Subject: formline segfaults
Date: Sat, 3 Jan 2015 16:11:53 +0100 (CET)
From: mlelstv [...] serpens.de
To: perlbug [...] perl.org
This is a bug report for perl from mlelstv@serpens.de,
generated with the help of perlbug 1.40 running under perl 5.20.0.

-----------------------------------------------------------------
perl -e 'formline("@...", "a");' crashes with a segfault.

The core file shows the following backtrace:

#0  0xbbb5dfcc in Perl_pp_formline ()
    from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
(gdb) bt
#0  0xbbb5dfcc in Perl_pp_formline ()
    from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#1  0xbbb21869 in Perl_runops_standard ()
    from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#2  0xbbaa7f6b in perl_run ()
    from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#3  0x08048e18 in main ()

The segfault seems to occur at the following code fragment in pp_ctl.c:

    case FF_MORE: /* replace long end of string with '...' */
        {
            const char *s = chophere;
            const char *send = item + len;
            if (chopspace) {
                while (isSPACE(*s) && (s < send))
                    s++;
            }

when accessing *s through a NULL pointer.
send = item + len
   0xbbb5dfb9 <Perl_pp_formline+2592>:  mov    -0x64(%ebp),%ecx
   0xbbb5dfbc <Perl_pp_formline+2595>:  add    -0x1c(%ebp),%ecx
if (chopspace)
   0xbbb5dfbf <Perl_pp_formline+2598>:  cmpb   $0x0,-0x71(%ebp)
   0xbbb5dfc3 <Perl_pp_formline+2602>:  je     0xbbb5e7c4 <Perl_pp_formline+4651>
isSPACE(*s)
   0xbbb5dfc9 <Perl_pp_formline+2608>:  mov    -0x58(%ebp),%edx
  *0xbbb5dfcc <Perl_pp_formline+2611>:  movzbl (%edx),%eax
   0xbbb5dfcf <Perl_pp_formline+2614>:  mov    -0x9c(%ebp),%esi
   0xbbb5dfd5 <Perl_pp_formline+2620>:  mov    (%esi,%eax,4),%eax
   0xbbb5dfd8 <Perl_pp_formline+2623>:  and    $0x8400,%eax
   0xbbb5dfdd <Perl_pp_formline+2628>:  cmp    $0x8400,%eax
   0xbbb5dfe2 <Perl_pp_formline+2633>:  jne    0xbbb5e7c4 <Perl_pp_formline+4651>
s < send
   0xbbb5dfe8 <Perl_pp_formline+2639>:  cmp    %ecx,%edx
   0xbbb5dfea <Perl_pp_formline+2641>:  jae    0xbbb5d9b0 <Perl_pp_formline+1047>
while
   0xbbb5dff0 <Perl_pp_formline+2647>:  mov    %edx,%eax
   0xbbb5dff2 <Perl_pp_formline+2649>:  jmp    0xbbb5dffc <Perl_pp_formline+2659>
s < send
   0xbbb5dff4 <Perl_pp_formline+2651>:  cmp    %eax,%ecx
   0xbbb5dff6 <Perl_pp_formline+2653>:  jbe    0xbbb5d9b0 <Perl_pp_formline+1047>
s++
   0xbbb5dffc <Perl_pp_formline+2659>:  add    $0x1,%eax
isSPACE(*s)
   0xbbb5dfff <Perl_pp_formline+2662>:  movzbl (%eax),%edx
   0xbbb5e002 <Perl_pp_formline+2665>:  mov    (%esi,%edx,4),%edx
   0xbbb5e005 <Perl_pp_formline+2668>:  and    $0x8400,%edx
   0xbbb5e00b <Perl_pp_formline+2674>:  cmp    $0x8400,%edx
   0xbbb5e011 <Perl_pp_formline+2680>:  je     0xbbb5dff4 <Perl_pp_formline+2651>

The code changed in perl-5.20, the older version 5.18 does not have this problem.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.20.0:

Configured by root at Wed Oct 1 15:14:40 UTC 2014.
Summary of my perl5 (revision 5 version 20 subversion 0) configuration:

  Platform:
    osname=netbsd, osvers=6.0, archname=i386-netbsd-thread-multi
    uname='netbsd i386-nb6 6.0 netbsd 6.0 (libkver) #0: tue jan 19 00:00:00 utc 2038 root@localhost:sysarchi386compilelibkver i386 '
    config_args='-sde -Duseshrplib -Duseithreads -Uusemymalloc'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-O2 -pthread -I/usr/include -fwrapv -fno-strict-aliasing -pipe -fstack-protector',
    optimize='-O2 -pthread -I/usr/include',
    cppflags='-O2 -pthread -I/usr/include -fwrapv -fno-strict-aliasing -pipe -fstack-protector'
    ccversion='', gccversion='4.5.3', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags ='-Wl,-rpath,/usr/pkg/lib -fstack-protector -L/usr/pkg/lib'
    libpth=/lib /usr/lib /usr/pkg/lib
    libs=-lm -lcrypt -lpthread
    perllibs=-lm -lcrypt -lpthread
    libc=/lib/libc.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-R/usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE'
    cccdlflags='-DPIC -fPIC ', lddlflags='-shared -L/usr/pkg/lib -fstack-protector'

---
@INC for perl 5.20.0:
    /home/mlelstv/plib
    /home/mlelstv/cvs.xlink.net/DNS/plib/
    /usr/pkg/lib/perl5/site_perl/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/site_perl/5.20.0
    /usr/pkg/lib/perl5/vendor_perl/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/vendor_perl/5.20.0
    /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/5.20.0
    .

---
Environment for perl 5.20.0:
    HOME=/home/mlelstv
    LANG (unset)
    LANGUAGE (unset)
    LC_CTYPE=de_DE.ISO8859-1
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mlelstv/bin:/sbin:/usr/sbin:/usr/pkg/sbin:/bin:/usr/bin:/usr/pkg/bin:/usr/pkg/java/sun-1.4.0/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/openpkg/bin:/usr/local/openpkg/sbin:/usr/local/bin:/home/mlelstv/cvs.xlink.net/DNS/pbin
    PERL5LIB=/home/mlelstv/plib:/home/mlelstv/cvs.xlink.net/DNS/plib/
    PERL_BADLANG (unset)
    SHELL=/usr/pkg/bin/tcsh
RT-Send-CC: perl5-porters [...] perl.org
On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
>
> This is a bug report for perl from mlelstv@serpens.de,
> generated with the help of perlbug 1.40 running under perl 5.20.0.
>
>
> -----------------------------------------------------------------
> perl -e 'formline("@...", "a");' crashes with a segfault.
>
Here's the end of the output I got from running:

#####
perl Porting/bisect.pl --start=v5.18.0 -e 'formline("@...", "a");'
#####

HEAD is now at 4a73dc0 pp_formline(): document switch cases
good - zero exit from ./perl -Ilib -e formline("@...", "a");

9b4bdfd44e0e6d44a447f231c281f967c7ca35c9 is the first bad commit
commit 9b4bdfd44e0e6d44a447f231c281f967c7ca35c9
Author: David Mitchell <davem@iabyn.com>
Date:   Thu Nov 7 12:17:26 2013 +0000

    fix chop formats with non PV vars

    [perl #119847], [perl #119849], [perl #119851]

    Strange vars like ties, overloads, or stringified refs (and in recent
    perls, pure NOK vars) would generally do the wrong thing in formats
    when the var is treated as a string and repeatedly chopped, as in
    ^<<<~~ and similar.

    This would manifest itself in infinite loops, utf8 errors etc.

    A recent change that stopped a stringified NOK getting converted into
    a POK made the same badness happen for plain NVs too.

    This commit contains two main fixes.

    First, the chopping was done using sv_chop(), which only worked on
    POK strings. If its !POK, we now do sv_setpvn() instead, which is
    less efficient, but will ensure the right thing is always done.

    Secondly, we make sure that the sv is accessed only once per cycle,
    doing s = SvPV(sv, len) or similar. After that, all access is done
    only via s and len. One place was using SvPVX(sv), and several places
    were using the sv for utf8<->byte length conversions, such as
    sv_pos_b2u().

    It turns out that all the complex utf8 handling could be enormously
    simplified. Since the code that needed to do utf8/byte length
    conversions already scanned the string looking for suitable split
    points (such as spaces or \n or \r), it was easiest to include any
    utf8 processing in the same loop - i.e. incrementing s by UTF8SKIP(s)
    each time, but incrementing the character count by 1.

    The original diagnosis and reporting of this issue was done by
    Nicholas Clark, who also supplied most of the tests.

:100644 100644 1ab3f420544ec457c657c55a2565764be2443374 95727f201a6194eb125a2c162892eea538601dc8 M	pp_ctl.c
:040000 040000 d7ec689df42f7b90beffb116735cd04528bda355 b8b08d0ebb2994f13141c93783cf01fcf01ab7f1 M	t
bisect run success
That took 1222 seconds.
#####

--
James E Keenan (jkeenan@cpan.org)
RT-Send-CC: perl5-porters [...] perl.org
On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
> perl -e 'formline("@...", "a");' crashes with a segfault.
>
> The core file shows the following backtrace:
>
> #0  0xbbb5dfcc in Perl_pp_formline ()
>     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> (gdb) bt
> #0  0xbbb5dfcc in Perl_pp_formline ()
>     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #1  0xbbb21869 in Perl_runops_standard ()
>     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #2  0xbbaa7f6b in perl_run ()
>     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #3  0x08048e18 in main ()
>
> The segfault seems to occur at the following code fragment in
> pp_ctl.c:

I think the attached is the correct fix, but it still needs tests.

Tony
Subject: 0001-perl-123538-always-set-chophere-and-itembytes-at-the.patch
From 1329d991a175a067c6bf27a6e6128a0c78ba0e20 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 12 Jan 2015 15:10:43 +1100 Subject: [PATCH] [perl #123538] always set chophere and itembytes at the same time --- pp_ctl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/pp_ctl.c b/pp_ctl.c index d69710c..1f77241 100644 --- a/pp_ctl.c +++ b/pp_ctl.c @@ -586,6 +586,7 @@ PP(pp_formline) break; } itembytes = s - item; + chophere = s; break; } -- 1.7.10.4
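Review bot: the pp_ctl.c hunk has no regression test, which the cover note itself admits; the report's one-liner `perl -e 'formline("@...", "a");'` is a ready-made fresh_perl case for t/op/write.t and belongs in the same commit so the crash cannot quietly return. The added `chophere = s;` after `itembytes = s - item;` covers the path that left the pointer NULL, but the consumer in FF_MORE (quoted in the report as `const char *s = chophere;`) still trusts it blindly: an `assert(chophere)` there would make any future handler that records itembytes without chophere fail loudly in debug builds instead of dereferencing NULL. The commit message should also state what actually crashed and why the two assignments must stay paired, since the one-line diff does not say.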
RT-Send-CC: perl5-porters [...] perl.org
On Sun Jan 11 20:11:54 2015, tonyc wrote:
> On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
> > perl -e 'formline("@...", "a");' crashes with a segfault.
> >
> > The core file shows the following backtrace:
> >
> > #0  0xbbb5dfcc in Perl_pp_formline ()
> >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > (gdb) bt
> > #0  0xbbb5dfcc in Perl_pp_formline ()
> >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > #1  0xbbb21869 in Perl_runops_standard ()
> >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > #2  0xbbaa7f6b in perl_run ()
> >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > #3  0x08048e18 in main ()
> >
> > The segfault seems to occur at the following code fragment in
> > pp_ctl.c:
>
> I think the attached is the correct fix, but it still needs tests.

With a test, I'll apply it in a couple of days.

Tony
Subject: 0001-perl-123538-always-set-chophere-and-itembytes-at-the.patch
From 16c22aedb5255e822176c7ec900471bcb4cb8873 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 12 Jan 2015 15:10:43 +1100 Subject: [PATCH] [perl #123538] always set chophere and itembytes at the same time Previously this would crash in FF_MORE because chophere was still NULL. --- pp_ctl.c | 1 + t/op/write.t | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/pp_ctl.c b/pp_ctl.c index 37b822c..c76347b 100644 --- a/pp_ctl.c +++ b/pp_ctl.c @@ -586,6 +586,7 @@ PP(pp_formline) break; } itembytes = s - item; + chophere = s; break; } diff --git a/t/op/write.t b/t/op/write.t index 4b13057..590d658 100644 --- a/t/op/write.t +++ b/t/op/write.t @@ -98,7 +98,7 @@ for my $tref ( @NumTests ){ my $bas_tests = 21; # number of tests in section 3 -my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 4 + 2 + 3 + 96 + 11 + 2; +my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 4 + 2 + 3 + 96 + 11 + 3; # number of tests in section 4 my $hmb_tests = 37; @@ -1960,6 +1960,18 @@ dd| EXPECT { stderr => 1 }, '#123245 different panic in sv_chop'); +fresh_perl_is(<<'EOP', <<'EXPECT', +format STDOUT = +# x at the end to make the spaces visible +@... x +q/a/ +. +write; +EOP +a x +EXPECT + { stderr => 1 }, '#123538 crash in FF_MORE'); + ############################# ## Section 4 ## Add new tests *above* here -- 1.7.10.4
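Review bot: the pp_ctl.c hunk is now explained by the commit message ("chophere was still NULL"), but the consumer it protects stays unguarded: an `assert(chophere)` at the top of FF_MORE, beside the `const char *s = chophere;` quoted in the report, would turn any later handler that sets itembytes without chophere into a debug-build failure rather than a NULL read. While in that spot, the loop condition `isSPACE(*s) && (s < send)` reads the byte before checking the bound; writing it as `s < send && isSPACE(*s)` keeps the read inside the item whenever chophere already equals `item + len`, which is exactly the value this hunk assigns for a short value.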
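Review bot: the new test in the t/op/write.t hunk only covers a value shorter than the `@...` field, so the branch of FF_MORE that actually emits `...` is never executed; a second fresh_perl_is with a value longer than the field (any five-plus character string) would exercise both paths that read chophere, and the `$bug_tests` count would move from `+ 3` to `+ 4` accordingly. The expected line `a x` only passes if the heredoc preserves the padding spaces that the `# x at the end to make the spaces visible` comment refers to, and those spaces are collapsed in this view, so verify the committed file keeps them exact.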
RT-Send-CC: perl5-porters [...] perl.org
On Mon Jan 12 16:15:23 2015, tonyc wrote:
> On Sun Jan 11 20:11:54 2015, tonyc wrote:
> > On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
> > > perl -e 'formline("@...", "a");' crashes with a segfault.
> > >
> > > The core file shows the following backtrace:
> > >
> > > #0  0xbbb5dfcc in Perl_pp_formline ()
> > >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > > (gdb) bt
> > > #0  0xbbb5dfcc in Perl_pp_formline ()
> > >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > > #1  0xbbb21869 in Perl_runops_standard ()
> > >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > > #2  0xbbaa7f6b in perl_run ()
> > >     from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> > > #3  0x08048e18 in main ()
> > >
> > > The segfault seems to occur at the following code fragment in
> > > pp_ctl.c:
> >
> > I think the attached is the correct fix, but it still needs tests.
>
> With a test, I'll apply it in a couple of days.

Applied as 62db6ea5fed19611596cbc5fc0b8a4df2c604e58.

This also fixed 123633 and 123591.

I wonder if there was some sort of format tutorial recently - 3 reports for this bug and 123245 in December.

Tony
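The defect this thread fixes, reduced to a small C model as an added example (this is not code from perl's pp_ctl.c): one opcode handler records how many bytes of the value fit the field, a later handler consumes a `chophere` pointer that this first handler never set, and the consumer reads through it. The names `chop_state`, `scan_field`, `format_field` and `check_case`, the `set_chophere` switch, and the simplified placement of the `...` marker are assumptions of the model; the `chophere = s;` assignment mirrors the one-line fix applied above, and the consumer reports an unset pointer (return code -2) instead of dereferencing it, which is the guard a reviewer would want next to the fix.

```c
/* Added example: a small model of the FF_CHECKNL -> FF_MORE hand-off
 * behind perl #123538. Not code from perl's pp_ctl.c; the names
 * chop_state, scan_field, format_field and check_case, and the
 * simplified placement of the "..." marker, are assumptions. */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct chop_state {
    const char *item;      /* value being formatted into the field */
    size_t      len;       /* its byte length */
    size_t      itembytes; /* bytes of the value that fit the field */
    const char *chophere;  /* where the "..." handler resumes; NULL until set */
};

/* Model of the FF_CHECKNL handler: consume up to fieldsize bytes, stopping
 * at a newline. With set_chophere == 0 it behaves like perl 5.20.0, which
 * recorded itembytes here but left chophere NULL; with 1 it applies the
 * one-line fix from the thread and sets both together. */
static void scan_field(struct chop_state *st, size_t fieldsize, int set_chophere)
{
    const char *s = st->item;
    const char *send = st->item + st->len;
    size_t count = 0;

    st->chophere = NULL;            /* state before any handler has run */
    while (s < send && count < fieldsize) {
        if (*s == '\n')
            break;
        s++;
        count++;
    }
    st->itembytes = s - st->item;
    if (set_chophere)
        st->chophere = s;           /* "always set chophere and itembytes at the same time" */
}

/* Model of the FF_MORE handler: when text remains past the field, keep
 * fieldsize-3 bytes and append "..."; otherwise pad with spaces.
 * Returns the bytes written, -1 on bad arguments, or -2 when chophere was
 * never set: the condition 5.20.0 dereferenced as a NULL pointer, which is
 * detected and reported here instead. */
static int format_field(const char *value, size_t fieldsize, int chopspace,
                        int fixed, char *out, size_t outsz)
{
    struct chop_state st = { value, strlen(value), 0, NULL };
    const char *s, *send;
    size_t n;

    if (fieldsize < 4 || outsz < fieldsize + 1)
        return -1;
    scan_field(&st, fieldsize, fixed);

    s = st.chophere;
    send = st.item + st.len;
    if (s == NULL)
        return -2;                  /* producer never set chophere */
    if (chopspace)
        while (s < send && isspace((unsigned char)*s))  /* bound check before the read */
            s++;

    if (s < send) {
        n = fieldsize - 3;          /* room left beside the "..." marker */
        if (n > st.itembytes)
            n = st.itembytes;
        memcpy(out, st.item, n);
        memcpy(out + n, "...", 3);
        n += 3;
    } else {
        n = st.itembytes;           /* whole value fits: pad to the field width */
        memcpy(out, st.item, n);
        memset(out + n, ' ', fieldsize - n);
        n = fieldsize;
    }
    out[n] = '\0';
    return (int)n;
}

/* Run one case with chopspace enabled. expect == NULL means the case is
 * expected to hit the unset-chophere error (-2). */
static int check_case(const char *value, size_t fieldsize, int fixed, const char *expect)
{
    char buf[32];
    int rc = format_field(value, fieldsize, 1, fixed, buf, sizeof buf);
    if (expect == NULL)
        return rc == -2;
    return rc == (int)strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* constructed inputs: the reporter's one-byte value and a longer one */
    printf("5.20.0 behaviour, \"a\" in @...:  %s\n",
           check_case("a", 4, 0, NULL) ? "chophere unset, reported" : "unexpected");
    printf("fixed, \"a\" in @...:             %s\n",
           check_case("a", 4, 1, "a   ") ? "padded field" : "mismatch");
    printf("fixed, \"abcdefgh\" in width 6:   %s\n",
           check_case("abcdefgh", 6, 1, "abc...") ? "truncated with ..." : "mismatch");
    return 0;
}
```

Build with `cc -Wall -o ffmore ffmore.c && ./ffmore`. The unfixed variant returns -2 for the reporter's `"a"` case on every call, which matches the thread: an `@...` field crashed regardless of the value, because the handler that fed it never wrote `chophere`. The space-skipping loop also tests `s < send` before reading `*s`, the operand order the original `isSPACE(*s) && (s < send)` lacks.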
Date: Mon, 19 Jan 2015 07:32:01 +0100
To: Tony Cook via RT <perlbug-followup [...] perl.org>
From: Michael van Elst <mlelstv [...] serpens.de>
Subject: Re: [perl #123538] formline segfaults
On Sun, Jan 18, 2015 at 09:32:50PM -0800, Tony Cook via RT wrote:
>
> This also fixed 123633 and 123591.
>
> I wonder if there was some sort of format tutorial recently - 3 reports for this bug and 123245 in December.

This bug here was triggered by the Amanda backup software (http://amanda.org) which uses perl formats for reports.

Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
Subject: Your ticket against Perl 5 has been resolved
Thanks for submitting this ticket

The issue should be resolved with the release today of Perl v5.22, available at http://www.perl.org/get.html

If you find that the problem persists, feel free to reopen this ticket

--
Karl Williamson for the Perl 5 porters team

