https://issues.dlang.org/show_bug.cgi?id=18691

          Issue ID: 18691
           Summary: assigning a std.regex.Captures with 3 or more groups
                    causes double free
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P1
         Component: phobos
          Assignee: nob...@puremagic.com
          Reporter: martin.do...@hitachivantara.com

This minimal test case crashes:

martind@swiftboat:~/tmp/D134366$ cat utilimal.d 
import std.regex;

void main() {
    auto rx = regex("()()()");
    auto ma = "".matchFirst(rx);
    ma = "".matchFirst(rx);
}
martind@swiftboat:~/tmp/D134366$ ~/download/d/dmd/generated/linux/release/64/dmd -g utilimal.d && valgrind ./utilimal
...
==655== Invalid free() / delete / delete[] / realloc()
==655==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==655==    by 0x4C1E26: _D3std5regex__T8CapturesTAyaZQo6__dtorMFNbNiNeZv (/home/martind/download/d/dmd/generated/linux/release/64/../../../../../phobos/std/regex/package.d:565)
==655==    by 0x48A1CB: _Dmain (utilimal.d:5)
==655==    by 0x4C6F5F: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ6runAllMFZ9__lambda1MFZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6DEF: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ7tryExecMFMDFZvZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6ECE: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ6runAllMFZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6DEF: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ7tryExecMFMDFZvZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6D5A: _d_run_main (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C303D: main (in /home/martind/tmp/D134366/utilimal)
==655==  Address 0x5d2be50 is 0 bytes inside a block of size 64 free'd
==655==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==655==    by 0x4C1E26: _D3std5regex__T8CapturesTAyaZQo6__dtorMFNbNiNeZv (/home/martind/download/d/dmd/generated/linux/release/64/../../../../../phobos/std/regex/package.d:565)
==655==    by 0x4C2D2F: _D3std5regex__T8CapturesTAyaZQo__T8opAssignZQkMFNbNiNeSQCbQCa__TQBxTQBrZQCfZQw (/home/martind/download/d/dmd/generated/linux/release/64/../../../../../phobos/std/regex/package.d:685)
==655==    by 0x48A181: _Dmain (utilimal.d:6)
==655==    by 0x4C6F5F: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ6runAllMFZ9__lambda1MFZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6DEF: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ7tryExecMFMDFZvZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6ECE: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ6runAllMFZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6DEF: _D2rt6dmain211_d_run_mainUiPPaPUAAaZiZ7tryExecMFMDFZvZv (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C6D5A: _d_run_main (in /home/martind/tmp/D134366/utilimal)
==655==    by 0x4C303D: main (in /home/martind/tmp/D134366/utilimal)

My testing suggests that this is a regression in 2.079.0 over 2.078.3-0.  I
might risk a guess that it's due to the addition of opAssign to the Captures
struct in:

https://github.com/dlang/phobos/commit/59520969ef73eaf0691972ee00b389e5bbc4c8fb#diff-4715499b2ff2d74e4eb3c6f3909c611c
in an attempt by @MartinNowak to "fix Issue 18114 - regex performance
regression".  Do we now have big_matches in two Captures objects referring to
the same calloc/free memory but each with their own _refcount?  Have we also
leaked any old memory that (lhs) big_matches owned?
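
Added illustration, not part of the original report and not the std.regex source: a small D model of the scenario the last paragraph asks about, where opAssign copies a storage pointer and a per-object count, beside a variant that keeps the count in the shared block. Caps, Block and run are hypothetical names, and whether the linked commit behaves this way is an assumption, not something the report establishes.

```d
// Added model of the question in the report; not the std.regex source.
// Block stands in for calloc'ed storage. It is GC-owned and only counts
// releases, so a second release is observable instead of corrupting the heap.
final class Block { uint count = 1; int releases; }

struct Caps(bool countInBlock)
{
    Block big;          // storage that copies are meant to share
    uint refcount = 1;  // per-object count, used only when !countInBlock

    this(this) { static if (countInBlock) { if (big) ++big.count; } else ++refcount; }

    ~this()
    {
        if (big is null) return;
        static if (countInBlock) { if (--big.count == 0) ++big.releases; }
        else { if (--refcount == 0) ++big.releases; }
    }

    // rhs is by value: an rvalue is moved in and destroyed when opAssign returns.
    void opAssign(Caps rhs)
    {
        static if (countInBlock)
        {
            auto old = big;   // hand the old block to rhs, whose destructor
            big = rhs.big;    // then drops the reference this object held
            rhs.big = old;
        }
        else
        {
            big = rhs.big;            // old block dropped without a release: leak
            refcount = rhs.refcount;  // count copied, not shared: both sides hold 1
        }
    }
}

int[2] run(bool countInBlock)()
{
    auto first = new Block, second = new Block;
    {
        auto ma = Caps!countInBlock(first);  // auto ma = "".matchFirst(rx);
        ma = Caps!countInBlock(second);      // ma = "".matchFirst(rx);
    }                                        // ma destroyed here
    return [first.releases, second.releases];
}

void main()
{
    assert(run!false() == [0, 2]);  // first leaked, second released twice
    assert(run!true() == [1, 1]);   // each block released exactly once
}
```

Build without -release so the asserts stay enabled.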
