Perl crashes reading past the end of a heap block while parsing foreach statement #7850
From John_Sargent@McAfee.com
Created by john_sargent@mcafee.com
In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that the If this memory happens to be the first element in the allocated chunk, OP* Perl_newFOROP(...) <-snip-> <<<< MEMORY ALLOCATED IN CONVERT HERE IS NOT BIG ENOUGH FOR A LOOP loop = (LOOP*)list(convert(OP_ENTERITER, iterflags, <-snip-> LOOP *tmp; <-snip-> Perl Info
|
From @rgs
Sargent, John wrote:
I can't figure out a case where this wouldn't be a list op.
|
The RT System itself - Status changed from 'new' to 'open' |
From John_Sargent@McAfee.com
If scalar(sv) is null (not sure why it would be off hand), and expr is The crash is because the code casts a LISTOP to a LOOP which is bigger
-----Original Message-----
Sargent, John wrote:
I can't figure out a case where this wouldn't be a list op.
|
From spenlow@exchange.microsoft.com
This is a bug report for perl from spenlow@microsoft.com, With version 809 of ActiveState Perl for Win32 I am MSVCRT!memcpy+0x33 Perl appears to be parsing a foreach statement. While it's doing MSVCRT!malloc+0x74 The block appears to be 0x200C in length. This problem occurs intermittently on many different machines. My hunch of the problem is that Perl_Slab_Alloc, VMem::Malloc, This bug is very bad because it is intermittent and hard to I would be happy to talk to anyone about this issue or answer Thank you, Spencer Low Flags: Site configuration information for perl v5.8.3: Configured by ActiveState at Tue Feb 3 00:28:38 2004. Summary of my perl5 (revision 5 version 8 subversion 3) configuration: Locally applied patches: @INC for perl v5.8.3: Environment for perl v5.8.3: PATH=E:\sqlmain\tools\winsdk\tools\perl\bin;C:\WINDOWS\system32;C:\WINDO PERL5LIB=E:\sqlmain\tools\winsdk\tools\perllib;E:\sqlmain\tools\winsdk\t |
From @gsar
On 25 Mar 2005 07:54:22 GMT, "Spencer Low" wrote:
This appears to have been previously reported as bug 34450: http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339.html Some more history: the buggy code has been around for a long time,
Nice analysis. The attached patch against perl 5.8.6 might fix it. Sarathy Inline Patch-----------------------------------8<-----------------------------------
Index: ./op.c
--- ./op.c.~1~ Fri Mar 25 10:25:09 2005
+++ ./op.c Fri Mar 25 10:25:09 2005
@@ -3930,7 +3930,7 @@
{
LOOP *tmp;
NewOp(1234,tmp,1,LOOP);
- Copy(loop,tmp,1,LOOP);
+ Copy(loop,tmp,1,LISTOP);
FreeOp(loop);
loop = tmp;
}
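Review bot: With the count reduced to LISTOP, `Copy(loop,tmp,1,LISTOP);` fills only the leading LISTOP-sized part of the LOOP-sized `tmp`, so the remaining LOOP fields keep whatever `NewOp(1234,tmp,1,LOOP);` left in them. Nothing in the hunk sets those fields before `loop = tmp;`, so please confirm that NewOp zero-fills the block, or initialise the loop-only fields explicitly here.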
End of Patch. |
The RT System itself - Status changed from 'new' to 'open' |
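The size mismatch discussed in this thread, as an added example that is not code from perl or from any participant: a block allocated for the smaller struct is replaced by one sized for the larger struct, and the copy length is checked against both blocks. `list_op` and `loop_op` are simplified stand-in structs with assumed fields, and `checked_copy`, `upgrade_to_loop` and `demo` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the op structs (assumed layouts, not perl's definitions). */
typedef struct { int type; int flags; void *first; void *last; } list_op;
typedef struct { list_op base; void *redoop; void *nextop; void *lastop; } loop_op;

/* The upgrade is only valid if the small struct is a prefix of the big one. */
_Static_assert(offsetof(loop_op, base) == 0, "list_op must be a prefix of loop_op");
_Static_assert(sizeof(loop_op) > sizeof(list_op), "loop_op must be the larger struct");

/* Copy n bytes only if both blocks are at least n bytes long; 0 on success, -1 otherwise. */
int checked_copy(void *dst, size_t dst_len, const void *src, size_t src_len, size_t n)
{
    if (n > src_len || n > dst_len)
        return -1;              /* would read past src or write past dst */
    memcpy(dst, src, n);
    return 0;
}

/* Replace a list_op-sized block with a loop_op-sized one. copy_len is the byte
 * count handed to the copy: sizeof(loop_op) models the pre-patch call,
 * sizeof(list_op) the patched one. Returns NULL when the copy is refused. */
loop_op *upgrade_to_loop(list_op *small, size_t copy_len)
{
    loop_op *big = calloc(1, sizeof *big);   /* zeroed: loop-only fields start as NULL */
    if (big == NULL) return NULL;
    if (checked_copy(big, sizeof *big, small, sizeof *small, copy_len) != 0) {
        free(big);              /* refuse the over-read; caller still owns small */
        return NULL;
    }
    free(small);
    return big;
}

/* Constructed demo: returns 1 if the oversized copy is refused and the sized one works. */
int demo(void)
{
    list_op *op = calloc(1, sizeof *op);
    if (op == NULL) return 0;
    op->type = 7; op->flags = 3;
    if (upgrade_to_loop(op, sizeof(loop_op)) != NULL) return 0;  /* pre-patch size */
    loop_op *loop = upgrade_to_loop(op, sizeof(list_op));        /* patched size */
    int ok = loop && loop->base.type == 7 && loop->base.flags == 3 && loop->redoop == NULL;
    free(loop);
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```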
From @rgarcia
On Fri, 25 Mar 2005 10:31:09 -0800, Gurusamy Sarathy
But, as far as I can tell, in bug 34450 PL_OP_SLAB_ALLOC isn't defined...
|
From @gsar
On Fri, 25 Mar 2005 20:25:35 +0100, Rafael Garcia-Suarez wrote:
I don't think that is possible, since the code in question is Sarathy |
From @rgarcia
On Fri, 25 Mar 2005 12:54:39 -0800, Gurusamy Sarathy
Yes, that's more or less what I was saying, thus wondering about the |
From @smpeters
Ticket closed as patch was applied. |
@smpeters - Status changed from 'open' to 'resolved' |
From spenlow@exchange.microsoft.com
Thank you for the fast reply and patch. When is the next release of Thanks again for the fast response, Spencer
-----Original Message-----
On 25 Mar 2005 07:54:22 GMT, "Spencer Low" wrote:
This appears to have been previously reported as bug 34450: http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339. Some more history: the buggy code has been around for a long time, but
Nice analysis. The attached patch against perl 5.8.6 might fix it. Sarathy Inline Patch-----------------------------------8<-----------------------------------
Index: ./op.c
--- ./op.c.~1~ Fri Mar 25 10:25:09 2005
+++ ./op.c Fri Mar 25 10:25:09 2005
@@ -3930,7 +3930,7 @@
{
LOOP *tmp;
NewOp(1234,tmp,1,LOOP);
- Copy(loop,tmp,1,LOOP);
+ Copy(loop,tmp,1,LISTOP);
FreeOp(loop);
loop = tmp;
}
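Review bot: The line `Copy(loop,tmp,1,LISTOP);` now copies a smaller type than the one allocated by `NewOp(1234,tmp,1,LOOP);` directly above it, and with no comment that mismatch reads like a typo that a later cleanup could change back to LOOP. A one-line comment saying that the source block is only LISTOP-sized would protect the fix.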
End of Patch. |
From @smpeters
Let me clarify. Do you have any Perl and/or XS code that demonstrates this problem? |
From @smpeters
Without a demonstration of the problem mentioned, this ticket will be |
@smpeters - Status changed from 'open' to 'stalled' |
From @doy
If no code can be provided to demonstrate this issue on a more recent |
The RT System itself - Status changed from 'stalled' to 'open' |
From @cpansprout
On Sun Jun 24 15:21:47 2012, doy wrote:
It was fixed in commit bd5f3bc, so this is the same bug as #34568. -- Father Chrysostomos |
@cpansprout - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#34568 (status was 'resolved')
Searchable as RT34568$