GNU bug report logs - #44538
grep -E might exhaust stack space


Package: grep;

Reported by: JIang Yuancheng <0599jiangyc <at> gmail.com>

Date: Mon, 9 Nov 2020 17:45:02 UTC

Severity: wishlist

To reply to this bug, email your comments to 44538 AT debbugs.gnu.org.



Report forwarded to bug-grep <at> gnu.org:
bug#44538; Package grep. (Mon, 09 Nov 2020 17:45:02 GMT)

Acknowledgement sent to JIang Yuancheng <0599jiangyc <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-grep <at> gnu.org. (Mon, 09 Nov 2020 17:45:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: JIang Yuancheng <0599jiangyc <at> gmail.com>
To: bug-grep <at> gnu.org
Cc: Kaihang Ji <kaihang <at> comp.nus.edu.sg>
Subject: grep -E might exhaust stack space
Date: Tue, 10 Nov 2020 01:34:47 +0800
Hi,

grep -E ".*{10,}{10,}{10,}{10,}{10,}" can exhaust stack space, and then a stack overflow occurs. (Tested on the latest version, 3.6.)

jyc@ubuntu18:~/GREP/grep-3.6/src$ ./grep -E ".*{10,}{10,}{10,}{10,}{10,}"
grep: stack overflow

Gdb information:

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x20 (' ')
RCX: 0x555555799010 --> 0x705070701010700 
RDX: 0x0 
RSI: 0x8 
RDI: 0x7ffff7b5dc40 --> 0x0 
RBP: 0xffffffffffffffb0 
RSP: 0x7fffff7fefa0 
RIP: 0x7ffff780637e (<_int_malloc+62>:	mov    QWORD PTR [rsp+0x8],rsi)
R8 : 0x68b1d 
R9 : 0x0 
R10: 0x555555799010 --> 0x705070701010700 
R11: 0x0 
R12: 0x7ffff4d228f8 --> 0x0 
R13: 0x3458e8 
R14: 0x0 
R15: 0x55555579e460 --> 0x7ffff545e010 --> 0x2e ('.')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7806373 <_int_malloc+51>:	test   al,al
   0x7ffff7806375 <_int_malloc+53>:	jne    0x7ffff7806a58 <_int_malloc+1816>
   0x7ffff780637b <_int_malloc+59>:	test   rdi,rdi
=> 0x7ffff780637e <_int_malloc+62>:	mov    QWORD PTR [rsp+0x8],rsi
   0x7ffff7806383 <_int_malloc+67>:	mov    r14,rdi
   0x7ffff7806386 <_int_malloc+70>:	je     0x7ffff7806a38 <_int_malloc+1784>
   0x7ffff780638c <_int_malloc+76>:	mov    r15d,ebx
   0x7ffff780638f <_int_malloc+79>:	shr    r15d,0x4
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefa0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff780637e in _int_malloc (av=av@entry=0x7ffff7b5dc40 <main_arena>, bytes=bytes@entry=0x8)
    at malloc.c:3557
3557	malloc.c: No such file or directory.

ASAN:

=================================================================
==12861==ERROR: AddressSanitizer: stack-overflow on address 0x7fffe9c8afc8 (pc 0x7f9f6989dd2e bp 0x7fffe9c8b060 sp 0x7fffe9c8afd0 T0)
    #0 0x7f9f6989dd2d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27d2d)
    #1 0x7f9f69954b0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
    #2 0x555aa36928ec in re_node_set_alloc /home/jyc/GREP/grep-3.6/lib/regex_internal.c:973
    #3 0x555aa369f8cf in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1700
    #4 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #5 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #6 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
…
    #248 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #249 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #250 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737

SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27d2d) 
==12861==ABORTING



Thanks,
Yuancheng

Information forwarded to bug-grep <at> gnu.org:
bug#44538; Package grep. (Sat, 28 Aug 2021 01:27:02 GMT)

Message #8 received at 44538 <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: JIang Yuancheng <0599jiangyc <at> gmail.com>
Cc: 44538 <at> debbugs.gnu.org, Kaihang Ji <kaihang <at> comp.nus.edu.sg>
Subject: Re: bug#44538: grep -E might exhaust stack space
Date: Fri, 27 Aug 2021 18:25:44 -0700
On 11/9/20 9:34 AM, JIang Yuancheng wrote:
> grep -E ".*{10,}{10,}{10,}{10,}{10,}" can exhaust stack space, and then a stack overflow occurs. (Tested on the latest version, 3.6.)

This is a longstanding issue with the regex matcher. I installed the 
attached patch to document the issue better. Fortunately, the problem is 
mostly limited to contrived examples.
[0001-doc-document-interval-expression-limitations.patch (text/x-patch, attachment)]
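
For callers that hand untrusted patterns to grep -E or regcomp(), a pre-check can reject patterns like the one in this report before they are compiled. The following is an added example, not code from grep, gnulib or the attached patch: it assumes that compile cost grows with the product of stacked repeat counts, and it generalizes the reported case to intervals applied to parenthesized groups. The names ere_expansion and MAX_DEPTH and the budget of 10000 are hypothetical.

```c
#include <stdlib.h>
#define MAX_DEPTH 64   /* assumed cap on group nesting */

/* Estimate the atom count of an ERE once each interval ({m}, {m,}, {m,n}) is
   unrolled.  Returns -1 if it exceeds `budget` (assumed far below LONG_MAX). */
long ere_expansion(const char *p, long budget)
{
    long total[MAX_DEPTH] = {0}, last = 0, lo, hi;
    int depth = 0;
    char *end;
    for (; *p; p++) {
        if (*p == '*' || *p == '+' || *p == '?') continue;  /* no copies */
        if (*p == '{' && last > 0) {        /* interval on the last atom */
            lo = hi = strtol(p + 1, &end, 10);
            if (*end == ',') hi = strtol(end + 1, &end, 10);  /* "{m,}": 0 */
            if (hi < lo) hi = lo;
            if (*end == '}') {
                if (hi > 1 && last > budget / hi) return -1;
                if (hi > 1) last *= hi;     /* stacked intervals multiply */
                p = end;
                continue;
            }
        }
        if (*p == ')' && depth > 0) {       /* closed group is one atom */
            last += total[depth--];
            if (last > budget) return -1;
            continue;
        }
        total[depth] += last;               /* previous atom is complete */
        if (total[depth] > budget) return -1;
        last = (*p == '(' || *p == '|') ? 0 : 1;
        if (*p == '(') {
            if (++depth == MAX_DEPTH) return -1;
            total[depth] = 0;
        } else if (*p == '\\' && p[1]) {
            p++;                            /* escaped char is a literal */
        } else if (*p == '[') {             /* skip bracket expression */
            p += (p[1] == '^') ? 2 : 1;
            if (*p == ']') p++;             /* leading ']' is literal */
            while (*p && *p != ']') p++;
            if (!*p) break;                 /* unterminated bracket */
        }
    }
    while (depth >= 0) last += total[depth--];
    return last > budget ? -1 : last;
}

/* Usage: ./a.out 'PATTERN'; exit status 1 means the pattern is over budget. */
int main(int argc, char **argv) { return argc > 1 && ere_expansion(argv[1], 10000) < 0; }
```

The estimate is conservative for character classes such as [[:alpha:]], which it counts as one extra atom.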

Severity set to 'wishlist' from 'normal'. Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Sat, 28 Aug 2021 01:29:01 GMT)

This bug report was last modified 3 years and 26 days ago.
