From perl-5.8.0@ton.iguana.be

Created by perl-5.8.0@ton.iguana.be

perl -wle '$_="abcdef\n"; s!.!!g;print "|$`|"'
|abcdef
|

The last succesful match is on the f in abcdef, so why
isn't $` equal to "abcde" ?
(Or, if it would represent the failing match on \n, undef)

Flags:
    category=core
    severity=low

Site configuration information for perl v5.8.0:

Configured by ton at Tue Nov 12 01:56:18 CET 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.19, archname=i686-linux-thread-multi-64int-ld
    uname='linux quasar 2.4.19 #5 wed oct 2 02:34:25 cest 2002 i686 unknown '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=define
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.3 20010315 (release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -ldb -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    .


Environment for perl v5.8.0:
    HOME=/home/ton
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/ton/bin.Linux:/home/ton/bin:/home/ton/bin.SampleSetup:/usr/local/bin:/usr/local/sbin:/usr/local/jre/bin:/home/oracle/product/9.0.1/bin:/usr/local/ar/bin:/usr/games/bin:/usr/X11R6/bin:/usr/share/bin:/usr/bin:/usr/sbin:/bin:/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @hvds

"perl-5.8.0@​ton.iguana.be (via RT)" <perlbug-followup@​perl.org> wrote​:
:perl -wle '$_="abcdef\n"; s!.!!g;print "|$`|"'
:|abcdef
:|
:
:The last succesful match is on the f in abcdef, so why
:isn't $` equal to "abcde" ?
:(Or, if it would represent the failing match on \n, undef)

It represents the failing match, but the one on the end of the
string rather than on the \n. Not sure why yet ...

Hugo

From alex-p5p@earth.li

This bug seems to continue to be. It's not present in 5.005_03, is
there by 5.6.1. Following test looks for it​:

tortoise perl/current% diff -u t/op/pat.t.old t/op/pat.t

--- t/op/pat.t.old	Fri Jul 11 01:01:51 2003
+++ t/op/pat.t	Fri Jul 11 01:02:25 2003
@@ -6,7 +6,7 @@
 
 $| = 1;
 
-print "1..1006\n";
+print "1..1007\n";
 
 BEGIN {
     chdir 't' if -d 't';
@@ -3189,4 +3189,9 @@
 #$_ = "x"; /x(?{func "in regexp"})/;
 #$_ = "x"; /x(?{func "in multiline regexp"})/m;
 
-# last test 1004
+# bug 19049
+$_="abcdef\n";
+@x = m/./g;
+ok("abcde" eq "$`", '19049 - global match not setting $`');
+
+# last test 1007

From perl-5.8.0@ton.iguana.be

Created by perl-5.8.0@ton.iguana.be

perl -wle '
$i=0;
@​z=("ab", "");
print "\$`=<$`>" while $i<@​z && print 0+$z[$i++]=~s/.\b//g
'

outputs (as expected)​:

1
$`=<a>
0
$`=<a>

Notice how the second match fails and so preserves $`

perl -wle '
$i=0;
@​z=("ab", "");
print "\$`=<$`>" while $i<@​z && print 0+$z[$i++]=~s/.*\b//g
'

outputs​:

2
$`=<ab>
0
$`=<>

so it matched 0 times, but $` was still lost

Flags:
    category=core
    severity=low

Site configuration information for perl v5.8.0:

Configured by ton at Tue Nov 12 01:56:18 CET 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.19, archname=i686-linux-thread-multi-64int-ld
    uname='linux quasar 2.4.19 #5 wed oct 2 02:34:25 cest 2002 i686 unknown '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=define
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.3 20010315 (release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -ldb -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:



@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    .


Environment for perl v5.8.0:
    HOME=/home/ton
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/ton/bin.Linux:/home/ton/bin:/home/ton/bin.SampleSetup:/usr/local/bin:/usr/local/sbin:/usr/local/jre/bin:/home/oracle/product/9.0.1/bin:/usr/local/ar/bin:/usr/games/bin:/usr/X11R6/bin:/usr/share/bin:/usr/bin:/usr/sbin:/bin:/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @andk

[alex-p5p@​earth.li - Thu Jul 10 17​:13​:03 2003]​:

This bug seems to continue to be. It's not present in 5.005_03, is
there by 5.6.1.

When I see such a bug it urges me to find out the patch that introduced
the bug.

It was the rather small patch 2372.

I hope this helps somebody to find the fix.

From @andk

The following patch *kind* of fixes the bug 19049 and another TODO but
it is incorrect in that it breaks tests op/pat 188 and op/subs_amp 2
thru 13.

Maybe somebody with the right regexp-fu could continue on this?

I merely tried reverting parts of patch 2372 which introduced the bug,
so I have to give up at this point.

#### Patch data follows ####
diff -c '../perl-p-5.8.0@​25977/regexec.c' 'regexec.c'
Index​: ./regexec.c
*** ./regexec.c Thu Nov 3 21​:57​:16 2005
--- ./regexec.c Fri Nov 4 07​:23​:03 2005
***************
*** 2177,2183 ****
  prog->subbeg = PL_bostr;
  prog->sublen = PL_regeol - PL_bostr; /* strend may have been modified */
  }
! prog->startp[0] = startpos - PL_bostr;
  PL_reginput = startpos;
  PL_regstartp = prog->startp;
  PL_regendp = prog->endp;
--- 2177,2183 ----
  prog->subbeg = PL_bostr;
  prog->sublen = PL_regeol - PL_bostr; /* strend may have been modified */
  }
! /* prog->startp[0] = startpos - PL_bostr; */
  PL_reginput = startpos;
  PL_regstartp = prog->startp;
  PL_regendp = prog->endp;
***************
*** 2221,2226 ****
--- 2221,2227 ----
  #endif
  REGCP_SET(lastcp);
  if (regmatch(prog->program + 1)) {
+ prog->startp[0] = startpos - PL_bostr;
  prog->endp[0] = PL_reginput - PL_bostr;
  return 1;
  }
diff -c '../perl-p-5.8.0@​25977/t/op/pat.t' 't/op/pat.t'
Index​: ./t/op/pat.t
*** ./t/op/pat.t Thu Nov 3 21​:57​:02 2005
--- ./t/op/pat.t Fri Nov 4 08​:06​:45 2005
***************
*** 3196,3202 ****
  # bug #19049
  $_="abcdef\n";
  @​x = m/./g;
! ok("abcde" eq "$`", '# TODO #19049 - global match not setting $`');
 
  ok("123\x{100}" =~ /^.*1.*23\x{100}$/, 'uft8 + multiple floating substr');
 
--- 3196,3202 ----
  # bug #19049
  $_="abcdef\n";
  @​x = m/./g;
! ok("abcde" eq "$`", '#19049 - global match not setting $`');
 
  ok("123\x{100}" =~ /^.*1.*23\x{100}$/, 'uft8 + multiple floating substr');
 
***************
*** 3390,3396 ****
  $s = $1;
  $s = $2;
  ok($s eq 'cd',
! "# TODO assigning to original string should not corrupt match vars");
  }
 
  # last test 1187
--- 3390,3396 ----
  $s = $1;
  $s = $2;
  ok($s eq 'cd',
! "# assigning to original string should not corrupt match vars");
  }
 
  # last test 1187
#### End of Patch data ####

--
andreas

From @rgs

Andreas J. Koenig wrote​:

The following patch *kind* of fixes the bug 19049 and another TODO but
it is incorrect in that it breaks tests op/pat 188 and op/subs_amp 2
thru 13.

Thanks, applied as change #25993.

Maybe somebody with the right regexp-fu could continue on this?

I merely tried reverting parts of patch 2372 which introduced the bug,
so I have to give up at this point.

From @rgs

Rafael Garcia-Suarez wrote​:

Andreas J. Koenig wrote​:

The following patch *kind* of fixes the bug 19049 and another TODO but
it is incorrect in that it breaks tests op/pat 188 and op/subs_amp 2
thru 13.

Thanks, applied as change #25993.

Maybe somebody with the right regexp-fu could continue on this?

I merely tried reverting parts of patch 2372 which introduced the bug,
so I have to give up at this point.

Yes. I reverted it again with change #25998. If someone wants to
follow-up... It's a bit late for me to continue.

From @smpeters

[perl-5.8.0@​ton.iguana.be - Thu Sep 18 12​:45​:34 2003]​:

This is a bug report for perl from perl-5.8.0@​ton.iguana.be,
generated with the help of perlbug 1.34 running under perl v5.8.0.

-----------------------------------------------------------------
[Please enter your report here]

perl -wle '
$i=0;
@​z=("ab", "");
print "\$`=<$`>" while $i<@​z && print 0+$z[$i++]=~s/.\b//g
'

outputs (as expected)​:

1
$`=<a>
0
$`=<a>

Notice how the second match fails and so preserves $`

perl -wle '
$i=0;
@​z=("ab", "");
print "\$`=<$`>" while $i<@​z && print 0+$z[$i++]=~s/.*\b//g
'

outputs​:

2
$`=<ab>
0
$`=<>

so it matched 0 times, but $` was still lost

This problem still exists in bleadperl@​27717.

The RT System itself - Status changed from 'new' to 'open'

From @jbenjore

On 4/5/06, Steve Peters via RT <perlbug-followup@​perl.org> wrote​:

[perl-5.8.0@​ton.iguana.be - Thu Sep 18 12​:45​:34 2003]​:

This is a bug report for perl from perl-5.8.0@​ton.iguana.be,
generated with the help of perlbug 1.34 running under perl v5.8.0.
This problem still exists in bleadperl@​27717.

From perlre. This is working as documented and not a bug.

  The numbered match variables ($1, $2, $3, etc.) and the related punctu-
  ation set ($+, $&amp;, $', $', and $^N) are all dynamically scoped until
  the end of the enclosing block or until the next successful match,
  whichever comes first. (See "Compound Statements" in perlsyn.)

  NOTE​: failed matches in Perl do not reset the match variables, which
  makes easier to write code that tests for a series of more specific
  cases and remembers the best match.

Josh

From Steffen_Ullrich@genua.de

Created by steffen@genua.de

The following code causes an segmentation fault on OpenBSD3.9.
The Problem happens with perl5.8.6 and also with perl5.8.8.
It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
(Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).

I guess there is some memory corruption which is detected by the
very strict OpenBSD checking.

my @​list = (
  'ab cd', # matches regex
  ( 'e' x 4000 ) .'ab c' # matches not, but 'ab c' matches part of it
);
foreach (@​list) {
  m/ab(.*)cd/i; # the ignore-case seems to be important
  my $y = $1; # use $1, which might not be from the last match!
}

Stacktrace​:

(gdb) bt
#0 0x0642dca9 in memmove () from /usr/lib/libc.so.39.0
#1 0x076ba597 in Perl_sv_setpvn (sv=0x1, ptr=0x846f2b72 <Address 0x846f2b72 out of bounds>, len=1)
  at /usr/src/gnu/usr.bin/perl/sv.c​:4150
#2 0x076b0b4d in Perl_magic_get (sv=0x8485676c, mg=0x1) at /usr/src/gnu/usr.bin/perl/mg.c​:760
#3 0x076b01d5 in Perl_mg_get (sv=0x8485676c) at /usr/src/gnu/usr.bin/perl/mg.c​:169
#4 0x076ba3f1 in Perl_sv_setsv_flags (dstr=0x84856748, sstr=0x8485676c, flags=2) at /usr/src/gnu/usr.bin/perl/sv.c​:3819
#5 0x076a85b9 in Perl_pp_sassign () at /usr/src/gnu/usr.bin/perl/pp_hot.c​:122
#6 0x07710c29 in Perl_runops_standard () at /usr/src/gnu/usr.bin/perl/run.c​:37
#7 0x076ff457 in S_run_body (oldscope=1) at /usr/src/gnu/usr.bin/perl/perl.c​:1936
#8 0x076ff257 in perl_run (my_perl=0x846f1030) at /usr/src/gnu/usr.bin/perl/perl.c​:1855
#9 0x1c0012e6 in main ()

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.6:

Configured by root at Thu Jan  1  0:00:00 UTC 1970.

Summary of my perl5 (revision 5 version 8 subversion 6) configuration:
  Platform:
    osname=openbsd, osvers=3.9, archname=i386-openbsd
    uname='openbsd'
    config_args='-dsE -Dopenbsd_distribution=defined'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include',
    optimize='-O2',
    cppflags='-fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include'
    ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd3.9'
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-Wl,-E '
    libpth=/usr/lib
    libs=-lm -lutil -lc
    perllibs=-lm -lutil -lc
    libc=/usr/lib/libc.so.39.0, so=so, useshrplib=true, libperl=libperl.so.10.0
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-R/usr/libdata/perl5/i386-openbsd/5.8.6/CORE'
    cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC '

Locally applied patches:
    SUIDPERLIO1 - fix PERLIO_DEBUG buffer overflow (CAN-2005-0156)
    SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962


@INC for perl v5.8.6:
    /usr/libdata/perl5/i386-openbsd/5.8.6
    /usr/local/libdata/perl5/i386-openbsd/5.8.6
    /usr/libdata/perl5
    /usr/local/libdata/perl5
    /usr/local/libdata/perl5/site_perl/i386-openbsd
    /usr/libdata/perl5/site_perl/i386-openbsd
    /usr/local/libdata/perl5/site_perl
    /usr/libdata/perl5/site_perl
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.8.6:
    HOME=/home/steffen
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/steffen/bin:/home/steffen/bin/OpenBSD.bin:/mount/share/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

From @rgs

Steffen_Ullrich@​genua.de (via RT) wrote​:

The following code causes an segmentation fault on OpenBSD3.9.
The Problem happens with perl5.8.6 and also with perl5.8.8.
It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
(Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).

I guess there is some memory corruption which is detected by the
very strict OpenBSD checking.

my @​list = (
'ab cd', # matches regex
( 'e' x 4000 ) .'ab c' # matches not, but 'ab c' matches part of it
);
foreach (@​list) {
m/ab(.*)cd/i; # the ignore-case seems to be important
my $y = $1; # use $1, which might not be from the last match!
}

Stacktrace​:

Even though this doesn't segfault here on Linux with bleadperl, valgrind
confirms this stacktrace.

The RT System itself - Status changed from 'new' to 'open'

From @ysth

On Wed, Apr 05, 2006 at 01​:53​:12PM -0500, Joshua ben Jore wrote​:

On 4/5/06, Steve Peters via RT <perlbug-followup@​perl.org> wrote​:

[perl-5.8.0@​ton.iguana.be - Thu Sep 18 12​:45​:34 2003]​:

This is a bug report for perl from perl-5.8.0@​ton.iguana.be,
generated with the help of perlbug 1.34 running under perl v5.8.0.
This problem still exists in bleadperl@​27717.

From perlre. This is working as documented and not a bug.

   The numbered match variables \($1\, $2\, $3\, etc\.\) and the related punctu\-
   ation set \($\+\, $&\, $'\, $'\, and $^N\) are all dynamically scoped until
   the end of the enclosing block or until the next successful match\,
   whichever comes first\.  \(See "Compound Statements" in perlsyn\.\)

   NOTE​: failed matches in Perl do not reset the match variables\, which
   makes easier to write code that tests for a series of more specific
   cases and remembers the best match\.

The bug report is that a failed match (actually a failed s///g) *is*
reseting a match variable, so it is not working as documented.

From @rgarcia

On 07/04/06, Rafael Garcia-Suarez <rgarciasuarez@​mandriva.com> wrote​:

Steffen_Ullrich@​genua.de (via RT) wrote​:

The following code causes an segmentation fault on OpenBSD3.9.
The Problem happens with perl5.8.6 and also with perl5.8.8.
It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
(Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).

I guess there is some memory corruption which is detected by the
very strict OpenBSD checking.

my @​list = (
'ab cd', # matches regex
( 'e' x 4000 ) .'ab c' # matches not, but 'ab c' matches part of it
);
foreach (@​list) {
m/ab(.*)cd/i; # the ignore-case seems to be important
my $y = $1; # use $1, which might not be from the last match!
}

Stacktrace​:

Even though this doesn't segfault here on Linux with bleadperl, valgrind
confirms this stacktrace.

I've added an assert() to catch such cases, but the bug should be fixed instead.

Change 29271 by rgs@​stencil on 2006/11/14 11​:35​:04

  Assert that we don't access strings saved for $1 etc. out of bounds

Affected files ...

... //depot/perl/mg.c#455 edit

Differences ...

==== //depot/perl/mg.c#455 (text) ====

@​@​ -854,6 +854,7 @​@​
  i = t1 - s1;
  s = rx->subbeg + s1;
  assert(rx->subbeg);
+ assert(rx->sublen >= s1);

  getrx​:
  if (i >= 0) {

@rgs - Status changed from 'open' to 'resolved'

From @demerphq

Hi,

This bug was fixed by change 29279 (Perl 5.9.5).

Thanks for the report.

Cheers,
Yves