New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assertion failure in Perl_reg_numbered_buff_fetch (regcomp.c:8646) #16952
Comments
From @dur-randirCreated by @dur-randirWhile fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run s/d|(?{})!//.$&>0for$0,l..a0,0..0 to cause an assertion failure perl: regcomp.c:8646: void Perl_reg_numbered_buff_fetch(REGEXP *const, GDB stack trace is following #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 I suspect this being stack-not-refcounted (but not 100% sure), bisect points to commit 13b0f67 re-enable Copy-on-Write by default. Perl Info
|
Should this be a blocker, though? |
Sorry, I don't remember seeing this before. It doesn't look like stack-refcounting to me - this still fails the same way:
That looks quite concerning, I think it should be a blocker for now. |
@khwilliamson thoughts on a fix? |
@hvds is looking into it |
This involves interaction between regexp code blocks and (presumably) copy-on-write, I'm hoping @iabyn will look at it. I can give it a go, but it'll be very much slower for me. |
Strangely I now cannot reproduce the failure with the above, but it does fail if I set At the point of the assertion, the second time round the loop, we are trying to do "get" magic on Effectively reversing the fingered "re-enable Copy-on-Write" commit by building with Here's another way to see the effect:
.. so somehow the presence of the code block is allowing a failed match to update the string in PL_curpm, while retaining the capture offsets of the last successful match, but only when COW is enabled. |
Note that the code block doesn't need to be entered:
Right now I haven't a clue when/how subbeg is supposed to be restored in this case, and I'm dubious whether the current setting of it is valid at all when offs[] still refers to the last successful match rather than the current incomplete match. That's all I have time for for now. |
On second thoughts, since this has been broken since 5.20, it is not a recent regression and should not be a blocker. |
Are you saying it was introduced in 5.20 or that you've detected it at least as far back as 5.20? If it was introduced in 5.20, how did you determine that? (I'm always interested in new bisection techniques; I don't know of any for fuzzer-detected stuff.) Thank you very much. |
I manually ran:
with various installed perls. It passed (ie printed "foo-o" twice) with 5.18, failed with later versions. I also bisected on that code with:
and it fingered 7fa949d, which makes sense since we're working on readonly consts here. |
For what it's worth, that test does give the right answer with the hack below. However a test run gives failures and both malloc and double-free errors: I (clearly) don't understand what RXp_MATCH_COPIED implies or how and when it is intended to be used - its public variant was added back in cf93c79. I think I'm about stuck now.
|
I could've been introduced anytime between creating CoW and enabling builds with it by default. I didn't bisect manually enabled CoW builds of pre-5.20 perls. |
Good point, I was concentrating on default builds, but it would be instructive also to try a bisect with PERL_NEW_COPY_ON_WRITE defined. I'll give that a go later if I can identify suitable start/end points. |
Or maybe not:
fingers f7a8268, so again it's just the point COW becomes enabled for a relevant string. |
It's from the initial implementation:
db2c6cb is the first bad commit
|
This is still a problem in 5.37.12 |
Interesting. I will try to take a look when I get some time. |
Migrated from rt.perl.org#134026 (status was 'new')
Searchable as RT134026$
The text was updated successfully, but these errors were encountered: