From @Tux

The code I used to reproduce​:

--8<---
#!perl6

use v6;

my Buf $b = Buf.new(61, ^2048 .map({ 256.rand.Int }));

my Str $q = "\"";
my Str $e = "\"";
my Str $u = $b.decode("utf8-c8");

$u .= subst(/( $q | $e )/, { "$e$0" }, :g);
-->8---

$ p6 --version
This is Rakudo version 2016.03-113-g37857b2 built on MoarVM version 2016.03-104-g10d3971
implementing Perl 6.c.

Linux 3.12.53-40-desktop [openSUSE 13.1 (Bottle)] HP Z220CMT Xeon(R) CPU E3-1245 V2 @​ 3.40GHz/3791(8) x86_64 11913 Mb

In a one-liner​:

$ p6 -e'my$b=Buf.new(61,^2048 .map({256.rand.Int}));my Str $u=$b.decode("utf8-c8");$u.=subst(/("a"|"b")/,{"c$0"},​:g);'
Segmentation fault

or (same code)

$ p6 -e'my$b=Buf.new(61,^2048 .map({256.rand.Int}));my Str $u=$b.decode("utf8-c8");$u.=subst(/("a"|"b")/,{"c$0"},​:g);'
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: free()​: corrupted unsorted chunks​: 0x0000000004a67190 ***
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: malloc()​: memory corruption​: 0x0000000001e700a0 ***

Golfing back, the |"b" is optional, as are $0, and the braces

$ p6 -e'Buf.new(61,^2048 .map({256.rand.Int})).decode("utf8-c8").subst(/"a"/,"c",​:g);'
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: free()​: corrupted unsorted chunks​: 0x00000000037344c0 ***
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: malloc()​: memory corruption​: 0x0000000003faba80 ***

2048 was just a test case. Round about 175 runs sometimes pass and sometimes fail

$ p6 -e'Buf.new(61,^179 .map({256.rand.Int})).decode("utf8-c8").subst(/"a"/,"c",​:g);'
Segmentation fault
$ p6 -e'Buf.new(61,^179 .map({256.rand.Int})).decode("utf8-c8").subst(/"a"/,"c",​:g);'
$ p6 -e'Buf.new(61,^179 .map({256.rand.Int})).decode("utf8-c8").subst(/"a"/,"c",​:g);'
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: munmap_chunk()​: invalid pointer​: 0x00000000049f2fc0 ***
*** Error in `/pro/3gl/CPAN/rakudobrew/moar-nom/install/bin/moar'​: malloc()​: memory corruption​: 0x00000000049f3050 ***

--
H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/
using perl5.00307 .. 5.23 porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/
http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/

From @nwc10

On Mon, Apr 11, 2016 at 04​:39​:59AM -0700, H. Merijn Brand wrote​:

In a one-liner​:

$ p6 -e'my$b=Buf.new(61,^2048 .map({256.rand.Int}));my Str $u=$b.decode("utf8-c8");$u.=subst(/("a"|"b")/,{"c$0"},​:g);'
Segmentation fault

or (same code)

With timotimo's commit from this afternoon​:

commit 808fd05041b3d846b0a54acc4297299af2a1b71d
Author​: Timo Paulssen <timonator@​perpetuum-immobile.de>
Date​: Mon Apr 11 14​:05​:57 2016 +0200

  cope with buffers being too small in re_nfg

  fixes a crash when working with utf8-c8 strings.

that one liner changes from ASAN barfage to no output.
(which means that the SEGV is fixed).

That means it's now "tests needed" ?

Nicholas Clark

The RT System itself - Status changed from 'new' to 'open'

From @moritz

On 04/11/2016 03​:04 PM, Nicholas Clark wrote​:

On Mon, Apr 11, 2016 at 04​:39​:59AM -0700, H. Merijn Brand wrote​:

In a one-liner​:

$ p6 -e'my$b=Buf.new(61,^2048 .map({256.rand.Int}));my Str $u=$b.decode("utf8-c8");$u.=subst(/("a"|"b")/,{"c$0"},​:g);'
Segmentation fault

or (same code)

With timotimo's commit from this afternoon​:

commit 808fd05041b3d846b0a54acc4297299af2a1b71d
Author​: Timo Paulssen <timonator@​perpetuum-immobile.de>
Date​: Mon Apr 11 14​:05​:57 2016 +0200

 cope with buffers being too small in re\_nfg

 fixes a crash when working with utf8\-c8 strings\.

that one liner changes from ASAN barfage to no output.
(which means that the SEGV is fixed).

That means it's now "tests needed" ?

It is.

I'd also be grateful if somebody could provide a deterministic string of
numbers that made Rakudo segfault, because I hate having fuzzy/random
tests in the test suite.

Cheers,
Moritz

From @moritz

On 11.04.2016 17​:00, Moritz Lenz wrote​:

On 04/11/2016 03​:04 PM, Nicholas Clark wrote​:

On Mon, Apr 11, 2016 at 04​:39​:59AM -0700, H. Merijn Brand wrote​:

In a one-liner​:

$ p6 -e'my$b=Buf.new(61,^2048 .map({256.rand.Int}));my Str $u=$b.decode("utf8-c8");$u.=subst(/("a"|"b")/,{"c$0"},​:g);'
Segmentation fault

or (same code)

With timotimo's commit from this afternoon​:

commit 808fd05041b3d846b0a54acc4297299af2a1b71d
Author​: Timo Paulssen <timonator@​perpetuum-immobile.de>
Date​: Mon Apr 11 14​:05​:57 2016 +0200

 cope with buffers being too small in re\_nfg

 fixes a crash when working with utf8\-c8 strings\.

that one liner changes from ASAN barfage to no output.
(which means that the SEGV is fixed).

That means it's now "tests needed" ?

It is.

I'd also be grateful if somebody could provide a deterministic string of
numbers that made Rakudo segfault, because I hate having fuzzy/random
tests in the test suite.

Turns out that somebody is me :-)

This code coredumps reliably on a not-yet-patched rakudo for me​:

use v6;
my @​ints = 103, 248, 111, 217, 210, 97;
my $b = Buf.new(@​ints);
my Str $u=$b.decode("utf8-c8");
$u.=subst("a","b");

Cheers,
Moritz

Cheers,
Moritz

From @moritz

Tested here​: Raku/roast@28274ef712

@moritz - Status changed from 'open' to 'resolved'