Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Perl segfaults with a regex_sets error message #14851

Closed p5pRT closed 8 years ago

p5pRT commented 9 years ago

Migrated from rt.perl.org#125805 (status was 'resolved')

Searchable as RT125805$

p5pRT commented 9 years ago

From @dcollinsn

The search on this bug tracker doesn't seem to search issue descriptions, but in any event I can't figure out how to tell if this is a duplicate or not. Searches for the test case, regex_sets, segfault, and the first bad revision id didn't reveal any obvious duplicates.

Test case is the 12-byte file:

00./(?[()])/

dcollins@nagios:/usr/local/perl-afl/out/allcrash$ ../../bin/perl -w f2i000041
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.
Segmentation fault

Git bisect revealed:

6798c95dd27b33efd71f394c18649af7bbaf42b7 is the first bad commit
commit 6798c95dd27b33efd71f394c18649af7bbaf42b7
Author: Karl Williamson <khw@cpan.org>
Date:   Wed Feb 25 23:19:39 2015 -0700

    Change /(?[...]) to have normal operator precedence

    This experimental feature now has the intersection operator ("&") higher
    precedence than the other binary operators.

:100644 100644 ce36c6c64ad7f52f32f18c3af5faea7782e77f8f a909f7d5bc6cacd8ecd0e292d17587460c2dabf5 M embed.fnc
:100644 100644 acbd1ea23a511c4a9573674d10dc6e8577bac513 4d9ca18439ad72b5d955b46ab4fc1ae60fbdab9e M embed.h
:040000 040000 abe9c29891251f534ae7654827701484c00e5d5a 56738de91977828568e55a1fa42af9d52602a07c M pod
:100644 100644 4bc200dae6b4e45492c0aa6dd8724e44175e1180 f45a4a36173bc16a1e8c9491298708ef75e252a7 M proto.h
:100644 100644 d736a0131ac2c50c3753ddd332b3fc524ebe7514 51065d58f2df92a3a2e1ccd520280f4c9e62c952 M regcomp.c
:040000 040000 90b8d23d6c4c6de5357d08f14baf1f1e201274c1 487395998bc1558eb521b752f277bac3bdb8e770 M t
bisect run success

dcollins@nagios:/usr/local/perl-afl/out/allcrash$ ../../bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 2) configuration:
   
  Derived from: 9728ed0a4dcaca9d7fddf6ce9c5736ed3aacd487
  Platform:
    osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
    uname='linux nagios 2.6.32-5-686 #1 smp tue may 13 16:33:32 utc 2014 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=undef, uselongdouble=define
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='afl-gcc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i486-linux-gnu/4.4.5/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.11.3'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV USE_64_BIT_INT USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
                        USE_PERLIO USE_PERL_ATOF
  Locally applied patches:
    uncommitted-changes
  Built under linux
  Compiled at Aug 11 2015 16:38:21
  @INC:
    /usr/local/perl-afl/lib/site_perl/5.23.2/i686-linux-64int-ld
    /usr/local/perl-afl/lib/site_perl/5.23.2
    /usr/local/perl-afl/lib/5.23.2/i686-linux-64int-ld
    /usr/local/perl-afl/lib/5.23.2
    .

(gdb) run
Starting program: /usr/local/perl-afl/bin/perl f2i000041
[Thread debugging using libthread_db enabled]
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0827543e in S_invlist_iterinit (pRExC_state=0xbffff024, return_invlist=<optimized out>, flagp=<optimized out>, depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c:9122
9122        *get_invlist_iter_addr(invlist) = 0;
(gdb) bt
#0  0x0827543e in S_invlist_iterinit (pRExC_state=0xbffff024, return_invlist=<optimized out>, flagp=<optimized out>, depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c:9122
#1  S_handle_regex_sets (pRExC_state=0xbffff024, return_invlist=<optimized out>, flagp=<optimized out>, depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c:13943
#2  0x0825702d in S_reg (pRExC_state=0xbffff024, paren=<optimized out>, flagp=<optimized out>, depth=5) at regcomp.c:10427
#3  0x08278abe in S_regatom (pRExC_state=0xbffff024, flagp=<optimized out>, depth=<optimized out>) at regcomp.c:11733
#4  S_regpiece (pRExC_state=0xbffff024, flagp=<optimized out>, depth=<optimized out>) at regcomp.c:10808
#5  0x0828636d in S_regbranch (pRExC_state=0xbffff024, flagp=0xbfffee18, first=<optimized out>, depth=2) at regcomp.c:10733
#6  0x0824fb4b in S_reg (pRExC_state=0xbffff024, paren=<optimized out>, flagp=<optimized out>, depth=1) at regcomp.c:10483
#7  0x0828a000 in Perl_re_op_compile (patternp=0x0, pat_count=0, expr=0x8743914, eng=0x870a420, old_re=0x0, is_bare_re=0x0, orig_rx_flags=0, pm_flags=0) at regcomp.c:6881
#8  0x080d50a8 in Perl_pmruntime (o=0x8743934, expr=0x8743914, repl=0x0, isreg=true, floor=0) at op.c:5579
#9  0x081ce568 in Perl_yyparse (gramtype=258) at perly.y:1038
#10 0x0810f4af in S_parse_body (env=<optimized out>, xsinit=<optimized out>) at perl.c:2296
#11 0x081128c9 in perl_parse (my_perl=0x8729008, xsinit=0x8065dc0 <xs_init>, argc=2, argv=0xbffff4e4, env=0x0) at perl.c:1626
#12 0x08065b85 in main (argc=2, argv=0xbffff4e4, env=0xbffff4f0) at perlmain.c:114
(gdb) l
9117    PERL_STATIC_INLINE void
9118    S_invlist_iterinit(SV* invlist)    /* Initialize iterator for invlist */
9119    {
9120        PERL_ARGS_ASSERT_INVLIST_ITERINIT;
9121
9122        *get_invlist_iter_addr(invlist) = 0;
9123    }
9124
9125    PERL_STATIC_INLINE void
9126    S_invlist_iterfinish(SV* invlist)
(gdb)

==1344== Memcheck, a memory error detector
==1344== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1344== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==1344== Command: ../../bin/perl f2i000041
==1344==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.
==1344== Invalid write of size 4
==1344==    at 0x827543E: S_handle_regex_sets (regcomp.c:9122)
==1344==    by 0x825702C: S_reg (regcomp.c:10427)
==1344==    by 0x8278ABD: S_regpiece (regcomp.c:11733)
==1344==    by 0x828636C: S_regbranch (regcomp.c:10733)
==1344==    by 0x824FB4A: S_reg (regcomp.c:10483)
==1344==    by 0x8289FFF: Perl_re_op_compile (regcomp.c:6881)
==1344==    by 0x80D50A7: Perl_pmruntime (op.c:5579)
==1344==    by 0x81CE567: Perl_yyparse (perly.y:1038)
==1344==    by 0x810F4AE: S_parse_body (perl.c:2296)
==1344==    by 0x81128C8: perl_parse (perl.c:1626)
==1344==    by 0x8065B84: main (perlmain.c:114)
==1344==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1344==
==1344==
==1344== Process terminating with default action of signal 11 (SIGSEGV)
==1344==  Access not within mapped region at address 0x18
==1344==    at 0x827543E: S_handle_regex_sets (regcomp.c:9122)
==1344==    by 0x825702C: S_reg (regcomp.c:10427)
==1344==    by 0x8278ABD: S_regpiece (regcomp.c:11733)
==1344==    by 0x828636C: S_regbranch (regcomp.c:10733)
==1344==    by 0x824FB4A: S_reg (regcomp.c:10483)
==1344==    by 0x8289FFF: Perl_re_op_compile (regcomp.c:6881)
==1344==    by 0x80D50A7: Perl_pmruntime (op.c:5579)
==1344==    by 0x81CE567: Perl_yyparse (perly.y:1038)
==1344==    by 0x810F4AE: S_parse_body (perl.c:2296)
==1344==    by 0x81128C8: perl_parse (perl.c:1626)
==1344==    by 0x8065B84: main (perlmain.c:114)
==1344==  If you believe this happened as a result of a stack
==1344==  overflow in your program's main thread (unlikely but
==1344==  possible), you can try to increase the size of the
==1344==  main thread stack using the --main-stacksize= flag.
==1344==  The main thread stack size used in this run was 8388608.
==1344==
==1344== HEAP SUMMARY:
==1344==     in use at exit: 115,550 bytes in 667 blocks
==1344==   total heap usage: 754 allocs, 87 frees, 120,444 bytes allocated
==1344==
==1344== LEAK SUMMARY:
==1344==    definitely lost: 168 bytes in 1 blocks
==1344==    indirectly lost: 2,683 bytes in 40 blocks
==1344==      possibly lost: 12,878 bytes in 293 blocks
==1344==    still reachable: 99,821 bytes in 333 blocks
==1344==         suppressed: 0 bytes in 0 blocks
==1344== Rerun with --leak-check=full to see details of leaked memory
==1344==
==1344== For counts of detected and suppressed errors, rerun with: -v
==1344== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 25 from 8)
Segmentation fault
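A regression check for the crash reported above, added here as example code (it is not part of the perl5 repository or of the reporter's AFL harness): it writes the reporter's 12-byte test case to a temporary file, compiles it under a chosen perl in a child process, and reports whether the child was killed by SIGSEGV rather than merely printing the regex_sets warning. The perl under test is taken from the command line and defaults to the perl running the script.

```perl
#!/usr/bin/perl
# Regression check for RT#125805 / GH #14851 (added example, not perl5 code).
# Compiles the reporter's test case in a child perl and reports whether the
# child died from SIGSEGV instead of only printing the regex_sets warning.
use strict;
use warnings;
use Config;
use File::Temp qw(tempfile);

# The reporter's test case, byte for byte, plus a trailing newline.
my $case = "00./(?[()])/\n";

# Map signal names to numbers for this platform rather than hard-coding 11.
my %signo;
@signo{ split ' ', $Config{sig_name} } = split ' ', $Config{sig_num};
my $SEGV = $signo{SEGV} // 11;

sub check_regex_sets_compile {
    my ($perl) = @_;    # path to the perl binary under test
    my ($fh, $path) = tempfile(UNLINK => 1);
    print {$fh} $case;
    close $fh or die "close: $!";

    # -c stops after compilation, which is where the crash happens
    # (Perl_re_op_compile called from Perl_yyparse in the backtrace).
    # The "experimental" warning on stderr appears on fixed and unfixed
    # perls alike; only the child's exit status tells them apart.
    system($perl, '-w', '-c', $path);
    die "cannot run $perl: $!" if $? == -1;
    my $signal = $? & 127;    # terminating signal, 0 if exited normally
    my $status = $? >> 8;     # exit code when no signal

    return {
        signal   => $signal,
        status   => $status,
        segfault => ($signal == $SEGV) ? 1 : 0,
    };
}

my $perl = shift @ARGV || $^X;    # default: the perl running this script
my $r    = check_regex_sets_compile($perl);
printf "%s: %s (signal %d, exit %d)\n", $perl,
    $r->{segfault} ? "CRASH: SIGSEGV while compiling (?[()])" : "ok: no crash",
    $r->{signal}, $r->{status};
exit($r->{segfault} ? 1 : 0);
```

Run it as `perl check.pl /path/to/perl`; a non-zero exit marks a perl that still crashes, which makes the script usable as a gate in a build or packaging pipeline.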

p5pRT commented 9 years ago

From @khwilliamson

Thanks for reporting this. I'll fix it -- Karl Williamson

p5pRT commented 9 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 9 years ago

From @khwilliamson

Thanks for finding and reporting this. Now fixed in blead by commit e7cce976d7dd1f4fda1f387d02c6403f43346e9c -- Karl Williamson

p5pRT commented 9 years ago

@khwilliamson - Status changed from 'open' to 'pending release'

p5pRT commented 8 years ago

@mauke - Status changed from 'pending release' to 'resolved'