open $fh, ">", \*glob causes SEGV #10583

Closed
p5pRT opened this issue Aug 29, 2010 · 6 comments

@p5pRT

p5pRT commented Aug 29, 2010

Migrated from rt.perl.org#77492 (status was 'resolved')

Searchable as RT77492$

@p5pRT

p5pRT commented Aug 29, 2010

From @cpansprout

Oops. I sent this first to p5p instead of perlbug!

The segmentation violation actually happens when the glob is stringified, and only if the $fh has been printed to.

This crashes as of perl5.10.0:

$ perl5.8.9 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
*main::STDOUT
$ perl5.13.4 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
Segmentation fault

I believe it was change 22315/4ce457a648 that caused this. A patch is forthcoming.


Flags:
  category=core
  severity=medium


Site configuration information for perl 5.13.4:

Configured by sprout at Fri Aug 20 23:24:53 PDT 2010.

Summary of my perl5 (revision 5 version 13 subversion 4 patch v5.13.4-16-g16c9153) configuration:
Snapshot of: 9b47cdd
Platform:
  osname=darwin, osvers=10.4.0, archname=darwin-2level
  uname='darwin pint.local 10.4.0 darwin kernel version 10.4.0: fri apr 23 18:28:53 pdt 2010; root:xnu-1504.7.4~1release_i386 i386 '
  config_args='-de -Dusedevel'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=undef, use64bitall=undef, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
Compiler:
  cc='cc', ccflags ='-fno-common -DPERL_DARWIN -no-cpp-precomp -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
  optimize='-O3',
  cppflags='-no-cpp-precomp -fno-common -DPERL_DARWIN -no-cpp-precomp -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.2.1 (Apple Inc. build 5664)', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
Linker and Libraries:
  ld='env MACOSX_DEPLOYMENT_TARGET=10.3 cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib
  libs=-ldbm -ldl -lm -lutil -lc
  perllibs=-ldl -lm -lutil -lc
  libc=/usr/lib/libc.dylib, so=dylib, useshrplib=false, libperl=libperl.a
  gnulibc_version=''
Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
  cccdlflags=' ', lddlflags=' -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

Locally applied patches:


@INC for perl 5.13.4:
  /usr/local/lib/perl5/site_perl/5.13.4/darwin-2level
  /usr/local/lib/perl5/site_perl/5.13.4
  /usr/local/lib/perl5/5.13.4/darwin-2level
  /usr/local/lib/perl5/5.13.4
  /usr/local/lib/perl5/site_perl
  .


Environment for perl 5.13.4:
  DYLD_LIBRARY_PATH (unset)
  HOME=/Users/sprout
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/usr/local/bin
  PERL_BADLANG (unset)
  SHELL=/bin/bash

@p5pRT

p5pRT commented Aug 29, 2010

From @cpansprout

On Aug 29, 2010, at 1:25 PM, Father Chrysostomos wrote:

> The segmentation violation actually happens when the glob is stringified, and only if the $fh has been printed to.
>
> This crashes as of perl5.10.0:
>
> $ perl5.8.9 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
> *main::STDOUT
> $ perl5.13.4 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
> Segmentation fault
>
> I believe it was change 22315/4ce457a648 that caused this. A patch is forthcoming.

Here it is.

@p5pRT

p5pRT commented Aug 29, 2010

From @cpansprout

From: Father Chrysostomos <sprout@cpan.org>

[perl #77492] open $fh, ">", \*glob causes SEGV

PerlIO_layer_from_ref must not treat a real glob as a scalar. This
function was not updated when SVt_PVGV was moved before SVt_PVLV.

Inline Patch
diff -Nup blead/perlio.c blead-fh-segv/perlio.c
--- blead/perlio.c	2010-08-18 14:37:10.000000000 -0700
+++ blead-fh-segv/perlio.c	2010-08-28 17:18:51.000000000 -0700
@@ -1449,7 +1449,7 @@ PerlIO_layer_from_ref(pTHX_ SV *sv)
     /*
      * For any scalar type load the handler which is bundled with perl
      */
-    if (SvTYPE(sv) < SVt_PVAV) {
+    if (SvTYPE(sv) < SVt_PVAV && !isGV_with_GP(sv)) {
 	PerlIO_funcs *f = PerlIO_find_layer(aTHX_ STR_WITH_LEN("scalar"), 1);
 	/* This isn't supposed to happen, since PerlIO::scalar is core,
 	 * but could happen anyway in smaller installs or with PAR */
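Review bot: The comment directly above the changed condition still reads "For any scalar type load the handler which is bundled with perl", but with `&& !isGV_with_GP(sv)` the branch no longer covers every type below SVt_PVAV. Suggest extending that comment to say real globs are excluded and why (SVt_PVGV now sorts before SVt_PVAV, per the commit message), so a later reordering of the SV type enum does not silently change what this range test admits. It would also help to state what happens to a glob reference once it skips this branch, since the hunk does not show that path.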
diff -Nurp blead/t/io/open.t blead-fh-segv/t/io/open.t
--- blead/t/io/open.t	2010-04-13 03:07:10.000000000 -0700
+++ blead-fh-segv/t/io/open.t	2010-08-28 17:49:02.000000000 -0700
@@ -10,7 +10,7 @@ $|  = 1;
 use warnings;
 use Config;
 
-plan tests => 109;
+plan tests => 110;
 
 my $Perl = which_perl();
 
@@ -324,3 +324,16 @@ like($@, qr/Modification of a read-only 
 
     ok( open(my $f, '-|', $p),     'open -| magic');
 }
+
+# [perl #77492] Crash when stringifying a glob, a reference to which has
+#               been opened and written to.
+fresh_perl_is(
+    '
+      open my $fh, ">", \*STDOUT;
+      print $fh "hello";
+     "".*STDOUT;
+      print "ok";
+      unlink \*STDOUT;
+    ',
+    'ok', { stderr => 1 },
+    '[perl #77492]: open $fh, ">", \*glob causes SEGV');
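Review bot: The `unlink \*STDOUT;` at the end of the test program has no comment saying what it removes. The header comment only describes the crash, so a reader cannot tell from the test which file `open my $fh, ">", \*STDOUT` is expected to create, or that the unlink is cleanup for it; add a one-line comment, and consider checking the unlink result so a leftover file in the test directory gets noticed. Minor style point: `"".*STDOUT;` is indented one column less than the statements around it.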

@p5pRT

p5pRT commented Sep 1, 2010

From @rafl

Father Chrysostomos <sprout@cpan.org> writes:

> The segmentation violation actually happens when the glob is stringified, and only if the $fh has been printed to.
>
> This crashes as of perl5.10.0:
>
> $ perl5.8.9 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
> *main::STDOUT
> $ perl5.13.4 -le' open my $fh, ">", \*STDOUT; print $fh "hello"; print *STDOUT'
> Segmentation fault
>
> I believe it was change 22315/4ce457a648 that caused this. A patch is forthcoming.
>
> Here it is.

Thanks! Applied as 10cea94.

@p5pRT

p5pRT commented Sep 1, 2010

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Sep 1, 2010

@rafl - Status changed from 'open' to 'resolved'
