GNU bug report logs - #24751
26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")

Previous Next

Package: emacs;

Reported by: npostavs <at> users.sourceforge.net

Date: Fri, 21 Oct 2016 03:54:01 UTC

Severity: normal

Tags: fixed, patch

Found in version 26.0.50

Fixed in version 26.1

Done: npostavs <at> users.sourceforge.net

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Eli Zaretskii <eliz <at> gnu.org>
To: npostavs <at> users.sourceforge.net
Cc: 24751 <at> debbugs.gnu.org
Subject: bug#24751: 26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")
Date: Sun, 06 Nov 2016 17:45:40 +0200

> From: npostavs <at> users.sourceforge.net
> Cc: 24751 <at> debbugs.gnu.org
> Date: Sat, 05 Nov 2016 15:34:29 -0400
> 
> >> #define TYPICAL_FAILURE_SIZE 20
> >> 
> >> Why do we use an "estimate" here?  What's wrong with just using
> >> (re_max_failures * sizeof (fail_stack_elt_t)) as the limit?  Or should
> >> the limit actually be (re_max_failures * TYPICAL_FAILURE_SIZE * sizeof
> >> (fail_stack_elt_t))?
> >
> > I think it should be the latter, indeed.
> >
> > Can you propose a patch along those lines that would remove the
> > infloop in ENSURE_FAIL_STACK?
> >
> > Thanks.
> 
> The below seems to work

Thanks.

I think the patch can be simplified, where we now multiply by the size
of fail_stack_elt_t and then divide by it: simply remove both the
multiplication and the division.  That will make the code easier to
read, and will make the units of each variable clear, something that I
think is at the heart of this issue.

> but effectively increases the size of the failure stack (so the
> sample file size has to be increased 8-fold to get a regex stack
> overflow).

Which IMO is exactly TRT, since re_max_failures was computed given the
runtime stack size of 8MB, so having it bail out after merely 800KB
doesn't sound right to me, don't you agree?

> Strangely, changing the value in the definition of re_max_failures
> doesn't seem to have any effect, it stays 40000 regardless.  I am
> quite confused.

I don't think I follow.  Can you tell what you tried to change, and
where did you see the lack of any effect?
This bug report was last modified 8 years and 196 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.