From @andk

[Actually this is 5.005_62 with Sarathy's patches up to 4590]

The same program cores with _54, _56, and an unpatched _62 too.
Core seems independent of mymalloc and OS. I have seen it on both
Solaris and Linux.

It is a rather big program that has mod_perl, DBI, Storable,
Image​::Magick, MLDBM, Unicode​::String, and ca hundred perl-only
modules involved.

I see no chance at this point to make a test case out of this
application.

Program received signal SIGSEGV, Segmentation fault.
0x814b6a2 in Perl_newSV (len=0) at sv.c​:2899
2899 new_SV(sv);
(gdb) bt
#0 0x814b6a2 in Perl_newSV (len=0) at sv.c​:2899
#1 0x813e40a in Perl_pp_aassign () at pp_hot.c​:695
#2 0x813b6df in Perl_runops_debug () at run.c​:56
#3 0x80e9219 in S_call_xbody (myop=0xbffff9d4, is_eval=0) at perl.c​:1472
#4 0x80e91cd in S_call_body (args=0xbffff8e8) at perl.c​:1456
#5 0x816ada7 in Perl_vdefault_protect (pcur_env=0xbffff90c, excpt=0xbffff9c0,
  body=0x80e919c <S_call_body>, args=0xbffff8c4) at scope.c​:45
#6 0x816acbd in Perl_default_protect (pcur_env=0xbffff90c, excpt=0xbffff9c0,
  body=0x80e919c <S_call_body>) at scope.c​:26
#7 0x80e8e6f in perl_call_sv (sv=0x82762e4, flags=4) at perl.c​:1390
#8 0x807cd27 in perl_call_handler (sv=0x82762e4, r=0x9367c3c, args=0x0)
  at mod_perl.c​:1511
#9 0x807c487 in perl_run_stacked_handlers (hook=0x81a90fa "PerlHandler",
  r=0x9367c3c, handlers=0x8276290) at mod_perl.c​:1240
#10 0x807a8c5 in perl_handler (r=0x9367c3c) at mod_perl.c​:803
#11 0x80a3aa3 in ap_invoke_handler ()
#12 0x80b6b41 in process_request_internal ()
#13 0x80b6ba0 in ap_process_request ()
#14 0x80ae405 in child_main ()
#15 0x80ae590 in make_child ()
#16 0x80ae6eb in startup_children ()
#17 0x80aecd8 in standalone_main ()
#18 0x80af52b in main ()

FWIW, here the stack trace of the same perl without debugging​:

Program received signal SIGSEGV, Segmentation fault.
0x8112711 in Perl_pp_entersub ()
(gdb) bt
#0 0x8112711 in Perl_pp_entersub ()
#1 0x810d7b6 in Perl_runops_standard ()
#2 0x80d71fe in perl_call_sv ()
#3 0x80d71c4 in perl_call_sv ()
#4 0x8126f9a in Perl_vdefault_protect ()
#5 0x8126f0e in Perl_default_protect ()
#6 0x80d6fd7 in perl_call_sv ()
#7 0x807b806 in perl_call_handler ()
#8 0x807b211 in perl_run_stacked_handlers ()
#9 0x807a149 in perl_handler ()
#10 0x8092e13 in ap_invoke_handler ()
#11 0x80a5eb1 in ap_some_auth_required ()
#12 0x80a5f10 in ap_process_request ()
#13 0x809d775 in ap_child_terminate ()
#14 0x809d900 in ap_child_terminate ()
#15 0x809da5b in ap_child_terminate ()
#16 0x809e048 in ap_child_terminate ()
#17 0x809e89b in main ()

Site configuration information for perl 5.00563:

Configured by k at Thu Nov 18 16:20:57 CET 1999.

Summary of my perl5 (revision 5.0 version 5 subversion 63) configuration:
  Platform:
    osname=linux, osvers=2.2.12, archname=i586-linux
    uname='linux hohenstaufen.in-berlin.de 2.2.12 #2 smp sat oct 2 11:10:42 cest 1999 i586 unknown '
    config_args='-Dprefix=/sources-perl/inst/perl5.005_62..4590g -Doptimize=-g -des -Dusemymalloc'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef useperlio=undef d_sfio=undef
    use64bits=undef usemultiplicity=undef
  Compiler:
    cc='cc', optimize='-g', gccversion=2.7.2.3
    cppflags='-Dbool=char -DHAS_BOOL -DDEBUGGING -I/usr/local/include'
    ccflags ='-Dbool=char -DHAS_BOOL -DDEBUGGING -I/usr/local/include'
    stdchar='char', d_stdstdio=define, usevfork=false
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    alignbytes=4, usemymalloc=y, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldb -ldl -lm -lc -lposix -lcrypt
    libc=/lib/libc-2.0.7.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl 5.00563:
    /sources-perl/inst/perl5.005_62..4590g/lib/5.00563/i586-linux
    /sources-perl/inst/perl5.005_62..4590g/lib/5.00563
    /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/5.00563/i586-linux
    /sources-perl/inst/perl5.005_62..4590g/lib/site_perl
    .


Environment for perl 5.00563:
    HOME=/home/k
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/k/bin:/usr/local/bin:/usr/bin:/bin:.:/usr/local/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/perl/bin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh

From @TimToady

Andreas J. Koenig writes​:
: The same program cores with _54, _56, and an unpatched _62 too.
: Core seems independent of mymalloc and OS. I have seen it on both
: Solaris and Linux.
:
: It is a rather big program that has mod_perl, DBI, Storable,
: Image​::Magick, MLDBM, Unicode​::String, and ca hundred perl-only
: modules involved.
:
: I see no chance at this point to make a test case out of this
: application.

Perhaps you could "use sigtrap" and collect Perl's view of the call stack
with Carp​::confess.

Larry

From @andk

An update and a test case.

On Thu, 18 Nov 1999 11​:24​:49 -0800 (PST), Larry Wall <larry@​wall.org> said​:

Andreas J. Koenig writes​:
: The same program cores with _54, _56, and an unpatched _62 too.
: Core seems independent of mymalloc and OS. I have seen it on both
: Solaris and Linux.

This is still true. 5.00503 seems to be immune against this SEGV.

:
: It is a rather big program that has mod_perl, DBI, Storable,
: Image​::Magick, MLDBM, Unicode​::String, and ca hundred perl-only
: modules involved.

I've got rid of all external modules except for mod_perl and CGI.pm.
So an apache is needed too, of course.

: I see no chance at this point to make a test case out of this
: application.

Perhaps you could "use sigtrap" and collect Perl's view of the call stack
with Carp​::confess.

Thanks for the reminder, but no, that sometimes showed nothing and
sometimes showed

  Out of memory during "large" request for 1073745920 bytes at???` line 48.

It looks to me as if somebody is writing over perl's own memory before
somebody tries to access memory outside perl.

Thanks also to Doug's bag of tricks he sent me. They helped me to keep
a certain amount of sanity while deconstructing my application.

I've reduced everything to *two* files, a handler and an httpd.conf. A
total of 237 lines of extremely simple code. You will note that there
are many stub methods, unused global variables, and unused pseudo hash
keys. They are needed to reproduce the SEGV. At least did I stop the
search for further reduction when the code was easy enough to read and
my trials to cut anything out became so unpleasantly unsuccessful.

During the deconstruction I saw many different SEGVs, but during the
last 100 steps or so I always saw the same. Here is the trace​:

1254 if (HeHASH(entry) != hash) /* strings can't be equal */
(gdb) bt
#0 0x8138a76 in Perl_share_hek (str=0x842f7a8 "delete", len=6,
  hash=4163478448) at hv.c​:1254
#1 0x8136a8b in Perl_hv_store (hv=0x8404218, key=0x842f7a8 "delete", klen=6,
  val=0x83cc588, hash=4163478448) at hv.c​:341
#2 0x81365a2 in Perl_hv_fetch (hv=0x8404218, key=0x842f7a8 "delete", klen=6,
  lval=1) at hv.c​:172
#3 0x80ee9ff in Perl_gv_fetchmeth (stash=0x8404218, name=0x842f7a8 "delete",
  len=6, level=0) at gv.c​:174
#4 0x80ef048 in Perl_gv_fetchmethod_autoload (stash=0x8404218,
  name=0x842f7a8 "delete", autoload=1) at gv.c​:315
#5 0x80eeee2 in Perl_gv_fetchmethod (stash=0x8404218, name=0x842f7a8 "delete")
  at gv.c​:281
#6 0x81446f5 in S_method_common (meth=0x84292fc, hashp=0xbffff838)
  at pp_hot.c​:2775
#7 0x81443cf in Perl_pp_method_named () at pp_hot.c​:2708
#8 0x813b6df in Perl_runops_debug () at run.c​:56
#9 0x80e9219 in S_call_xbody (myop=0xbffff9b4, is_eval=0) at perl.c​:1472
#10 0x80e91cd in S_call_body (args=0xbffff8c8) at perl.c​:1456
#11 0x816ada7 in Perl_vdefault_protect (pcur_env=0xbffff8ec, excpt=0xbffff9a0,
  body=0x80e919c <S_call_body>, args=0xbffff8a4) at scope.c​:45
#12 0x816acbd in Perl_default_protect (pcur_env=0xbffff8ec, excpt=0xbffff9a0,
  body=0x80e919c <S_call_body>) at scope.c​:26
#13 0x80e8e6f in perl_call_sv (sv=0x83cc29c, flags=4) at perl.c​:1390
#14 0x807cd27 in perl_call_handler (sv=0x83cc29c, r=0x83d4c3c, args=0x0)
  at mod_perl.c​:1511
#15 0x807c487 in perl_run_stacked_handlers (hook=0x81a90fa "PerlHandler",
  r=0x83d4c3c, handlers=0x83cc248) at mod_perl.c​:1240
#16 0x807a8c5 in perl_handler (r=0x83d4c3c) at mod_perl.c​:803
#17 0x80a3aa3 in ap_invoke_handler ()
#18 0x80b6b41 in process_request_internal ()
#19 0x80b6ba0 in ap_process_request ()
#20 0x80ae405 in child_main ()
#21 0x80ae590 in make_child ()
#22 0x80ae6eb in startup_children ()
#23 0x80aecd8 in standalone_main ()
#24 0x80af52b in main ()

I'd appreciate if somebody else could look into it, I'm currently at
my wit's end.

--
andreas

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.2).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 1999-11-22 12​:42 by <k@​hohenstaufen.in-berlin.de>.
# Source directory was `/apache/librondebug'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains​:
# length mode name
# ------ ---------- ------------------------------------------
# 726 -rw-r--r-- map_box/README
# 1633 -rw-r--r-- map_box/segv.pm
# 2823 -rw-r--r-- map_box/httpd.conf
#
save_IFS="${IFS}"
IFS="${IFS}​:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
  && ($dir/gettext --version >/dev/null 2>&1)
  then
  set `$dir/gettext --version 2>&1`
  if test "$3" = GNU
  then
  gettext_dir=$dir
  fi
  fi
  if test "$locale_dir" = FAILED && test -f $dir/shar \
  && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
  then
  locale_dir=`$dir/shar --print-text-domain-dir`
  fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
  echo=echo
else
  TEXTDOMAINDIR=$locale_dir
  export TEXTDOMAINDIR
  TEXTDOMAIN=sharutils
  export TEXTDOMAIN
  echo="$gettext_dir/gettext -s"
fi
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  shar_touch=​:
  echo
  $echo 'WARNING​: not restoring timestamps. Consider getting and'
  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 1231235999 $$.touch
#
if mkdir _sh21998; then
  $echo 'x -' 'creating lock directory'
else
  $echo 'failed to create lock directory'
  exit 1
fi
# ============= map_box/README ==============
if test ! -d 'map_box'; then
  $echo 'x -' 'creating directory' 'map_box'
  mkdir 'map_box'
fi
if test -f 'map_box/README' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'map_box/README' '(file already exists)'
else
  $echo 'x -' extracting 'map_box/README' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'map_box/README' &&
XDemo of a SEGV with perl5.005_{54,56,62,62+} (I haven't tried versions
Xin between)
X
XI've demoed the SEGV with various apaches and various mod_perls.
X
XThe httpd.conf is a httpd.conf. Leave it as it is, any change might be
Xcrucial. I believe you can change the line where an @​INC is assigned
Xto meet your needs. Whenever I tried to remove a global variable
Xthere or just an innocent looking line, the SEGV went away.
X
XThe other file is the package map_box​::segv which contains a couple of
Xpackages. It must be found as a handler.
X
XThe URL that triggers the SEGV on my system is http​://localhost/r99/query
X
XI wanted to change the URL to something easier to remember, like
X/segv, but that didn't work.
X
XEnjoy,
Xandreas, 1999-11-22
SHAR_EOF
  $shar_touch -am 1122124199 'map_box/README' &&
  chmod 0644 'map_box/README' ||
  $echo 'restore of' 'map_box/README' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage​: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
  md5sum -c << SHAR_EOF >/dev/null 2>&1 \
  || $echo 'map_box/README​:' 'MD5 check failed'
a04120e9a829661a9e5a23290c51f291 map_box/README
SHAR_EOF
  else
  shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'map_box/README'`"
  test 726 -eq "$shar_count" ||
  $echo 'map_box/README​:' 'original size' '726,' 'current size' "$shar_count!"
  fi
fi
# ============= map_box/segv.pm ==============
if test -f 'map_box/segv.pm' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'map_box/segv.pm' '(file already exists)'
else
  $echo 'x -' extracting 'map_box/segv.pm' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'map_box/segv.pm' &&
Xpackage map_box​::aplan;
Xuse Apache​::Constants;
Xuse strict;
Xuse vars qw(%FIELDS $VERSION );
Xuse fields ( "A1".."L5");
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+)\.(\d+)/;
X
Xsub new {
X my($class,%opt) = @​_;
X no strict "refs";
X my $self = bless [\%{"$class\​::FIELDS"}], $class;
X $self;
X}
X
Xsub finish {
X my map_box​::aplan $self = shift;
X my $r = $self->{B6};
X eval { require Notexist​::Compress​::Zlib; };
X $r->send_http_header;
X $r->print($self->{A6});
X require Apache​::Constants;
X Apache​::Constants​::DONE();
X}
X
Xsub a1;
X
Xpackage map_box​::zoom_object;
Xuse strict;
Xuse vars qw($VERSION);
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+)\.(\d+)/;
X
Xsub z1;
Xsub z2;
Xsub z3;
Xsub z4;
Xsub z5;
Xsub z6;
Xsub z7;
Xsub z8;
X
Xpackage map_box​::main;
Xuse base 'map_box​::aplan';
Xuse strict;
Xuse vars qw($VERSION);
Xuse fields ("R1".."S2");
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+)\.(\d+)/;
X
Xsub m1;
Xsub m2;
X
Xpackage map_box​::hidden;
Xuse base 'Class​::Singleton';
Xuse strict;
Xuse vars qw($VERSION);
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+).(\d+)/;
X
Xsub h1;
Xsub h2;
X
Xpackage map_box​::ort;
Xuse base 'Class​::Singleton';
Xuse strict;
Xuse vars qw($OrtTable $VERSION);
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+).(\d+)/;
X
Xpackage map_box​::segv;
Xuse strict;
Xuse vars qw($VERSION);
X$VERSION = sprintf "%d.%03d", q$Revision​: 1.4 $ =~ /(\d+)\.(\d+)/;
X
Xsub handler {
X my($r) = @​_;
X use CGI qw(-compile);
X my $self = map_box​::main->new(
X B6 => $r,
X A4 => CGI->new,
X ) or
X die "Could not create an aplan object";
X $self->{A6} = "Hello World,\n";
X $self->finish;
X}
X
X1;
SHAR_EOF
  $shar_touch -am 1122115799 'map_box/segv.pm' &&
  chmod 0644 'map_box/segv.pm' ||
  $echo 'restore of' 'map_box/segv.pm' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage​: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
  md5sum -c << SHAR_EOF >/dev/null 2>&1 \
  || $echo 'map_box/segv.pm​:' 'MD5 check failed'
b72141cad555f3aa80edf9879d19cdab map_box/segv.pm
SHAR_EOF
  else
  shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'map_box/segv.pm'`"
  test 1633 -eq "$shar_count" ||
  $echo 'map_box/segv.pm​:' 'original size' '1633,' 'current size' "$shar_count!"
  fi
fi
# ============= map_box/httpd.conf ==============
if test -f 'map_box/httpd.conf' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'map_box/httpd.conf' '(file already exists)'
else
  $echo 'x -' extracting 'map_box/httpd.conf' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'map_box/httpd.conf' &&
X# -*- Mode​: Cperl; -*-
X
X
X<IfModule noexist.c>
X
X=pod
X
X</IfModule>
X
X<IfModule mod_perl.c>
X
X <Perl>
X
X=head1 SEE ME
X
XA lone =cut _starts_ pod
X
X=cut
X
X #!perl
X
Xuse Apache​::httpd_conf;
X
Xuse strict;
Xuse vars qw(
X $AccessConfig
X $BrowserMatch
X $CoreDumpDirectory
X $DefaultType
X $DocumentRoot
X $ErrorLog
X $Group
X $HostnameLookups
X $KeepAlive
X $KeepAliveTimeout
X $LanguagePriority
X $Listen
X $LogFormat
X $MaxClients
X $MaxKeepAliveRequests
X $MaxRequestsPerChild
X $MaxSpareServers
X $MinSpareServers
X $PassEnv
X $PerlChildInitHandler
X $PerlPostReadRequestHandler
X $PerlSetEnv
X $PerlSetupEnv
X $PerlWarn
X $PidFile
X $Port
X $ResourceConfig
X $ScoreBoardFile
X $ServerAdmin
X $ServerRoot
X $ServerType
X $StartServers
X $Timeout
X $TransferLog
X $User
X %Location
X @​Alias
X @​ScriptAlias
X @​PerlSetEnv
X);
X
X
X$ServerType = "standalone";
X$HostnameLookups = "Off";
X$User = "nobody";
X$Group = "nobody";
X$BrowserMatch = "Mozilla/2 nokeepalive";
X$ServerRoot = "/usr/local/apache";
X$CoreDumpDirectory = "$ServerRoot/cores";
X$LogFormat = ('"%h %l %u %t \\"%r\\" %s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\" %P %T"');
X$KeepAlive = "On";
X$MaxKeepAliveRequests = 100;
X$KeepAliveTimeout = 1;
X$MinSpareServers = 10;
X$MaxSpareServers = 35;
X$StartServers = 25;
X$MaxClients = 36;
X$MaxRequestsPerChild = 1055;
X$PerlWarn = "On";
X
Xmy $SWITCH8000 = Apache->define("SWITCH8000");
X
Xmy $ext = $SWITCH8000 ? ".8000" : "";
X
X$ErrorLog = "logs/error_log$ext";
X$TransferLog = "logs/access_log$ext";
X$PidFile = "logs/httpd.pid$ext";
X$ScoreBoardFile = "logs/apache_status$ext";
X
X$AccessConfig = "/dev/null";
X$ResourceConfig = "/dev/null";
X$DocumentRoot = "/usr/local/apache/htdocs";
X$DefaultType = "text/plain";
X
X$LanguagePriority = "en fr de";
X@​Alias = (
X [qw( /icons/ /usr/local/apache/icons/ )],
X [qw( /perl/ /usr/local/apache/perl/ )]
X );
X@​ScriptAlias = ([qw( /cgi-bin/ /usr/local/apache/cgi-bin/ )]);
X$PassEnv = "Language";
X
Xfor my $loc (qw( /status )){
X $Location{$loc}{SetHandler} = "server-status";
X}
Xfor my $loc (qw( /server-info )){
X $Location{$loc}{SetHandler} = "server-info";
X}
Xfor my $loc (qw( /disabled )){
X $Location{$loc}{SetHandler} = "perl-script";
X $Location{$loc}{PerlHandler} = "perl_pause​::disabled";
X}
X
Xmy $me;
Xchop($me = `uname -n`);
X
Xunless ($me){
X require Net​::Domain; # pollutes namespace like a pig if h2ph has been run
X my $me = Net​::Domain->hostfqdn;
X}
X
Xmy $ord_port = $SWITCH8000 ? 8000 : 81;
X$Port = $ord_port;
X$Listen = $ord_port;
X$Location{"/"}{PerlSetupEnv} = "Off";
X
Xunshift @​INC, "/usr/local/apache/librondebug";
X
X# why two locations having the same handler? Just to demo the SEGV.
Xfor my $loc (qw( /segv1 /r99/query )){
X $Location{$loc}{SetHandler} = "perl-script";
X $Location{$loc}{PerlHandler} = "map_box​::segv";
X}
X
X__END__
X
X
X=pod seen from perls standpoint
X
X</Perl>
X
X</IfModule>
X
X<IfModule noexist.c>
X
X=cut
X
X</IfModule>
X
SHAR_EOF
  $shar_touch -am 1122115799 'map_box/httpd.conf' &&
  chmod 0644 'map_box/httpd.conf' ||
  $echo 'restore of' 'map_box/httpd.conf' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage​: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
  md5sum -c << SHAR_EOF >/dev/null 2>&1 \
  || $echo 'map_box/httpd.conf​:' 'MD5 check failed'
2eaaab4a2b04a617718260bfa579b3ea map_box/httpd.conf
SHAR_EOF
  else
  shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'map_box/httpd.conf'`"
  test 2823 -eq "$shar_count" ||
  $echo 'map_box/httpd.conf​:' 'original size' '2823,' 'current size' "$shar_count!"
  fi
fi
rm -fr _sh21998
exit 0

From [Unknown Contact. See original ticket]

Andreas J. Koenig writes​:

Thanks for the reminder, but no, that sometimes showed nothing and
sometimes showed

Out of memory during "large" request for 1073745920 bytes at=84` lin=
e 48.

PERLDB_OPTS="N f=7 A" ?

Ilya

From @andk

On Mon, 22 Nov 1999 13​:50​:20 -0500 (EST), Ilya Zakharevich <ilya@​math.ohio-state.edu> said​:

Andreas J. Koenig writes​:

Thanks for the reminder, but no, that sometimes showed nothing and
sometimes showed

Out of memory during "large" request for 1073745920 bytes at=84` lin=
e 48.

PERLDB_OPTS="N f=7 A" ?

I had done so several times but not yet on the current destilled code.
This looks like an even faster death than I had under gdb alone.
Does it tell you something?

PERLDB_OPTS="NonStop=1 LineInfo=./perldb.out AutoTrace=1 frame=31" PERL5OPT=-d gdb /usr/local/apache/bin/httpd-1.3.9+p5.00562..4590g+mp1.21-1118ak
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) set args -f /usr/local/apache/librondebug/map_box/httpd.conf -X
(gdb) r
Starting program​: /usr/local/apache/bin/httpd-1.3.9+p5.00562..4590g+mp1.21-1118ak -f /usr/local/apache/librondebug/map_box/httpd.conf -X
Bad free() ignored at /sources-perl/inst/perl5.005_62..4590g/lib/5.00563/perl5db.pl line 1375.
  DB​::dump_trace(0, 1, 0, 1) called at /sources-perl/inst/perl5.005_62..4590g/lib/5.00563/perl5db.pl line 1335
  DB​::print_trace('/sources-perl/inst/perl5.005_62..4590g/lib/5.00563/Carp/Heavy.pm', 'File​::Spec', 'linux') called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec.pm line 44
  require File/Spec.pm called at /sources-perl/inst/perl5.005_62..4590g/lib/5.00563/i586-linux/IO/File.pm line 113
  IO​::File​::BEGIN() called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  eval '0' called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  require IO/File.pm called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/5.00563/i586-linux/Apache/httpd_conf.pm line 6
  Apache​::httpd_conf​::BEGIN(undef, 0, undef, 0) called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  eval '0' called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  require Apache/httpd_conf.pm called at /usr/local/apache/librondebug/map_box/httpd.conf line 22
  ApacheReadConfig​::BEGIN('*ApacheReadConfig​::Files', '*ApacheReadConfig​::FilesMatch', '*ApacheReadConfig​::Limit', 'package ApacheReadConfig;^J^J#line 13 /usr/local/apache/librondebu...') called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  eval '0' called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0
  eval 'package ApacheReadConfig;

#line 13 /usr/local/apache/librondebug/map_box/httpd.conf

=head1 SEE ME

A lone =cut _starts_ pod

=cut

#!perl

use Apache​::httpd_conf;

use strict;
use vars qw(
$AccessConfig
$BrowserMatch
$CoreDumpDirectory
$DefaultType
$DocumentRoot
$ErrorLog
$Group
$HostnameLookups
$KeepAlive
$KeepAliveTimeout
$LanguagePriority
$Listen
$LogFormat
$MaxClients
$MaxKeepAliveRequests
$MaxRequestsPerChild
$MaxSpareServers
$MinSpareServers
$PassEnv
$PerlChildInitHandler
$PerlPostReadRequestHandler
$PerlSetEnv
$PerlSetupEnv
$PerlWarn
$PidFile
$Port
$ResourceConfig
$ScoreBoardFile
$ServerAdmin
$ServerRoot
$ServerType
$StartServers
$Timeout
$TransferLog
$User
%Location
@​Alias
@​ScriptAlias
@​PerlSetEnv
);

$ServerType = "standalone";
$HostnameLookups = "Off";
$User = "nobody";
$Group = "nobody";
$BrowserMatch = "Mozilla/2 nokeepalive";
$ServerRoot = "/usr/local/apache";
$CoreDumpDirectory = "$ServerRoot/cores";
$LogFormat = (\'"%h %l %u %t \\\\"%r\\\\" %s %b \\\\"%{Referer}i\\\\" \\\\"%{User-Agent}i\\\\" %P %T"\');
$KeepAlive = "On";
$MaxKeepAliveRequests = 100;
$KeepAliveTimeout = 1;
$MinSpareServers = 10;
$MaxSpareServers = 35;
$StartServers = 25;
$MaxClients = 36;
$MaxRequestsPerChild = 1055;
$PerlWarn = "On";

my $SWITCH8000 = Apache->define("SWITCH8000");

my $ext = $SWITCH8000 ? ".8000" : "";

$ErrorLog = "logs/error_log$ext";
$TransferLog = "logs/access_log$ext";
$PidFile = "logs/httpd.pid$ext";
$ScoreBoardFile = "logs/apache_status$ext";

$AccessConfig = "/dev/null";
$ResourceConfig = "/dev/null";
$DocumentRoot = "/usr/local/apache/htdocs";
$DefaultType = "text/plain";

$LanguagePriority = "en fr de";
@​Alias = (
[qw( /icons/ /usr/local/apache/icons/ )],
[qw( /perl/ /usr/local/apache/perl/ )]
);
@​ScriptAlias = ([qw( /cgi-bin/ /usr/local/apache/cgi-bin/ )]);
$PassEnv = "Language";

for my $loc (qw( /status )){
$Location{$loc}{SetHandler} = "server-status";
}
for my $loc (qw( /server-info )){
$Location{$loc}{SetHandler} = "server-info";
}
for my $loc (qw( /disabled )){
$Location{$loc}{SetHandler} = "perl-script";
$Location{$loc}{PerlHandler} = "perl_pause​::disabled";
}

my $me;
chop($me = `uname -n`);

unless ($me){
require Net​::Domain; # pollutes namespace like a pig if h2ph has been run
my $me = Net​::Domain->hostfqdn;
}

my $ord_port = $SWITCH8000 ? 8000 : 81;
$Port = $ord_port;
$Listen = $ord_port;
$Location{"/"}{PerlSetupEnv} = "Off";

unshift @​INC, "/usr/local/apache/librondebug";

# why two locations having the same handler? Just to demo the SEGV.
for my $loc (qw( /segv1 /r99/query )){
$Location{$loc}{SetHandler} = "perl-script";
$Location{$loc}{PerlHandler} = "map_box​::segv";
}

__END__

=pod seen from perls standpoint

;' called at /sources-perl/inst/perl5.005_62..4590g/lib/site_perl/File/Spec/Unix.pm line 0

Program received signal SIGSEGV, Segmentation fault.
0x400a8901 in memmove (dest=0x0, src=0x859d508, len=61)
  at ../sysdeps/generic/memmove.c​:69
../sysdeps/generic/memmove.c​:69​: No such file or directory.
(gdb) bt
#0 0x400a8901 in memmove (dest=0x0, src=0x859d508, len=61)
  at ../sysdeps/generic/memmove.c​:69
#1 0x814a885 in Perl_sv_setsv (dstr=0x8569cbc, sstr=0x85ee660) at sv.c​:2643
#2 0x813e61f in Perl_pp_aassign () at pp_hot.c​:741
#3 0x813b6df in Perl_runops_debug () at run.c​:56
#4 0x8176f88 in S_docatch_body (args=0xbfffb444) at pp_ctl.c​:2430
#5 0x816ada7 in Perl_vdefault_protect (pcur_env=0xbfffb450, excpt=0xbfffb508,
  body=0x8176f7c <S_docatch_body>, args=0xbfffb428) at scope.c​:45
#6 0x816acbd in Perl_default_protect (pcur_env=0xbfffb450, excpt=0xbfffb508,
  body=0x8176f7c <S_docatch_body>) at scope.c​:26
#7 0x8177010 in S_docatch (o=0x82fba88) at pp_ctl.c​:2448
#8 0x817a230 in Perl_pp_entertry () at pp_ctl.c​:3171
#9 0x813b6df in Perl_runops_debug () at run.c​:56
#10 0x80e9219 in S_call_xbody (myop=0xbfffb63c, is_eval=0) at perl.c​:1472
#11 0x80e8b93 in perl_call_sv (sv=0x82f4690, flags=2) at perl.c​:1361
#12 0x812dd8f in Perl_vwarn (pat=0x81b8c71 "%s free() ignored",
  args=0xbfffb6b4) at util.c​:1668
#13 0x812df19 in Perl_warn (pat=0x81b8c71 "%s free() ignored") at util.c​:1707
#14 0x80ed6a4 in free (mp=0x85ee8b0) at malloc.c​:1505
#15 0x8130c99 in Perl_mg_free (sv=0x85ee874) at mg.c​:264
#16 0x814cb22 in Perl_sv_clear (sv=0x85ee874) at sv.c​:3328
#17 0x814d0c5 in Perl_sv_free (sv=0x85ee874) at sv.c​:3501
#18 0x8140c56 in Perl_pp_iter () at pp_hot.c​:1578
#19 0x813b6df in Perl_runops_debug () at run.c​:56
#20 0x80e9219 in S_call_xbody (myop=0xbfffb888, is_eval=0) at perl.c​:1472
#21 0x80e8b93 in perl_call_sv (sv=0x83fb290, flags=0) at perl.c​:1361
#22 0x80e8984 in perl_call_method (methname=0x81bf2b7 "FIRSTKEY", flags=0)
  at perl.c​:1311
#23 0x8133589 in Perl_magic_nextpack (sv=0x83cf8c8, mg=0x83bc948,
  key=0x843c20c) at mg.c​:1152
#24 0x81384f5 in Perl_hv_iternext (hv=0x83cf8c8) at hv.c​:1079
#25 0x8138837 in Perl_hv_iternextsv (hv=0x83cf8c8, key=0xbfffb994,
  retlen=0xbfffb990) at hv.c​:1165
#26 0x808095a in perl_urlsection (cmd=0xbffffaf8, dummy=0x81dc04c,
  hv=0x83cf8c8) at perl_config.c​:1240
#27 0x80815a1 in perl_handle_command_hv (hv=0x83cf8c8,
  key=0x8428a90 "LocationMatch", cmd=0xbffffaf8, config=0x81db744)
  at perl_config.c​:1464
#28 0x808256c in perl_section (parms=0xbffffaf8, dummy=0x81db894,
  arg=0xbfffda8e "") at perl_config.c​:1711
#29 0x80a40d8 in invoke_cmd ()
#30 0x80a4b22 in ap_handle_command ()
#31 0x80a4bb8 in ap_srm_command_loop ()
#32 0x80a4fa8 in ap_process_resource_config ()
#33 0x80a5866 in ap_read_config ()
#34 0x80af47a in main ()
(gdb)

From @andk

On 22 Nov 1999 21​:10​:03 +0100, andreas.koenig@​anima.de (Andreas J. Koenig) said​:

Does it tell you something?

PERLDB_OPTS="NonStop=1 LineInfo=./perldb.out AutoTrace=1 frame=31" PERL5OPT=-d gdb /usr/local/apache/bin/httpd-1.3.9+p5.00562..4590g+mp1.21-1118ak

Sorry, I had the LineInfo still redirected for the run. Here is the
end of the run with lineinfo.

40​: my($s, $k) = (shift, shift);
41​: return exists( $s->[0]{$k} ) ? $s->[2][ $s->[0]{$k} ] : undef;
out $=Tie​::IxHash​::FETCH('Tie​::IxHash=ARRAY(0x83f3f50)', '/segv1') from /usr/local/apache/librondebug/map_box/httpd.conf​:137
scalar context return from Tie​::IxHash​::FETCH​: 'SetHandler' => 'perl-script'
135​:
136​:
in $=Tie​::IxHash​::FETCH('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query', 'Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query') from /usr/local/apache/librondebug/map_box/httpd.conf​:136
40​: my($s, $k) = (shift, shift);
41​: return exists( $s->[0]{$k} ) ? $s->[2][ $s->[0]{$k} ] : undef;
out $=Tie​::IxHash​::FETCH('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query', 'Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query') from /usr/local/apache/librondebug/map_box/httpd.conf​:136
scalar context return from Tie​::IxHash​::FETCH​: undef
in $=Tie​::IxHash​::STORE('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query', 'HASH(0x85ee880)') from /usr/local/apache/librondebug/map_box/httpd.conf​:136
45​: my($s, $k, $v) = (shift, shift, shift);
47​: if (exists $s->[0]{$k}) {
54​: push(@​{$s->[1]}, $k);
54​: push(@​{$s->[1]}, $k);
55​: push(@​{$s->[2]}, $v);
55​: push(@​{$s->[2]}, $v);
56​: $s->[0]{$k} = $#{$s->[1]};
56​: $s->[0]{$k} = $#{$s->[1]};
out $=Tie​::IxHash​::STORE('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query', 'HASH(0x85ee880)') from /usr/local/apache/librondebug/map_box/httpd.conf​:136
scalar context return from Tie​::IxHash​::STORE​: 9
137​:
in $=Tie​::IxHash​::FETCH('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query') from /usr/local/apache/librondebug/map_box/httpd.conf​:137
40​: my($s, $k) = (shift, shift);
41​: return exists( $s->[0]{$k} ) ? $s->[2][ $s->[0]{$k} ] : undef;
out $=Tie​::IxHash​::FETCH('Tie​::IxHash=ARRAY(0x83f3f50)', '/r99/query') from /usr/local/apache/librondebug/map_box/httpd.conf​:137
scalar context return from Tie​::IxHash​::FETCH​: 'SetHandler' => 'perl-script'
135​:
in
Program received signal SIGSEGV, Segmentation fault.
0x400a8901 in memmove (dest=0x0, src=0x859e488, len=61)
  at ../sysdeps/generic/memmove.c​:69
../sysdeps/generic/memmove.c​:69​: No such file or directory.

--
andreas

From @TimToady

Andreas J. Koenig writes​:
: >>>>> On Mon, 22 Nov 1999 13​:50​:20 -0500 (EST), Ilya Zakharevich <ilya@​math.ohio-state.edu> said​:
:
: > Andreas J. Koenig writes​:
: >> Thanks for the reminder, but no, that sometimes showed nothing and
: >> sometimes showed
: >>
: >> Out of memory during "large" request for 1073745920 bytes at=84` lin=
: >> e 48.
:
: > PERLDB_OPTS="N f=7 A" ?
:
: I had done so several times but not yet on the current destilled code.
: This looks like an even faster death than I had under gdb alone.
: Does it tell you something?

Looks like you're trying to call malloc/free reentrantly.

: #0 0x400a8901 in memmove (dest=0x0, src=0x859d508, len=61)
: at ../sysdeps/generic/memmove.c​:69
: #1 0x814a885 in Perl_sv_setsv (dstr=0x8569cbc, sstr=0x85ee660) at sv.c​:2643
: #2 0x813e61f in Perl_pp_aassign () at pp_hot.c​:741

...

: #13 0x812df19 in Perl_warn (pat=0x81b8c71 "%s free() ignored") at util.c​:1707
: #14 0x80ed6a4 in free (mp=0x85ee8b0) at malloc.c​:1505

Larry

From [Unknown Contact. See original ticket]

On Mon, Nov 22, 1999 at 12​:26​:25PM -0800, Larry Wall wrote​:

Looks like you're trying to call malloc/free reentrantly.

: #0 0x400a8901 in memmove (dest=0x0, src=0x859d508, len=61)
: at ../sysdeps/generic/memmove.c​:69
: #1 0x814a885 in Perl_sv_setsv (dstr=0x8569cbc, sstr=0x85ee660) at sv.c​:2643
: #2 0x813e61f in Perl_pp_aassign () at pp_hot.c​:741

...

: #13 0x812df19 in Perl_warn (pat=0x81b8c71 "%s free() ignored") at util.c​:1707
: #14 0x80ed6a4 in free (mp=0x85ee8b0) at malloc.c​:1505

This is a Perl's malloc. At this moment it did not touch any state.
I think it should be completely safe.

Ilya

From @TimToady

Ilya Zakharevich writes​:
: On Mon, Nov 22, 1999 at 12​:26​:25PM -0800, Larry Wall wrote​:
: > Looks like you're trying to call malloc/free reentrantly.
: >
: > : #0 0x400a8901 in memmove (dest=0x0, src=0x859d508, len=61)
: > : at ../sysdeps/generic/memmove.c​:69
: > : #1 0x814a885 in Perl_sv_setsv (dstr=0x8569cbc, sstr=0x85ee660) at sv.c​:2643
: > : #2 0x813e61f in Perl_pp_aassign () at pp_hot.c​:741
: >
: > ...
: >
: > : #13 0x812df19 in Perl_warn (pat=0x81b8c71 "%s free() ignored") at util.c​:1707
: > : #14 0x80ed6a4 in free (mp=0x85ee8b0) at malloc.c​:1505
:
: This is a Perl's malloc. At this moment it did not touch any state.
: I think it should be completely safe.

True 'nuff. On the other hand, the fact that it was wanting to
complain about a bad free is perhaps indicative of earlier arena
corruption. And the address of the sstr in #1 appears to be from the
same arena as mp in the free() in #14. The two addresses differ by
less than 0xff.

Larry

From @andk

On 22 Nov 1999 13​:46​:54 +0100, I said​:

: The same program cores with _54, _56, and an unpatched _62 too.
: Core seems independent of mymalloc and OS. I have seen it on both
: Solaris and Linux.

This is still true. 5.00503 seems to be immune against this SEGV.

Now I have seen the core even with 5.00503. The testcase I sent
doesn't show it, but the application in which I encountered it the
first time.

--
andreas

From @andk

On 23 Nov 1999 21​:25​:40 +0100, andreas.koenig@​anima.de (Andreas J. Koenig) said​:

On 22 Nov 1999 13​:46​:54 +0100, I said​:
: The same program cores with _54, _56, and an unpatched _62 too.
: Core seems independent of mymalloc and OS. I have seen it on both
: Solaris and Linux.

This is still true. 5.00503 seems to be immune against this SEGV.

Now I have seen the core even with 5.00503. The testcase I sent
doesn't show it, but the application in which I encountered it the
first time.

FYI,

my test case is now down to 90 lines, no modules needed anymore, but
mod_perl still required for the demo.

The application that caused my investigation is now running on both
Solaris and Linux after I changed a pseudo-hash into a hash (no change
otherwise). This is no proof that pseudo hases are to blame, but it's
an indication.

I'll keep you posted. Just in case somebody wants to look into it,
please contact me for the most recent test scenario. Thanks!

--
andreas