New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
segfault in Perl_mg_magical (mg.c:144) #15759
Comments
From @geeknikTriggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL. od -tx1 test332 ASAN:SIGSEGV==32602==ERROR: AddressSanitizer: SEGV on unknown address 0x00205fff8001 AddressSanitizer can not provide additional info. Perl 5.20.2 fails with many lines of this: |
From @geeknik |
From @iabynOn Sun, Dec 11, 2016 at 01:40:31PM -0800, Brian Carpenter wrote:
Looks like another stack-not-refcounted issue. Reduces to: map( ); -- |
The RT System itself - Status changed from 'new' to 'open' |
From @LeontOn Mon, Dec 12, 2016 at 12:18 PM, Dave Mitchell <davem@iabyn.com> wrote:
My number one regret of the hackathon must be that we didn't sit down and Leon |
From @xsawyerxOn 12/13/2016 10:02 PM, Leon Timmermans wrote:
I think we raised that originally as a conversation topic, but I guess I wonder if there is value is having a meeting over IRC (or some other [1] Hackathon report still pending. |
From @iabynOn Thu, Dec 15, 2016 at 01:15:59PM +0100, Sawyer X wrote:
I think FC started some work on this (origin/sprout/rstack), but I don't I don't think there's much point in a discussion until someone has some -- |
From @xsawyerxOn 12/25/2016 11:19 AM, Dave Mitchell wrote:
Makes sense to me. Without a plan, little discussion can be had, unless |
From @demerphqOn 26 December 2016 at 17:47, Sawyer X <xsawyerx@gmail.com> wrote:
My understanding is that we have a good idea why these happen, but Here is my very superficial understanding of the matter: When we place something on the stack we do not increment its refcount An obvious solution to this would be to refcount the stack. However You can see this in a reduced/modified version of the bug report in this thread: $ cat t_refcount.pl ); # this hash seed is for One-At-A-time, my tests are from Perl v5.18.4 If you uncomment the modification of $^H you can see a different At least part of this bug is due to the following rather insane piece of code: map { whatever() } that is, we populate %_ with 'D', 'E','F','G', which then puts the It is hard to say what we can do about insane stuff like this without As for this particular bug I think it warrants further attention if use Devel::Peek; SV = PV(0x187dd80) at 0x187cfc8 to use Devel::Peek; SV = PV(0xb13d80) at 0xb12fc8 I can understand the SV = UNKNOWN(0xff) (0x1893328) at 0x18932f8 in the first dump, but why do we see 'D', 'P', 'F', 'Q', 'P', 'Q'. I Also why is it when we change it to use Devel::Peek; Why do we get: SV = PV(0x233dd80) at 0x233cfc8 And why is it that when I remove the Dump we end up with a segfault use Devel::Peek; PERL_HASH_SEED=0xc717eb9fe97a9788 perl t_refcount.pl Some of this is easily explained by stack-not-refcounted, but some of How does the return of the the map end up polluting the stack that we Yves -- |
From @iabynOn Mon, Dec 26, 2016 at 10:18:05PM +0100, demerphq wrote:
But in practice large chunks of pp code mortalise the values they push on So making the args stack ref counted would quite likely be a net The insanely difficult bit is that we currently have nearly 30K lines of
It's quite easy to tickle stack-not-refcounted issues. E.g. @a = (1,2,3); which croaks with Use of freed value in iteration at ... or sub f { @a = (1,2,3); which prints nothing, but can easily print garbage if the freed SV happens -- |
From @demerphqOn 26 December 2016 at 22:44, Dave Mitchell <davem@iabyn.com> wrote:
Ok, color me convinced. 30k lines of pp code sounds less like a Do you have any insight on the other issues I mentioned? Yves -- |
From @LeontOn Mon, Dec 26, 2016 at 10:44 PM, Dave Mitchell <davem@iabyn.com> wrote:
I also tend to think less mortalization will help performance, but wouldn't
I imagined we'd have a bunch of macros that communicate intent, and those Leon |
From zefram@fysh.orgdemerphq wrote:
On the contrary, stack refcounting bugs have been encountered in real,
The memory used by the prematurely-freed 'E' and 'G' was reused to store
More memory reuse, transforming the prematurely-freed 'E' into $^H{M},
The segv arises from sv_clear() getting called on an UNKNOWN, which This too is an unsurprising failure mode. Generally, premature freeing As for why removing the Dump() specifically invokes this failure mode,
It doesn't. The corruption initially results from the premature freeing -zefram |
From @iabynOn Mon, Dec 26, 2016 at 11:41:52PM +0100, demerphq wrote:
Dealing with XS in the short term is fairly trivial. Have a flag on each
I haven't looked at it yet. Anything involving %^H makes my eyes glaze -- |
From @iabynOn Tue, Dec 27, 2016 at 12:20:41AM +0100, Leon Timmermans wrote:
But the tricky bit is seeing whether pp functions converted so far have -- |
From @demerphqOn 27 December 2016 at 12:24, Zefram <zefram@fysh.org> wrote:
Well, thanks to you and Dave I know understand this a lot better. Cheers, |
From @LeontOn Tue, Dec 27, 2016 at 12:24 PM, Dave Mitchell <davem@iabyn.com> wrote:
It helps that the most common case (CODE instead of PPCODE, and fixed Leon |
Migrated from rt.perl.org#130318 (status was 'open')
Searchable as RT130318$
The text was updated successfully, but these errors were encountered: