/(?[\ &!])/ segfaults

[p5pRT]

Migrated from rt.perl.org#126180 (status was 'resolved')

Searchable as RT126180$

[p5pRT]

From victor@drawall.cc

Created by @Grimy

How to reproduce
----------------

perl5.23.4 -e '/(?[\ &!])/'

Using any of [+-|^] instead of & yields the same results.

Expected behavior
-----------------

Perl should die with the following diagnostics​:

The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.”
Incomplete expression within '(?[ ])' in regex; marked by <-- HERE in m/(?[\ &! <-- HERE ])/ at -e line 1.”

(This was the behavior in perl5.20.2)

Actual behavior
---------------

Perl is forcefully terminated by a SIGSEGV signal.
The actual output is shell-dependant; example output with bash​:

The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.
Segmentation fault (core dumped)

gdb gives the following backtrace​:
#0 0x000000000046face in Perl__invlist_intersection_maybe_complement_2nd ()
#1 0x0000000000478ee6 in S_handle_regex_sets ()
#2 0x0000000000473090 in S_reg ()
#3 0x0000000000479fcd in S_regatom ()
#4 0x000000000047c537 in S_regbranch ()
#5 0x00000000004720ab in S_reg ()
#6 0x00000000004866e1 in Perl_re_op_compile ()
#7 0x00000000004366e8 in Perl_pmruntime ()
#8 0x0000000000466ced in Perl_yyparse ()
#9 0x0000000000441377 in perl_parse ()
#10 0x000000000041fc10 in main ()

Affected versions
-----------------

Current blead (2d9b5f1) is affected.
perl5.22.0 is affected
perl5.20.2 is NOT affected

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.23.4:

Configured by grimy at Tue Sep 22 21:18:14 CEST 2015.

Summary of my perl5 (revision 5 version 23 subversion 4) configuration:
  Commit id: 2d9b5f101563ac9fee41e6ca496f79db6222d2e3
  Platform:
    osname=linux, osvers=4.0.7-2-arch, archname=x86_64-linux
    uname='linux localhost 4.0.7-2-arch #1 smp preempt tue jun 30
07:50:21 utc 2015 x86_64 gnulinux '
    config_args='-ds -e -Dusedevel'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-fwrapv -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='5.1.0', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8,
byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define,
longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib
/usr/lib/gcc/x86_64-unknown-linux-gnu/5.1.0/include-fixed /usr/lib
/lib/../lib /usr/lib/../lib /lib /lib64 /usr/lib64
    libs=-lpthread -lnsl -lnm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
-lgdbm_compat
    perllibs=-lpthread -lnsl -lnm -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.21.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.21'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib
-fstack-protector-strong'



@INC for perl 5.23.4:
    /usr/local/lib/perl5/site_perl/5.23.4/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.23.4
    /usr/local/lib/perl5/5.23.4/x86_64-linux
    /usr/local/lib/perl5/5.23.4
    /usr/local/lib/perl5/site_perl
    .


Environment for perl 5.23.4:
    HOME=/home/grimy
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/grimy/bin:/home/grimy/.nvim/scripts:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/opt/plan9/bin
    PERL_BADLANG (unset)
    SHELL (unset)

[p5pRT]

From @dcollinsn

A -DDEBUGGING build of blead reports​:

dcollins@​nightshade​:~/perl$ ./miniperl -e '/(?[\ &!])/'
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.
miniperl​: regcomp.c​:13900​: S_handle_regex_sets​: Assertion `(! ((rhs)->sv_flags & 0x00000100))' failed.
Aborted

Also valgrind on the segfaulting (not debugging) version​:

dcollins@​nightshade​:~/perl$ valgrind --track-origins=yes ./perl -e '/(?[\ &!])/'
==12825== Memcheck, a memory error detector
==12825== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==12825== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==12825== Command​: ./perl -e /(?[\\\ &!])/
==12825==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.
==12825== Conditional jump or move depends on uninitialised value(s)
==12825== at 0x82188B7​: Perl__invlist_intersection_maybe_complement_2nd (regcomp.c​:8847)
==12825== by 0x823CCA5​: S_handle_regex_sets (regcomp.c​:13914)
==12825== by 0x82577F3​: S_reg (regcomp.c​:10491)
==12825== by 0x824103A​: S_regatom (regcomp.c​:11806)
==12825== by 0x824103A​: S_regpiece (regcomp.c​:10876)
==12825== by 0x8251A93​: S_regbranch (regcomp.c​:10801)
==12825== by 0x8260D2E​: S_reg.constprop.25 (regcomp.c​:10547)
==12825== by 0x8281B94​: Perl_re_op_compile (regcomp.c​:6945)
==12825== by 0x80E3251​: Perl_pmruntime (op.c​:5579)
==12825== by 0x81CE7A5​: Perl_yyparse (perly.y​:1038)
==12825== by 0x81140F7​: S_parse_body (perl.c​:2304)
==12825== by 0x81140F7​: perl_parse (perl.c​:1634)
==12825== by 0x8068741​: main (perlmain.c​:114)
==12825== Uninitialised value was created by a heap allocation
==12825== at 0x402A0DE​: malloc (vg_replace_malloc.c​:296)
==12825== by 0x82B3ED3​: Perl_safesysmalloc (util.c​:153)
==12825== by 0x83B425C​: S_more_sv (sv.c​:304)
==12825== by 0x83B425C​: Perl_newSV_type (sv.c​:9471)
==12825== by 0x80DBA89​: Perl_newXS_len_flags (op.c​:8951)
==12825== by 0x80F71F7​: Perl_newCONSTSUB_flags (op.c​:8855)
==12825== by 0x80F71F7​: Perl_newCONSTSUB (op.c​:8797)
==12825== by 0x8626398​: Perl_boot_core_UNIVERSAL (universal.c​:1111)
==12825== by 0x811375F​: S_parse_body (perl.c​:2205)
==12825== by 0x811375F​: perl_parse (perl.c​:1634)
==12825== by 0x8068741​: main (perlmain.c​:114)
==12825==
==12825==
==12825== HEAP SUMMARY​:
==12825== in use at exit​: 89,121 bytes in 564 blocks
==12825== total heap usage​: 750 allocs, 186 frees, 112,100 bytes allocated
==12825==
==12825== LEAK SUMMARY​:
==12825== definitely lost​: 0 bytes in 0 blocks
==12825== indirectly lost​: 0 bytes in 0 blocks
==12825== possibly lost​: 0 bytes in 0 blocks
==12825== still reachable​: 89,121 bytes in 564 blocks
==12825== suppressed​: 0 bytes in 0 blocks
==12825== Rerun with --leak-check=full to see details of leaked memory
==12825==
==12825== For counts of detected and suppressed errors, rerun with​: -v
==12825== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)

dcollins@​nightshade​:~/perl$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: e120c24
  Platform​:
  osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
  uname='linux nightshade 2.6.32-5-686 #1 smp tue may 13 16​:33​:32 utc 2014 i686 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=undef, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
  ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/i686-pc-linux-gnu/5.2.0/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_INT
  USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME
  USE_LONG_DOUBLE USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 25 2015 09​:13​:06
  @​INC​:
  lib
  /usr/local/perl-afl/lib/site_perl/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/5.23.4
  /usr/local/perl-afl/lib/site_perl/5.23.3
  /usr/local/perl-afl/lib/site_perl/5.23.2
  /usr/local/perl-afl/lib/site_perl
  .

[p5pRT]

From [Unknown Contact. See original ticket]

A -DDEBUGGING build of blead reports​:

dcollins@​nightshade​:~/perl$ ./miniperl -e '/(?[\ &!])/'
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.
miniperl​: regcomp.c​:13900​: S_handle_regex_sets​: Assertion `(! ((rhs)->sv_flags & 0x00000100))' failed.
Aborted

Also valgrind on the segfaulting (not debugging) version​:

dcollins@​nightshade​:~/perl$ valgrind --track-origins=yes ./perl -e '/(?[\ &!])/'
==12825== Memcheck, a memory error detector
==12825== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==12825== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==12825== Command​: ./perl -e /(?[\\\ &!])/
==12825==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE \ &!])/ at -e line 1.
==12825== Conditional jump or move depends on uninitialised value(s)
==12825== at 0x82188B7​: Perl__invlist_intersection_maybe_complement_2nd (regcomp.c​:8847)
==12825== by 0x823CCA5​: S_handle_regex_sets (regcomp.c​:13914)
==12825== by 0x82577F3​: S_reg (regcomp.c​:10491)
==12825== by 0x824103A​: S_regatom (regcomp.c​:11806)
==12825== by 0x824103A​: S_regpiece (regcomp.c​:10876)
==12825== by 0x8251A93​: S_regbranch (regcomp.c​:10801)
==12825== by 0x8260D2E​: S_reg.constprop.25 (regcomp.c​:10547)
==12825== by 0x8281B94​: Perl_re_op_compile (regcomp.c​:6945)
==12825== by 0x80E3251​: Perl_pmruntime (op.c​:5579)
==12825== by 0x81CE7A5​: Perl_yyparse (perly.y​:1038)
==12825== by 0x81140F7​: S_parse_body (perl.c​:2304)
==12825== by 0x81140F7​: perl_parse (perl.c​:1634)
==12825== by 0x8068741​: main (perlmain.c​:114)
==12825== Uninitialised value was created by a heap allocation
==12825== at 0x402A0DE​: malloc (vg_replace_malloc.c​:296)
==12825== by 0x82B3ED3​: Perl_safesysmalloc (util.c​:153)
==12825== by 0x83B425C​: S_more_sv (sv.c​:304)
==12825== by 0x83B425C​: Perl_newSV_type (sv.c​:9471)
==12825== by 0x80DBA89​: Perl_newXS_len_flags (op.c​:8951)
==12825== by 0x80F71F7​: Perl_newCONSTSUB_flags (op.c​:8855)
==12825== by 0x80F71F7​: Perl_newCONSTSUB (op.c​:8797)
==12825== by 0x8626398​: Perl_boot_core_UNIVERSAL (universal.c​:1111)
==12825== by 0x811375F​: S_parse_body (perl.c​:2205)
==12825== by 0x811375F​: perl_parse (perl.c​:1634)
==12825== by 0x8068741​: main (perlmain.c​:114)
==12825==
==12825==
==12825== HEAP SUMMARY​:
==12825== in use at exit​: 89,121 bytes in 564 blocks
==12825== total heap usage​: 750 allocs, 186 frees, 112,100 bytes allocated
==12825==
==12825== LEAK SUMMARY​:
==12825== definitely lost​: 0 bytes in 0 blocks
==12825== indirectly lost​: 0 bytes in 0 blocks
==12825== possibly lost​: 0 bytes in 0 blocks
==12825== still reachable​: 89,121 bytes in 564 blocks
==12825== suppressed​: 0 bytes in 0 blocks
==12825== Rerun with --leak-check=full to see details of leaked memory
==12825==
==12825== For counts of detected and suppressed errors, rerun with​: -v
==12825== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)

dcollins@​nightshade​:~/perl$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: e120c24
  Platform​:
  osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
  uname='linux nightshade 2.6.32-5-686 #1 smp tue may 13 16​:33​:32 utc 2014 i686 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=undef, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
  ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/i686-pc-linux-gnu/5.2.0/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_INT
  USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME
  USE_LONG_DOUBLE USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 25 2015 09​:13​:06
  @​INC​:
  lib
  /usr/local/perl-afl/lib/site_perl/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/5.23.4
  /usr/local/perl-afl/lib/site_perl/5.23.3
  /usr/local/perl-afl/lib/site_perl/5.23.2
  /usr/local/perl-afl/lib/site_perl
  .

[p5pRT]

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the 11-character file​:

/(?[()-!])/

This segfaults even in perls that have the patch for the very similar bug [perl #125805], which documents a segfault on the 12-character file 00./(?[()])/

The present bug also occurs in a different function and with a different valgrind signature than the remarkably similar [perl #126180], which documents a segfault on the 11-character file /(?[\ &!])/

**GDB**

dcollins@​nightshade64​:/usr/local/perl-afl/out$ gdb --args ../bin/perl -e '/(?[()-!])/'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../bin/perl...done.
(gdb) run
Starting program​: /usr/local/perl-afl/bin/perl -e /\(\?\[\(\)-\!\]\)/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()-!])/ at -e line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000610f43 in S__invlist_len (invlist=0xe63ee0 <PL_sv_undef>)
  at invlist_inline.h​:42
42 return (SvCUR(invlist) == 0)
(gdb) bt
#0 0x0000000000610f43 in S__invlist_len (invlist=0xe63ee0 <PL_sv_undef>)
  at invlist_inline.h​:42
#1 Perl__invlist_intersection_maybe_complement_2nd (a=0xe63ee0 <PL_sv_undef>,
  b=0xe7bff8, complement_b=true, i=0x7fffffffd650) at regcomp.c​:8846
#2 0x0000000000636c46 in S_handle_regex_sets (pRExC_state=0x7fffffffdb80,
  return_invlist=0xe7bff8, flagp=0x1, depth=4294956624,
  oregcomp_parse=0xe88890 "\340\277", <incomplete sequence \347>)
  at regcomp.c​:13914
#3 0x0000000000655482 in S_reg (pRExC_state=0x7fffffffdb80, paren=15187960,
  flagp=0x7fffffffd7a4, depth=4294956624) at regcomp.c​:10491
#4 0x0000000000639edd in S_regatom (pRExC_state=0x7fffffffdb80,
  flagp=0x7fffffffd8d4, depth=4) at regcomp.c​:11806
#5 0x0000000000646fb1 in S_regpiece (pRExC_state=0x7fffffffdb80,
  flagp=0x7fffffffd944, depth=1, depth@​entry=3) at regcomp.c​:10876
#6 0x000000000064cfee in S_regbranch (pRExC_state=0x7fffffffdb80,
  flagp=0x7fffffffd994, first=<optimized out>, depth=2) at regcomp.c​:10801
#7 0x0000000000660066 in S_reg (pRExC_state=0x7fffffffdb80,
  pRExC_state@​entry=0x7fffffffdb70, flagp=0x7fffffffda64,
  flagp@​entry=0x7fffffffda54, depth=1, paren=0) at regcomp.c​:10547
#8 0x0000000000684a17 in Perl_re_op_compile (patternp=<optimized out>,
  pat_count=<optimized out>, expr=<optimized out>, eng=<optimized out>,
  old_re=<optimized out>, is_bare_re=<optimized out>,
  orig_rx_flags=<optimized out>, pm_flags=0) at regcomp.c​:6945
#9 0x00000000004b5a57 in Perl_pmruntime (o=0xe856c8, expr=0xe85688, repl=0x0,
---Type <return> to continue, or q <return> to quit---
  isreg=80, floor=6815536) at op.c​:5579
#10 0x00000000005bf316 in Perl_yyparse (gramtype=15221488) at perly.y​:1038
#11 0x00000000004ec861 in S_parse_body (xsinit=0x426330 <xs_init>, env=0x0)
  at perl.c​:2304
#12 perl_parse (my_perl=<optimized out>, xsinit=xsinit@​entry=0x426330 <xs_init>,
  argc=<optimized out>, argv=<optimized out>, env=env@​entry=0x0) at perl.c​:1634
#13 0x0000000000425f58 in main (argc=3, argv=0x7fffffffe338, env=0x7fffffffe358)
  at perlmain.c​:114
(gdb) q
A debugging session is active.

  Inferior 1 [process 60040] will be killed.

Quit anyway? (y or n) y

**VALGRIND**

dcollins@​nightshade64​:/usr/local/perl-afl/out$ valgrind ../bin/perl -e '/(?[()-!])/'
==10431== Memcheck, a memory error detector
==10431== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10431== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10431== Command​: ../bin/perl -e /(?[()-!])/
==10431==
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE ()-!])/ at -e line 1.
==10431== Invalid read of size 8
==10431== at 0x610F43​: S__invlist_len (invlist_inline.h​:42)
==10431== by 0x610F43​: Perl__invlist_intersection_maybe_complement_2nd (regcomp.c​:8846)
==10431== by 0x636C45​: S_handle_regex_sets (regcomp.c​:13914)
==10431== by 0x655481​: S_reg (regcomp.c​:10491)
==10431== by 0x639EDC​: S_regatom (regcomp.c​:11806)
==10431== by 0x646FB0​: S_regpiece (regcomp.c​:10876)
==10431== by 0x64CFED​: S_regbranch (regcomp.c​:10801)
==10431== by 0x660065​: S_reg.constprop.25 (regcomp.c​:10547)
==10431== by 0x684A16​: Perl_re_op_compile (regcomp.c​:6945)
==10431== by 0x4B5A56​: Perl_pmruntime (op.c​:5579)
==10431== by 0x5BF315​: Perl_yyparse (perly.y​:1038)
==10431== by 0x4EC860​: S_parse_body (perl.c​:2304)
==10431== by 0x4EC860​: perl_parse (perl.c​:1634)
==10431== by 0x425F57​: main (perlmain.c​:114)
==10431== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==10431==
==10431==
==10431== Process terminating with default action of signal 11 (SIGSEGV)
==10431== Access not within mapped region at address 0x10
==10431== at 0x610F43​: S__invlist_len (invlist_inline.h​:42)
==10431== by 0x610F43​: Perl__invlist_intersection_maybe_complement_2nd (regcomp.c​:8846)
==10431== by 0x636C45​: S_handle_regex_sets (regcomp.c​:13914)
==10431== by 0x655481​: S_reg (regcomp.c​:10491)
==10431== by 0x639EDC​: S_regatom (regcomp.c​:11806)
==10431== by 0x646FB0​: S_regpiece (regcomp.c​:10876)
==10431== by 0x64CFED​: S_regbranch (regcomp.c​:10801)
==10431== by 0x660065​: S_reg.constprop.25 (regcomp.c​:10547)
==10431== by 0x684A16​: Perl_re_op_compile (regcomp.c​:6945)
==10431== by 0x4B5A56​: Perl_pmruntime (op.c​:5579)
==10431== by 0x5BF315​: Perl_yyparse (perly.y​:1038)
==10431== by 0x4EC860​: S_parse_body (perl.c​:2304)
==10431== by 0x4EC860​: perl_parse (perl.c​:1634)
==10431== by 0x425F57​: main (perlmain.c​:114)
==10431== If you believe this happened as a result of a stack
==10431== overflow in your program's main thread (unlikely but
==10431== possible), you can try to increase the size of the
==10431== main thread stack using the --main-stacksize= flag.
==10431== The main thread stack size used in this run was 8388608.
==10431==
==10431== HEAP SUMMARY​:
==10431== in use at exit​: 130,698 bytes in 645 blocks
==10431== total heap usage​: 732 allocs, 87 frees, 139,244 bytes allocated
==10431==
==10431== LEAK SUMMARY​:
==10431== definitely lost​: 320 bytes in 1 blocks
==10431== indirectly lost​: 2,610 bytes in 38 blocks
==10431== possibly lost​: 16 bytes in 1 blocks
==10431== still reachable​: 127,752 bytes in 605 blocks
==10431== suppressed​: 0 bytes in 0 blocks
==10431== Rerun with --leak-check=full to see details of leaked memory
==10431==
==10431== For counts of detected and suppressed errors, rerun with​: -v
==10431== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@​nightshade64​:/usr/local/perl-afl/out$ ../bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 7290064
  Platform​:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='4.9.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 26 2015 14​:13​:20
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.4
  .

[p5pRT]

@khwilliamson - Status changed from 'new' to 'open'

[p5pRT]

From @khwilliamson

Thanks for your report on this regression.

Now fixed by 5a55ed3
--
Karl Williamson

[p5pRT]

@khwilliamson - Status changed from 'open' to 'pending release'

[p5pRT]

From @dcollinsn

This appears to have been fixed in blead, please close.

[p5pRT]

From @khwilliamson

On 10/19/2015 02​:29 PM, Dan Collins via RT wrote​:

This appears to have been fixed in blead, please close.

---
via perlbug​: queue​: perl5 status​: new
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126204

I merged this with #126180, whose fix fixed this one as well. But I
added a test to the suite for the case in this ticket as well
5982ac9

[p5pRT]

@mauke - Status changed from 'pending release' to 'resolved'