regcomp.c:2837: S_make_trie: Assertion `*uc != LATIN_SMALL_LETTER_SHARP_S' failed. #17486

Closed
dur-randir opened this issue Jan 23, 2020 · 0 comments

@dur-randir

This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.31.6.

[Please describe your issue here]

While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run
under libdislocator, I found the following program

0=~/(?iaa)ss\337(?0)|/

to cause an assertion failure on debugging builds

perl: regcomp.c:2837: S_make_trie: Assertion `*uc != LATIN_SMALL_LETTER_SHARP_S' failed.

GDB stack trace is

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c24535 in __GI_abort () at abort.c:79
#2 0x00007ffff7c2440f in __assert_fail_base (fmt=0x7ffff7d86ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x555555ad8820 "*uc != LATIN_SMALL_LETTER_SHARP_S", file=0x555555ad7fd0 "regcomp.c", line=2837, function=) at assert.c:92
#3 0x00007ffff7c32102 in __GI___assert_fail (assertion=0x555555ad8820 "*uc != LATIN_SMALL_LETTER_SHARP_S", file=0x555555ad7fd0 "regcomp.c", line=2837,
function=0x555555afb2a0 <PRETTY_FUNCTION.21458> "S_make_trie") at assert.c:101
#4 0x0000555555685ed4 in S_make_trie (pRExC_state=0x7fffffffd620, startbranch=0x555555c121ec, first=0x555555c121ec, last=0x555555c1220c,
tail=0x555555c1220c, word_count=2, flags=45, depth=3) at regcomp.c:2837
#5 0x0000555555695962 in S_study_chunk (pRExC_state=0x7fffffffd620, scanp=0x7fffffffce68, minlenp=0x7fffffffd398, deltap=0x7fffffffce88,
last=0x555555c1220c, data=0x7fffffffd1f0, stopparen=0, recursed_depth=1, and_withp=0x0, flags=8192, depth=2) at regcomp.c:5059
#6 0x000055555569480b in S_study_chunk (pRExC_state=0x7fffffffd620, scanp=0x7fffffffd390, minlenp=0x7fffffffd398, deltap=0x7fffffffd3b8,
last=0x555555c12210, data=0x7fffffffd9b0, stopparen=-1, recursed_depth=0, and_withp=0x0, flags=10240, depth=0) at regcomp.c:4696
#7 0x00005555556a61c6 in Perl_re_op_compile (patternp=0x0, pat_count=1, expr=0x555555c10840, eng=0x555555bd8d20 <PL_core_reg_engine>, old_re=0x0,
is_bare_re=0x0, orig_rx_flags=0, pm_flags=0) at regcomp.c:8253
#8 0x00005555555bd043 in Perl_pmruntime (o=0x555555c10878, expr=0x555555c10840, repl=0x0, flags=1, floor=0) at op.c:8168
#9 0x0000555555672b09 in Perl_yyparse (gramtype=258) at perly.y:1260
#10 0x00005555555f0088 in S_parse_body (env=0x0, xsinit=0x5555555a120f <xs_init>) at perl.c:2601
#11 0x00005555555ee34c in perl_parse (my_perl=0x555555be3260, xsinit=0x5555555a120f <xs_init>, argc=3, argv=0x7fffffffe1b8, env=0x0) at perl.c:1892
#12 0x00005555555a114d in main (argc=3, argv=0x7fffffffe1b8, env=0x7fffffffe1d8) at perlmain.c:132

This is a regression between 5.18 and 5.20, bisect points to

098b07d5cb1d6aa13b81a0f43ea5e151829ad26c is the first bad commit
commit 098b07d5cb1d6aa13b81a0f43ea5e151829ad26c
Author: Karl Williamson <public@khwilliamson.com>
Date:   Tue Aug 20 21:51:23 2013 -0600

    Allow trie use for /iaa matching

    This adds code so that tries can be formed under /iaa, which formerly
    weren't handled.  A problem occurs when the string contains the LATIN
    SMALL LETTER SHARP S when the regex pattern is not UTF-8 encoded.  I
    tried several ways to get this to work easily, but ended up deciding it
    was too hard, to in this one situation, a new regnode is created to
    prevent the trie code from even trying to turn it into a trie.

[Please do not change anything below this line]
Flags:
category=core
severity=medium
Site configuration information for perl 5.31.6:

Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.

Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
Commit id: 1462134
Platform:
osname=darwin
osvers=13.4.0
archname=darwin-2level
uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
config_args='-de -Dusedevel -DDEBUGGING'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
optimize='-O3 -g'
cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
ccversion=''
gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
perllibs=-lpthread -ldl -lm -lutil -lc
libc=
so=dylib
useshrplib=false
libperl=libperl.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=bundle
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'

@inc for perl 5.31.6:
lib
/usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
/usr/local/lib/perl5/site_perl/5.31.6
/usr/local/lib/perl5/5.31.6/darwin-2level
/usr/local/lib/perl5/5.31.6

Environment for perl 5.31.6:
DYLD_LIBRARY_PATH (unset)
HOME=/Users/dur-randir
LANG=en_US.UTF-8
LANGUAGE (unset)
LC_CTYPE=en_US.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
PERLBREW_HOME=/Users/dur-randir/.perlbrew
PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
PERLBREW_PERL=perl-5.26.0
PERLBREW_ROOT=/Users/dur-randir/perlbrew
PERLBREW_SHELLRC_VERSION=0.86
PERLBREW_VERSION=0.86
PERL_BADLANG (unset)
SHELL=/opt/local/bin/zsh

khwilliamson added this to the 5.32.0 milestone Mar 20, 2020
khwilliamson added a commit that referenced this issue Apr 2, 2020
Having both ss and \xdf in a string caused the node type to be changed
back to a wrong one.

This fixes #17486
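
A regression check for the reproducer in this report, as an added example that is not part of the original report or of the perl source tree: it runs the reported pattern in a child interpreter, classifies the wait status, and records whether the build has -DDEBUGGING, since the report says the assertion fires on debugging builds. The helper names and the command-line usage are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the report or the perl test suite).
use strict;
use warnings;
use POSIX qw(SIGABRT);

# Reproducer exactly as given in the report; \337 is octal for 0xDF (sharp s).
my $REPRO = '0=~/(?iaa)ss\337(?0)|/';

# Turn a raw wait status ($?) into a label.
sub classify_status {
    my ($status) = @_;
    return 'could-not-run' if $status == -1;
    my $sig = $status & 127;
    return 'assertion-abort'       if $sig == SIGABRT;
    return "killed-by-signal-$sig" if $sig;
    my $exit = $status >> 8;
    return $exit == 0 ? 'ok' : "exit-$exit";
}

# The assertion only exists in -DDEBUGGING builds, so record the build type.
sub is_debugging_build {
    my ($perl) = @_;
    open(my $fh, '-|', $perl, '-MConfig', '-e', 'print $Config{ccflags}')
        or return 0;
    my $ccflags = do { local $/; <$fh> } // '';
    close $fh;
    return $ccflags =~ /-DDEBUGGING\b/ ? 1 : 0;
}

# Run the reproducer in a child interpreter so an abort() cannot kill this script.
sub check_perl {
    my ($perl) = @_;
    system($perl, '-e', $REPRO);   # list form: no shell involved
    return classify_status($?);
}

# Usage (assumed): perl check.pl /path/to/perl [...]; defaults to the running perl.
my $failed = 0;
for my $perl (@ARGV ? @ARGV : ($^X)) {
    my $debug  = is_debugging_build($perl) ? 'DEBUGGING' : 'non-debugging';
    my $result = check_perl($perl);
    $failed++ if $result ne 'ok';
    print "$perl ($debug build): $result\n";
    print "  note: 'ok' on a non-debugging build does not show the fix is present\n"
        if $result eq 'ok' && $debug ne 'DEBUGGING';
}
exit($failed ? 1 : 0);
```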