[perl #112874] Heap corrupted by regex involving (?| ... ) and ($0)

# New Ticket Created by  Jim Avera 
# Please include the string:  [perl #112874]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=112874 >



This is a bug report for perl from james_avera@yahoo.com,
generated with the help of perlbug 1.39 running under perl 5.12.4.

-----------------------------------------------------------------
The following Perl program causes a fatal error in glibc indicating
that the heap is probably corrupted.  The error messages are written
directly to the terminal (probably /dev/tty), and does not appear on
either stdout or stderr.

#!/usr/bin/perl
use strict; use warnings;

$_ = 'aaa x=${ \$x } bbb a=@a=@{ \@a } ccc';
s{
   ([\$\@])
   (?|   # re-use $1, $2 etc in each alternation
     ([^\w\s\{])
     | ( \{
            (
              (?> \\.
                  | [^\{\}\\]++
                  | \{ (?0) \}
              )*
            )
         \}
       )
   )
  }
  {replacement}xgs;


Here is what appears on the /dev/tty (captured with 'script'):

   *** glibc detected *** /usr/bin/perl: free(): invalid next size 
(fast): 0x0000000001198890 ***
   ======= Backtrace: =========
   /lib/x86_64-linux-gnu/libc.so.6(+0x7a6e6)[0x7f6ca7fdf6e6]
   /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f6ca7fe39cc]
   /usr/lib/libperl.so.5.12(Perl_regexec_flags+0x41c)[0x7f6ca8419e1c]
   /usr/lib/libperl.so.5.12(Perl_pp_subst+0x939)[0x7f6ca83b42c9]
   /usr/lib/libperl.so.5.12(Perl_runops_standard+0x20)[0x7f6ca83adc10]
   /usr/lib/libperl.so.5.12(perl_run+0x35e)[0x7f6ca835782e]
   /usr/bin/perl(main+0x149)[0x400d49]
   /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f6ca7f8630d]
   /usr/bin/perl[0x400d81]
   ======= Memory map: ========
   00400000-00402000 r-xp 00000000 08:15 1851 
     /usr/bin/perl
   00601000-00602000 r--p 00001000 08:15 1851 
     /usr/bin/perl
   00602000-00603000 rw-p 00002000 08:15 1851 
     /usr/bin/perl
   0116c000-011cf000 rw-p 00000000 00:00 0 
     [heap]
   7f6ca0000000-7f6ca0021000 rw-p 00000000 00:00 0
   7f6ca0021000-7f6ca4000000 ---p 00000000 00:00 0
   7f6ca6d88000-7f6ca6d9d000 r-xp 00000000 08:15 137088 
     /lib/x86_64-linux-gnu/libgcc_s.so.1
   7f6ca6d9d000-7f6ca6f9c000 ---p 00015000 08:15 137088 
     /lib/x86_64-linux-gnu/libgcc_s.so.1
   7f6ca6f9c000-7f6ca6f9d000 r--p 00014000 08:15 137088 
     /lib/x86_64-linux-gnu/libgcc_s.so.1
   7f6ca6f9d000-7f6ca6f9e000 rw-p 00015000 08:15 137088 
     /lib/x86_64-linux-gnu/libgcc_s.so.1
   7f6ca6f9e000-7f6ca7687000 r--p 00000000 08:15 7656 
     /usr/lib/locale/locale-archive
   7f6ca7687000-7f6ca7690000 r-xp 00000000 08:15 131553 
     /lib/x86_64-linux-gnu/libcrypt-2.13.so
   7f6ca7690000-7f6ca7890000 ---p 00009000 08:15 131553 
     /lib/x86_64-linux-gnu/libcrypt-2.13.so
   7f6ca7890000-7f6ca7891000 r--p 00009000 08:15 131553 
     /lib/x86_64-linux-gnu/libcrypt-2.13.so
   7f6ca7891000-7f6ca7892000 rw-p 0000a000 08:15 131553 
     /lib/x86_64-linux-gnu/libcrypt-2.13.so
   7f6ca7892000-7f6ca78c0000 rw-p 00000000 00:00 0
   7f6ca78c0000-7f6ca78d8000 r-xp 00000000 08:15 131576 
     /lib/x86_64-linux-gnu/libpthread-2.13.so
   7f6ca78d8000-7f6ca7ad7000 ---p 00018000 08:15 131576 
     /lib/x86_64-linux-gnu/libpthread-2.13.so
   7f6ca7ad7000-7f6ca7ad8000 r--p 00017000 08:15 131576 
     /lib/x86_64-linux-gnu/libpthread-2.13.so
   7f6ca7ad8000-7f6ca7ad9000 rw-p 00018000 08:15 131576 
     /lib/x86_64-linux-gnu/libpthread-2.13.so
   7f6ca7ad9000-7f6ca7add000 rw-p 00000000 00:00 0
   7f6ca7add000-7f6ca7b60000 r-xp 00000000 08:15 131557 
     /lib/x86_64-linux-gnu/libm-2.13.so
   7f6ca7b60000-7f6ca7d5f000 ---p 00083000 08:15 131557 
     /lib/x86_64-linux-gnu/libm-2.13.so
   7f6ca7d5f000-7f6ca7d60000 r--p 00082000 08:15 131557 
     /lib/x86_64-linux-gnu/libm-2.13.so
   7f6ca7d60000-7f6ca7d61000 rw-p 00083000 08:15 131557 
     /lib/x86_64-linux-gnu/libm-2.13.so
   7f6ca7d61000-7f6ca7d63000 r-xp 00000000 08:15 131555 
     /lib/x86_64-linux-gnu/libdl-2.13.so
   7f6ca7d63000-7f6ca7f63000 ---p 00002000 08:15 131555 
     /lib/x86_64-linux-gnu/libdl-2.13.so
   7f6ca7f63000-7f6ca7f64000 r--p 00002000 08:15 131555 
     /lib/x86_64-linux-gnu/libdl-2.13.so
   7f6ca7f64000-7f6ca7f65000 rw-p 00003000 08:15 131555 
     /lib/x86_64-linux-gnu/libdl-2.13.so
   7f6ca7f65000-7f6ca80fc000 r-xp 00000000 08:15 131550 
     /lib/x86_64-linux-gnu/libc-2.13.so
   7f6ca80fc000-7f6ca82fb000 ---p 00197000 08:15 131550 
     /lib/x86_64-linux-gnu/libc-2.13.so
   7f6ca82fb000-7f6ca82ff000 r--p 00196000 08:15 131550 
     /lib/x86_64-linux-gnu/libc-2.13.so
   7f6ca82ff000-7f6ca8300000 rw-p 0019a000 08:15 131550 
     /lib/x86_64-linux-gnu/libc-2.13.so
   7f6ca8300000-7f6ca8306000 rw-p 00000000 00:00 0
   7f6ca8306000-7f6ca8472000 r-xp 00000000 08:15 5423 
     /usr/lib/libperl.so.5.12.4
   7f6ca8472000-7f6ca8671000 ---p 0016c000 08:15 5423 
     /usr/lib/libperl.so.5.12.4
   7f6ca8671000-7f6ca8675000 r--p 0016b000 08:15 5423 
     /usr/lib/libperl.so.5.12.4
   7f6ca8675000-7f6ca867a000 rw-p 0016f000 08:15 5423 
     /usr/lib/libperl.so.5.12.4
   7f6ca867a000-7f6ca869b000 r-xp 00000000 08:15 131226 
     /lib/x86_64-linux-gnu/ld-2.13.so
   7f6ca8871000-7f6ca8876000 rw-p 00000000 00:00 0
   7f6ca8898000-7f6ca889a000 rw-p 00000000 00:00 0
   7f6ca889a000-7f6ca889b000 r--p 00020000 08:15 131226 
     /lib/x86_64-linux-gnu/ld-2.13.so
   7f6ca889b000-7f6ca889d000 rw-p 00021000 08:15 131226 
     /lib/x86_64-linux-gnu/ld-2.13.so
   7fffc1db5000-7fffc1dd6000 rw-p 00000000 00:00 0 
     [stack]
   7fffc1dff000-7fffc1e00000 r-xp 00000000 00:00 0 
     [vdso]
   ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 
     [vsyscall]
   Aborted

-----------------------------------------------------------------
---
Flags:
     category=core
     severity=high
---
Site configuration information for perl 5.12.4:

Configured by Debian Project at Tue Sep  6 08:08:24 UTC 2011.

Summary of my perl5 (revision 5 version 12 subversion 4) configuration:

   Platform:
     osname=linux, osvers=2.6.24-28-server, 
archname=x86_64-linux-gnu-thread-multi
     uname='linux allspice 2.6.24-28-server #1 smp wed aug 18 21:17:51 
utc 2010 x86_64 x86_64 x86_64 gnulinux '
     config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN 
-Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr 
-Dprivlib=/usr/share/perl/5.12 -Darchlib=/usr/lib/perl/5.12 
-Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 
-Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local 
-Dsitelib=/usr/local/share/perl/5.12.4 
-Dsitearch=/usr/local/lib/perl/5.12.4 -Dman1dir=/usr/share/man/man1 
-Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 
-Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 
-Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm 
-Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib 
-Dlibperl=libperl.so.5.12.4 -des'
     hint=recommended, useposix=true, d_sigaction=define
     useithreads=define, usemultiplicity=define
     useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
     use64bitint=define, use64bitall=define, uselongdouble=undef
     usemymalloc=n, bincompat5005=undef
   Compiler:
     cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN 
-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
     optimize='-O2 -g',
     cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing 
-pipe -fstack-protector -I/usr/local/include'
     ccversion='', gccversion='4.6.1', gccosandvers=''
     intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
     ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', 
lseeksize=8
     alignbytes=8, prototype=define
   Linker and Libraries:
     ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
     libpth=/usr/local/lib /lib/x86_64-linux-gnu /lib/../lib 
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/lib
     libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
     perllibs=-ldl -lm -lpthread -lc -lcrypt
     libc=, so=so, useshrplib=true, libperl=libperl.so.5.12.4
     gnulibc_version='2.13'
   Dynamic Linking:
     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
     cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib 
-fstack-protector'

Locally applied patches:


---
@INC for perl 5.12.4:
     /home/jima/local/share/perl/5.12.4
     /home/jima/local/share/perl
     /home/jima/lib/perl
     /etc/perl
     /usr/local/lib/perl/5.12.4
     /usr/local/share/perl/5.12.4
     /usr/lib/perl5
     /usr/share/perl5
     /usr/lib/perl/5.12
     /usr/share/perl/5.12
     /usr/local/lib/site_perl
     .

---
Environment for perl 5.12.4:
     HOME=/home/jima
     LANG=en_US.UTF-8
     LANGUAGE (unset)
     LD_LIBRARY_PATH=/home/jima/local/lib
     LOGDIR (unset)
 
PATH=/home/jima/bin:/home/jima/local/bin:/home/jima/jima_tools/linux86_64/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/bin/X11:/usr/local/bin:/opt/openoffice.org3/program:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/games:.
     PERL5LIB=/home/jima/local/share/perl:/home/jima/lib/perl
     PERL_BADLANG (unset)
     SHELL=/bin/bash

• [perl #112874] Heap corrupted by regex involving (?| ... ) and ($0) by Jim Avera via RT
• [perl #112874] Heap corrupted by regex involving (?| ... ) and ($0) by Jim Avera
• Re: [perl #112874] Heap corrupted by regex involving (?| ... ) and($0) by Dave Mitchell
• Re: [perl #112874] Heap corrupted by regex involving (?| ... ) and ($0) by demerphq
• Re: [perl #112874] Heap corrupted by regex involving (?| ... ) and($0) by Nicholas Clark