
Re: [perl #115752] crash with invalid free in regex engine

From: Andreas Koenig
Date: July 27, 2013 08:04
Subject: Re: [perl #115752] crash with invalid free in regex engine
Message ID: 878v0stoo1.fsf@k85.linux.bogus
"Father Chrysostomos via RT" <perlbug-followup@perl.org> writes:

> On Thu Nov 15 17:21:55 2012, mauke- wrote:
>> $ cat irc.pl
>> #!/usr/bin/perl
>> use warnings;
>> use strict;
>> 
>> for my $num ('4000752057698530', '4000608912607415',
>>    '4000966220145415') {
>>     my $tmp = $num;
>>     my $x;
>>     $tmp =~ s/^(.{6})(.*?)(?{ $x = $^N; $x =~ s{.}{%}g;
>>    })(.{4})$/$1#$2/;
>> }
>> __END__
>> $ perl irc.pl
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> Use of uninitialized value $num in substitution (s///) at (re_eval 1)
>>    line 1.
>> *** glibc detected *** perl: double free or corruption (fasttop):
>>    0x08708f68 ***
>
> This appears to be fixed in blead.  Anyone want to do a bisect?

I did not see the double free corruption, just the uninit warnings; I hope
this would trigger the same result.

commit f5df269c5cef57294662d0b1f80a468b91f13643
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Fri Jul 5 23:59:46 2013 -0700

    [perl #117917] /(?{ m|...| }) (?{ $1 })/
    
    A regular expression invoked inside a regular expression code block
    can cause other code blocks in the same outer regular expression to
    see the wrong values in $1.
    
    PL_curpm holds a pointer to the match operator from which $1, $2, etc.
    get their values.
    
    Normally PL_curpm is set at the end of a match.
    
    When code blocks are embedded inside a regular expression, PL_curpm
    is set during a match to point to PL_reg_curpm, which is a dummy op
    pointing to the current regular expression.
    
    S_setup_eval_state is called at the beginning of regexp execution.
    It is responsible for setting up PL_regcurpm and making PL_curpm
    point to it.
    
    Code blocks are executed using the multicall API.  PUSH_MULTICALL
    records the value of PL_curpm and POP_MULTICALL makes sure that the
    previous value of PL_curpm is restored.
    
    Executing a code block can cause PL_curpm to point to something else.
    Since we don’t necessarily do POP_MULTICALL between code block calls
    within a single regular expression (sometimes we do, depending on
    backtracking), PL_curpm may not have been restored when a second code
    block fires.  So we have to restore it to point to PL_reg_curpm manually
    after calling a code block.

:100644 100644 12548d5d21a3aa0fcbd8ad761725c653f9ee0570 6367e2ee694cc417f1b9af7c034a680de9d9f4ec M      regexec.c
:040000 040000 c78bbe1ce042a4fbb98f17c1296a256f568809d9 08fff18890e8685274e71818159d584c6c32ac08 M      t
bisect run success
That took 459 seconds

-- 
andreas
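As an added regression check (not part of Andreas's mail, the ticket, or the perl commit), the script below exercises both shapes of the problem: the inner match from the commit message and mauke's inner substitution from the ticket. The sub names and the expected values are this example's own; on a perl that includes f5df269c both checks print "ok", while an older perl can report the wrong $1 in the first case or the warnings and crash shown in the ticket in the second.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added regression check for perl #115752 / #117917; sub names and
# expected values are this example's own, not from the page.

# Case 1, the shape from the commit message: a match run inside a regex
# code block must not change which $1 a later code block in the same
# outer regex sees. The outer capture is 'a'; the inner match captures 'y'.
sub outer_capture_after_inner_match {
    my $seen;
    "ab" =~ /(a)(?{ "xyz" =~ m{(y)}; })(?{ $seen = $1; })b/;
    return $seen;   # 'a' on a fixed perl
}

# Case 2, mauke's reproducer from the ticket: a substitution inside a
# code block while the outer s/// is still running. The outer replacement
# must still see its own $1 and $2, and no "uninitialized value" warning
# (nor a crash) should occur.
sub outer_subst_with_inner_subst {
    my $tmp = '4000752057698530';   # sample value taken from the ticket
    my $x;
    my $warned = 0;
    local $SIG{__WARN__} = sub { $warned++ };
    $tmp =~ s/^(.{6})(.*?)(?{ $x = $^N; $x =~ s{.}{%}g; })(.{4})$/$1#$2/;
    # $1 = '400075', $2 = '205769', $3 = '8530'; $x masks the final $2
    return ($tmp, $x, $warned);
}

my $seen = outer_capture_after_inner_match();
my $shown = defined $seen ? $seen : 'undef';
print "case 1: \$1 in second code block = '$shown' ",
      (defined $seen && $seen eq 'a' ? "(ok)\n" : "(BUG: expected 'a')\n");

my ($tmp, $x, $warned) = outer_subst_with_inner_subst();
print "case 2: result = '$tmp', masked = '$x', warnings = $warned ",
      ($tmp eq '400075#205769' && $x eq '%%%%%%' && !$warned
         ? "(ok)\n" : "(BUG)\n");
```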
