
panic: end_shift: -9195001193011459005 #16994

Closed
p5pRT opened this issue May 12, 2019 · 4 comments
p5pRT commented May 12, 2019

Migrated from rt.perl.org#134097 (status was 'new')

Searchable as RT134097$


p5pRT commented May 12, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.10-23-g7c0d7520a3 built with afl and run
under libdislocator, I found the following program

/(((00000000000000000(?0)00000000000000(?1)0000000000000){687}){687})/

to emit 'panic: end_shift: -9195001193011459005 pattern:
(((00000000000000000(?0)00000000000000(?1)0000000000000){687}){687}))'
diagnostics on debugging builds and to crash on release builds. The GDB stack
trace follows:

Perl_fbm_instr (big=<optimized out>,
    bigend=bigend@entry=0x7f9b8a33802c7576 <error: Cannot access memory at address 0x7f9b8a33802c7576>,
    littlestr=littlestr@entry=0x5555558aede0, flags=flags@entry=0) at util.c:992
992         if ((tmp = table[*s])) {
(gdb) bt
#0  Perl_fbm_instr (big=<optimized out>,
    bigend=bigend@entry=0x7f9b8a33802c7576 <error: Cannot access memory at address 0x7f9b8a33802c7576>,
    littlestr=littlestr@entry=0x5555558aede0, flags=flags@entry=0) at util.c:992
#1  0x00005555556bd847 in Perl_re_intuit_start (rx=rx@entry=0x5555558aed80, sv=sv@entry=0x55555588a740,
    strbeg=strbeg@entry=0x5555556ec1b9 "", strpos=strpos@entry=0x5555556ec1b9 "",
    strend=strend@entry=0x5555556ec1b9 "", flags=flags@entry=97, data=0x0) at regexec.c:1131
#2  0x00005555556be986 in Perl_regexec_flags (rx=0x5555558aed80, stringarg=0x5555556ec1b9 "",
    strend=0x5555556ec1b9 "", strbeg=0x5555556ec1b9 "", minend=0, sv=0x55555588a740, data=0x0, flags=97)
    at regexec.c:3335
#3  0x000055555564a33d in Perl_pp_match () at inline.h:183
#4  0x00005555556448f3 in Perl_runops_standard () at run.c:42
#5  0x00005555555c53f4 in S_run_body (oldscope=<optimized out>) at perl.c:2716
#6  perl_run (my_perl=<optimized out>) at perl.c:2639
#7  0x000055555559f292 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:127

This has never behaved well.

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9

Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh


p5pRT commented May 12, 2019

From @dur-randir

Sometimes it's caught earlier by different assertions, for example

(0+((000000000000000000000000000(?0)00000000000000000){687}(?1)){687}00000000000(?0)000000000){687}

triggers

perl: regexec.c:879: char *Perl_re_intuit_start(REGEXP *const, SV *, const char *const, char *, char *, const U32, re_scream_pos_data *): Assertion `prog->substrs->data[1].min_offset >= 0' failed.
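The two patterns above share one trait: a recursive group ((?0)/(?1)) wrapped in nested {687} quantifiers, which drives the optimizer's offset bookkeeping far outside a sane range. As a practitioner's check, note that -9195001193011459005 lies about 0.3% above IV_MIN (-9223372036854775808 with ivsize=8, as in the reporter's configuration), which is the shape a wrapped signed offset computation would produce; that is an observation, not a root-cause claim from the thread. The triage harness below is an added example, not code from the report or from perl itself. It forks a child per pattern, compiles and runs the pattern against the empty string (the same input the backtrace shows, strbeg == strend == ""), and classifies the result by exit status so that a crash or a failed C assertion takes down only the child. The two report patterns are quoted verbatim; the 'control' pattern and the 10-second timeout are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added triage harness (not part of the original report or of perl itself).
# Each candidate pattern is compiled and matched in a forked child under a
# timeout, so a crash or assertion failure inside the regex engine kills
# only the child and the parent can classify what happened.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);

# 'report-1' and 'report-2' are the patterns from the report. 'control' is a
# constructed small recursive pattern that compiles and fails to match ''
# quickly, to show the harness telling a healthy case apart from a bad one.
my @cases = (
    [ 'report-1', '(((00000000000000000(?0)00000000000000(?1)0000000000000){687}){687})' ],
    [ 'report-2', '(0+((000000000000000000000000000(?0)00000000000000000){687}(?1)){687}00000000000(?0)000000000){687}' ],
    [ 'control',  '(0(?1)?){2}' ],
);

sub classify {
    my ( $pat, $timeout ) = @_;
    $timeout //= 10;    # seconds; an assumption, raise it for slow DEBUGGING builds

    pipe( my $rd, my $wr ) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ( $pid == 0 ) {
        close $rd;
        # A Perl-level fatal error ("Regexp out of space", or the croak behind
        # "panic: end_shift" on a DEBUGGING build) is caught here and sent to
        # the parent. A native crash or a failed C assertion never returns
        # from the eval; the parent sees the signal instead.
        my $err = '';
        eval { '' =~ /$pat/; 1 } or $err = $@;
        print {$wr} $err;
        close $wr;
        exit( $err ? 2 : 0 );
    }

    close $wr;
    my $timed_out = 0;
    local $SIG{ALRM} = sub { $timed_out = 1; kill 'KILL', $pid };
    alarm $timeout;
    my $msg = do { local $/; <$rd> };    # returns once the child exits or is killed
    close $rd;
    waitpid( $pid, 0 );
    alarm 0;
    my $status = $?;

    return 'timeout (pattern never terminated?)' if $timed_out;
    return sprintf( 'crash (signal %d)', WTERMSIG($status) ) if WIFSIGNALED($status);
    if ( WIFEXITED($status) && WEXITSTATUS($status) == 2 ) {
        my ($first) = split /\n/, $msg // '';
        return "fatal: $first";
    }
    return 'ok';
}

for my $case (@cases) {
    my ( $name, $pat ) = @$case;
    printf "%-9s %s\n", $name, classify($pat);
}
```

Against the perl in the report, 'report-1' should come back as a crash on a release build (SIGSEGV in Perl_fbm_instr) or as a fatal "panic: end_shift" on a DEBUGGING build, and 'report-2' as a crash from the aborted assertion; on a perl that carries the fix described later in this thread both should come back as a fatal "Regexp out of space", while 'control' reports ok. The harness classifies outcomes only; a crash or fatal here is a signal to capture the core or the diagnostic, not a measure of exploitability.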

khwilliamson (Contributor) commented:

The behavior of this is now "Regexp out of space", which sounds reasonable to me given that a pattern is repeated 687 squared times.
Is this now closable?


hvds commented Mar 21, 2022

> Is this now closable?

I think so - "recursive pattern cannot terminate" would probably be a more useful error, but I doubt we'd ever implement that unless it was trivial to do so.

hvds closed this as completed Mar 21, 2022