[Mono-bugs] [Bug 72989][Blo] New - Stack overflw in RegularExpression parsing

[bugzilla-daemon@bugzilla.ximian.com]

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by eyala@mainsoft.com.

http://bugzilla.ximian.com/show_bug.cgi?id=72989

--- shadow/72989	2005-02-24 15:54:07.000000000 -0500
+++ shadow/72989.tmp.12887	2005-02-24 15:54:07.000000000 -0500
@@ -0,0 +1,104 @@
+Bug#: 72989
+Product: Mono: Class Libraries
+Version: unspecified
+OS: All
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 032 Four days
+Priority: Blocker
+Component: System
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: eyala@mainsoft.com               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+URL: 
+Summary: Stack overflw in RegularExpression parsing
+
+Description of Problem:
+ When running the C# test case in the end of this report (see below for 
+details) one gets a stack overflow. The overflow is in 
+system.Text.RegularExpressions.Interpreter.Eval where the regular 
+expression is evaluated.
+The stack overflow is not because of an infinite recursion but because the 
+recursion used is simply too deep. If the program is given more space it 
+will finally succeed. The depth of the recursion is linear with the 
+parameter to the program and the number of words in the strings that the 
+regular expression parses.
+I ran this on Windows using Mono Regular Expression sources and MS .Net 
+corlib and execution engine. Since the bug is in doing a too deep 
+recursion its exact reproduction will depend upon the OS and the execution 
+engine.
+The bug is blocking for us since we use regular expressions in our Java 
+implementation of System.Data (ADO.Net) connected mode and it crashes in 
+that scenario with farily simple strings (the Java stack is fairly small)
+Steps to reproduce the problem:
+1. compile RegExpTest.cs (code given below)
+2. mono RegExpTest 100
+   You can play with the input number - I got it to overflow with an input 
+of 10.
+3. Then the program prints "ok" - press enter
+   The program always prints "ok" even if there is an exception (it 
+catches the exception)
+
+Actual Results:
+StackOverflowException
+ok
+<waiting for user to press enter>
+
+Expected Results:
+ok
+<waiting for user to press enter>
+
+Additional Information:
+The code of "RegExpTest.cs" (I couldn't find the place to attach the 
+actual file :-(
+using System;
+using System.Text.RegularExpressions;
+
+namespace ConsoleApplication1
+{
+    class RegExpTest
+    {
+        internal static readonly Regex CompoundStatementSplitterReqExp =
+            new
+            Regex(@"(?<STATEMENT>((""([^""]|(""""))*"")|('([^']|(''))*')|
+[^;])*)
+",
+            RegexOptions.Compiled | RegexOptions.IgnoreCase |
+            RegexOptions.ExplicitCapture);
+
+        static void Main(string[] args)
+        {
+            string text = "SELECT     td.TESTCYCL.TC_TEST_ID, 
+td.TESTCYCL.TC_STA
+TUS, td.BUG.BG_STATUS, td.BUG.BG_BUG_ID, td.BUG.BG_USER_03, 
+td.BUG.BG_USER_09,";
+            int n = (args.Length > 0 ? Int32.Parse(args[0]) : 1);
+            for (int i = 0; i < n; i++)
+                text+=  " td.BUG.BG_USER_10, 
+td.BUG.BG_SUMMARY,BG_DETECTION_VERS
+ION";
+            text+= " td.TEST ON td.TESTCYCL.TC_TEST_ID = 
+td.TEST.TS_TEST_ID INNE
+R JOIN";
+            text+= " td.ALL_LISTS ON td.TEST.TS_SUBJECT = 
+td.ALL_LISTS.AL_ITEM_I
+D RIGHT OUTER JOIN";
+            text+= " td.BUG ON td.TEST.TS_TEST_ID = 
+td.BUG.BG_TEST_REFERENCE";
+            try
+            {
+                Match res = CompoundStatementSplitterReqExp.Match(text);
+                Console.WriteLine( res );
+            }
+            catch(Exception e)
+            {
+                Console.WriteLine(e.StackTrace);
+                Console.WriteLine(e.Message);
+            }
+            Console.WriteLine("ok");
+            Console.ReadLine();
+        }
+    }
+}