Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Perl segfaults with a regex_sets error message #14851

Closed
p5pRT opened this issue Aug 13, 2015 · 6 comments
Closed

Perl segfaults with a regex_sets error message #14851

p5pRT opened this issue Aug 13, 2015 · 6 comments

Comments

@p5pRT
Copy link

p5pRT commented Aug 13, 2015

Migrated from rt.perl.org#125805 (status was 'resolved')

Searchable as RT125805$

@p5pRT
Copy link
Author

p5pRT commented Aug 13, 2015

From @dcollinsn

The search on this bug tracker doesn't seem to search issue descriptions, but in any event I can't figure out how to tell if this is a duplicate or not. Searches for the test case, regex_sets, segfault, and the first bad revision id didn't reveal any obvious duplicates.

Test case is the 12-byte file​:

00./(?[()])/

dcollins@​nagios​:/usr/local/perl-afl/out/allcrash$ ../../bin/perl -w f2i000041
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.
Segmentation fault

Git bisect revealed​:

6798c95 is the first bad commit
commit 6798c95
Author​: Karl Williamson <khw@​cpan.org>
Date​: Wed Feb 25 23​:19​:39 2015 -0700

  Change /(?[...]) to have normal operator precedence
 
  This experimental feature now has the intersection operator ("&") higher
  precedence than the other binary operators.

:100644 100644 ce36c6c64ad7f52f32f18c3af5faea7782e77f8f a909f7d5bc6cacd8ecd0e292d17587460c2dabf5 M embed.fnc
:100644 100644 acbd1ea23a511c4a9573674d10dc6e8577bac513 4d9ca18439ad72b5d955b46ab4fc1ae60fbdab9e M embed.h
:040000 040000 abe9c29891251f534ae7654827701484c00e5d5a 56738de91977828568e55a1fa42af9d52602a07c M pod
:100644 100644 4bc200dae6b4e45492c0aa6dd8724e44175e1180 f45a4a36173bc16a1e8c9491298708ef75e252a7 M proto.h
:100644 100644 d736a0131ac2c50c3753ddd332b3fc524ebe7514 51065d58f2df92a3a2e1ccd520280f4c9e62c952 M regcomp.c
:040000 040000 90b8d23d6c4c6de5357d08f14baf1f1e201274c1 487395998bc1558eb521b752f277bac3bdb8e770 M t
bisect run success

dcollins@​nagios​:/usr/local/perl-afl/out/allcrash$ ../../bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 2) configuration​:
  Derived from​: 9728ed0
  Platform​:
  osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
  uname='linux nagios 2.6.32-5-686 #1 smp tue may 13 16​:33​:32 utc 2014 i686 gnulinux '
  config_args=''
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=undef, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.4.5', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
  ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='afl-gcc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/i486-linux-gnu/4.4.5/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.11.3'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Locally applied patches​:
  uncommitted-changes
  Built under linux
  Compiled at Aug 11 2015 16​:38​:21
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.2/i686-linux-64int-ld
  /usr/local/perl-afl/lib/site_perl/5.23.2
  /usr/local/perl-afl/lib/5.23.2/i686-linux-64int-ld
  /usr/local/perl-afl/lib/5.23.2
  .

(gdb) run
Starting program​: /usr/local/perl-afl/bin/perl f2i000041
[Thread debugging using libthread_db enabled]
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0827543e in S_invlist_iterinit (pRExC_state=0xbffff024,
  return_invlist=<value optimized out>, flagp=<value optimized out>,
  depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c​:9122
9122 *get_invlist_iter_addr(invlist) = 0;
(gdb) bt
#0 0x0827543e in S_invlist_iterinit (pRExC_state=0xbffff024,
  return_invlist=<value optimized out>, flagp=<value optimized out>,
  depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c​:9122
#1 S_handle_regex_sets (pRExC_state=0xbffff024,
  return_invlist=<value optimized out>, flagp=<value optimized out>,
  depth=5, oregcomp_parse=0x8743a39 "?[()])") at regcomp.c​:13943
#2 0x0825702d in S_reg (pRExC_state=0xbffff024, paren=<value optimized out>,
  flagp=<value optimized out>, depth=5) at regcomp.c​:10427
#3 0x08278abe in S_regatom (pRExC_state=0xbffff024,
  flagp=<value optimized out>, depth=<value optimized out>)
  at regcomp.c​:11733
#4 S_regpiece (pRExC_state=0xbffff024, flagp=<value optimized out>,
  depth=<value optimized out>) at regcomp.c​:10808
#5 0x0828636d in S_regbranch (pRExC_state=0xbffff024, flagp=0xbfffee18,
  first=<value optimized out>, depth=2) at regcomp.c​:10733
#6 0x0824fb4b in S_reg (pRExC_state=0xbffff024, paren=<value optimized out>,
  flagp=<value optimized out>, depth=1) at regcomp.c​:10483
#7 0x0828a000 in Perl_re_op_compile (patternp=0x0, pat_count=0,
  expr=0x8743914, eng=0x870a420, old_re=0x0, is_bare_re=0x0,
  orig_rx_flags=0, pm_flags=0) at regcomp.c​:6881
#8 0x080d50a8 in Perl_pmruntime (o=0x8743934, expr=0x8743914, repl=0x0,
  isreg=true, floor=0) at op.c​:5579
#9 0x081ce568 in Perl_yyparse (gramtype=258) at perly.y​:1038
#10 0x0810f4af in S_parse_body (env=<value optimized out>,
  xsinit=<value optimized out>) at perl.c​:2296
#11 0x081128c9 in perl_parse (my_perl=0x8729008, xsinit=0x8065dc0 <xs_init>,
  argc=2, argv=0xbffff4e4, env=0x0) at perl.c​:1626
#12 0x08065b85 in main (argc=2, argv=0xbffff4e4, env=0xbffff4f0)
  at perlmain.c​:114
(gdb) l
9117 PERL_STATIC_INLINE void
9118 S_invlist_iterinit(SV* invlist) /* Initialize iterator for invlist */
9119 {
9120 PERL_ARGS_ASSERT_INVLIST_ITERINIT;
9121
9122 *get_invlist_iter_addr(invlist) = 0;
9123 }
9124
9125 PERL_STATIC_INLINE void
9126 S_invlist_iterfinish(SV* invlist)
(gdb)

==1344== Memcheck, a memory error detector
==1344== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1344== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==1344== Command​: ../../bin/perl f2i000041
==1344==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()])/ at f2i000041 line 1.
==1344== Invalid write of size 4
==1344== at 0x827543E​: S_handle_regex_sets (regcomp.c​:9122)
==1344== by 0x825702C​: S_reg (regcomp.c​:10427)
==1344== by 0x8278ABD​: S_regpiece (regcomp.c​:11733)
==1344== by 0x828636C​: S_regbranch (regcomp.c​:10733)
==1344== by 0x824FB4A​: S_reg (regcomp.c​:10483)
==1344== by 0x8289FFF​: Perl_re_op_compile (regcomp.c​:6881)
==1344== by 0x80D50A7​: Perl_pmruntime (op.c​:5579)
==1344== by 0x81CE567​: Perl_yyparse (perly.y​:1038)
==1344== by 0x810F4AE​: S_parse_body (perl.c​:2296)
==1344== by 0x81128C8​: perl_parse (perl.c​:1626)
==1344== by 0x8065B84​: main (perlmain.c​:114)
==1344== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1344==
==1344==
==1344== Process terminating with default action of signal 11 (SIGSEGV)
==1344== Access not within mapped region at address 0x18
==1344== at 0x827543E​: S_handle_regex_sets (regcomp.c​:9122)
==1344== by 0x825702C​: S_reg (regcomp.c​:10427)
==1344== by 0x8278ABD​: S_regpiece (regcomp.c​:11733)
==1344== by 0x828636C​: S_regbranch (regcomp.c​:10733)
==1344== by 0x824FB4A​: S_reg (regcomp.c​:10483)
==1344== by 0x8289FFF​: Perl_re_op_compile (regcomp.c​:6881)
==1344== by 0x80D50A7​: Perl_pmruntime (op.c​:5579)
==1344== by 0x81CE567​: Perl_yyparse (perly.y​:1038)
==1344== by 0x810F4AE​: S_parse_body (perl.c​:2296)
==1344== by 0x81128C8​: perl_parse (perl.c​:1626)
==1344== by 0x8065B84​: main (perlmain.c​:114)
==1344== If you believe this happened as a result of a stack
==1344== overflow in your program's main thread (unlikely but
==1344== possible), you can try to increase the size of the
==1344== main thread stack using the --main-stacksize= flag.
==1344== The main thread stack size used in this run was 8388608.
==1344==
==1344== HEAP SUMMARY​:
==1344== in use at exit​: 115,550 bytes in 667 blocks
==1344== total heap usage​: 754 allocs, 87 frees, 120,444 bytes allocated
==1344==
==1344== LEAK SUMMARY​:
==1344== definitely lost​: 168 bytes in 1 blocks
==1344== indirectly lost​: 2,683 bytes in 40 blocks
==1344== possibly lost​: 12,878 bytes in 293 blocks
==1344== still reachable​: 99,821 bytes in 333 blocks
==1344== suppressed​: 0 bytes in 0 blocks
==1344== Rerun with --leak-check=full to see details of leaked memory
==1344==
==1344== For counts of detected and suppressed errors, rerun with​: -v
==1344== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 25 from 8)
Segmentation fault

@p5pRT
Copy link
Author

p5pRT commented Aug 15, 2015

From @khwilliamson

Thanks for reporting this. I'll fix it
--
Karl Williamson

@p5pRT
Copy link
Author

p5pRT commented Aug 15, 2015

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Aug 24, 2015

From @khwilliamson

Thanks for finding and reporting this. Now fixed in blead by commit
e7cce97
--
Karl Williamson

@p5pRT
Copy link
Author

p5pRT commented Aug 24, 2015

@khwilliamson - Status changed from 'open' to 'pending release'

@p5pRT p5pRT closed this as completed Jan 8, 2016
@p5pRT
Copy link
Author

p5pRT commented Jan 8, 2016

@mauke - Status changed from 'pending release' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant