From inferno@wboys.ru

Created by inferno@wboys.ru

The following code makes perl to dump core​:

sub z{
  #must be local
  my ($ref, $self);

  #must be local _and_ initialized
  #here's version from original code
  #but '= (1..3)' suits as well
  my(@​keys) = keys(%$ref);

  #these 2 lines must be together
  $ref = $ref->{$keys[0]};
  $self->{rootname} = $keys[0];
}

use B​::TerseSize;
#B​::debug(undef, 1);
$cv = B​::svref_2object(\&{"main​::z"});
B​::walkoptree_slow($cv->ROOT, "op_size");

With uncommented B​::debug line, i get​:
walkoptree​: 0. UNOP (0x8069788) leavesub
  walkoptree​: 1. LISTOP (0x8069048) lineseq
  walkoptree​: 2. COP (0x8064d88) nextstate
  walkoptree​: 2. LISTOP (0x8065fc8) list
  walkoptree​: 3. OP (0x8069008) pushmark
  walkoptree​: 3. OP (0x8065f48) padsv
  walkoptree​: 3. OP (0x8065f88) padsv
  walkoptree​: 2. COP (0x8064e08) nextstate
  walkoptree​: 2. BINOP (0x80692c8) aassign
  walkoptree​: 3. UNOP (0x8069248) null
  walkoptree​: 4. OP (0x8069288) pushmark
  walkoptree​: 4. UNOP (0x8069148) keys
  walkoptree​: 5. UNOP (0x8069108) rv2hv
  walkoptree​: 6. OP (0x80690c8) padsv
  walkoptree​: 3. UNOP (0x80691c8) null
  walkoptree​: 4. OP (0x8069208) pushmark
  walkoptree​: 4. OP (0x8069088) padav
  walkoptree​: 2. COP (0x8064e88) nextstate
  walkoptree​: 2. BINOP (0x80694c8) sassign
  walkoptree​: 3. BINOP (0x8069488) helem
  walkoptree​: 4. UNOP (0x8069448) rv2hv
  walkoptree​: 5. OP (0x8069348) padsv
  walkoptree​: 4. UNOP (0x8069408) null
  walkoptree​: 5. SVOP (0x8069388) aelemfast

When trying to detect op size for the last SVOP (inside B​::Size)

sub B​::SVOP​::size {
  B​::Sizeof​::SVOP + shift->sv->size;
}

code "shift->sv" makes perl coredump

Unfortunatelly, i'm not familiar with XS, so couldn't debug deeper into the
B.xs module.

Here is stack trace from gdb​:
#0 0x282ddc09 in make_sv_object (arg=0x82071c8, sv=0x55555555) at B.xs​:231
#1 0x282e3d9f in XS_B__SVOP_sv (cv=0x80f9c68) at B.c​:2007
#2 0x28113f88 in Perl_pp_entersub () at pp_hot.c​:2913
#3 0x280f3ecb in Perl_runops_debug () at dump.c​:1459
#4 0x28099066 in S_run_body (oldscope=1) at perl.c​:2366
#5 0x28098b2a in perl_run (my_perl=0x804d030) at perl.c​:2283
#6 0x08049130 in main ()

PS​:
Original line that leads to segfault is as simple as
perl -e 'use XML​::Simple; use B​::TerseSize; B​::TerseSize​::package_size("XML​::Simple")'

Flags:
    category=core
    severity=low

Site configuration information for perl v5.8.8:

Configured by game at Sun Mar 30 09:52:08 MSD 2008.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=freebsd, osvers=6.1-release, archname=i386-freebsd-64int
    uname='freebsd ru-dealer.com 6.1-release freebsd 6.1-release #0: sun may 7 04:42:56 utc 2006 root@opus.cse.buffalo.edu:usrobjusrsrcsyssmp i386 '
    config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.8.8/mach -Dprivlib=/usr/local/lib/perl5/5.8.8 -Dman3dir=/usr/local/lib/perl5/5.8.8/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.8/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.8 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.8.8/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.8/BSDPAN" -Doptimize=-g -DDEBUGGING -Ud_dosuid -Ui_gdbm -Dusethreads=n -Dusemymalloc=y -Duse64bitint'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=undef
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.8/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include',
    optimize='-g',
    cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.8/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include'
    ccversion='', gccversion='3.4.4 [FreeBSD] 20050518', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -Wl,-E -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'

Locally applied patches:
    defined-or


@INC for perl v5.8.8:
    /usr/local/lib/perl5/5.8.8/BSDPAN
    /usr/local/lib/perl5/site_perl/5.8.8/mach
    /usr/local/lib/perl5/site_perl/5.8.8
    /usr/local/lib/perl5/site_perl
    /usr/local/lib/perl5/5.8.8/mach
    /usr/local/lib/perl5/5.8.8
    .


Environment for perl v5.8.8:
    HOME=/home/game
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/game/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh

From @rurban

B​::Size failure. Please report there.

SVOP's are beasts. Esp. with this GV.
See http​://www.perlfoundation.org/perl5/index.cgi?optree_guts

However with my threaded perl aelemfast is no SVOP,
it's a PADOP, so the sv access does not fail. Need to check this with a
non-threaded perl, but I have non.

But I doubt that is a core failure, I would blame B​::Size.
It should check if the op_flag is SPECIAL. Only then there's a SV,
otherwise a PAD at op_targ.

Rather use Devel​::Size, which is much better.
B​::Size should be thrown away. I tried to fix it for recent releases but
gave up.

$ perl bug52284.pl
walkoptree​: 0. UNOP (0x681738) leavesub
walkoptree​: 1. LISTOP (0x681180) lineseq
walkoptree​: 2. COP (0x680eb8) nextstate
walkoptree​: 2. LISTOP (0x675358) list
walkoptree​: 3. OP (0x681140) pushmark
walkoptree​: 3. OP (0x6810c8) padsv
walkoptree​: 3. OP (0x681110) padsv
walkoptree​: 2. COP (0x681308) nextstate
walkoptree​: 2. BINOP (0x6812e0) aassign
walkoptree​: 3. UNOP (0x681298) null
walkoptree​: 4. OP (0x6812c0) pushmark
walkoptree​: 4. UNOP (0x675328) keys
walkoptree​: 5. UNOP (0x6811f8) rv2hv
walkoptree​: 6. OP (0x6811d8) padsv
walkoptree​: 3. UNOP (0x681250) null
walkoptree​: 4. OP (0x681278) pushmark
walkoptree​: 4. OP (0x6811a8) padav
walkoptree​: 2. COP (0x681480) nextstate
walkoptree​: 2. BINOP (0x681458) sassign
walkoptree​: 3. BINOP (0x681430) helem
walkoptree​: 4. UNOP (0x681410) rv2hv
walkoptree​: 5. OP (0x681388) padsv
walkoptree​: 4. UNOP (0x6813e8) null
walkoptree​: 5. PADOP (0x6813a8) aelemfast
walkoptree​: 5. OP (0x6813c8) null
walkoptree​: 3. OP (0x681368) padsv
walkoptree​: 2. COP (0x681608) nextstate
walkoptree​: 2. BINOP (0x6815e0) sassign
walkoptree​: 3. UNOP (0x6815b8) null
walkoptree​: 4. PADOP (0x681578) aelemfast
walkoptree​: 4. OP (0x681598) null
walkoptree​: 3. BINOP (0x681550) helem
walkoptree​: 4. UNOP (0x681530) rv2hv
walkoptree​: 5. OP (0x6814e0) padsv
walkoptree​: 4. SVOP (0x681510) const

--
Reini Urban

The RT System itself - Status changed from 'new' to 'open'

From @rurban

B​::Size failure. Please report there.

SVOP's are beasts. Esp. with this GV.
See http​://www.perlfoundation.org/perl5/index.cgi?optree_guts

However with my threaded perl aelemfast is no SVOP,
it's a PADOP, so the sv access does not fail. Need to check this with a
non-threaded perl, but I have non.

But I doubt that is a core failure, I would blame B​::Size.
It should check if the op_flag is SPECIAL. Only then there's a SV,
otherwise a PAD at op_targ.

Rather use Devel​::Size, which is much better.
B​::Size should be thrown away. I tried to fix it for recent releases but
gave up.

$ perl bug52284.pl
walkoptree​: 0. UNOP (0x681738) leavesub
walkoptree​: 1. LISTOP (0x681180) lineseq
walkoptree​: 2. COP (0x680eb8) nextstate
walkoptree​: 2. LISTOP (0x675358) list
walkoptree​: 3. OP (0x681140) pushmark
walkoptree​: 3. OP (0x6810c8) padsv
walkoptree​: 3. OP (0x681110) padsv
walkoptree​: 2. COP (0x681308) nextstate
walkoptree​: 2. BINOP (0x6812e0) aassign
walkoptree​: 3. UNOP (0x681298) null
walkoptree​: 4. OP (0x6812c0) pushmark
walkoptree​: 4. UNOP (0x675328) keys
walkoptree​: 5. UNOP (0x6811f8) rv2hv
walkoptree​: 6. OP (0x6811d8) padsv
walkoptree​: 3. UNOP (0x681250) null
walkoptree​: 4. OP (0x681278) pushmark
walkoptree​: 4. OP (0x6811a8) padav
walkoptree​: 2. COP (0x681480) nextstate
walkoptree​: 2. BINOP (0x681458) sassign
walkoptree​: 3. BINOP (0x681430) helem
walkoptree​: 4. UNOP (0x681410) rv2hv
walkoptree​: 5. OP (0x681388) padsv
walkoptree​: 4. UNOP (0x6813e8) null
walkoptree​: 5. PADOP (0x6813a8) aelemfast
walkoptree​: 5. OP (0x6813c8) null
walkoptree​: 3. OP (0x681368) padsv
walkoptree​: 2. COP (0x681608) nextstate
walkoptree​: 2. BINOP (0x6815e0) sassign
walkoptree​: 3. UNOP (0x6815b8) null
walkoptree​: 4. PADOP (0x681578) aelemfast
walkoptree​: 4. OP (0x681598) null
walkoptree​: 3. BINOP (0x681550) helem
walkoptree​: 4. UNOP (0x681530) rv2hv
walkoptree​: 5. OP (0x6814e0) padsv
walkoptree​: 4. SVOP (0x681510) const

--
Reini Urban

From @cpansprout

I’ve opened a bug in the CPAN queue for B-Size at
<https://rt.cpan.org/Ticket/Display.html?id=61468>.

@cpansprout - Status changed from 'open' to 'rejected'