regexec.c - incredibly inefficient solution to backref problem

Backrefs to unclosed parens inside of a quantified group were not being
properly handled, which revealed we are not unrolling the paren state properly
on failure and backtracking.

Much of the code assumes that when we execute a "conditional" operation (where
more than one thing could match) that we need not concern ourself with the
paren state unless the conditional operation itself represents a paren, and
that generally opcodes only needed to concern themselves with parens to their
right. When you exclude backrefs from the equation this is broadly reasonable
(i think), as on failure we typically dont care about the state of the paren
buffers. They either get reset as we find a new different accepting pathway,
or their state is irrelevant if the overal match is rejected (eg it fails).

However backreferences are different. Consider the following pattern
from the tests

    "xa=xaaa" =~ /^(xa|=?\1a){2}\z/

in the first iteration through this the first branch matches, and in fact
because the \1 is in the second branch it can't match on the first iteration
at all. After this $1 = "xa". We then perform the second iteration. "xa" does
not match "=xaaa" so we fall to the second branch. The '=?' matches, but sets
up a backtracking action to not match if the rest of the pattern does not
match. \1 matches 'xa', and then the 'a' matches, leaving an unmatched 'a' in
the string, we exit the quantifier loop with $1 = "=xaa" and match \z against
the remaining "a" in the pattern, and fail.

Here is where things go wrong in the old code, we unwind to the outer loop,
but we do not unwind the paren state. We then unwind further into the 2nds
iteration of the loop, to the '=?' where we then try to match the tail with
the quantifier matching the empty string. We then match the old $1 (which was
not unwound) as "=xaa", and then the "a" matches, and we are the end of the
string and we have incorrectly accpeted this string as matching the pattern.

What should have happend was when the \1 was resolved the second time it
should have returned the same string as it did when the =? matched '=', which
then would have resulted in the tail matching again, and etc, eventually
unwinding the entire pattern when the second iteration failed entirely.

This patch is very crude. It simple pushes the state of the parens and creates
and unwind point for every case where we do a transition to a B or _next
operation, and we make the corresponding _next_fail do the appropriate
unwinding. The objective was to achieve correctness and then work towards
making it more efficient. We almost certainly overstore items on the stack.

In a future patch we can perhaps keep track of the unclosed parens before the
relevant operators and make sure that they are properly pushed and unwound at
the correct times.

Author: demerphq

regexec.c

@@ -290,6 +290,13 @@ S_regcppush(pTHX_ const regexp *rex, I32 parenfloor, U32 maxopenparen _pDEPTH)
     SSPUSHINT(rex->lastcloseparen);
     SSPUSHUV(SAVEt_REGCONTEXT | elems_shifted); /* Magic cookie. */
 
+
+    DEBUG_BUFFERS_r({
+        Perl_re_exec_indentf(aTHX_
+                "finished regcppush returning %" IVdf " cur: %" IVdf "\n",
+                depth, retval, PL_savestack_ix);
+    });
+
     return retval;
 }
 
@@ -421,6 +428,13 @@ S_regcppop(pTHX_ regexp *rex, U32 *maxopenparen_p _pDEPTH)
 
     PERL_ARGS_ASSERT_REGCPPOP;
 
+
+    DEBUG_BUFFERS_r({
+        Perl_re_exec_indentf(aTHX_
+                "starting regcppop at %" IVdf "\n",
+                depth, PL_savestack_ix);
+    });
+
     /* Pop REGCP_OTHER_ELEMS before the parentheses loop starts. */
     i = SSPOPUV;
     assert((i & SAVE_MASK) == SAVEt_REGCONTEXT); /* Check that the magic cookie is there. */
@@ -496,6 +510,11 @@ S_regcppop(pTHX_ regexp *rex, U32 *maxopenparen_p _pDEPTH)
         ));
     }
 #endif
+    DEBUG_BUFFERS_r({
+        Perl_re_exec_indentf(aTHX_
+                "finished regcppop at %" IVdf "\n",
+                depth, PL_savestack_ix);
+    });
 }
 
 /* restore the parens and associated vars at savestack position ix,
@@ -6865,6 +6884,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
         case TRIE_next_fail: /* we failed - try next alternative */
         {
             U8 *uc;
+            REGCP_UNWIND(ST.lastcp);
+            regcppop(rex,&maxopenparen);
             if ( ST.jump ) {
                 /* undo any captures done in the tail part of a branch,
                  * e.g.
@@ -6987,6 +7008,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
             });
 
             if ( ST.accepted > 1 || has_cutgroup || ST.jump ) {
+                (void)regcppush(rex, 0, maxopenparen);
+                REGCP_SET(ST.lastcp);
                 PUSH_STATE_GOTO(TRIE_next, scan, (char*)uc, loceol,
                                 script_run_begin);
                 NOT_REACHED; /* NOTREACHED */
@@ -9068,6 +9091,8 @@ NULL
             ST.lastcloseparen = rex->lastcloseparen;
             ST.next_branch = next;
             REGCP_SET(ST.cp);
+            regcppush(rex, 0, maxopenparen);
+            REGCP_SET(ST.lastcp);
 
             /* Now go into the branch */
             if (has_cutgroup) {
@@ -9104,6 +9129,8 @@ NULL
                 do_cutgroup = 0;
                 no_final = 0;
             }
+            REGCP_UNWIND(ST.lastcp);
+            regcppop(rex,&maxopenparen);
             REGCP_UNWIND(ST.cp);
             UNWIND_PAREN(ST.lastparen, ST.lastcloseparen);
             CAPTURE_CLEAR(ST.before_paren+1,ST.after_paren,"BRANCH_next_fail");
@@ -9468,7 +9495,8 @@ NULL
 
         case CURLY_B_min_fail:
             /* failed to find B in a non-greedy match. */
-
+            REGCP_UNWIND(ST.lastcp);
+            regcppop(rex, &maxopenparen); /* Restore some previous $<digit>s? */
             REGCP_UNWIND(ST.cp);
             if (ST.paren) {
                 UNWIND_PAREN(ST.lastparen, ST.lastcloseparen);
@@ -9581,6 +9609,8 @@ NULL
             }
 
           curly_try_B_min:
+            (void)regcppush(rex, 0, maxopenparen);
+            REGCP_SET(ST.lastcp);
             CURLY_SETPAREN(ST.paren, ST.count);
             PUSH_STATE_GOTO(CURLY_B_min, ST.B, locinput, loceol,
                             script_run_begin);
@@ -9594,16 +9624,22 @@ NULL
                     &&  locinput + ST.Binfo.min_length <= loceol
                     &&  S_test_EXACTISH_ST(locinput, ST.Binfo)))
             {
+                (void)regcppush(rex, 0, maxopenparen);
+                REGCP_SET(ST.lastcp);
                 CURLY_SETPAREN(ST.paren, ST.count);
                 PUSH_STATE_GOTO(CURLY_B_max, ST.B, locinput, loceol,
                                 script_run_begin);
                 NOT_REACHED; /* NOTREACHED */
             }
-            /* FALLTHROUGH */
+            goto CURLY_B_all_failed;
+            NOT_REACHED; /* NOTREACHED */
 
         case CURLY_B_max_fail:
             /* failed to find B in a greedy match */
 
+            REGCP_UNWIND(ST.lastcp);
+            regcppop(rex, &maxopenparen); /* Restore some previous $<digit>s? */
+          CURLY_B_all_failed:
             REGCP_UNWIND(ST.cp);
             if (ST.paren) {
                 UNWIND_PAREN(ST.lastparen, ST.lastcloseparen);

regexp.h

@@ -840,6 +840,7 @@ typedef struct regmatch_state {
             U32 lastparen;
             U32 lastcloseparen;
             CHECKPOINT cp;
+            CHECKPOINT lastcp;
             U16 before_paren;
             U16 after_paren;
 
@@ -851,6 +852,7 @@ typedef struct regmatch_state {
             U32 lastparen;
             U32 lastcloseparen;
             CHECKPOINT cp;
+            CHECKPOINT lastcp;
             U16 before_paren;
             U16 after_paren;
 
@@ -863,6 +865,7 @@ typedef struct regmatch_state {
             U32 lastparen;
             U32 lastcloseparen;
             CHECKPOINT cp;
+            CHECKPOINT lastcp;
             U16 before_paren;
             U16 after_paren;
 
@@ -926,6 +929,7 @@ typedef struct regmatch_state {
             regnode	*me;	/* the CURLYX node  */
             regnode	*B;	/* the B node in /A*B/  */
             CHECKPOINT	cp;	/* remember current savestack index */
+            CHECKPOINT	lastcp;	/* remember current savestack index */
             bool	minmod;
             int		parenfloor;/* how far back to strip paren data */
 
@@ -949,6 +953,7 @@ typedef struct regmatch_state {
             /* this first element must match u.yes */
             struct regmatch_state *prev_yes_state;
             CHECKPOINT cp;
+            CHECKPOINT	lastcp;	/* remember current savestack index */
             U32 lastparen;
             U32 lastcloseparen;
             I32 alen;		/* length of first-matched A string */
@@ -962,6 +967,7 @@ typedef struct regmatch_state {
         struct {
             U32 paren;
             CHECKPOINT cp;
+            CHECKPOINT	lastcp;	/* remember current savestack index */
             U32 lastparen;
             U32 lastcloseparen;
             char *maxpos;	/* highest possible point in string to match */

t/re/re_tests

@@ -2132,6 +2132,22 @@ AB\s+\x{100}	AB \x{100}X	y	-	-
 /(([ab]+)|([cd]+)|([ef]+))+/	acebd	y	$1-$2-$3-$4=$&	d--d-=acebd
 /(([ab]+)|([cd]+)|([ef]+))+/	acebdf	y	$1-$2-$3-$4=$&	f---f=acebdf
 /((a)(b)(c)|(a)(b)|(a))+/	abcaba	y	$1+$2-$3-$4+$5-$6+$7=$&	a+--+-+a=abcaba
+
+/^(xa|=?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:=|zzzz|)\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:=|zzzz)?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|[Z=]?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|([Z=])?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|([Z=]|zzzz)?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(=|)\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:[Z=])?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:[Z=]|zzzz)?\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:=|)\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|=*\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|[Z=]*\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:[Z=])*\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+/^(xa|(?:[Z=]|zzzz)*\1a){2}$/	xa=xaaa	n	-	-	# GH 10073 - RT72020
+
 # Keep these lines at the end of the file
 # pat	string	y/n/etc	expr	expected-expr	skip-reason	comment
 # vim: softtabstop=0 noexpandtab