segfault in S_regnode_guts #16011
From @geeknik
Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
./perl -Dt test203.pl
eeeeeeeeeeeeueeeeeeeeeeeect l$time )= *hum?▒
Program received signal SIGSEGV, Segmentation fault.

From @geeknik

From @khwilliamson
On 06/09/2017 10:16 PM, Brian Carpenter (via RT) wrote:
Attached is the valgrind output

From @khwilliamson

The RT System itself - Status changed from 'new' to 'open'

From @tonycoz
On Sat, 10 Jun 2017 08:04:50 -0700, public@khwilliamson.com wrote:
Your case looks like a simple stack overflow from recursion failure:
$ gdb -q --args ./perl -e '$x = "(" x 4096; qr/$x/'
Program received signal SIGSEGV, Segmentation fault.
It's hard to tell if that's the same issue Brian is seeing.
Tony

From @demerphq
On 12 June 2017 at 03:51, Tony Cook via RT <perlbug-followup@perl.org> wrote:
Oooh. Nice catch. Regex execution does not use recursion. Regex
Yves

From @tonycoz
On Fri, 09 Jun 2017 21:16:13 -0700, brian.carpenter@gmail.com wrote:
Brian, I've only managed to crash this with very deep recursion.
Could you please try to reproduce this with more debugging information? That might give us a more useful backtrace.
Tony

From @geeknik
What more can I do? I compiled it like so:
./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O2\
Here is the full debug output from my end:
./perl -Dt test203.pl
EXECUTING...
(test203.pl:0) enter
On Mon, Jun 12, 2017 at 7:17 PM, Tony Cook via RT <perlbug-followup@perl.org

From @tonycoz
On Mon, Jun 12, 2017 at 07:24:25PM -0500, Brian Carpenter wrote:
Are you using the Debian 8 clang, or some other?
Which version of afl are you using?
What's the output of:
ulimit -s
What happens if you increase the stack size:
ulimit -S -s 32768
If I expand the stack size I get a compilation error from failing to
Unknown switch condition (?(...)) in regex; marked by <-- HERE in m/[\\LC4~r�
Tony

From @geeknik
AFL 2.41b
On Mon, Jun 12, 2017 at 8:21 PM, Tony Cook via RT <perlbug-followup@perl.org

From @demerphq
On 12 June 2017 at 18:07, demerphq <demerphq@gmail.com> wrote:
And looking a little closer I remember I added depth counts to all
The only question is what should the maximum depth be, and should it
I have to admit I lean towards setting it to a number like 1000, where
Here is a simple patch:
$ git diff
diff --git a/regcomp.c b/regcomp.c
index 8921eed..e1d088c 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -10592,6 +10592,9 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I32
+ if (depth > 4000) /* we increase depth by 4 for each open paren, /* Having this true makes it feasible to have a lot fewer tests for the -- |
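Review bot: The literal 4000 in `if (depth > 4000)` only makes sense next to the comment saying depth grows by 4 per open paren, so the real limit is 1000 nested groups, and nothing in the code keeps those two numbers in step. Define the limit as a named constant counted in parentheses and scale it by the per-paren increment at the comparison, so a later change to the increment does not silently change the limit. The thread also asks whether the maximum should be adjustable; reading the limit from a variable initialised from that constant would allow it without touching this check again.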
From @tonycoz
On Tue, 13 Jun 2017 17:14:43 -0700, demerphq wrote:
1000 seems like a reasonable default limit.
Making it runtime adjustable would be good if it isn't too much effort, so
Tony
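The depth limit discussed in the two comments above, sketched as an added example (this is not Perl's regcomp.c and not code from this thread): a toy recursive-descent parser for nested groups that takes the maximum depth as a parameter and returns an error instead of recursing further. The names parse_seq, check_pattern, fill_nested and the PAT_* codes are hypothetical.

```c
#include <stdio.h>
#include <string.h>
enum { PAT_OK = 0, PAT_UNBALANCED = -1, PAT_TOO_DEEP = -2 };

/* Toy grammar: literals and (groups). One C stack frame per open paren,
 * which is what lets deep nesting exhaust the stack when unchecked. */
static int parse_seq(const char **p, int depth, int max_depth)
{
    if (depth > max_depth)              /* refuse before recursing any deeper */
        return PAT_TOO_DEEP;
    while (**p && **p != ')') {
        if (**p == '(') {
            ++*p;                       /* consume '(' */
            int rc = parse_seq(p, depth + 1, max_depth);
            if (rc != PAT_OK)
                return rc;              /* unwind with the error, no crash */
            if (**p != ')')
                return PAT_UNBALANCED;  /* input ended inside a group */
        }
        ++*p;                           /* consume literal or ')' */
    }
    return PAT_OK;
}

/* max_depth is supplied by the caller, so the limit is adjustable at run time. */
int check_pattern(const char *pat, int max_depth)
{
    const char *p = pat;
    int rc = parse_seq(&p, 0, max_depth);
    if (rc == PAT_OK && *p == ')')
        return PAT_UNBALANCED;          /* stray ')' at top level */
    return rc;
}

/* Constructed input: n '(' followed by n ')'; buf must hold 2n+1 bytes. */
void fill_nested(char *buf, size_t n)
{
    memset(buf, '(', n);
    memset(buf + n, ')', n);
    buf[2 * n] = '\0';
}

int main(void)
{
    static char deep[2 * 4096 + 1];
    fill_nested(deep, 4096);            /* same nesting as "(" x 4096 above */
    printf("%d %d\n", check_pattern("a(b(c))", 1000), check_pattern(deep, 1000));
    return 0;
}
```

With the limit at 1000 the 4096-deep input is rejected after 1001 frames; raising max_depth to 4096 accepts it, at the cost of that much more stack.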
From @geeknik
perl v5.27.8-321-ge720636704 compiled with clang 7 trunk and
./perl -e 'm;((((((((((((((((((((((((((((((['
triggers a stack overflow
AddressSanitizer:DEADLYSIGNAL
==16663==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdcd7a1f00
SUMMARY: AddressSanitizer: stack-overflow /root/perl/regcomp.c:16224 in
Worth noting, if we set ulimit -s to 8243 and we put
==6585==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec4f3fc20

From @demerphq
This is to a certain extent expected with current code. Every open parents
On 20 Feb 2018 07:27, "Brian Carpenter" <perlbug-followup@perl.org> wrote:

The RT System itself - Status changed from 'new' to 'open'

From @khwilliamson
On Mon, 19 Feb 2018 17:03:58 -0800, demerphq wrote:
I think this ticket should be rejected, and will do so in a week unless objection is made

From @demerphq
Maybe change it to a feature request?
On 23 Feb 2018 13:57, "Karl Williamson via RT" <perlbug-followup@perl.org>
On Mon, 19 Feb 2018 17:03:58 -0800, demerphq wrote:
I think this ticket should be rejected, and will do so in a week unless
via perlbug: queue: perl5 status: open

From @khwilliamson
Added to wishlist

From @khwilliamson
On Thu, 15 Jun 2017 18:02:05 -0700, tonyc wrote:
It seems to me like we should apply the patch.

From @khwilliamson
This has been fixed by PATCH: [perl #131551] Too deep regex compilation recursion

@khwilliamson - Status changed from 'open' to 'pending release'

From @khwilliamson
On Sun, 04 Mar 2018 08:49:01 -0800, khw wrote:
I believe that perl #131551 addresses this, and will merge this ticket to that one in a month-ish if I don't hear arguments to the contrary

From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.30.0, this and 160 other issues have been
Perl 5.30.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#131551 (status was 'resolved')
Searchable as RT131551$