develooper Front page | perl.perl5.porters | Postings from December 2017

[perl #132658] m/\p{<NUL>}/ segfaults

From:
Pip Cet
Date:
December 26, 2017 22:08
Subject:
[perl #132658] m/\p{<NUL>}/ segfaults
Message ID:
rt-4.0.24-4698-1514326123-1949.132658-75-0@perl.org
# New Ticket Created by Pip Cet
# Please include the string: [perl #132658]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=132658 >


This is a bug report for perl from pipcet@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.27.7.


-----------------------------------------------------------------
[Please describe your issue here]

There appear to be fuzzing-triggerable crashes in blead. One of them is:

eval "m/\\p{\0}/";

which causes a segfault. (The eval isn't necessary, but I didn't want
to include a literal nul character in this message).

The gdb backtrace is:

Thread 1 "perl" received signal SIGSEGV, Segmentation fault.
Perl__core_swash_init (pkg=<optimized out>, name=<optimized out>,
    listsv=<optimized out>, minbits=<optimized out>, none=<optimized out>,
    invlist=<optimized out>, flags_p=<optimized out>) at utf8.c:4017
4017            && (int) _invlist_len(swash_invlist) > invlist_swash_boundary)
(gdb) bt
#0  Perl__core_swash_init (pkg=<optimized out>, name=<optimized out>,
    listsv=<optimized out>, minbits=<optimized out>, none=<optimized out>,
    invlist=<optimized out>, flags_p=<optimized out>) at utf8.c:4017
#1  0x0000000000782763 in S_regclass (pRExC_state=<optimized out>,
    flagp=<optimized out>, depth=<optimized out>,
    stop_at_1=<optimized out>, allow_multi_folds=<optimized out>,
    silence_non_portable=<optimized out>, strict=<optimized out>,
    optimizable=false, ret_invlist=<optimized out>,
    return_posix_warnings=<optimized out>) at regcomp.c:16414
#2  0x00000000007792aa in S_regatom (pRExC_state=<optimized out>,
    flagp=0x7fffffffdd9c, depth=<optimized out>) at regcomp.c:12960
#3  0x000000000076c70d in S_regpiece (pRExC_state=<optimized out>,
    flagp=<optimized out>, depth=<optimized out>) at regcomp.c:11731
#4  S_regbranch (pRExC_state=0x7fffffffe150, flagp=<optimized out>,
    first=<optimized out>, depth=<optimized out>) at regcomp.c:11656
#5  0x000000000073f8a6 in S_reg (pRExC_state=<optimized out>, paren=1,
    flagp=<optimized out>, depth=<optimized out>) at regcomp.c:11394
#6  0x000000000073614e in Perl_re_op_compile (patternp=<optimized out>,
    pat_count=<optimized out>, expr=<optimized out>, eng=<optimized out>,
    old_re=<optimized out>, is_bare_re=<optimized out>,
    orig_rx_flags=<optimized out>, pm_flags=<optimized out>)
    at regcomp.c:7377
#7  0x000000000064d0f6 in Perl_pmruntime (o=<optimized out>,
    expr=<optimized out>, repl=<optimized out>, flags=<optimized out>,
    floor=<optimized out>) at op.c:6910
#8  0x0000000000725640 in Perl_yyparse (gramtype=<optimized out>)
    at perly.y:1215
#9  0x00000000008a5c11 in S_doeval_compile (gimme=<optimized out>,
    outside=<optimized out>, seq=<optimized out>, hh=<optimized out>)
    at pp_ctl.c:3451
#10 0x00000000008a4cfb in Perl_pp_entereval () at pp_ctl.c:4427
#11 0x00000000007ed1f9 in Perl_runops_standard () at run.c:44
#12 0x0000000000696dc0 in S_run_body (oldscope=<optimized out>)
    at perl.c:2589
#13 perl_run (my_perl=<optimized out>) at perl.c:2518
#14 0x000000000040c256 in main (argc=<optimized out>, argv=<optimized out>,
    env=<optimized out>) at perlmain.c:126

But I don't immediately understand the code in utf8.c.

Is no one running a fuzzer on blead as part of continuous testing?

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.27.7:

Configured by pip at Fri Dec 22 19:24:17 UTC 2017.

Summary of my perl5 (revision 5 version 27 subversion 7) configuration:

  Platform:
    osname=linux
    osvers=4.13.0-1-amd64
    archname=x86_64-linux
    uname='linux 4.13.0-1-amd64 #1 smp debian 4.13.10-1 (2017-10-30)
x86_64 gnulinux '
    config_args='-d -Dusedevel'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='/home/pip/afl-2.52b/afl-clang-fast++'
    ccflags ='-std=c++11 -fwrapv -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include
-I/home/pip/git/sm-emacs/js/src/dist/include -g3 -ggdb
-D_FORTIFY_SOURCE=2'
    optimize='-O2'
    cppflags='-fwrapv -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include
-I/home/pip/git/sm-emacs/js/src/dist/include -g3 -ggdb
-D_FORTIFY_SOURCE=2 -I/usr/local/include -std=c++11 -fwrapv
-fno-strict-aliasing -pipe -fstack-protector-strong
-I/usr/local/include -I/home/pip/git/sm-emacs/js/src/dist/include -g3
-ggdb -D_FORTIFY_SOURCE=2'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 4.0.1 (tags/RELEASE_401/final)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='ld'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libs=-lpthread -pthread -lnsl -ldl -lm -lcrypt -lutil -lc
-L/home/pip/git/sm-emacs/js/src/dist/bin -lmozjs-59a1
-Wl,--whole-archive
/home/pip/git/sm-emacs/js/src/mozglue/build/libmozglue.a
-Wl,--no-whole-archive
    perllibs=-lpthread -pthread -lnsl -ldl -lm -lcrypt -lutil -lc
-L/home/pip/git/sm-emacs/js/src/dist/bin -lmozjs-59a1
-Wl,--whole-archive
/home/pip/git/sm-emacs/js/src/mozglue/build/libmozglue.a
-Wl,--no-whole-archive
    libc=libc-2.25.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.25'
  Dynamic Linking:
    dlsrc=dl_none.xs
    dlext=none
    d_dlsymun=undef
    ccdlflags=''
    cccdlflags=''
    lddlflags=''


---
@INC for perl 5.27.7:
    lib
    /usr/local/lib/perl5/site_perl/5.27.7/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.27.7
    /usr/local/lib/perl5/5.27.7/x86_64-linux
    /usr/local/lib/perl5/5.27.7

---
Environment for perl 5.27.7:
    HOME=/home/pip
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH=/home/pip/git/sm-emacs/js/src/dist/bin
    LOGDIR (unset)
    PATH=/home/pip/.cargo/bin:/home/pip/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/sbin:/usr/sbin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

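The reproducer above is the kind of input that belongs in a regression test, but a segfault in the regex compiler would take the test harness down with it. The following script is an added example, not part of the ticket or of perl's own test suite: it feeds each pattern to a child `perl` over a pipe (so the NUL byte never has to appear on a command line) and classifies whether the child reported a normal compile error or died from a signal. It assumes a POSIX system where `$^X` names the perl under test and SIGSEGV is signal 11.

```perl
#!/usr/bin/perl
# Added regression check for the crash in [perl #132658]; not the ticket's
# own code. Each pattern is compiled inside a separate child perl so that a
# crash in the regex compiler kills the child, not this harness.
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG WIFEXITED WEXITSTATUS);

# Constructed test cases: the reported crasher plus two controls.
my %cases = (
    'p{NUL}'        => "m/\\p{\0}/",         # the reported crasher
    'p{Alpha}'      => "m/\\p{Alpha}/",      # valid property: must compile
    'p{NoSuchProp}' => "m/\\p{NoSuchProp}/", # bad name: clean die expected
);

# Turn the child's wait status into a readable outcome.
sub classify_child {
    my ($status) = @_;
    return 'signal ' . WTERMSIG($status)   if WIFSIGNALED($status);
    return 'exit '   . WEXITSTATUS($status) if WIFEXITED($status);
    return "unknown status $status";
}

# Compile one pattern in a child perl; the pattern travels over STDIN so
# the embedded NUL survives (execve arguments are NUL-terminated).
sub compile_in_child {
    my ($pattern) = @_;
    my $child = 'my $p = do { local $/; <STDIN> }; eval $p; '
              . 'print STDERR $@; exit($@ ? 1 : 0);';
    open(my $to_child, '|-', $^X, '-e', $child)
        or die "cannot start child perl: $!";
    print {$to_child} $pattern;
    close $to_child;    # waits for the child and sets $?
    return classify_child($?);
}

for my $name (sort keys %cases) {
    my $outcome = compile_in_child($cases{$name});
    # A fixed perl turns the NUL case into a compile error (exit 1);
    # an affected blead dies with SIGSEGV (signal 11 on Linux).
    my $verdict = $outcome =~ /^signal/ ? 'CRASH' : 'ok';
    printf "%-14s %-6s %s\n", $name, $verdict, $outcome;
}
```

Only the `p{NUL}` row should ever read `CRASH`; the two controls distinguish a genuine fix from a perl that simply rejects every `\p{}` property.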
