This bug is to record the results of fuzzing libc++'s regex with clang's libfuzzer. When a crash is found, it will be added here.
Created attachment 14716 [details] Input to crash regex_match
First crash - in regex_match. Using this target function extern "C" void LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { if (size > 0) { try { std::regex::flag_type flag = std::regex_constants::grep; std::string s((const char *)data, size); std::regex re(s, flag); std::regex_match(s, re); } catch (std::regex_error &ex) {} } }
I reduced this test case down to "\\8" and fixed it in 245849. Leaving the bug open b/c I think the fuzzer will find more.
Here's another one the uzzer found (simplified). This one doesn't fail, but it takes minutes to match against itself. const char *bad = "#\\(.*\\)*###################.######.####### ";
Is there still an interest in fuzzing libc++'s regex? We now have https://github.com/google/oss-fuzz, a continuous fuzzing service, where libc++ would be welcome. Fuzzing regex now yield this: projects/libcxx/include/regex:4058:21: runtime error: signed integer overflow: 403809844 * 10 cannot be represented in type 'int' and then quickly gets stuck in timeouts.
We have fixed all the regex crashes that OSS-Fuzz has reported. What's left is stack overflows, large memory usage, and timeouts. Closing this bug, because they're all being tracked over at OSS-Fuzz.