From barries@jester.slaysys.com

Created by barries@slaysys.com

Get the file http​://slaysys.com​:81/regexp_corer and do​:

  perl -le '$/=undef; $_=<>; s/(\@​\@​|.)*//s' regexp_corer

This produces a segfault in 5.6.0 and 5.8.0. Using a bigger
chunk of that file can trigger it in 5.6.1. Can't get 5.004
to hork.

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.0:

Configured by barries at Sat Sep 14 09:39:54 EDT 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.7-10, archname=i686-linux
    uname='linux jester.slaysys.com 2.4.7-10 #1 thu sep 6 17:27:27 edt 2001 i686 unknown '
    config_args='-de'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2',
    cppflags='-fno-strict-aliasing -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='2.96 20000731 (Red Hat Linux 7.2 2.96-108.7.2)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldl -lm -lc -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lc -lcrypt -lutil
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.0:
    /home/barries/src/VCP/lib
    /usr/local/lib/perl5/5.8.0/i686-linux
    /usr/local/lib/perl5/5.8.0
    /usr/local/lib/perl5/site_perl/5.8.0/i686-linux
    /usr/local/lib/perl5/site_perl/5.8.0
    /usr/local/lib/perl5/site_perl/5.6.1
    /usr/local/lib/perl5/site_perl/5.6.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.8.0:
    HOME=/home/barries
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/barries/src/VCP/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/Office51/bin:~/bin:/sbin:/usr/sbin:/home/barries/bin:~/bin:/sbin:/usr/sbin:~/bin:/sbin:/usr/sbin
    PERL5LIB=/home/barries/src/VCP/lib
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @rspier

Able to replicate with 5.8.1.

This is a stack size issue​:

[robert@​x1 /tmp]$ /big/robert/perl-5.8.1/bin/perl -le '$/=undef; $_=<>;
s/(\@​\@​|.)*//s' regexp_corer
[robert@​x1 /tmp]$ ulimit -s 8192
[robert@​x1 /tmp]$ /big/robert/perl-5.8.1/bin/perl -le '$/=undef; $_=<>;
s/(\@​\@​|.)*//s' regexp_corer
Segmentation fault

(The regex causes the engine to recurse in S_regmatch a _lot_, and kaboom.)

Closing ticket, because I don't think there's anything perl can do about
this.

@rspier - Status changed from 'new' to 'resolved'

From @hvds

Robert (via RT) <perlbug-followup@​perl.org> wrote​:
:Able to replicate with 5.8.1.
:
:This is a stack size issue​:
:
:[robert@​x1 /tmp]$ /big/robert/perl-5.8.1/bin/perl -le '$/=undef; $_=<>;
:s/(\@​\@​|.)*//s' regexp_corer
:[robert@​x1 /tmp]$ ulimit -s 8192
:[robert@​x1 /tmp]$ /big/robert/perl-5.8.1/bin/perl -le '$/=undef; $_=<>;
:s/(\@​\@​|.)*//s' regexp_corer
:Segmentation fault
:
:(The regex causes the engine to recurse in S_regmatch a _lot_, and kaboom.)
:
:Closing ticket, because I don't think there's anything perl can do about
:this.

I think it is possible to avoid using the C stack for such recursion,
and I plan to attempt that for 5.10. In principle, I think the C stack
requirements for matching should at worst be proportional to the
complexity of the regexp.

But there are many similar reports in the bug database, and it might be
more useful to relate them to each other than to close some randomly
selected ones.

Hugo

From @smpeters

[barries@​jester.slaysys.com - Thu Sep 26 19​:09​:46 2002]​:

This is a bug report for perl from barries@​slaysys.com,
generated with the help of perlbug 1.34 running under perl v5.8.0.

-----------------------------------------------------------------
[Please enter your report here]

Get the file http​://slaysys.com​:81/regexp_corer and do​:

perl \-le '$/=undef; $\_=\<>; s/\(\\@&#8203;\\@&#8203;|\.\)\*//s' regexp\_corer

This produces a segfault in 5.6.0 and 5.8.0. Using a bigger
chunk of that file can trigger it in 5.6.1. Can't get 5.004
to hork.

I don't have access to your original file, but perl.c seems to work just fine.

perl -le '$/=undef; $_=<>; s/(\@​\@​|.)*//s' perl.c
Segmentation fault (core dumped)

After change #27598, this core dump has been stopped.

./perl -le '$/=undef; $_=<>; s/(\@​\@​|.)*//s' perl.c

@smpeters - Status changed from 'open' to 'resolved'