Segfault due to a semicolon inside a dynamic array ref. #8693

Closed
p5pRT opened this issue Nov 27, 2006 · 9 comments

Comments


p5pRT commented Nov 27, 2006

Migrated from rt.perl.org#40995 (status was 'resolved')

Searchable as RT40995$


p5pRT commented Nov 27, 2006

From @shlomif

Created by @shlomif

The following script is a test case for a segfault I'm getting in the
compilation phase because of a semicolon inside a dynamic array ref.
The code can be taken out of the eval, but then it would be harder to test,
and with the eval the problem is still reproduced.

<<<<<<<<<<<<<<<<<<

use strict;
use warnings;

use Test::More tests => 1;

eval <<'EOF';
sub func1
{
  my ($i, $j) = @_;

  sub { return [ $i->func2(); ]; };
}
EOF

# TEST
ok(1, "Test compilation of semicolon inside [ ... ]");

Regards,

  Shlomi Fish
  http://www.shlomifish.org/

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.8:

Configured by Mandriva at Fri Sep  8 20:00:54 CEST 2006.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=linux, osvers=2.6.12-12mdksmp, archname=i386-linux
    uname='linux n4.mandriva.com 2.6.12-12mdksmp #1 smp fri sep 9 17:43:23 cest 2005 i686 intel(r) xeon(tm) cpu 2.80ghz gnulinux '
    config_args='-des -Dinc_version_list=5.8.7 5.8.7/i386-linux 5.8.6 5.8.6/i386-linux 5.8.5 5.8.4 5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Darchname=i386-linux -Dcc=gcc -Doptimize=-O2  -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fomit-frame-pointer -march=i586 -mtune=pentiumpro -fasynchronous-unwind-tables -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr -Dsitebin=/usr/local/bin -Dsiteman1dir=/usr/local/share/man/man1 -Dsiteman3dir=/usr/local/share/man/man3 -Dman3ext=3pm -Dcf_by=Mandriva -Dmyhostname=localhost -Dperladmin=root@localhost -Dcf_email=root@localhost -Dd_dosuid -Ud_csh -Duseshrplib'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fomit-frame-pointer -march=i586 -mtune=pentiumpro -fasynchronous-unwind-tables',
    cppflags='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='4.1.1 20060724 (prerelease) (4.1.1-3mdk)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldl -lm -lcrypt -lutil -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.4.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.8/i386-linux/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    Mandriva Linux patches


@INC for perl v5.8.8:
    /home/shlomi/apps/perl/modules/lib/perl5/site_perl/5.8.8//i386-linux
    /home/shlomi/apps/perl/modules/lib/perl5/site_perl/5.8.8/
    /home/shlomi/apps/perl/modules/lib/perl5/5.8.8/i386-linux
    /home/shlomi/apps/perl/modules/lib/perl5/5.8.8
    /usr/lib/perl5/5.8.8/i386-linux
    /usr/lib/perl5/5.8.8
    /usr/lib/perl5/site_perl/5.8.8/i386-linux
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8/i386-linux
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.7/i386-linux
    /usr/lib/perl5/vendor_perl/5.8.6
    /usr/lib/perl5/vendor_perl/5.8.6/i386-linux
    /usr/lib/perl5/vendor_perl/5.8.4
    /usr/lib/perl5/vendor_perl
    .


Environment for perl v5.8.8:
    HOME=/home/shlomi
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_ADDRESS=en_US.UTF-8
    LC_COLLATE=en_US.UTF-8
    LC_CTYPE=en_US.UTF-8
    LC_IDENTIFICATION=en_US.UTF-8
    LC_MEASUREMENT=en_US.UTF-8
    LC_MESSAGES=en_US.UTF-8
    LC_MONETARY=en_US.UTF-8
    LC_NAME=en_US.UTF-8
    LC_NUMERIC=en_US.UTF-8
    LC_PAPER=en_US.UTF-8
    LC_SOURCED=1
    LC_TELEPHONE=en_US.UTF-8
    LC_TIME=en_US.UTF-8
    LD_LIBRARY_PATH=/usr/local/apps/svn-repos/lib/
    LOGDIR (unset)
    PATH=/home/shlomi/apps/perl/modules/bin:/home/shlomi/apps/latemp/bin:/home/shlomi/apps/file/gringotts/bin:/home/shlomi/apps/gimageview/bin:/home/shlomi/apps/test/quadpres/bin:/usr/local/apps/svn-repos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/games:/usr/lib/qt3//bin:/home/shlomi/bin:/usr/lib/ssh:/usr/lib/qt3//bin
    PERL5LIB=/home/shlomi/apps/perl/modules/lib/perl5/site_perl/5.8.8/:/home/shlomi/apps/perl/modules/lib/perl5/5.8.8
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Nov 27, 2006

From a.r.ferreira@gmail.com

On 11/27/06, via RT Shlomi Fish <perlbug-followup@perl.org> wrote:

The following script is a test case for a segfault I'm getting in the
compilation phase because of a semicolon inside a dynamic array ref.
The code can be taken out of the eval, but then it would be harder to test,
and with the eval the problem is still reproduced.

<<<<<<<<<<<<<<<<<<

use strict;
use warnings;

use Test::More tests => 1;

eval <<'EOF';
sub func1
{
my ($i, $j) = @_;

sub { return [ $i->func2(); ]; };

}
EOF

# TEST
ok(1, "Test compilation of semicolon inside [ ... ]");

In Cygwin, I got

$ perl h.pl
  7 [main] perl 1856 _cygtls::handle_exceptions: Error while dumping state (
probably corrupted stack)
Segmentation fault (core dumped)

This code still segfaults:

  sub
  {
  my ($i, $j) = @_;
  sub { [ $i->f(); ] };
  }

but not this

  sub
  {
  my ($i) = @_;
  sub { [ $i->f(); ] };
  }

which dies

$ perl h.pl
syntax error at h.pl line 6, near ");"
syntax error at h.pl line 7, near "}"
Execution of h.pl aborted due to compilation errors.


p5pRT commented Nov 27, 2006

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 27, 2006

From @rgs

From my tests, this appears to be resolved in bleadperl.


p5pRT commented Nov 27, 2006

@rgs - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Nov 27, 2006

p5pRT commented Nov 27, 2006

From guest@guest.guest.xxxxxxxx

Hi, I see you closed the bug as resolved because it does not happen in
bleadperl. Well, not so fast, please. What still needs to be done is:

1. Add this as a test-case to the perl 5 test-suite.

2. Write a patch for the perl-5.8.x line. (Which is still heavily
used).

3. Investigate the crash, and see if it poses security risks.

This problem may possibly be used to crash programs that let the user
evaluate Perl code. (such as eval IRC bots, PostgreSQL's PL/Perl
etc.), so it also needs to be fixed in 5.8.x.

Regards,

  Shlomi Fish

On Mon Nov 27 09:52:54 2006, rafael wrote:

From my tests, this appears to be resolved in bleadperl.
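A defensive harness for the scenario raised above (hosts such as eval bots or PL/Perl that compile user-supplied Perl), added here as an example; it is not part of the original report and not Perl's own code. It compiles the submitted source in a forked child so that an interpreter crash during the compile phase is contained and reported by its signal number (11 is SIGSEGV, matching the `$?='11'` seen later in this thread) instead of taking down the host process. The function name `compile_isolated`, the three sample strings and the status vocabulary are my assumptions; the samples are constructed from snippets in this thread, and whether the first one still crashes depends on the perl version, as the thread discusses.

```perl
#!/usr/bin/perl
# Added example (not from the original report): compile untrusted Perl
# source in a child process so a compile-phase crash cannot kill the host.
use strict;
use warnings;
use POSIX ();

# Compile $src in a forked child and return a hashref:
#   status => 'ok' | 'compile_error' | 'crashed'
#   signal => signal number when the child died on a signal (11 = SIGSEGV)
#   error  => the compile error text, when status is 'compile_error'
sub compile_isolated {
    my ($src) = @_;

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: compile (and, for a definition-only snippet, run) the
        # source; report $@ back to the parent through the pipe.
        close $rd;
        my $ok = eval "$src\n;1";
        print {$wr} ($ok ? '' : "$@");
        close $wr;               # flush before _exit, which skips stdio
        POSIX::_exit($ok ? 0 : 1);
    }

    # Parent: read the child's report, then decode its wait status.
    close $wr;
    my $error = do { local $/; <$rd> };
    close $rd;
    waitpid($pid, 0);

    my $signal = $? & 127;       # low 7 bits: terminating signal, if any
    my $exit   = $? >> 8;        # high byte: exit code

    return { status => 'crashed', signal => $signal } if $signal;
    return { status => 'compile_error', error => $error } if $exit;
    return { status => 'ok' };
}

# Constructed inputs taken from the snippets in this thread (assumption:
# which of them crash depends on the perl version under test).
my %samples = (
    trigger => 'sub func1 { my ($i, $j) = @_; sub { return [ $i->func2(); ]; }; }',
    clean   => 'sub func1 { my ($i, $j) = @_; sub { return [ $i->func2() ]; }; }',
    broken  => 'sub func1 { my ($i) = @_; sub { [ $i->f(); ] }; }',
);

for my $name (sort keys %samples) {
    my $r = compile_isolated($samples{$name});
    my $detail = $r->{status} eq 'crashed'       ? "signal $r->{signal}"
               : $r->{status} eq 'compile_error' ? (split /\n/, ($r->{error} || ''))[0]
               :                                    'compiled';
    printf "%-8s %-14s %s\n", $name, $r->{status}, $detail;
}
```

The parent never evaluates the string itself, so the only state a crash can corrupt is the child's; the host decides what to log or rate-limit based on `status` and `signal` rather than on surviving the compile.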


p5pRT commented Dec 12, 2006

From @shlomif

Replying to myself I'd like to re-open this bug because it still
affects perl-5.8.x. (per Nicholas Clark's request).

Regards,

  Shlomi Fish

On Mon Nov 27 13:09:54 2006, guest wrote:

Hi, I see you closed the bug as resolved because it does not happen in
bleadperl. Well, not so fast, please. What still needs to be done is:

1. Add this as a test-case to the perl 5 test-suite.

2. Write a patch for the perl-5.8.x line. (Which is still heavily
used).

3. Investigate the crash, and see if it poses security risks.

This problem may possibly be used to crash programs that let the user
evaluate Perl code. (such as eval IRC bots, PostgreSQL's PL/Perl
etc.), so it also needs to be fixed in 5.8.x.

Regards,

Shlomi Fish

On Mon Nov 27 09:52:54 2006, rafael wrote:

From my tests, this appears to be resolved in bleadperl.


p5pRT commented Mar 12, 2007

From @andk

On Mon, 27 Nov 2006 09:52:55 -0800, "Rafael Garcia-Suarez via RT" <perlbug-followup@perl.org> said:

FWIW, this is what binary search says​:

----Program----
use strict;
use warnings;

use Test::More tests => 1;

eval <<'EOF';
sub func1
{
my ($i, $j) = @_;

sub { return [ $i->func2(); ]; };
}
EOF

# TEST
ok(1, "Test compilation of semicolon inside [ ... ]");

----Output of .../p4uyj6N/perl-5.8.0@22273/bin/perl----
1..1

----EOF ($?='11')----
----Output of .../pO842AD/perl-5.8.0@22278/bin/perl----
1..1
ok 1 - Test compilation of semicolon inside [ ... ]

----EOF ($?='0')----

Change 22278 by nicholas@faith on 2004/02/07 19:50:10

  hv_clear_placeholders now manipulates the linked lists directly, rather
  than using the iterator interface and calling hv_delete
  This will allow hv_delete to be simplified to remove most of the
  special casing related to placeholders.

--
andreas


p5pRT commented Mar 12, 2007

From @iabyn

On Mon, Mar 12, 2007 at 07:01:22AM +0100, Andreas J. Koenig wrote:

On Mon, 27 Nov 2006 09:52:55 -0800, "Rafael Garcia-Suarez via RT" <perlbug-followup@perl.org> said:

FWIW, this is what binary search says​:

In this case, the result is a bit misleading. The actual bug is in using the
wrong pad when freeing ops after a compile error in a sub. Whether it
segfaults is down to luck.

----Program----
use strict;
use warnings;

use Test::More tests => 1;

eval <<'EOF';
sub func1
{
my ($i, $j) = @_;

sub { return [ $i->func2(); ]; };
}
EOF

# TEST
ok(1, "Test compilation of semicolon inside [ ... ]");

----Output of .../p4uyj6N/perl-5.8.0@22273/bin/perl----
1..1

----EOF ($?='11')----
----Output of .../pO842AD/perl-5.8.0@22278/bin/perl----
1..1
ok 1 - Test compilation of semicolon inside [ ... ]

----EOF ($?='0')----

Change 22278 by nicholas@faith on 2004/02/07 19:50:10

    hv_clear_placeholders now manipulates the linked lists directly, rather
    than using the iterator interface and calling hv_delete
    This will allow hv_delete to be simplified to remove most of the
    special casing related to placeholders.

--
andreas

--
My get-up-and-go just got up and went.
