regcomp: heap-buffer-overflow read ::isp (perl-5.28.2) #17018

Closed
p5pRT opened this issue May 24, 2019 · 4 comments

Comments


p5pRT commented May 24, 2019

Migrated from rt.perl.org#134135 (status was 'resolved')

Searchable as RT134135$


p5pRT commented May 24, 2019

From @Etsukata

PoC

```
[eiichi@x1 ~]$ valgrind perl5/perlbrew/perls/perl-5.28.2/bin/perl -e 'qr/(?[\p{])()::isp}/'
==12754== Memcheck, a memory error detector
==12754== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12754== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==12754== Command: perl5/perlbrew/perls/perl-5.28.2/bin/perl -e qr/(?[\\p{])()::isp}/
==12754==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \p{])()::isp}/ at -e line 1.
==12754== Invalid read of size 8
==12754==    at 0x483F6E7: memmove (vg_replace_strmem.c:1271)
==12754==    by 0x47E29D: Perl_reg_temp_copy (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4C1CC6: Perl_pp_qr (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4BC6E2: Perl_runops_standard (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4452F6: perl_run (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x420289: main (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==  Address 0x1296b508 is 0 bytes after a block of size 24 alloc'd
==12754==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==12754==    by 0x4A14DA: Perl_safesyscalloc (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x497105: Perl_re_op_compile (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x439919: Perl_pmruntime (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x46FA7D: Perl_yyparse (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4442D5: perl_parse (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4201FF: main (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==
==12754== Invalid read of size 8
==12754==    at 0x483F725: memmove (vg_replace_strmem.c:1271)
==12754==    by 0x47E29D: Perl_reg_temp_copy (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4C1CC6: Perl_pp_qr (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4BC6E2: Perl_runops_standard (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4452F6: perl_run (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x420289: main (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==  Address 0x1296b510 is 8 bytes after a block of size 24 alloc'd
==12754==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==12754==    by 0x4A14DA: Perl_safesyscalloc (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x497105: Perl_re_op_compile (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x439919: Perl_pmruntime (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x46FA7D: Perl_yyparse (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4442D5: perl_parse (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==    by 0x4201FF: main (in /home/eiichi/perl5/perlbrew/perls/perl-5.28.2/bin/perl)
==12754==
==12754==
==12754== HEAP SUMMARY:
==12754==     in use at exit: 1,984,172 bytes in 12,710 blocks
==12754==   total heap usage: 43,884 allocs, 31,174 frees, 4,860,995 bytes allocated
==12754==
==12754== LEAK SUMMARY:
==12754==    definitely lost: 0 bytes in 0 blocks
==12754==    indirectly lost: 0 bytes in 0 blocks
==12754==      possibly lost: 408,441 bytes in 405 blocks
==12754==    still reachable: 1,575,731 bytes in 12,305 blocks
==12754==                       of which reachable via heuristic:
==12754==                         newarray           : 2,864 bytes in 89 blocks
==12754==         suppressed: 0 bytes in 0 blocks
==12754== Rerun with --leak-check=full to see details of leaked memory
==12754==
==12754== For lists of detected and suppressed errors, rerun with: -s
==12754== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
```

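Added example, not code from the issue or from perl itself: a small triage helper that parses memcheck "Invalid read/write" blocks like the trace above and computes how far past the end of the 24-byte calloc'd block each access reaches. The embedded log is a constructed, abridged copy of the report's two error blocks (two frames per stack, binary path shortened); `parse_memcheck` and `bytes_past_end` are names chosen here.

```python
import re
# Constructed sample: the two error blocks from the issue's valgrind run, abridged to
# two frames per stack, zero-width characters stripped and the binary path shortened.
SAMPLE_LOG = """\
==12754== Invalid read of size 8
==12754==    at 0x483F6E7: memmove (vg_replace_strmem.c:1271)
==12754==    by 0x47E29D: Perl_reg_temp_copy (in /path/to/perl)
==12754==  Address 0x1296b508 is 0 bytes after a block of size 24 alloc'd
==12754==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==12754==    by 0x4A14DA: Perl_safesyscalloc (in /path/to/perl)
==12754==
==12754== Invalid read of size 8
==12754==    at 0x483F725: memmove (vg_replace_strmem.c:1271)
==12754==    by 0x47E29D: Perl_reg_temp_copy (in /path/to/perl)
==12754==  Address 0x1296b510 is 8 bytes after a block of size 24 alloc'd
==12754==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==12754==    by 0x4A14DA: Perl_safesyscalloc (in /path/to/perl)
==12754==
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) ")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside) "
                  r"a block of size (\d+) (alloc'd|free'd)")
BLANK = re.compile(r"^==\d+==\s*$")

def parse_memcheck(text):
    """One dict per 'Invalid read/write' block: access, faulting stack, and the block hit."""
    errors, cur, stack = [], None, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"op": m[1], "size": int(m[2]), "stack": [], "alloc": [],
                   "offset": None, "where": None, "block": None, "state": None}
            errors.append(cur); stack = cur["stack"]
        elif cur is None:
            continue                        # text outside an error block
        elif (m := ADDR.match(line)):
            cur.update(offset=int(m[1]), where=m[2], block=int(m[3]), state=m[4])
            stack = cur["alloc"]            # frames that follow describe the allocation
        elif (m := FRAME.match(line)):
            stack.append(m[1])              # innermost frame first
        elif BLANK.match(line):
            cur = None                      # a bare "==pid==" line closes the block
    return errors

def bytes_past_end(err):
    """How far beyond the end of a live block this access reaches (0 if not an overrun)."""
    if err["where"] != "after" or err["state"] != "alloc'd":
        return 0
    return err["offset"] + err["size"]
```

On the two reads in the trace it reports 8 and 16 bytes past the end of the 24-byte block, which is the figure to quote when rating the over-read.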

p5pRT commented Aug 6, 2019

From @iabyn

On Fri, May 24, 2019 at 11:03:43AM -0600, Karl Williamson wrote:

> On 5/23/19 11:55 PM, Eiichi Tsukata (via RT) wrote:
>
> > [eiichi@x1 ~]$ valgrind perl5/perlbrew/perls/perl-5.28.2/bin/perl -e 'qr/(?[\p{])()::isp}/'
> > ==12754== Memcheck, a memory error detector
> > ==12754== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> > ==12754== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
> > ==12754== Command: perl5/perlbrew/perls/perl-5.28.2/bin/perl -e qr/(?[\\p{])()::isp}/
>
> This was fixed by the very large commit
> commit 7c932d0
> Author: Karl Williamson <khw@cpan.org>
> Date: Fri Oct 19 09:48:34 2018 -0600

This message above from Karl doesn't seem to have reached the RT ticket, so I've quoted it again.

I assume this ticket can be closed and moved to the public queue.

--
Diplomacy is telling someone to go to hell in such a way that they'll
look forward to the trip


p5pRT commented Aug 6, 2019

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 20, 2019

@iabyn - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Aug 20, 2019