Perl Segmentation Fault using /((\w+ )+)/ on long strings #5141

p5pRT · 2002-02-25T21:15:29Z

Migrated from rt.perl.org#8685 (status was 'resolved')

Searchable as RT8685$

p5pRT · 2002-02-25T21:15:29Z

From suter@zwitterion.humbug.org.au

Created by suter@zwitterion.humbug.org.au

One all the systems I tested the following on, it exits with a
segmentation fault.

perl -e '("bug " x 1E5) =~ /((\w+ )+)/'

Perl Info


Flags:
    category=core
    severity=critical

Site configuration information for perl v5.6.1:

Configured by bod at Fri Jan 11 04:14:18 EST 2002.

Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration:
  Platform:
    osname=linux, osvers=2.4.13, archname=i386-linux
    uname='linux duende 2.4.13 #1 wed oct 31 19:18:07 est 2001 i686 unknown '
    config_args='-Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i386-linux -Dprefix=/usr -Dprivlib=/usr/share/perl/5.6.1 -Darchlib=/usr/lib/perl/5.6.1 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.6.1 -Dsitearch=/usr/local/lib/perl/5.6.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Duseshrplib -Dlibperl=libperl.so.5.6.1 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
  Compiler:
    cc='cc', ccflags ='-DDEBIAN -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-DDEBIAN -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.4  (Debian prerelease)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -ldb -ldl -lm -lc -lcrypt
    perllibs=-ldl -lm -lc -lcrypt
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=true, libperl=libperl.so.5.6.1
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.6.1:
    /usr/local/lib/perl/5.6.1
    /usr/local/share/perl/5.6.1
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.6.1
    /usr/share/perl/5.6.1
    /usr/local/lib/site_perl/i386-linux
    /usr/local/lib/site_perl
    /usr/local/lib/perl/5.6.0
    /usr/local/share/perl/5.6.0
    .


Environment for perl v5.6.1:
    HOME=/home/suter
    LANG=C
    LANGUAGE (unset)
    LC_ALL=C
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:/home/suter/bin:/home/suter/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

p5pRT · 2002-03-02T16:31:45Z

From @nwc10

On Tue, Feb 26, 2002 at 03:15:14PM +1000, Mark Suter wrote:

This is a bug report for perl from suter@zwitterion.humbug.org.au,
generated with the help of perlbug 1.33 running under perl v5.6.1.

-----------------------------------------------------------------
[Please enter your report here]

One all the systems I tested the following on, it exits with a
segmentation fault.
perl \-e '$"bug " x 1E5$ =~ /$\(\\w\+ $\+\)/'

This appears to be a bug introduced between 5.005_03 and 5.6.0

$ perl5.00404 -e '("bug " x 1E5) =~ /((\w+ )+)/'
$ perl5.00503 -e '("bug " x 1E5) =~ /((\w+ )+)/'
$ perl5.6.0 -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault

[on ARM linux, still present at patch 14826]

I've just built 14951 on x86 FreeBSD with -g and I can't get that to SEGV.

In 13520 on ARM with -g it's here:

Program received signal SIGSEGV, Segmentation fault.
0xc140c in Perl_sv_setpvn (sv=0x177200, ptr=0x17d9c4 "Þ-\002", len=131015)
at sv.c:3966
3966 }
(gdb) where
#0 0xc140c in Perl_sv_setpvn (sv=0x177200, ptr=0x17d9c4 "Þ-\002", len=131015)
at sv.c:3966
#1 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#2 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#3 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#4 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#5 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#6 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#7 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#8 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#9 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#10 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#11 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#12 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#13 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#14 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#15 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#16 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#17 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#18 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#19 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#20 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#21 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#22 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#23 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#24 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#25 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#26 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#27 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#28 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#29 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#30 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#31 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#32 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#33 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#34 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#35 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#36 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#37 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#38 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#39 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#40 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#41 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#42 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#43 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#44 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#45 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
#46 0x131614 in S_regmatch (prog=0x17d9c4) at regexec.c:3543
#47 0x12ebc4 in S_regmatch (prog=0x17d9d4) at regexec.c:3026
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) list
3961 void
3962 Perl_sv_setsv_mg(pTHX_ SV *dstr, register SV *sstr)
3963 {
3964 sv_setsv(dstr,sstr);
3965 SvSETMAGIC(dstr);
3966 }
3967
3968 /*
3969 =for apidoc sv_setpvn
3970

In perl with "DEVEL11709" in patchlevel.h it's here:

Program received signal SIGSEGV, Segmentation fault.
0x12feb0 in S_regmatch (prog=0x1751e4) at regexec.c:3183
3183 U8 *s = (U8*)STRING(next);
(gdb) where
#0 0x12feb0 in S_regmatch (prog=0x1751e4) at regexec.c:3183
#1 0x12efec in S_regmatch (prog=0x1751f4) at regexec.c:2932
#2 0x130f00 in S_regmatch (prog=0x1751e4) at regexec.c:3362
#3 0x12efec in S_regmatch (prog=0x1751f4) at regexec.c:2932

(gdb) list
3178 /*
3179 * Lookahead to avoid useless match attempts
3180 * when we know what character comes next.
3181 */
3182 if (PL_regkind[(U8)OP(next)] == EXACT) {
3183 U8 *s = (U8*)STRING(next);
3184 if (!UTF) {
3185 c2 = c1 = *s;
3186 if (OP(next) == EXACTF)
3187 c2 = PL_fold[c1];

(gdb) print next
$1 = (regnode *) 0x1751f4
(gdb) print *next
$2 = {flags = 1 '\001', type = 33 '!', next_off = 2}
(gdb) print ((struct regnode_string *)next)->string
$5 = " "

Odd.

0x12fe90 <S_regmatch+18876>:
ldr r3, [pc, #2a8] ; 0x130140 <S_regmatch+19564>
0x12fe94 <S_regmatch+18880>: ldr r2, [r11, -#28]
0x12fe98 <S_regmatch+18884>: ldrb r1, [r2, #1]
0x12fe9c <S_regmatch+18888>: ldrb r3, [r3, r1]
0x12fea0 <S_regmatch+18892>: cmp r3, #33 ; 0x21
0x12fea4 <S_regmatch+18896>: bne 0x12ff70 <S_regmatch+19100>
0x12fea8 <S_regmatch+18900>: ldr r3, [r11, -#28]
0x12feac <S_regmatch+18904>: add r2, r3, #4 ; 0x4
0x12feb0 <S_regmatch+18908>: str r2, [r11, -#224]
0x12feb4 <S_regmatch+18912>:
ldr r3, [pc, #288] ; 0x130144 <S_regmatch+19568>
0x12feb8 <S_regmatch+18916>: ldr r2, [r3]
0x12febc <S_regmatch+18920>: and r3, r2, #8 ; 0x8
0x12fec0 <S_regmatch+18924>: cmp r3, #0 ; 0x0

This is the SEGV instruction, the the assignment to s.

0x12feb0 <S_regmatch+18908>: str r2, [r11, -#224]

These are the registers

r0 0x1751e4 1528292
r1 0x21 33
r2 0x1751f8 1528312
r3 0x1751f4 1528308
r4 0x170a44 1509956
r5 0xbffffc94 -1073742700
r6 0x1b698 112280
r7 0x4000dd84 1073798532
r8 0x3 3
r9 0x1c55c 116060
r10 0x401ec1a4 1075757476
r11 0xbf800074 -1082130316
r12 0xbf800078 -1082130312
sp 0xbf7fff1c -1082130660
lr 0x12efec 1241068
pc 0x12feb0 1244848
fps 0x0 0
cpsr 0x60000010 1610612752

$ perl -le 'printf "%x\n", 0xbf800074-224'
bf7fff94

So we're string to store the contents of R2 at bf7fff94, which is above
the stack pointer in sp. And yet we get this from dmesg:

perl5.7.2-g: unhandled page fault at pc=0x0012feb0, lr=0x0012efec (bad address=0xbf7fff94, code -1)

And I have no idea what a code -1 is. So I'm going to check with the ARM Linux
folks.

But it's a real bug. Thanks for the report.

Nicholas Clark
--
Even better than the real thing: http://nms-cgi.sourceforge.net/

p5pRT · 2002-03-02T17:41:08Z

From @schwern

On Sun, Mar 03, 2002 at 12:17:01AM +0000, Nicholas Clark wrote:

This appears to be a bug introduced between 5.005_03 and 5.6.0

$ perl5.00404 -e '("bug " x 1E5) =~ /((\w+ )+)/'
$ perl5.00503 -e '("bug " x 1E5) =~ /((\w+ )+)/'
$ perl5.6.0 -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault

[on ARM linux, still present at patch 14826]

I've just built 14951 on x86 FreeBSD with -g and I can't get that to SEGV.

I can. Debian/PowerPC.

$ perl5.6.0 -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault
$ perl5.6.1 -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault
$ bleadperl -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault

that's @14897. Same problem, big stack of S_regmatch calls.

--

Michael G. Schwern <schwern@pobox.com> http://www.pobox.com/~schwern/
Perl Quality Assurance <perl-qa@perl.org> Kwalitee Is Job One
turds slide easily
spooge the paste into my crack
poop falls free no more
-- Schwern

p5pRT · 2002-03-03T03:53:03Z

From @andk

On Sat, 2 Mar 2002 20:40:30 -0500, Michael G Schwern <schwern@pobox.com> said:

> that's @14897. Same problem, big stack of S_regmatch calls.

Is it not the standard out-of-stack problem? I have the impression,
this bug has always been there, e.g.

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/1999-03/msg00645.html

It's only a matter of the length of the string. If a specific perl
version doesn't SEGV, then all you have to do is make the string
longer.

--
andreas

p5pRT · 2002-03-03T17:46:36Z

From @jhi

On Sun, Mar 03, 2002 at 12:52:07PM +0100, Andreas J. Koenig wrote:

On Sat, 2 Mar 2002 20:40:30 -0500, Michael G Schwern <schwern@pobox.com> said:

that's @14897. Same problem, big stack of S_regmatch calls.

Is it not the standard out-of-stack problem? I have the impression,
this bug has always been there, e.g.

I think it is. It cores on me in Tru64, but simply by growing the
stack I can delay the problem.

http&#8203;://www\.xray\.mpe\.mpg\.de/mailing\-lists/perl5\-porters/1999\-03/msg00645\.html
It's only a matter of the length of the string. If a specific perl
version doesn't SEGV, then all you have to do is make the string
longer.

--
andreas

--
$jhi++; # http://www.iki.fi/jhi/
# There is this special biologist word we use for 'stable'.
# It is 'dead'. -- Jack Cohen

p5pRT · 2006-03-29T16:18:33Z

From @smpeters

[suter@zwitterion.humbug.org.au - Mon Feb 25 13:15:29 2002]:

This is a bug report for perl from suter@zwitterion.humbug.org.au,
generated with the help of perlbug 1.33 running under perl v5.6.1.

-----------------------------------------------------------------
[Please enter your report here]

One all the systems I tested the following on, it exits with a
segmentation fault.
perl \-e '$"bug " x 1E5$ =~ /$\(\\w\+ $\+\)/'

This appears to have been fixed with change #27598.

steve@kirk:~/smoke/perl-current$ perl -e '("bug " x 1E5) =~ /((\w+ )+)/'
Segmentation fault
steve@kirk:~/smoke/perl-current$ ./perl -e '("bug " x 1E5) =~ /((\w+ )+)/'

p5pRT · 2006-03-29T16:18:35Z

@smpeters - Status changed from 'open' to 'resolved'

p5pRT closed this as completed Mar 29, 2006

p5pRT added affects-5.6 distro-Linux type-core labels Oct 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Perl Segmentation Fault using /((\w+ )+)/ on long strings #5141

Perl Segmentation Fault using /((\w+ )+)/ on long strings #5141

p5pRT commented Feb 25, 2002

p5pRT commented Feb 25, 2002

p5pRT commented Mar 2, 2002

p5pRT commented Mar 2, 2002

p5pRT commented Mar 3, 2002

p5pRT commented Mar 3, 2002

p5pRT commented Mar 29, 2006

p5pRT commented Mar 29, 2006

Perl Segmentation Fault using /((\w+ )+)/ on long strings #5141

Perl Segmentation Fault using /((\w+ )+)/ on long strings #5141

Comments

p5pRT commented Feb 25, 2002

p5pRT commented Feb 25, 2002

From suter@zwitterion.humbug.org.au

Created by suter@zwitterion.humbug.org.au

p5pRT commented Mar 2, 2002

From @nwc10

p5pRT commented Mar 2, 2002

From @schwern

p5pRT commented Mar 3, 2002

From @andk

p5pRT commented Mar 3, 2002

From @jhi

p5pRT commented Mar 29, 2006

From @smpeters

p5pRT commented Mar 29, 2006