[perl #122747] Assertion failed in Perl_reg_numbered_buff_fetch, file regcomp.c, line 7459

From: Mark Martinec
Date: September 10, 2014 15:16
Subject: [perl #122747] Assertion failed in Perl_reg_numbered_buff_fetch, file regcomp.c, line 7459
Message ID: rt-4.0.18-16350-1410362140-495.122747-75-0@perl.org

# New Ticket Created by  Mark Martinec 
# Please include the string:  [perl #122747]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=122747 >


This is a bug report for perl from Mark.Martinec@ijs.si,
generated with the help of perlbug 1.40 running under perl 5.20.1-RC2.


-----------------------------------------------------------------
[Please describe your issue here]

Have been running 5.20.1-RC2 here under FreeBSD 10.0 for a couple of
days without a problem. The application is a mail content filter
(amavisd-new + SpamAssassin), which means that perl is in heavy use
in a complex situation, involving tainted variables and UTF-8
character strings.

Today one of the forked child processes has crashed (SIGABRT)
due to a failed assertion:

  Assertion failed:
    ((STRLEN)rx->sublen >= (STRLEN)((s - rx->subbeg) + i)),
    function Perl_reg_numbered_buff_fetch,
    file regcomp.c, line 7459.

Perl is built with gcc 4.8.4 20140828 with debugging enabled,
with -fstack-protector-strong and jemalloc memory protections
enabled (MALLOC_CONF="abort:true,junk:true,redzone:true").

The extra safeguards were there just in case - to rule out
some potential cases of memory corruption, although this crash
does not seem to be related to memory corruption.


The coredump shows the following:
  (some names (plain ascii) were replaced by xxx to preserve
   privacy; the number of characters was not changed)


# gdb /usr/local/bin/perl /var/coredumps/perl-97654.core
GNU gdb (GDB) 7.8 [GDB v7.8 for FreeBSD]
Copyright [...]
Reading symbols from /usr/local/bin/perl...done.
[New process 101359]
[New Thread 802006800 (LWP 101359)]
Core was generated by `perl'.
Program terminated with signal SIGABRT, Aborted.
#0  0x000000080171026a in thr_kill () from /lib/libc.so.7

(gdb) bt
#0  0x000000080171026a in thr_kill () from /lib/libc.so.7
#1  0x00000008017d7ac9 in abort () from /lib/libc.so.7
#2  0x00000008017bb0b1 in __assert () from /lib/libc.so.7
#3  0x0000000800940240 in Perl_reg_numbered_buff_fetch (r=0x817a602b8, paren=1, sv=0x8173c1180) at regcomp.c:7459
#4  0x000000080099668a in Perl_magic_get (sv=0x8173c1180, mg=0x8174b2ed0) at mg.c:805
#5  0x00000008009943a6 in Perl_mg_get (sv=0x8173c1180) at mg.c:201
#6  0x0000000800a72e74 in Perl_save_scalar (gv=0x8021cd990) at scope.c:219
#7  0x0000000800967e60 in Perl_save_re_context () at regcomp.c:16475
#8  0x0000000800b2278c in Perl__core_swash_init (pkg=0x800bf9546 "utf8", name=0x800bf94ff "ToCf", listsv=0x800e273e0 <PL_sv_undef>, minbits=4, none=0,
    invlist=0x0, flags_p=0x0) at utf8.c:2583
#9  0x0000000800b20cc2 in Perl_to_utf8_case (
    p=0x80c8a2f7e "\342\200\234Intelligence without ambition is a bird without wings.\342\200\235 -Salvador Dali Save a tree. Please don't print this e-mail unless it's really necessary\n", ustrp=0x7fffffffd070 " \345\235\a\b", lenp=0x7fffffffcaa8, swashp=0x800e27a68 <PL_utf8_tofold>, normal=0x800bf94ff "ToCf",
    special=0x800bf9212 "") at utf8.c:2028
#10 0x0000000800b22024 in Perl__to_utf8_fold_flags (
    p=0x80c8a2f7e "\342\200\234Intelligence without ambition is a bird without wings.\342\200\235 -Salvador Dali Save a tree. Please don't print this e-mail unless it's really necessary\n", ustrp=0x7fffffffd070 " \345\235\a\b", lenp=0x7fffffffcaa8, flags=2 '\002') at utf8.c:2397
#11 0x0000000800b0aa5a in S_regmatch (reginfo=0x7fffffffd350,
    startpos=0x80c8a2f63 "xxxxx.xxxxxxxx@outlook.com \342\200\234Intelligence without ambition is a bird without wings.\342\200\235 -Salvador Dali Save a tree. Please don't print this e-mail unless it's really necessary\n", prog=0x81811d030) at regexec.c:4207
#12 0x0000000800b05846 in S_regtry (reginfo=0x7fffffffd350, startposp=0x7fffffffd1b8) at regexec.c:3200
#13 0x0000000800b051d5 in Perl_regexec_flags (rx=0x817a602b8,
    stringarg=0x80c8a2e00 "-- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Xxxxx Xxxxxxxx University of Ljubljana Faculty of Natural Sciences and Engineering Department of Geology A\302\271ker\303\250eva xx or Xxxxxx xx SI-1000 Ljubljana Slovenia tel.:"...,
    strend=0x80c8a2f70 "k@outlook.com \342\200\234Intelligence without ambition is a bird without wings.\342\200\235 -Salvador Dali Save a tree. Please don't print this e-mail unless it's really necessary\n",
    strbeg=0x80c8a2e00 "-- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Xxxxx Xxxxxxxx University of Ljubljana Faculty of Natural Sciences and Engineering Department of Geology A\302\271ker\303\250eva xx or Xxxxxx xx SI-1000 Ljubljana Slovenia tel.:"..., minend=0, sv=0x8178d82e8, data=0x0, flags=1) at regexec.c:3058
#14 0x00000008009dc8e1 in Perl_pp_subst () at pp_hot.c:2130
#15 0x00000008009801c0 in Perl_runops_debug () at dump.c:2427
#16 0x00000008008938d9 in S_run_body (oldscope=1) at perl.c:2451
#17 0x0000000800892de7 in perl_run (my_perl=0x802020048) at perl.c:2372
#18 0x000000000040100c in main (argc=4, argv=0x7fffffffd858, env=0x7fffffffd880) at perlmain.c:114

This happened during processing of the first MIME part (a rather
short plain text part, ISO-8859-2, 8bit) of an otherwise rather large
mail message with attachment.

The crash occurs within SpamAssassin code (the last debug
log from SpamAssassin was: SA dbg: FreeMail: From address: ...),
although I can't reproduce the failure when spamassassin is
run from a command line - it only happens (reproducibly) when
the SpamAssassin perl module is spawned from amavisd and given
this particular mail message.


[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.20.1:

Configured by mark at Mon Sep  8 18:40:33 CEST 2014.

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
   
  Platform:
    osname=freebsd, osvers=10.0-release-p7, archname=amd64-freebsd
    uname='freebsd dorothy.ijs.si 10.0-release-p7 freebsd 10.0-release-p7 #0: tue jul 8 06:37:44 utc 2014 root@amd64-builder.daemonology.net:usrobjusrsrcsysgeneric amd64 '
    config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.20/mach -Dprivlib=/usr/local/lib/perl5/5.20 -Dman3dir=/usr/local/lib/perl5/5.20/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.20/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.20 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.20/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=gcc48 -Duseshrplib -Dinc_version_list=none -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.20/BSDPAN" -Doptimize=-g -fno-omit-frame-pointer -fstack-protector-strong -DDEBUGGING -Ui_gdbm -Duse64bitint -Dusethreads=n -Dusemymalloc=n'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc48', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.20/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-g -fno-omit-frame-pointer -fstack-protector-strong',
    cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.20/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.8.4 20140828 (prerelease)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc48', ldflags ='-pthread -Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib /usr/local/lib /usr/local/lib/gcc48/gcc/x86_64-portbld-freebsd10.0/4.8.4/include-fixed /usr/lib
    libs=-lgdbm -lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.20/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib -fstack-protector'

Locally applied patches:
    RC2

---
@INC for perl 5.20.1:
    /usr/local/lib/perl5/5.20/BSDPAN
    /usr/local/lib/perl5/site_perl/5.20/mach
    /usr/local/lib/perl5/site_perl/5.20
    /usr/local/lib/perl5/5.20/mach
    /usr/local/lib/perl5/5.20
    .

---
Environment for perl 5.20.1:
    HOME=/root
    LANG (unset)
    LANGUAGE (unset)
    LC_ALL=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/root/bin:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

