Control: severity -1 serious
Control: tags -1 -moreinfo
Control: found -1 2:8.35-3.3
On Tue, Oct 10, 2017 at 11:47:31AM +0100, Matthew Vernon wrote:
> severity 878107 important
> tags 878107 + upstream moreinfo
> quit
> 
> Hi,
> 
> On 09/10/17 21:23, Ondřej Surý wrote:
> 
> > the system-wide pcre3 library stack frame size detection is broken as
> > described in
> > https://bugs.exim.org/show_bug.cgi?id=2173
> 
> I note that upstream aren't proposing to address this.

Upstream says:

  PCRE1 (the 8.xx series) is very much in "maintenance only" mode.
  PCRE2 (the 10.xx series) has been out for nearly 3 years now, and its
  most recent release, 10.30, no longer uses the stack for remembering
  backtracking points.

That's fair enough, especially considering that a proper fix might be hard.

But it doesn't help existing software that cannot immediately be ported
to PCRE2 (even more in stable releases).

Upstream also says:

  This was always somewhat dodgy code, and since it was released I have
  discovered that all kinds of compiler variations can alter the answer
  that you get. With hindsight, it should never have been released.

One real-world problem where this dodgy code does break has been found
to affect real software, and the suggested patch that disables some
otherwise possible optimizations for one function is confirmed to work
around this specific breakage.

This is a quite minimal workaround for this specific breakage.

MariaDB has now made the step of using a bundled copy of PCRE when at
build time the system version of PCRE is found to have this problem.

That's a reasonable decision, but obviously lacks fixes from the Debian
package and using it would increase the amount of work for PCRE security
updates.

> > and that breaks at least ppc64el and s390x build causing segfaults in the
> > test suite (+ autopkgtest).
> 
> It's not clear to me that this couldn't be addressed by increasing the
> stack ulimit for the build (hence my request for moreinfo on 876299).

Doesn't fix the MariaDB test, and wouldn't fix it for all users of PCRE.
> > The patch from Sergei @ MariaDB is quite simple and it should pose no risk
> > applying it:
> 
> ...and presumably won't work with clang?

clang knows about noinline (and implements it properly), and gives a
warning for the noclone it doesn't know:

$ cat test.c
#include <stdio.h>

static void printit(void) __attribute__((noinline,noclone));

static void printit(void)
{
  printf("Hello, world!\n");
}

int main(void)
{
  printit();
  return 0;
}
$ clang -O2 -Wall test.c -o test && ./test
test.c:3:51: warning: unknown attribute 'noclone' ignored [-Wunknown-attributes]
static void printit(void) __attribute__((noinline,noclone));
                                                  ^
1 warning generated.
Hello, world!
$ 

> Regards,
> 
> Matthew

cu
Adrian

-- 
       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
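Added illustration, not code from the bug report, from PCRE or from MariaDB: a compile-time probe that applies noinline and noclone where the compiler knows them (so the attribute line from test.c above stays warning-free on clang, which lacks noclone), followed by a generic address-difference frame measurement that shows why a function whose frame size is being measured must be neither inlined nor cloned. The macro and function names (NO_INLINE_NO_CLONE, frame_probe, measured_frame_size, recursion_budget) are hypothetical, and the measurement is a simplified stand-in for the technique under discussion, not PCRE's own code.

```c
#include <stdint.h>
#include <stdio.h>

/* Feature-test the attributes instead of hard-coding them: GCC knows both,
 * clang knows only noinline and warns (-Wunknown-attributes) about noclone.
 * HAVE_NOCLONE_ATTR and NO_INLINE_NO_CLONE are names chosen for this example. */
#if defined(__has_attribute)
#  if __has_attribute(noclone)
#    define HAVE_NOCLONE_ATTR 1
#  else
#    define HAVE_NOCLONE_ATTR 0
#  endif
#elif defined(__GNUC__)
#  define HAVE_NOCLONE_ATTR 1   /* GCC older than 5 has no __has_attribute but knows noclone */
#else
#  define HAVE_NOCLONE_ATTR 0
#endif

#if HAVE_NOCLONE_ATTR
#  define NO_INLINE_NO_CLONE __attribute__((noinline, noclone))
#elif defined(__GNUC__)         /* clang defines __GNUC__ and implements noinline */
#  define NO_INLINE_NO_CLONE __attribute__((noinline))
#else
#  define NO_INLINE_NO_CLONE    /* unknown compiler: no request possible */
#endif

/* 1 when both attributes were requested, 0 when only noinline was available. */
int noclone_applied(void)
{
    return HAVE_NOCLONE_ATTR;
}

/* Simplified frame measurement: the function calls itself once and reports
 * how far apart the same local variable lands in the outer and inner frames.
 * The number is only trustworthy if every call to this function uses one and
 * the same frame layout, which is what the attributes ask for: inlining the
 * recursive call would merge the two frames, and a clone specialised for the
 * constant argument 1 could have a different frame size than the original. */
static NO_INLINE_NO_CLONE uintptr_t frame_probe(int inner, uintptr_t outer_marker)
{
    volatile char marker = 0;                  /* forced into this frame's stack slot */
    uintptr_t here = (uintptr_t)&marker;
    if (!inner)
        return frame_probe(1, here);           /* nested call measures the distance */
    /* stack growth direction differs between architectures, so take the magnitude */
    return here > outer_marker ? here - outer_marker : outer_marker - here;
}

/* Frame size of frame_probe as measured at run time, in bytes. */
uintptr_t measured_frame_size(void)
{
    return frame_probe(0, 0);
}

/* Number of nested calls that fit into a stack budget: the kind of limit a
 * recursive matcher checks so that deep recursion stops before it segfaults. */
uintptr_t recursion_budget(uintptr_t stack_bytes)
{
    uintptr_t frame = measured_frame_size();
    return frame ? stack_bytes / frame : 0;
}

int main(void)
{
    printf("noclone requested:       %d\n", noclone_applied());
    printf("measured frame size:     %lu bytes\n", (unsigned long)measured_frame_size());
    printf("nested calls in 8 MiB:   %lu\n", (unsigned long)recursion_budget(8u << 20));
    return 0;
}
```

Building this with gcc and with clang (with -Wall) shows the difference the thread is about: clang takes the noinline-only variant and prints no warning, while GCC gets both attributes. The measured size is compiler- and architecture-specific, which is the fragility upstream describes; what the attributes buy is that the value the probe reports matches the frame the real recursive calls use.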

