| Ticket UUID: | 3610026 | |||
| Title: | A regular expression with > 32k "colors" causes a segfault | |||
| Type: | Bug | Version: | current: 8.5.14 | |
| Submitter: | hlinnaka | Created on: | 2013-04-04 16:50:39 | |
| Subsystem: | 43. Regexp | Assigned To: | dgp | |
| Priority: | 8 | Severity: | ||
| Status: | Closed | Last Modified: | 2013-04-09 03:07:12 | |
| Resolution: | Fixed | Closed By: | dgp | |
| Closed on: | 2013-04-08 20:07:12 | |||
| Description: |
If a regular expression is parsed into more than 32k colors, you get a crash. I initially spotted this in PostgreSQL (http://www.postgresql.org/message-id/[email protected]), but TCL shares the same code and thus has the same bug. Attached is a TCL test script to reproduce this. Here's a link to the PostgreSQL commit that fixed this: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=bf2b0a147857f63daa2e5c17eed0169861371af8. It should apply to TCL sources with minimal changes. | |||
| User Comments: |
dgp added on 2013-04-09 03:07:12:
allow_comments - 1 and 8.5.15 and 8.6.1. dgp added on 2013-04-09 02:45:58: Fix committed for Tcl 8.4.20. dkf added on 2013-04-09 01:59:56: IP - Comment Removed: 82.42.214.208 dkf added on 2013-04-09 01:59:46: It takes 5-6 seconds on this rather elderly machine, which is acceptable. (Your system must be even older, and this machine's now old enough to be of school age!) I don't think the test is looking for the right result though. Either it's looking for a non-crash (in which case we ought to allow for success) or it should look for the specific new error message. I'm cool either way, but the current "gimme an error, any error" feels uncomfortable given that the rest of the file does lots of testing for specific errors. dgp added on 2013-04-08 22:17:41: Branch bug-3610026 contains the test and the (slightly adapted) patch. It's good to stop the crash. The only significant problem with this patch is that the test requires 10s of seconds to run, at least on my machine. I'd like opinions on whether we should constrain it to not run on every make test for that reason. dgp added on 2013-04-08 22:17:31: Branch bug-3610026 contains the test and the (slightly adapted) patch. It's good to stop the crash. The only significant problem with this patch is that the test requires 10s of seconds to run, at least on my machine. I'd like opinions on whether we should constrain it to not run on every make test for that reason. dgp added on 2013-04-05 03:24:31: Simpler demo:
set e {}
set cp 99
while {$cp < 35000} {
append e [format %c [incr cp]]
}
regexp -about $e
dgp added on 2013-04-05 00:27:08: It appears the segfault is avoided in Tcl 8.6, probably due to the DUP_TRAVERSE_MAX_DEPTH limits imposed there. I see the segfault in Tcl 8.5. though. A tidier demo convertible to a test case would be welcome. I will get to it eventually. dgp added on 2013-04-05 00:21:07: What encoding is that demo file in ? It appears mangled. hlinnaka added on 2013-04-04 23:50:40: File Added - 462305: tclcrash.tcl | |||
Attachments:
- tclcrash.tcl [download] added by hlinnaka on 2013-04-04 23:50:40. [details]