Skip Menu |
Report information
Id: 123847
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: hv <hv [at] crypt.org>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: 5.22.0



Download (untitled) / with headers
text/plain 2.3k
AFL (<http://lcamtuf.coredump.cx/afl/>) finds this: % ./miniperl -e '%0=*:=*::::=0' Segmentation fault (core dumped) % The code looks similar to the glob overwriting cases in [perl #123710], but the failure mode is quite different: Program received signal SIGSEGV, Segmentation fault. 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 ":", len=1, flags=0) at hv.c:2342 2342 (HEK_UTF8(*hekp) || (flags & SVf_UTF8)) (gdb) where #0 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 ":", len=1, flags=0) at hv.c:2342 #1 0x000000000055a651 in S_mro_gather_and_rename (stashes=0xa557c0, seen_stashes=0xa55790, stash=0xa56108, oldstash=0x0, namesv=0xa61400) at mro.c:992 #2 0x000000000055953b in Perl_mro_package_moved (stash=0xa56108, oldstash=0x0, gv=0xa613e8, flags=0) at mro.c:844 #3 0x00000000005a9e33 in S_glob_assign_glob (dstr=0xa613e8, sstr=0xa61418, dtype=9) at sv.c:4005 #4 0x00000000005afa88 in Perl_sv_setsv_flags (dstr=0xa613e8, sstr=0xa61418, flags=1538) at sv.c:4426 #5 0x0000000000574add in Perl_pp_sassign () at pp_hot.c:231 #6 0x000000000052a13d in Perl_runops_debug () at dump.c:2231 #7 0x00000000004098c7 in S_run_body (oldscope=1) at perl.c:2423 #8 0x0000000000408f0b in perl_run (my_perl=0xa40010) at perl.c:2346 #9 0x00000000004508d1 in main (argc=3, argv=0x7fffffffe638, env=0x7fffffffe658) at miniperlmain.c:122 (gdb) p hekp $1 = (HEK **) 0xa5f820 (gdb) p *hekp $2 = (HEK *) 0x0 (gdb) p /x *hv $3 = {sv_any = 0xa47ec0, sv_refcnt = 0x1, sv_flags = 0x3200000c, sv_u = { svu_pv = 0xa59150, svu_iv = 0xa59150, svu_uv = 0xa59150, svu_nv = 0x0, svu_rv = 0xa59150, svu_rx = 0xa59150, svu_array = 0xa59150, svu_hash = 0xa59150, svu_gp = 0xa59150, svu_fp = 0xa59150}} (gdb) p *aux $4 = {xhv_name_u = {xhvnameu_name = 0xa5f820, xhvnameu_names = 0xa5f820}, xhv_backreferences = 0x0, xhv_eiter = 0x0, xhv_riter = -1, xhv_name_count = -2, xhv_mro_meta = 0xa5f4e0, xhv_rand = 1738015991, xhv_last_rand = 1738015991, xhv_fill_lazy = 0, xhv_aux_flags = 0} (gdb) p aux->xhv_name_u.xhvnameu_names[0]@2 $5 = {0x0, 0xa4d368} Not sure what's supposed to be happening here - the else branch (when not aux->xhv_name_count) clearly knows when it stores existing_name to xhvnameu_names[0] that it might be NULL, that's why our name_count is -2, so how can it be right to loop as far as xhvnameu_names[0] in the if branch? Hugo
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 2.8k
On Mon Feb 16 04:37:51 2015, hv wrote: Show quoted text
> AFL (<http://lcamtuf.coredump.cx/afl/>) finds this: > > % ./miniperl -e '%0=*:=*::::=0' > Segmentation fault (core dumped) > % > > The code looks similar to the glob overwriting cases in [perl > #123710], but the failure mode is quite different: > > Program received signal SIGSEGV, Segmentation fault. > 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 > ":", > len=1, flags=0) at hv.c:2342 > 2342 (HEK_UTF8(*hekp) || (flags & SVf_UTF8)) > (gdb) where > #0 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, > name=0xa62460 ":", > len=1, flags=0) at hv.c:2342 > #1 0x000000000055a651 in S_mro_gather_and_rename (stashes=0xa557c0, > seen_stashes=0xa55790, stash=0xa56108, oldstash=0x0, > namesv=0xa61400) > at mro.c:992 > #2 0x000000000055953b in Perl_mro_package_moved (stash=0xa56108, > oldstash=0x0, gv=0xa613e8, flags=0) at mro.c:844 > #3 0x00000000005a9e33 in S_glob_assign_glob (dstr=0xa613e8, > sstr=0xa61418, > dtype=9) at sv.c:4005 > #4 0x00000000005afa88 in Perl_sv_setsv_flags (dstr=0xa613e8, > sstr=0xa61418, > flags=1538) at sv.c:4426 > #5 0x0000000000574add in Perl_pp_sassign () at pp_hot.c:231 > #6 0x000000000052a13d in Perl_runops_debug () at dump.c:2231 > #7 0x00000000004098c7 in S_run_body (oldscope=1) at perl.c:2423 > #8 0x0000000000408f0b in perl_run (my_perl=0xa40010) at perl.c:2346 > #9 0x00000000004508d1 in main (argc=3, argv=0x7fffffffe638, > env=0x7fffffffe658) at miniperlmain.c:122 > (gdb) p hekp > $1 = (HEK **) 0xa5f820 > (gdb) p *hekp > $2 = (HEK *) 0x0 > (gdb) p /x *hv > $3 = {sv_any = 0xa47ec0, sv_refcnt = 0x1, sv_flags = 0x3200000c, sv_u > = { > svu_pv = 0xa59150, svu_iv = 0xa59150, svu_uv = 0xa59150, svu_nv = > 0x0, > svu_rv = 0xa59150, svu_rx = 0xa59150, svu_array = 0xa59150, > svu_hash = 0xa59150, svu_gp = 0xa59150, svu_fp = 0xa59150}} > (gdb) p *aux > $4 = {xhv_name_u = {xhvnameu_name = 0xa5f820, xhvnameu_names = > 0xa5f820}, > xhv_backreferences = 0x0, xhv_eiter = 0x0, xhv_riter = -1, > xhv_name_count = -2, xhv_mro_meta = 0xa5f4e0, xhv_rand = > 1738015991, > xhv_last_rand = 1738015991, xhv_fill_lazy = 0, xhv_aux_flags = 0} > (gdb) p aux->xhv_name_u.xhvnameu_names[0]@2 > $5 = {0x0, 0xa4d368} > > Not sure what's supposed to be happening here - the else branch (when > not aux->xhv_name_count) clearly knows when it stores existing_name to > xhvnameu_names[0] that it might be NULL, that's why our name_count is > -2, so how can it be right to loop as far as xhvnameu_names[0] in the > if branch?
Bisect: 1f656fcf060e343780f7a91a2ce567e8a9de9414 is the first bad commit commit 1f656fcf060e343780f7a91a2ce567e8a9de9414 Author: Father Chrysostomos <sprout@cpan.org> Date: Fri Apr 15 22:33:31 2011 -0700 Followup to 088225f/[perl #88132]: packages ending with : -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 3.3k
On Mon Mar 02 22:09:39 2015, sprout wrote: Show quoted text
> On Mon Feb 16 04:37:51 2015, hv wrote:
> > AFL (<http://lcamtuf.coredump.cx/afl/>) finds this: > > > > % ./miniperl -e '%0=*:=*::::=0' > > Segmentation fault (core dumped) > > % > > > > The code looks similar to the glob overwriting cases in [perl > > #123710], but the failure mode is quite different: > > > > Program received signal SIGSEGV, Segmentation fault. > > 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 > > ":", > > len=1, flags=0) at hv.c:2342 > > 2342 (HEK_UTF8(*hekp) || (flags & SVf_UTF8)) > > (gdb) where > > #0 0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, > > name=0xa62460 ":", > > len=1, flags=0) at hv.c:2342 > > #1 0x000000000055a651 in S_mro_gather_and_rename (stashes=0xa557c0, > > seen_stashes=0xa55790, stash=0xa56108, oldstash=0x0, > > namesv=0xa61400) > > at mro.c:992 > > #2 0x000000000055953b in Perl_mro_package_moved (stash=0xa56108, > > oldstash=0x0, gv=0xa613e8, flags=0) at mro.c:844 > > #3 0x00000000005a9e33 in S_glob_assign_glob (dstr=0xa613e8, > > sstr=0xa61418, > > dtype=9) at sv.c:4005 > > #4 0x00000000005afa88 in Perl_sv_setsv_flags (dstr=0xa613e8, > > sstr=0xa61418, > > flags=1538) at sv.c:4426 > > #5 0x0000000000574add in Perl_pp_sassign () at pp_hot.c:231 > > #6 0x000000000052a13d in Perl_runops_debug () at dump.c:2231 > > #7 0x00000000004098c7 in S_run_body (oldscope=1) at perl.c:2423 > > #8 0x0000000000408f0b in perl_run (my_perl=0xa40010) at perl.c:2346 > > #9 0x00000000004508d1 in main (argc=3, argv=0x7fffffffe638, > > env=0x7fffffffe658) at miniperlmain.c:122 > > (gdb) p hekp > > $1 = (HEK **) 0xa5f820 > > (gdb) p *hekp > > $2 = (HEK *) 0x0 > > (gdb) p /x *hv > > $3 = {sv_any = 0xa47ec0, sv_refcnt = 0x1, sv_flags = 0x3200000c, sv_u > > = { > > svu_pv = 0xa59150, svu_iv = 0xa59150, svu_uv = 0xa59150, svu_nv = > > 0x0, > > svu_rv = 0xa59150, svu_rx = 0xa59150, svu_array = 0xa59150, > > svu_hash = 0xa59150, svu_gp = 0xa59150, svu_fp = 0xa59150}} > > (gdb) p *aux > > $4 = {xhv_name_u = {xhvnameu_name = 0xa5f820, xhvnameu_names = > > 0xa5f820}, > > xhv_backreferences = 0x0, xhv_eiter = 0x0, xhv_riter = -1, > > xhv_name_count = -2, xhv_mro_meta = 0xa5f4e0, xhv_rand = > > 1738015991, > > xhv_last_rand = 1738015991, xhv_fill_lazy = 0, xhv_aux_flags = 0} > > (gdb) p aux->xhv_name_u.xhvnameu_names[0]@2 > > $5 = {0x0, 0xa4d368} > > > > Not sure what's supposed to be happening here - the else branch (when > > not aux->xhv_name_count) clearly knows when it stores existing_name to > > xhvnameu_names[0] that it might be NULL, that's why our name_count is > > -2, so how can it be right to loop as far as xhvnameu_names[0] in the > > if branch?
> > Bisect: > > 1f656fcf060e343780f7a91a2ce567e8a9de9414 is the first bad commit > commit 1f656fcf060e343780f7a91a2ce567e8a9de9414 > Author: Father Chrysostomos <sprout@cpan.org> > Date: Fri Apr 15 22:33:31 2011 -0700 > > Followup to 088225f/[perl #88132]: packages ending with :
Here is a clearer example, which goes back to 5.14: $ ./miniperl -e '%0; *bar::=*foo::=0' The %0 hash needs to be vivified beforehand, and the two globs assigned to need to be stash globs (fq names ending in ::). The logic in hv_ename_add is wrong, and probably has been so since I wrote it. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Fixed in 3d50185. -- Father Chrysostomos
Download (untitled) / with headers
text/plain 200b
Thank you for submitting this ticket. The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html -- Karl Williamson for the Perl 5 team


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org