From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Monnier via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#65726: 29.1.50; Crash in regexp engine
Date: Mon, 04 Sep 2023 10:32:38 -0400
Message-ID: <jwv4jkaqawd.fsf-monnier+emacs@gnu.org>
References: <8e1b4e50-0430-3eb3-e486-60def1e4821f@gmx.at>
Reply-To: Stefan Monnier <monnier@iro.umontreal.ca>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="34539"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: 65726@debbugs.gnu.org
To: martin rudalics <rudalics@gmx.at>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Mon Sep 04 16:33:24 2023
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1qdAdo-0008hz-Gl
	for geb-bug-gnu-emacs@m.gmane-mx.org; Mon, 04 Sep 2023 16:33:24 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1qdAdV-00018a-FX; Mon, 04 Sep 2023 10:33:05 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qdAdT-00018C-5J
 for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2023 10:33:03 -0400
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qdAdS-0000Wj-Sv
 for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2023 10:33:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qdAdS-00070s-G9
 for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2023 10:33:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Stefan Monnier <monnier@iro.umontreal.ca>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 04 Sep 2023 14:33:02 +0000
Resent-Message-ID: <handler.65726.B65726.169383796826933@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 65726
X-GNU-PR-Package: emacs
Original-Received: via spool by 65726-submit@debbugs.gnu.org id=B65726.169383796826933
 (code B ref 65726); Mon, 04 Sep 2023 14:33:02 +0000
Original-Received: (at 65726) by debbugs.gnu.org; 4 Sep 2023 14:32:48 +0000
Original-Received: from localhost ([127.0.0.1]:52133 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1qdAdE-00070K-Do
 for submit@debbugs.gnu.org; Mon, 04 Sep 2023 10:32:48 -0400
Original-Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:45935)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@iro.umontreal.ca>) id 1qdAdB-000707-VN
 for 65726@debbugs.gnu.org; Mon, 04 Sep 2023 10:32:47 -0400
Original-Received: from pmg1.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id 3F51D10006B;
 Mon,  4 Sep 2023 10:32:40 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 s=mail; t=1693837959;
 bh=z+PZAd55emAMASf3WGMcJZTPHYi5P2OG2XkruUGxAPk=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
 b=jffOQfNz9jOjW/B66GqfKsrOTc2jXN2lbWQmhXyMuIrYaK3LwIIY8zKG4EQ2g/J5I
 mQVm8f9H2PNoqbjEVzMjBjQyXdj7Yeb86WhJS0UFSKNFSNN9dmP6aRv1wo8HsyjXkz
 hmEFi6c8RtgvDOqR+VaAxCulC4WXqu7CTcAVcdEwU3BjRRxu60e7LvvwZxCILjZBMm
 9df22rwhqUx3vg9K716jC5kUivrJXd5O/5il2moiDJ4/y6Tf/AEAPgxKXLp7yYNoNC
 KgrMN/WAwCxS9rZdUlrOdpFeGdV7+fsZlC7to+WigHHp0y6jv4sEXdDayIb+bLi6qo
 sAuQe4T3Syv3A==
Original-Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id 2DF4F100046;
 Mon,  4 Sep 2023 10:32:39 -0400 (EDT)
Original-Received: from pastel (69-165-136-223.dsl.teksavvy.com [69.165.136.223])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id F10AD120314;
 Mon,  4 Sep 2023 10:32:38 -0400 (EDT)
In-Reply-To: <8e1b4e50-0430-3eb3-e486-60def1e4821f@gmx.at> (martin rudalics's
 message of "Mon, 4 Sep 2023 09:46:24 +0200")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:269243
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/269243>

> Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x7fffff66fff8:
> #0  0x000000000068810a in skip_noops (p=#1  0x0000000000688823 in mutually_exclusive_p (bufp=0xec9c30 <searchbufs+752>, p1=0x1fcee74 "\004\005", p2=0x1fcee81 "\016\063") at ../../src/regex-emacs.c:3665
> #2  0x0000000000688e19 in mutually_exclusive_p (bufp=0xec9c30 <searchbufs+752>, p1=0x1fcee74 "\004\005", p2=0x1fcee81 "\016\063") at ../../src/regex-emacs.c:3838
> #3  0x0000000000688e3c in mutually_exclusive_p (bufp=0xec9c30 <searchbufs+752>, p1=0x1fcee74 "\004\005", p2=0x1fceeba "\004\020") at ../../src/regex-emacs.c:3839
> #4  0x0000000000688e3c in mutually_exclusive_p (bufp=0xec9c30 <searchbufs+752>, p1=0x1fcee74 "\004\005", p2=0x1fcee84 "\002\001@\004\020") at ../../src/regex-emacs.c:3839
> #5  0x0000000000688e19 in mutually_exclusive_p (bufp=0xec9c30 <searchbufs+752>, p1=0x1fcee74 "\004\005", p2=0x1fcee81 "\016\063") at ../../src/regex-emacs.c:3838
> ...

Hmm... the line numbers strongly suggests the inf-recursion happens via
the calls:

    case on_failure_jump:
      {
        int mcnt;
	p2++;
	EXTRACT_NUMBER_AND_INCR (mcnt, p2);
	/* Don't just test `mcnt > 0` because non-greedy loops have
	   their test at the end with an unconditional jump at the start.  */
	if (p2 + mcnt > p2_orig) /* Ensure forward progress.  */
	  return (mutually_exclusive_p (bufp, p1, p2)
		  && mutually_exclusive_p (bufp, p1, p2 + mcnt));
	break;
      }

Re-reading the code I see that `skip_noops` can return a position
smaller than its argument, which makes it possible for `p2` to
be smaller (or equal) to `p2_orig` and hence explain that inf-loop
(that's the only path I can see that explains the inf-loop you're
seeing).

So, the patch below should hopefully fix your problem.


        Stefan


diff --git a/src/regex-emacs.c b/src/regex-emacs.c
index 7e75f0ac597..3a14c10771d 100644
--- a/src/regex-emacs.c
+++ b/src/regex-emacs.c
@@ -3832,7 +3832,8 @@ mutually_exclusive_p (struct re_pattern_buffer *bufp, re_char *p1,
 	EXTRACT_NUMBER_AND_INCR (mcnt, p2);
 	/* Don't just test `mcnt > 0` because non-greedy loops have
 	   their test at the end with an unconditional jump at the start.  */
-	if (p2 + mcnt > p2_orig) /* Ensure forward progress.  */
+	if (p2 + mcnt > p2_orig /* Ensure forward progress.  */
+	    && p2 > p2_orig)    /* Bug#65726  */
 	  return (mutually_exclusive_p (bufp, p1, p2)
 		  && mutually_exclusive_p (bufp, p1, p2 + mcnt));
 	break;