t/1-basic.t segfaults randomly if PCRE2 is compiled with --enable-jit-sealloc #29

Open
ppisar opened this Issue Aug 2, 2017 · 2 comments

ppisar commented Aug 2, 2017

I have PCRE2 10.30-RC1 built with the --enable-jit-sealloc option. This option enables an alternative JIT memory allocator based on mmapped temporary files. Running t/1-basic.t against such a PCRE2 usually results in a segfault:

#0  0xb7f336fb in sljit_free_exec (ptr=0xb775fca0)
    at src/sljit/sljitProtExecAllocator.c:367
#1  0xb7f33b0d in sljit_free_code (code=0xb775fca0) at src/sljit/sljitLir.c:486
#2  0xb7f5973c in _pcre2_jit_free_8 (executable_jit=0x80030540, memctl=0x80293b90)
    at src/pcre2_jit_misc.c:92
#3  0xb7f199f8 in pcre2_code_free_8 (code=0x80293b90) at src/pcre2_compile.c:1183
#4  0xb7771609 in PCRE2_free (my_perl=0x80004160, rx=0x80024e64) at PCRE2.xs:520
#5  0xb7d84e95 in Perl_pregfree2 () from /lib/libperl.so.5.26
#6  0xb7de4640 in Perl_sv_clear () from /lib/libperl.so.5.26
#7  0xb7de4d40 in Perl_sv_free2 () from /lib/libperl.so.5.26
#8  0xb7d149e4 in Perl_op_clear () from /lib/libperl.so.5.26
#9  0xb7d14b20 in Perl_op_free () from /lib/libperl.so.5.26
#10 0xb7d3adb8 in perl_destruct () from /lib/libperl.so.5.26
#11 0x800009ce in main ()

This is because sljit_free_exec() does this assignment:

    if (SLJIT_UNLIKELY(!free_block->header.size)) {
        free_block->size += header->size;
        header = AS_BLOCK_HEADER(free_block, free_block->size);
→       header->prev_size = free_block->size;
    }

and the memory pointed to by header is read-only at that moment.

A minimal reproducer is:

use Test::More tests => 1;
use re::engine::PCRE2;

"Hello, world" !~ /(?<=Moose|Mo), (world)/;
"Hello, world" =~ /(?<=Hello|Hi), (world)/;
fork;

ok(1);

Removing any line (fork(), use Test::More, etc.) mitigates the crash. It's probably some kind of race condition when the two processes deallocate the memory regions backed by the same file. But I don't understand how that could be possible.

I will forward it to the PCRE2 authors as this is probably a PCRE2 bug. If you could reduce the reproducer to pure PCRE2 C code, it would be great.
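The comment above describes the mechanism behind the crash: the sealloc allocator keeps two mappings of the same temporary file, one writable (where code is emitted and block headers live) and one read-only/executable (where the code runs), and sljit_free_exec() ends up storing to a header through the read-only view. The following is an added C example, not code from the issue, PCRE2 or sljit, that reduces that allocator shape to its essentials and shows both outcomes: a header written through the RW view is visible through the RX view, and the same store done through the RX view raises SIGSEGV. The dual_map_* names, the block_header struct and the /tmp file path are this example's own assumptions; if /tmp is mounted noexec the second mapping falls back to PROT_READ, which is all the demonstration needs.

```c
/* Added example (not from the issue, PCRE2 or sljit): a two-view JIT
   allocator in miniature. Names (dual_map_*, block_header) are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct dual_map {
    size_t size;
    unsigned char *rw;  /* PROT_READ|PROT_WRITE view: headers and code are written here */
    unsigned char *rx;  /* PROT_READ|PROT_EXEC (or PROT_READ) view: code runs from here */
};

/* Create a temp file, unlink it so it disappears with the process, map it twice. */
static int dual_map_create(struct dual_map *m, size_t size)
{
    char path[] = "/tmp/sealloc-demo-XXXXXX";   /* constructed path for the demo */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                /* the name is not needed after open */
    if (ftruncate(fd, (off_t)size) != 0) { close(fd); return -1; }

    void *rw = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) { close(fd); return -1; }

    /* Executable view; on a noexec /tmp fall back to a plain read-only view. */
    void *rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED)
        rx = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                                   /* mappings stay valid without the fd */
    if (rx == MAP_FAILED) { munmap(rw, size); return -1; }

    m->size = size; m->rw = rw; m->rx = rx;
    return 0;
}

static void dual_map_destroy(struct dual_map *m)
{
    munmap(m->rw, m->size);
    munmap(m->rx, m->size);
}

/* A block header of the kind sljit_free_exec() updates (shape assumed). */
struct block_header { size_t size; size_t prev_size; };

/* Correct use: store the header through rw, observe it through rx.
   Returns 1 on success, 0 on mismatch, -1 if the mappings could not be set up. */
int dual_map_header_roundtrip(void)
{
    struct dual_map m;
    if (dual_map_create(&m, 4096) != 0) return -1;

    struct block_header *hdr_rw = (struct block_header *)m.rw;
    hdr_rw->size = 128;
    hdr_rw->prev_size = 64;

    const struct block_header *hdr_rx = (const struct block_header *)m.rx;
    int ok = hdr_rx->size == 128 && hdr_rx->prev_size == 64;
    dual_map_destroy(&m);
    return ok ? 1 : 0;
}

static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Wrong use: the same store done through the read-only view.
   Returns 1 if it faulted with SIGSEGV, 0 if it silently succeeded, -1 on setup error. */
int dual_map_write_via_rx_faults(void)
{
    struct dual_map m;
    if (dual_map_create(&m, 4096) != 0) return -1;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    volatile int faulted = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        struct block_header *hdr = (struct block_header *)m.rx;
        hdr->prev_size = 128;   /* "header->prev_size = ..." on the wrong view */
    } else {
        faulted = 1;            /* reached via siglongjmp from the SIGSEGV handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    dual_map_destroy(&m);
    return faulted;
}

int main(void)
{
    printf("write via rw, read via rx: %s\n",
           dual_map_header_roundtrip() == 1 ? "ok" : "FAILED");
    printf("write via rx: %s\n",
           dual_map_write_via_rx_faults() == 1 ? "SIGSEGV" : "no fault");
    return 0;
}
```

The practical check this suggests for an allocator of this kind is that every pointer used for a store, including the ones derived from neighbouring block headers during coalescing, is computed relative to the writable view; a pointer that came from the executable view may only be read or jumped to.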

Owner

rurban commented Aug 2, 2017

Thanks, I'll try.
Cannot repro on my darwin laptop, need to wait until getting back from my holidays in Greece.
But found a somewhat related sealloc bug on darwin https://bugs.exim.org/show_bug.cgi?id=2155

rurban added a commit that referenced this issue Aug 2, 2017
