Project

General

Profile

Actions

Bug #20207

closed

Segmentation fault for a regexp containing positive and negative lookaheads

Added by Sundeep (Sundeep Agarwal) 10 months ago. Updated 8 months ago.


Description

I'm getting segmentation fault for the following regexp with Ruby 3.3.0:

puts 'clan'.match?(/(?=.*a)(?!.*n)/)

This is the minimal example for which I was able to produce the issue. a and n in the above example
are just a sample, can be other character combinations too. There has to be at least two characters
before them in the input string (cl in the above example).

The error is seen when the above code is run from a file, but only occasionally from irb.
When run from a file, most of the time I get segmentation fault (see attached log file),
but sometimes I get the following error:

lookaround.rb:1:in `match?': undefined bytecode (bug): /(?=.*a)(?!.*n)/ (RegexpError)
	from lookaround.rb:1:in `<main>'

When asked in the r/ruby forum, somebody else was able to reproduce this issue.
They also mentioned that the issue wasn't seen in the Ruby 3.2.2 version.


Files

lookaround_segfault.log (15.9 KB) lookaround_segfault.log Sundeep (Sundeep Agarwal), 01/24/2024 08:31 AM

Related issues 1 (0 open1 closed)

Related to Ruby master - Bug #20212: Regex match method is crashing - (irb):6: [BUG] Segmentation fault at 0x0000000000000000 ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-darwin22]Closedmake_now_just (Hiroya Fujinami)Actions

Updated by mame (Yusuke Endoh) 10 months ago

  • Assignee set to make_now_just (Hiroya Fujinami)

Updated by nobu (Nobuyoshi Nakada) 10 months ago

FYI, it raises a SystemStackError.

Actions #3

Updated by byroot (Jean Boussier) 10 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONTNEED, 3.3: REQUIRED

Updated by byroot (Jean Boussier) 10 months ago

@nobu (Nobuyoshi Nakada) I do get a SEGV on both x86_64 and ARM64:

-- C level backtrace information -------------------------------------------
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(rb_vm_bugreport+0xb4c) [0x100fd6534]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(rb_bug_for_fatal_signal+0x100) [0x100e197c8]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(sig_do_nothing+0x0) [0x100f3e14c]
/usr/lib/system/libsystem_platform.dylib(_sigtramp+0x38) [0x18494da24]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(match_at+0x21dc) [0x100f1d744]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(onig_search_gpos+0x694) [0x100f25b04]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(rb_reg_match_p+0x1cc) [0x100f09448]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(vm_call_cfunc_with_frame_+0xf0) [0x100fc9228]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(vm_exec_core+0x2048) [0x100faef80]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(rb_vm_exec+0x1ec) [0x100fabdc4]
/opt/rubies/3.3.0/lib/libruby.3.3.dylib(rb_f_eval+0x1d8) [0x100fbaf7c]

Updated by byroot (Jean Boussier) 10 months ago

Also ruby-head backtrace:

BUG] Segmentation fault at 0x0000000000000008
ruby 3.4.0dev (2024-01-24T10:33:25Z master 0f417d640d) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0003 p:---- s:0012 e:000011 CFUNC  :match?
c:0002 p:0007 s:0007 e:000005 EVAL   -:1 [FINISH]
c:0001 p:0000 s:0003 E:001010 DUMMY  [FINISH]
-- Ruby level backtrace information ----------------------------------------
-:1:in `<main>'
-:1:in `match?'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- Machine register context ------------------------------------------------
RIP: 0x00007f7d2e74dfbd RBP: 0x00007ffec7b14a40 RSP: 0x00007ffec7b12a20
RAX: 0x0000000000000008 RBX: 0x00007ffec7b14aa0 RCX: 0x0000000000000000
RDX: 0x0000000000000002 RDI: 0x0000000000000008 RSI: 0x0000000000000008
 R8: 0x00007ffec7b14980  R9: 0x0000000000000001 R10: 0x00005572ce2d8391
R11: 0x0000000000000009 R12: 0x0000000000000000 R13: 0x00005572ce05d500
R14: 0x0000000000000004 R15: 0x00007ffec7b12100 EFL: 0x0000000000010297
-- C level backtrace information -------------------------------------------
/opt/ruby/lib/libruby.so.3.4(rb_print_backtrace+0x14) [0x7f7d2e824371] /ruby/vm_dump.c:820
/opt/ruby/lib/libruby.so.3.4(rb_vm_bugreport) /ruby/vm_dump.c:1151
/opt/ruby/lib/libruby.so.3.4(rb_bug_for_fatal_signal+0x104) [0x7f7d2e617984] /ruby/error.c:1065
/opt/ruby/lib/libruby.so.3.4(sigsegv+0x4d) [0x7f7d2e76fbdd] /ruby/signal.c:926
/lib/x86_64-linux-gnu/libc.so.6(0x7f7d2e152520) [0x7f7d2e152520]
/opt/ruby/lib/libruby.so.3.4(match_at+0x60d) [0x7f7d2e74dfbd] /ruby/regexec.c:4125
/opt/ruby/lib/libruby.so.3.4(onig_search_gpos+0x67d) [0x7f7d2e757d9d] /ruby/regexec.c:5370
/opt/ruby/lib/libruby.so.3.4(onig_search+0x1a) [0x7f7d2e75827a] /ruby/regexec.c:5099
/opt/ruby/lib/libruby.so.3.4(reg_onig_search+0x42) [0x7f7d2e734792] /ruby/re.c:1725
/opt/ruby/lib/libruby.so.3.4(rb_reg_onig_match+0x93) [0x7f7d2e739243] /ruby/re.c:1661
/opt/ruby/lib/libruby.so.3.4(rb_reg_match_p+0xfb) [0x7f7d2e73b96b] /ruby/re.c:3824
/opt/ruby/lib/libruby.so.3.4(vm_cfp_consistent_p+0x0) [0x7f7d2e7f5dc4] /ruby/vm_insnhelper.c:3492

Updated by alanwu (Alan Wu) 10 months ago

I get a SEGV on darwin if I run it repeatedly. With 3.3.0 and Valgrind on Linux I get:

==216941== Invalid read of size 4
==216941==    at 0x4AA75B0: match_at (regexec.c:3894)
==216941==    by 0x4AB0D2C: onig_search_gpos (regexec.c:5361)
==216941==    by 0x4AB1209: onig_search (regexec.c:5090)
==216941==    by 0x4A8D811: reg_onig_search (re.c:1725)
==216941==    by 0x4A922B2: rb_reg_onig_match (re.c:1661)
==216941==    by 0x4A949EA: rb_reg_match_p (re.c:3821)
Actions #7

Updated by byroot (Jean Boussier) 10 months ago

  • Related to Bug #20212: Regex match method is crashing - (irb):6: [BUG] Segmentation fault at 0x0000000000000000 ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-darwin22] added
Actions #8

Updated by make_now_just (Hiroya Fujinami) 10 months ago

  • Status changed from Open to Closed

Applied in changeset git|3e6e3ca2627b1aa71b17de902cc1b8188246a828.


Correctly handle consecutive lookarounds (#9738)

Fix [Bug #20207]
Fix [Bug #20212]

Handling consecutive lookarounds in init_cache_opcodes is buggy, so it
causes invalid memory access reported in [Bug #20207] and [Bug #20212].
This fixes it by using recursive functions to detected lookarounds
nesting correctly.

Updated by naruse (Yui NARUSE) 8 months ago

  • Backport changed from 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONTNEED, 3.3: REQUIRED to 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONE

ruby_3_3 00cb72157a60c20a9b9d9fe81fc974ea83d672b4 merged revision(s) 3e6e3ca2627b1aa71b17de902cc1b8188246a828.

Actions

Also available in: Atom PDF

Like1
Like0Like0Like0Like0Like0Like0Like0Like0Like0