
+            $originalFrame = substr($html, $start, $closeEnd - $start);
 
-                $isCodeOpen = ($match['open'] ?? '') !== '';
-                $classes = trim(
-                    'frame'
-                    . $match['class']
-                    . ($codeBlock !== '' ? ' has-source' : ' no-source')
-                    . ($codeBlock !== '' && $isCodeOpen ? ' is-code-open' : '')
-                );
+            $normalized .= substr($html, $offset, $start - $offset);
+            $normalized .= self::normalizeBacktraceFrame($openingTag, $body, $originalFrame);
+            $offset = $closeEnd;
+        }
 
-                if ($codeBlock !== '') {
-                    $head = self::makeBacktraceFrameHeadToggle($head, $isCodeOpen);
-                }
+        if ($offset === 0) {
+            return $html;
+        }
 
-                $frame = "\n        <article class='" . htmlspecialchars($classes, ENT_QUOTES) . "'>\n            {$head}";
+        return $normalized . substr($html, $offset);
+    }
 
-                if ($fileBlock !== '') {
-                    $frame .= "\n            {$fileBlock}";
-                }
+    /**
+     * Normalize one native debug frame after the frame boundary is known.
+     *
+     * Frame extraction intentionally avoids a document-wide regex so large
+     * backtraces cannot exhaust PCRE backtracking before the per-frame rewrite
+     * runs. If Phalcon changes the opening tag shape, the original frame is
+     * preserved instead of dropping debug output.
+     *
+     * @throws RuntimeException When an internal frame rewrite fails.
+     */
+    private static function normalizeBacktraceFrame(string $openingTag, string $body, string $originalFrame): string
+    {
+        if (!preg_match("#^<details class='frame(?P<class>[^']*)'(?P<open>\\s+open)?\\s*>$#s", $openingTag, $match)) {
+            return $originalFrame;
+        }
 
-                if ($codeBlock !== '') {
-                    $fullFileTemplate = self::buildFullFileSourceTemplate($file, $line);
-                    $fullFileButton = $fullFileTemplate !== ''
-                        ? "\n                    <button class='btn code-btn' "
-                            . "data-action='toggle-full-file'>Show full file</button>"
-                        : '';
-
-                    $hidden = $isCodeOpen ? '' : ' hidden';
-                    $frame .= "\n            <div class='frame-code-body'{$hidden}>"
-                        . "\n                <div class='code-shell'>"
-                        . "\n                    {$codeBlock}"
-                        . "\n                    <div class='code-actions'>"
-                        . "\n                        <button class='btn code-btn' data-action='focus-line'>Focus line</button>"
-                        . str_replace("\n                    ", "\n                        ", $fullFileButton)
-                        . "\n                    </div>"
-                        . "\n                </div>"
-                        . $fullFileTemplate
-                        . "\n            </div>";
-                }
+        if (!preg_match(
+            "#\\s*<summary>\\s*(<div class='frame-head'>.*?</div>)\\s*</summary>#s",
+            $body,
+            $summary
+        )) {
+            return $originalFrame;
+        }
 
-                $extra = trim($body);
+        $head = preg_replace("#\\s*<span class='chev'>.*?</span>#s", '', $summary[1]);
+        $head = self::requireRenderedHtml($head, 'removing the frame-level backtrace chevron');
+        $body = str_replace($summary[0], '', $body);
 
-                if ($extra !== '') {
-                    $frame .= "\n            <div class='frame-extra'>{$extra}</div>";
-                }
+        $fileBlock = '';
+        $file = null;
+        $line = null;
 
-                return $frame . "\n        </article>";
-            },
-            $html
+        if (preg_match("#\\s*(<div class='frame-file'[^>]*>.*?</div>)#s", $body, $fileMatch)) {
+            $fileBlock = $fileMatch[1];
+            $body = str_replace($fileMatch[0], '', $body);
+            $file = self::readHtmlAttribute($fileBlock, 'data-file');
+            $lineValue = self::readHtmlAttribute($fileBlock, 'data-line');
+            $line = is_numeric($lineValue) ? (int) $lineValue : null;
+        }
+
+        $codeBlock = '';
+
+        if (preg_match("#\\s*(<div class='code'>.*?</div>)#s", $body, $codeMatch)) {
+            $codeBlock = $codeMatch[1];
+            $body = str_replace($codeMatch[0], '', $body);
+        }
+
+        $isCodeOpen = ($match['open'] ?? '') !== '';
+        $classes = trim(
+            'frame'
+            . $match['class']
+            . ($codeBlock !== '' ? ' has-source' : ' no-source')
+            . ($codeBlock !== '' && $isCodeOpen ? ' is-code-open' : '')
         );
 
-        return self::requireRenderedHtml($html, 'normalizing backtrace frame layout');
+        if ($codeBlock !== '') {
+            $head = self::makeBacktraceFrameHeadToggle($head, $isCodeOpen);
+        }
+
+        $frame = "\n        <article class='" . htmlspecialchars($classes, ENT_QUOTES) . "'>\n            {$head}";
+
+        if ($fileBlock !== '') {
+            $frame .= "\n            {$fileBlock}";
+        }
+
+        if ($codeBlock !== '') {
+            $fullFileTemplate = self::buildFullFileSourceTemplate($file, $line);
+            $fullFileButton = $fullFileTemplate !== ''
+                ? "\n                    <button class='btn code-btn' "
+                    . "data-action='toggle-full-file'>Show full file</button>"
+                : '';
+
+            $hidden = $isCodeOpen ? '' : ' hidden';
+            $frame .= "\n            <div class='frame-code-body'{$hidden}>"
+                . "\n                <div class='code-shell'>"
+                . "\n                    {$codeBlock}"
+                . "\n                    <div class='code-actions'>"
+                . "\n                        <button class='btn code-btn' data-action='focus-line'>Focus line</button>"
+                . str_replace("\n                    ", "\n                        ", $fullFileButton)
+                . "\n                    </div>"
+                . "\n                </div>"
+                . $fullFileTemplate
+                . "\n            </div>";
+        }
+
+        $extra = trim($body);
+
+        if ($extra !== '') {
+            $frame .= "\n            <div class='frame-extra'>{$extra}</div>";
+        }
+
+        return $frame . "\n        </article>";
     }
 
     /**

tests/Fixtures/debug-error-page.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Local-only smoke page for visually inspecting PhalconKit debug HTML.
+ *
+ * Run it from the repository root with:
+ *
+ *     php -S 127.0.0.1:8976 tests/Fixtures/debug-error-page.php
+ *
+ * Then open http://127.0.0.1:8976/ in a browser.
+ */
+
+use PhalconKit\Support\Debug;
+
+require dirname(__DIR__, 2) . '/vendor/autoload.php';
+
+$remoteAddress = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
+
+if (!in_array($remoteAddress, ['127.0.0.1', '::1'], true)) {
+    http_response_code(403);
+    header('Content-Type: text/plain; charset=UTF-8');
+    echo 'This debug smoke page is only available from localhost.';
+    return;
+}
+
+$debug = new Debug();
+
+set_exception_handler(static function (\Throwable $exception) use ($debug): void {
+    if (!headers_sent()) {
+        http_response_code(500);
+        header('Content-Type: text/html; charset=UTF-8');
+    }
+
+    echo $debug->renderHtml($exception);
+});
+
+/**
+ * @param array{class: class-string, message: string} $payload
+ */
+$levelTwo = static function (array $payload): void {
+    throw new \RuntimeException(sprintf(
+        'PhalconKit debug error page smoke test for %s. %s',
+        $payload['class'],
+        $payload['message']
+    ));
+};
+
+$levelOne = static function () use ($levelTwo): void {
+    $levelTwo([
+        'class' => Debug::class,
+        'message' => 'This synthetic payload makes the debug argument table visible.',
+    ]);
+};
+
+$levelOne();

tests/Unit/Support/DebugTest.php

@@ -198,6 +198,36 @@ public function testRenderHtmlLinksPhalconKitClasses(): void
         $this->assertStringContainsString('PhalconKit\\Support\\Debug', $html);
     }
 
+    public function testBacktraceFrameNormalizationAvoidsDocumentWidePcreBacktracking(): void
+    {
+        $previousLimit = ini_get('pcre.backtrack_limit');
+        $method = new \ReflectionMethod(Debug::class, 'normalizeBacktraceFrames');
+        $html = "<section id='backtrace'>"
+            . "<details class='frame app' open>"
+            . "<summary><div class='frame-head'><span class='frame-num'>#0</span>"
+            . "<span class='frame-call'><span class='fn'>demo</span></span>"
+            . "<span class='chev' aria-hidden='true'>x</span></div></summary>"
+            . str_repeat('x', 20_000)
+            . '</details>'
+            . '</section>';
+
+        try {
+            ini_set('pcre.backtrack_limit', '1000');
+
+            $normalized = $method->invoke(null, $html);
+        }
+        finally {
+            if (is_string($previousLimit)) {
+                ini_set('pcre.backtrack_limit', $previousLimit);
+            }
+        }
+
+        $this->assertIsString($normalized);
+        $this->assertStringContainsString("<article class='frame app no-source'>", $normalized);
+        $this->assertStringNotContainsString("<details class='frame", $normalized);
+        $this->assertStringContainsString("class='frame-extra'", $normalized);
+    }
+
     public function testUncaughtExceptionDebugPagesSetServerErrorStatus(): void
     {
         $debug = new class extends Debug {