Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backported pcre-anchor tests and fixes, found while fuzzing on capture branch. #453

Merged
merged 18 commits into from
Jan 3, 2024
Merged

Backported pcre-anchor tests and fixes, found while fuzzing on capture branch. #453

merged 18 commits into from
Jan 3, 2024

Conversation

silentbicycle
Copy link
Collaborator

This PR adds tests/pcre-anchor/ tests 82-100, which are hand-reduced versions of incorrectly handled regex inputs found during fuzzing.

Most of these have to do with:

  • non-local interactions between one or more anchors and the rest of the regex (e.g. how the ^ anchor in (a|$)(b|^) should not link to the unanchored start loop ("pincer anchors"))
  • repeat{0,_} nodes with unsatisfiable, unsupported, etc. subtrees that should be pruned by setting their max count to 0 rather than bubbling their error up further
  • incorrect handling of PCRE's anchors ignoring a single trailing newline
  • returning an unsupported PCRE behavior error for some cases that are too obscure and too tricky to be worth handling properly, such as how $[^a] should not match "x" but should match "x\n" according to PCRE

@silentbicycle
tests/pcre-anchor: Add regression tests 82-86.
ca3bdbf 
These are anchoring edge cases found by fuzzing. They have to do
with incomplete pruning of repeated nodes that are unsatisfiable due to
anchoring, nesting of anchors inside groups and/or ALT subtrees, etc.

The fixes will go in their own commit.
@silentbicycle
tests/pcre-anchor/in87.re: bubble up anchor flags to group node.
c070d01
@silentbicycle
More pcre and pcre-anchor test cases from fuzzing.
bcda0a9
@silentbicycle
new pcre-anchor tests
de62ccf
@silentbicycle
pcre-anchor/in94.re: One more test from fuzzing.
9dbc4f6
@silentbicycle
pcre-anchor/in95-98.re: More anchoring tests from fuzzing.
d8d7109
@silentbicycle
Add error code for unsupported PCRE cases (RE_EUNSUPPPCRE), reject one.
6999d24 
There's extra error codes in #440 for regexes that aren't UNSATISFIABLE
per se, but depend on particular corner cases in PCRE that probably
aren't worth supporting in an automata-based implementation.

Add a test case for one, tests/pcre/in48.re: ^a|$[^x]b*

This is a tricky one to handle properly; according to PCRE it should
match either "a<anything...>" OR "\n", but nothing else. The newline
match is because $ is a non-input-consuming check that evaluation is
either at the end of input, or at a newline immediately before the end.
In this case `$[^x]b*` matches exactly one newline; it's equivalent to
"$\n". This probably isn't worth supporting, but we can detect cases
where a potential newline match appears after a $ and reject them as
an unsupported PCRE behavior.
@silentbicycle
Analysis/linkage updates to fix new pcre-anchor tests.
087bd06
@silentbicycle
tests/pcre-anchor/in{99,100}.re: '^(?:$^|a)(?:$^|^)*' and '$[^a]*^|$^'
7683c6a 
`^(?:$^|a)(?:$^|^)*`: This should be equivalent to `^(?:^$|a)` because
the first group is always either fully anchored (making the second
redundant) or must match 'a' (making it being anchored at the start
impossible), but that information wasn't being passed properly to the
second group.

`$[^a]*` was returning AST_ANALYSIS_ERROR_UNSUPPORTED_PCRE while
inside the repeat node (`[]*`), so it didn't flag the `^` immediately
after. If a repeat node that can match 0 times is unsupported,
unsatisfiable, etc., just set its max count to 0 and continue. With
this change analysis finds the `^` and treats the whole regex overall
like `$^|$^`, which reduces to `^$`.

The fixes for both of these will be integrated in later commits -- I'm
integrating changes from a working branch that had several intermediate
steps committed to push to another computer for fuzzing.
@silentbicycle
ast_analysis: Fix for tests/pcre-anchor/in100.fsm.
2d401f6 
If a repeat node's subtree returns an error but has a min count of
0, then prune it by setting its max count to 0. If its error is
returned directly then the analysis won't see nodes that appear
after it.
@silentbicycle
ast_analysis: Update incorrect assertion and comment.
d650b8e
@silentbicycle
Silence warnings about unused (log-only) variables.
bab24d4
@silentbicycle
ast_analysis: Always check analysis_iter's result.
bafc3cd 
Found while fuzzing.
@silentbicycle
re.c: AST_ANALYSIS_ERROR_MEMORY => Set err->e to RE_EERRNO.
04fe43f 
This should normally be set when allocation fails, but when built
for fuzzing analysis can pre-emptively reject inputs that would
need excessive memory due to large repetition counts (for example),
so in that case make sure an error code is set to avoid triggering
an assertion later on.
@silentbicycle
ast_compile: ALT nodes should pass top-down linking along unmodified.
6708aad 
Lots of other bugs in linking have been indirect consequences of an
ancestor ALT node that changed its top-down x,y linkage to global
or the global start loop instead. Avoiding modification here eliminates
a lot of noise. While trying to simultaneously satisfy the pcre-anchor
tests 92, 99, and 100 I took a step back, thought through the system as
a whole, and realized this was where their linkage was getting messed up.
@silentbicycle
ast.h: Add comments for AST_FLAG_CONSTRAINED_AT_{START,END}.
f99dc46
@silentbicycle silentbicycle requested a review from katef December 20, 2023 17:13
@silentbicycle
ast_analysis: Remove tautological comparisons (unsigned >= 0).
fb39937
@silentbicycle
ast_analysis: Add prune_repeat_node.
270f163 
Rather than modifying this directly, add a function, which has
its own asserts and logging.
@katef katef merged commit 0f5a966 into main Jan 3, 2024
322 checks passed
@katef katef deleted the sv/backported-fixes-from-fuzzing-on-capture-branch branch January 3, 2024 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@katef katef katef approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@silentbicycle @katef