
perl 5.8.8: RT 3.6.0: segfault in perl sv.c:5810 #8538

Closed
p5pRT opened this issue Jul 20, 2006 · 8 comments

Comments


p5pRT commented Jul 20, 2006

Migrated from rt.perl.org#39893 (status was 'resolved')

Searchable as RT39893$


p5pRT commented Jul 20, 2006

From peter.karl.mueller@gmx.de

Hello!

I have installed RT 3.6.0 on top of perl 5.8.8/apache 1.3.36/mod_perl 1.2.29 without problems. After a few days of operation a comment
containing "> · " (greater, blank, bullet, tab) was
put into a ticket. The mysql-db now contains "> · "
in Attachments.Content.

After this, the ticket could no longer be fully displayed,
apache segfaults instead.

Using a debug build of libperl I found the bug occurring
in this while-loop (sv.c):

  5809 while (backw--) {
  5810     p--;
  5811     while (UTF8_IS_CONTINUATION(*p)) {
  5812         p--;
  5813         backw--;
  5814     }
  5815     ubackw++;
  5816 }

backw initially is 1 and then decremented twice resulting
in an underflow.

Unfortunately I could reproduce this neither in CPAN's RT-
installation nor in a previous installation of RT 3.4.1.

Can you give me a hint how to localize the perl module which
is interpreted while the segfault happens?

Regards

pkm

PS:

RT reports the following modules:
Perl v5.8.8 under linux



p5pRT commented Jul 31, 2006

From @nwc10

On Thu, Jul 20, 2006 at 11:36:40AM -0700, Peter Karl Mueller wrote:

> Using a debug build of libperl I found the bug occurring
> in this while-loop (sv.c)
>
>   5809          while (backw--) {
>   5810              p--;
>   5811              while (UTF8_IS_CONTINUATION(*p)) {
>   5812                  p--;
>   5813                  backw--;
>   5814              }
>   5815              ubackw++;
>   5816          }
>
> backw initially is 1 and then decremented twice resulting
> in an underflow.
>
> Unfortunately I could reproduce this neither in CPAN's RT-
> installation nor in a previous installation of RT 3.4.1.
>
> Can you give me a hint how to localize the perl module which
> is interpreted while the segfault happens?

I can't think of a good way to cut it down, and I'm not actually sure if that
specific information is useful. The problem seems to be a corrupt value in
a scalar, and that data might have come from outside the module currently
being executed.

The code in question is in Perl_sv_pos_b2u(), which has been re-written
since 5.8.8 was released. However, it's possible that the problem remains.
Are you able to get a debugger attached to the segfaulting program? If so,
what is the output from
  call Perl_sv_dump(sv)
at that point (Or Perl_sv_dump(my_perl, sv) if your perl is threaded - you
didn't send the output of perl -V)

Nicholas Clark


p5pRT commented Jul 31, 2006

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 28, 2006

From guest@guest.guest.xxxxxxxx

On Mon Jul 31 13:38:22 2006, nicholas wrote:

> The code in question is in Perl_sv_pos_b2u(), which has been re-written
> since 5.8.8 was released. However, it's possible that the problem remains.
> Are you able to get a debugger attached to the segfaulting program? If so,
> what is the output from
>   call Perl_sv_dump(sv)
> at that point (Or Perl_sv_dump(my_perl, sv) if your perl is threaded - you
> didn't send the output of perl -V)

Hi,

I can reproduce this segfault with the attached simple test case on Perl
5.8.8 (Debian GNU/Linux, testing + unstable). This is also Debian bug
#400733, http​://bugs.debian.org/400733 .

The output of Perl_sv_dump() follows; hopefully it comes through OK. It
can also be found on the Debian bug report.

(gdb) call Perl_sv_dump(my_perl, sv)
SV = PVMG(0x7bdff0) at 0x6c7220
  REFCNT = 1
  FLAGS = (SMG,POK,pPOK,UTF8)
  IV = 0
  NV = 0
  PV = 0x6f6d10 "\303\204T\303\204\\\t"\0 [UTF8 "\x{c4}T\x{c4}\\\t"]
  CUR = 7
  LEN = 8
  MAGIC = 0x6f8c70
  MG_VIRTUAL = &PL_vtbl_utf8
  MG_TYPE = PERL_MAGIC_utf8(w)
  MG_LEN = 5
  MG_PTR = 0x6e9d20
  0: 4 -> 4
  1: 0 -> 0
  MAGIC = 0x6f6ab0
  MG_VIRTUAL = &PL_vtbl_mglob
  MG_TYPE = PERL_MAGIC_regex_global(g)
  MG_LEN = 4

Cheers,
--
Niko Tyni
ntyni@iki.fi


p5pRT commented Nov 28, 2006

From guest@guest.guest.xxxxxxxx

t.pl


p5pRT commented Dec 1, 2006

From @demerphq

This ticket, which amounts to the following script:

  #!/usr/bin/perl -w
  use strict;
  use Encode;
  # UTF-8 bytes of "\x{c4}T\x{c4}\\\t", the PV shown in the sv_dump above
  my $s = "\x{c3}\x{84}\x{54}\x{c3}\x{84}\x{5c}\x{9}";

  $_ = Encode::decode('utf8', $s);
  s{\t}{pos()}e;   # pos() maps the match's byte offset back to a character offset

SEGVs in Perl 5.8.6, and is SEGV free in blead perl. I think some of my
recent patches have fixed it, but I haven't researched which.

I'd close the ticket except that it's a Debian bug as well and I'm not sure
what we do in this type of scenario.

AFAICT this is the same bug that I closed in RT#40989

Cheers,
Yves
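As an added illustration (not code from perl or from anyone in this thread), the backward walk quoted from sv.c re-done as a stand-alone C function over the PV bytes from the sv_dump, next to a byte-to-character conversion that refuses to trust a cache entry sitting on a continuation byte. The bounds checks and the cache validation are my assumptions about what a safe version needs, not perl's actual fix.

```c
#include <stdio.h>

/* Same test as perl's UTF8_IS_CONTINUATION: 10xxxxxx bytes. */
#define UTF8_IS_CONTINUATION(c) (((unsigned char)(c) & 0xC0) == 0x80)

/* Constructed sample: the PV bytes from the sv_dump above; byte 4 is a continuation byte. */
static const unsigned char SAMPLE[] = "\xc3\x84T\xc3\x84\\\t";

/* The backward walk quoted from sv.c plus the bounds checks it lacks: step back
 * 'backw' bytes from byte offset 'start', counting characters. Returns -1 where
 * the quoted loop would decrement the unsigned 'backw' from 0 (sv.c:5813). */
static long walk_back(const unsigned char *s, size_t start, size_t backw)
{
    const unsigned char *p = s + start;
    size_t ubackw = 0;
    while (backw--) {
        if (p == s) return -1;                    /* would read before the buffer */
        p--;
        while (UTF8_IS_CONTINUATION(*p)) {
            if (p == s || backw == 0) return -1;  /* the reported underflow */
            p--;
            backw--;
        }
        ubackw++;
    }
    return (long)ubackw;
}

/* Byte -> character offset via a cached (byte, char) pair as 5.8.8 does, except that
 * target and entry must both be character boundaries; a bad entry (the dump's 4 -> 4) is ignored. */
static long b2u(const unsigned char *s, size_t len, size_t byte,
                size_t cache_byte, size_t cache_char)
{
    if (byte > len || (byte < len && UTF8_IS_CONTINUATION(s[byte]))) return -1;
    int ok = cache_byte <= len && !(cache_byte < len && UTF8_IS_CONTINUATION(s[cache_byte]));
    if (ok && cache_byte >= byte) {
        long back = walk_back(s, cache_byte, cache_byte - byte);
        return back < 0 ? -1 : (long)cache_char - back;
    }
    size_t i = ok ? cache_byte : 0, chars = ok ? cache_char : 0;
    for (; i < byte; i++)                         /* count forward from a trusted point */
        if (!UTF8_IS_CONTINUATION(s[i])) chars++;
    return (long)chars;
}

int main(void)
{
    printf("%ld %ld\n", walk_back(SAMPLE, 5, 1), b2u(SAMPLE, sizeof SAMPLE - 1, 6, 4, 4));
    return 0;
}
```

Stepping back a single byte from offset 5 lands on the continuation byte at offset 4 with backw already 0, which is exactly the double decrement the reporter describes; the guarded walk returns -1 there instead of marching off the front of the buffer.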


p5pRT commented May 12, 2008

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'
