User:Reedy/MWRegexSegfault

Reedy: apt-get install libc6-dbg libpcre3-dbg
TimStarling, installed
then attach to a random thread with gdb, then trigger the segfault in a loop
curl -vvv 'http://77.86.93.55/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page' -F wpName=rjkiugfoeurgy -F wpPassword=piuhmsowiuerw -F 'wpLoginAttempt=Log in' -F wpLoginToken=731d51069384c12275e682714410e4ea -H 'Cookie: wikidb_mw__session=dcb5db152ae0e064e7d32bc9010c47c1'
did you get that whole line?
Up to the end of the cookie, yeah
yeah, that's right, running that will trigger the segfault
so: while true; do ; done
do you know how to use gdb?
Nope, was just going to ask that..
/google
first you need the PID, so: ps -C apache2
that should show a lot of processes since you're using prefork
yup
pick any process other than the parent
<Reedy> parent i guess is lowest pid?
<TimStarling> usually
<TimStarling> start gdb with no arguments
<TimStarling> if you don't have it, apt-get install gdb
<Reedy> that looks to be under user root, everything else is www-data
<TimStarling> yeah, sounds right
<TimStarling> then: attach
<Reedy> yup
<TimStarling> cont
<TimStarling> then run the loop, then it should drop out to a prompt when it segfaults
<TimStarling> cont is short for continue, it continues the process
<TimStarling> then "bt" gives you a backtrace
<Reedy> that didn't take long
<TimStarling> with debug symbols installed, you should now be able to see the arguments to the PCRE functions
<TimStarling> so that tells you what regex it's segfaulting on, and so what part of the MW code is the problem
<Reedy> #5 0x00007f6062a86767 in pcre_compile2 (
<Reedy>     pattern=0x7f6064763e28 "^(?:::|:(?::([0-9A-Fa-f]{1,4})){1,7}|([0-9A-Fa-f]{1,4})(?::([0-9A-Fa-f]{1,4})){0,6}::|([0-9A-Fa-f]{1,4})(?::([0-9A-Fa-f]{1,4})){7}|([0-9A-Fa-f]{1,4})(?::(?P (?!(?P=abn)):(?P ))?([0-9A-Fa-f]{1"...,
<TimStarling> crikey
<Reedy> AaronSchulz!
<Reedy> IPV6 at a guess
<OverlordQ> jesus
<Reedy> TimStarling, that's rather cool
<Reedy> AaronSchulz, you about? :D
<TimStarling> easier than $wgDebugFunctionEntry, which is what I used to use for this when I was a poor Windows user
<Reedy> 76876 or 76928 at a guess
<Reedy> just waiting for svn up to work
<OverlordQ> the latest one
<OverlordQ> 76927 works
<TimStarling> btw a double free means a dangling pointer, which means a potential security vulnerability
<TimStarling> if your PCRE library is up to date, you should probably report it