
[perl #76538] Assertion failed: (rx->sublen >= (s - rx->subbeg) + i), function Perl_reg_numbered_buff_fetch

From: Karl Williamson via RT
Date: January 27, 2013 17:17
Subject: [perl #76538] Assertion failed: (rx->sublen >= (s - rx->subbeg) + i), function Perl_reg_numbered_buff_fetch
Message ID: rt-3.6.HEAD-27190-1359307054-700.76538-15-0@perl.org

On Tue May 17 03:38:38 2011, davem wrote:
> I'm just forwarding this message with a [perl #...] added in the subject
> line so that it gets picked up by RT.
> 
> ----- Forwarded message from Michael Schroeder <mls@suse.de> -----
> 
> Date: Thu, 28 Apr 2011 12:45:40 +0200
> From: Michael Schroeder <mls@suse.de>
> To: perl5-porters@perl.org
> Subject: 5.14.0 assertion failure (RT#76538)
> Message-ID: <20110428104540.GA31563@suse.de>
> 
> 
> Hi Porters,
> 
> This is about RT#76538, "Assertion failed: (rx->sublen >= (s
> - rx->subbeg) + i), function Perl_reg_numbered_buff_fetch"
> 
> The following little test program still crashes for me:
> 
>     my @x = ("AX=B","AAAAAAX=");
>     utf8::upgrade($x[1]);
>     for (@x) {
>       m{^([^=]+?)X\s*=.+$};
>       print "-> $1\n";
>     }
> 
> What happens is that $1 is already set when "AAAAAAX=" is
> matched against the ^([^=]+?) part of the regexp, then
> the swash needs to be created and Perl_save_re_context() is
> called. save_re_context tries to save $1, but $1 is not
> usable at the moment - it contains the new offsets (0-6), but
> subbeg and sublen still point to the old match, as they
> only get set at the end of the match.
> 
> I'm not sure about the best way to fix this. A quick and dirty
> fix is to modify Perl_save_re_context() to not use save_scalar(),
> but to use a variant that doesn't call SvGETMAGIC(). (The
> current content of $1 needs to be saved, see #18107.)
> 
> --- ./regcomp.c.orig	2011-04-27 14:19:37.000000000 +0000
> +++ ./regcomp.c	2011-04-27 14:21:58.000000000 +0000
> @@ -9912,8 +9912,23 @@ Perl_save_re_context(pTHX)
> 
>  		if (gvp) {
>  		    GV * const gv = *gvp;
> -		    if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
> -			save_scalar(gv);
> +		    if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
> +			/* this is a copy of save_scalar() without the GETMAGIC call,
> RT#76538 */
> +			SV ** const sptr = &GvSVn(gv);
> +			SV * osv = *sptr;
> +			SV * nsv = newSV(0);
> +			save_pushptrptr(SvREFCNT_inc_simple(gv), SvREFCNT_inc(osv),
> SAVEt_SV);
> +			if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) && SvTYPE(osv) !=
> SVt_PVGV) {
> +			    if (SvGMAGICAL(osv)) {
> +				const bool oldtainted = PL_tainted;
> +				SvFLAGS(osv) |= (SvFLAGS(osv) &
> +				    (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
> +				PL_tainted = oldtainted;
> +			    }
> +			    mg_localize(osv, nsv, 1);
> +			}
> +			*sptr = nsv;
> +		    }
>  		}
>  	    }
>  	}
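
Review bot: the block added under `if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))` duplicates the body of save_scalar() inline in regcomp.c, so a later change to save_scalar() can miss this copy without anyone noticing. I would prefer one shared helper that takes a flag to skip the get-magic step, called from both places. The comment should also say why magic must not run here (mid-match, $1 carries the new offsets while subbeg and sublen still describe the previous match) rather than only citing the ticket number. In the SvGMAGICAL branch, `oldtainted` is saved and restored around a statement that only updates SvFLAGS(osv); nothing visible between the two lines can change PL_tainted, so either drop the pair or note that it is kept to mirror save_scalar(). Finally, the wrapped continuation lines ("RT#76538 */", "SAVEt_SV);", "SVt_PVGV) {") have lost their leading "+", so the patch will not apply as posted and should be resent unwrapped or as an attachment.
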
> 
> 
> A saner way would probably be to avoid the inconsistency between
> offs and subbeg/sublen.
> 
> Cheers,
>   Michael.
> 

This test program no longer panics.  The reason is that \s no longer
loads a swash, and so save_re_context() is not called in this example.
Other programs that fail could still be generated. \w and \d still load
swashes, though that may change in the future.  Likely to "always" load
swashes are [:alnum:] and similar.  
-- 
Karl Williamson

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org:443/rt3/Ticket/Display.html?id=76538
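
The inconsistency described in the quoted report, as an added example that is not part of the original thread or of Perl's source: a simplified C model in which the capture offsets change during a match while subbeg/sublen are only repointed when it completes. `struct rx_model` and the helper functions are hypothetical names; only the field names subbeg and sublen and the checked condition are taken from the assertion text, and the buffer lengths are those of the two test strings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified one-group model (assumption), not Perl's real regexp struct. */
struct rx_model {
    const char *subbeg;   /* buffer of the last completed match */
    ptrdiff_t sublen;     /* length of that buffer */
    ptrdiff_t start, end; /* offsets of $1, written during matching */
};

/* Phase 1: the running matcher records new capture offsets. */
static void set_offsets(struct rx_model *rx, ptrdiff_t start, ptrdiff_t end) {
    rx->start = start; rx->end = end;
}

/* Phase 2: only a completed match repoints subbeg/sublen. */
static void commit_match(struct rx_model *rx, const char *subject) {
    rx->subbeg = subject;
    rx->sublen = (ptrdiff_t)strlen(subject);
}

/* Copy $1 into out; return its length, or -1 where the condition in the
 * reported assertion, sublen >= (s - subbeg) + i, does not hold. */
static ptrdiff_t fetch_group1(const struct rx_model *rx, char *out, size_t cap) {
    ptrdiff_t i = rx->end - rx->start; /* (s - subbeg) is rx->start */
    if (rx->start < 0 || i < 0 || rx->sublen < rx->start + i || (size_t)i >= cap)
        return -1;
    memcpy(out, rx->subbeg + rx->start, (size_t)i);
    out[i] = '\0';
    return i;
}

/* Replay the report's two strings; return the mid-match fetch result. */
static ptrdiff_t replay_midmatch(struct rx_model *rx, char *out, size_t cap) {
    set_offsets(rx, 0, 1);             /* "AX=B": $1 = "A" */
    commit_match(rx, "AX=B");          /* first iteration completes */
    set_offsets(rx, 0, 6);             /* "AAAAAAX=" in progress, offsets 0-6 */
    return fetch_group1(rx, out, cap); /* read of $1 before the commit */
}

int main(void) {
    struct rx_model rx = {0};
    char buf[16];
    printf("mid-match: %td\n", replay_midmatch(&rx, buf, sizeof buf));
    commit_match(&rx, "AAAAAAX=");
    printf("committed: %td\n", fetch_group1(&rx, buf, sizeof buf));
    return 0;
}
```

The mid-match fetch is rejected because a 6-byte capture is being read against a buffer still recorded as 4 bytes long; once the second match is committed the same offsets are valid.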
