From james@mastros.biz

Created by james@mastros.biz

Hello, everybody. I was recently playing with LVALUEs trying to get
exercise 2 of http​://perlmonks.org/?node=how's+your+perl?+(II), and managed
to get perl to segfault. While I was doing strange things with it at the
time, a segfault isn't a good response, ever.

Code​:
#!/usr/bin/perl
use warnings;
use Devel​::Peek;
$|=1;

{
  local $foo; # Local *foo instead, and it works.
  my $x; # Only to shut up warnings -- both lexical and global $x exhibit this behavior
  *foo=\pos($x); # Neccessary
  Dump *foo;
  print "Got here\n";
}
print "Got here\n";
__DATA__

Output​:
SV = PVGV(0x8192ef8) at 0x8164ee0
  REFCNT = 5
  FLAGS = (GMG,SMG,MULTI,IN_PAD)
  IV = 0
  NV = 0
  MAGIC = 0x8190960
  MG_VIRTUAL = &PL_vtbl_glob
  MG_TYPE = PERL_MAGIC_glob(*)
  MG_OBJ = 0x8164ee0
  NAME = "foo"
  NAMELEN = 3
  GvSTASH = 0x814cb48 "main"
  GP = 0x8192f30
  SV = 0x8164f40
  REFCNT = 1
  IO = 0x0
  FORM = 0x0
  AV = 0x0
  HV = 0x0
  CV = 0x0
  CVGEN = 0x0
  GPFLAGS = 0x0
  LINE = 7
  FILE = "howsyourperl2.pl_segfault"
  FLAGS = 0xa
  EGV = 0x8164ee0 "foo"
Got here
 
Note the lack of the second "Got here" line.

Backtrace​:
(gdb) bt
#0 0x080b27ce in Perl_magic_setpos ()
#1 0x080af335 in Perl_mg_set ()
#2 0x080e76d0 in Perl_leave_scope ()
#3 0x080e5fac in Perl_pop_scope ()
#4 0x080ecfb4 in Perl_pp_leaveloop ()
#5 0x080bbbb9 in Perl_runops_standard ()
#6 0x080635e8 in perl_run ()
#7 0x080633f5 in perl_run ()
#8 0x0805fb9f in main ()

Sorry, I don't have a 5.8.5 or debugging perl handy -- let me know if either
is neccessary.
 
Thanks!
  -=- James Mastros,
  theorbtwo

Flags:
    category=core
    severity=low

Site configuration information for perl v5.8.4:

Configured by Debian Project at Wed May 12 00:32:16 EST 2004.

Summary of my perl5 (revision 5 version 8 subversion 4) configuration:
  Platform:
    osname=linux, osvers=2.4.26-ti1211, archname=i386-linux-thread-multi
    uname='linux kosh 2.4.26-ti1211 #1 sat apr 24 14:46:58 est 2004 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i386-linux -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.4 -Dsitearch=/usr/local/lib/perl/5.8.4 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.4 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='3.3.3 (Debian 20040429)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=true, libperl=libperl.so.5.8.4
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.4:
    /etc/perl
    /usr/local/lib/perl/5.8.4
    /usr/local/share/perl/5.8.4
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.8
    /usr/share/perl/5.8
    /usr/local/lib/site_perl
    /usr/local/lib/perl/5.8.3
    /usr/local/share/perl/5.8.3
    /usr/local/lib/perl/5.8.2
    /usr/local/share/perl/5.8.2
    /usr/local/lib/perl/5.8.1
    /usr/local/share/perl/5.8.1
    /usr/local/lib/perl/5.8.0
    /usr/local/share/perl/5.8.0
    .


Environment for perl v5.8.4:
    HOME=/home/theorb
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/theorb/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @hvds

James Mastros (via RT) <perlbug-followup@​perl.org> wrote​:
:Code​:
:#!/usr/bin/perl
:use warnings;
:use Devel​::Peek;
:$|=1;
:
:{
: local $foo; # Local *foo instead, and it works.
: my $x; # Only to shut up warnings -- both lexical and global $x exhibit this behavior
: *foo=\pos($x); # Neccessary
: Dump *foo;
: print "Got here\n";
:}
:print "Got here\n";
:__DATA__

Segfault confirmed on bleadperl (@​23061)​:

perl -e '{ local $foo; my $x; *foo = \pos($x) }'

#0 Perl_magic_setpos (sv=0x8160330, mg=0x0) at mg.c​:1687
1687 if (SvTYPE(lsv) >= SVt_PVMG && SvMAGIC(lsv))
(gdb) where
#0 Perl_magic_setpos (sv=0x8160330, mg=0x0) at mg.c​:1687
#1 0x080b90d2 in Perl_mg_set (sv=0x8160330) at mg.c​:224
#2 0x080e8440 in Perl_leave_scope (base=6) at scope.c​:788
#3 0x080e96e0 in Perl_pop_scope () at scope.c​:137
#4 0x080efa90 in Perl_pp_leaveloop () at pp_ctl.c​:1870
#5 0x080b301f in Perl_runops_debug () at dump.c​:1564
#6 0x08061ff8 in S_run_body (oldscope=1) at perl.c​:1797
#7 0x08061caa in perl_run (my_perl=0x8153d68) at perl.c​:1715
#8 0x0805e76b in main (argc=3, argv=0xbffffbbc, env=0xbffffbcc)
  at perlmain.c​:86
#9 0x400b0336 in __libc_start_main (main=0x805e6e0 <main>, argc=3,
  ubp_av=0xbffffbbc, init=0x805d860 <_init>, fini=0x812e980 <_fini>,
  rtld_fini=0x4000d2fc <_dl_fini>, stack_end=0xbffffbac)
  at ../sysdeps/generic/libc-start.c​:129

Hugo

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Thu, Jul 22, 2004 at 03​:41​:59PM +0100, hv@​crypt.org wrote​:

James Mastros (via RT) <perlbug-followup@​perl.org> wrote​:
:Code​:
:#!/usr/bin/perl
:use warnings;
:use Devel​::Peek;
:$|=1;
:
:{
: local $foo; # Local *foo instead, and it works.
: my $x; # Only to shut up warnings -- both lexical and global $x exhibit this behavior
: *foo=\pos($x); # Neccessary
: Dump *foo;
: print "Got here\n";
:}
:print "Got here\n";
:__DATA__

Segfault confirmed on bleadperl (@​23061)​:

It occurs because when unlocalizing, any magic associated with the local
value is copied back to the restored value, but the extra fields
associated with PVLV types, such as LvTARG, aren't copied across.
This results in the restored value being a mangled PVLV (with null
LvTARG). When SvSETMAGIC() is called on this PVLV, it blows up.

Now, I'm not sure why magic is copied across to the restored value; I
guess it's something to do with preserving the magicalness of magic vars
like $/ across localizations? But I'd have thought that for that, it's
important to copy the magic forward in the local() rather than copying
back during the leave_scope() ???

Anyway, I guess the fix is to not copy across the magic if it's a PVLV
in leave_scope().

Dave.

--
print+qq&$}$"$/$s$,$*${d}$g$s$@​$.$q$,$​:$.$q$^$,$@​$*$$;$.$q$m&if+map{m,^\d{0\,},,${$​::{$'}}=chr($"+=$&amp;||1)}q&10m22,42}6​:17*22.3@​3;^2dg3q/s"&=~m*\d\*.*g

From @smpeters

[davem@​iabyn.com - Thu Jul 22 14​:44​:50 2004]​:

On Thu, Jul 22, 2004 at 03​:41​:59PM +0100, hv@​crypt.org wrote​:

James Mastros (via RT) <perlbug-followup@​perl.org> wrote​:
:Code​:
:#!/usr/bin/perl
:use warnings;
:use Devel​::Peek;
:$|=1;
:
:{
: local $foo; # Local *foo instead, and it works.
: my $x; # Only to shut up warnings -- both lexical and
global $x exhibit this behavior
: *foo=\pos($x); # Neccessary
: Dump *foo;
: print "Got here\n";
:}
:print "Got here\n";
:__DATA__

Segfault confirmed on bleadperl (@​23061)​:

It occurs because when unlocalizing, any magic associated with the
local
value is copied back to the restored value, but the extra fields
associated with PVLV types, such as LvTARG, aren't copied across.
This results in the restored value being a mangled PVLV (with null
LvTARG). When SvSETMAGIC() is called on this PVLV, it blows up.

Now, I'm not sure why magic is copied across to the restored value; I
guess it's something to do with preserving the magicalness of magic
vars
like $/ across localizations? But I'd have thought that for that, it's
important to copy the magic forward in the local() rather than copying
back during the leave_scope() ???

Anyway, I guess the fix is to not copy across the magic if it's a PVLV
in leave_scope().

Dave.

Again, not sure what the fix was, but it works just fine in bleadperl.

@smpeters - Status changed from 'open' to 'resolved'