
Subject: null ptr deref, segfault in Perl_pp_subtract pp.c:1894
Perl v5.25.4-27-gf16e7fa

./perl -e '@0=()-splice@a,$#a=0or@0'

==35420==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x0000009bcd41 bp 0x0c32000012d2 sp 0x7ffe63e7dbd0 T0)
    #0 0x9bcd40 in Perl_pp_subtract /home/geeknik/perl/pp.c:1894:5
    #1 0x7f2623 in Perl_runops_debug /home/geeknik/perl/dump.c:2234:23
    #2 0x5a10c6 in S_run_body /home/geeknik/perl/perl.c:2525:2
    #3 0x5a10c6 in perl_run /home/geeknik/perl/perl.c:2448
    #4 0x4de6cd in main /home/geeknik/perl/perlmain.c:123:9
    #5 0x7f501b7f1b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #6 0x4de33c in _start (/home/geeknik/perl/perl+0x4de33c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/perl/pp.c:1894 Perl_pp_subtract
==35420==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x00000000009bcdc1 in Perl_pp_subtract () at pp.c:1894
1894        tryAMAGICbin_MG(subtr_amg, AMGf_assign|AMGf_numeric);
(gdb) bt
#0  0x00000000009bcdc1 in Perl_pp_subtract () at pp.c:1894
#1  0x00000000007f26a4 in Perl_runops_debug () at dump.c:2234
#2  0x00000000005a10c7 in S_run_body (oldscope=<optimized out>) at perl.c:2525
#3  perl_run (my_perl=<optimized out>) at perl.c:2448
#4  0x00000000004de6ce in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

==17125== Invalid read of size 4
==17125==    at 0x54A013: Perl_pp_subtract (pp.c:1894)
==17125==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==17125==    by 0x452E96: S_run_body (perl.c:2525)
==17125==    by 0x452E96: perl_run (perl.c:2448)
==17125==    by 0x421834: main (perlmain.c:123)
==17125==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==17125==
==17125==
==17125== Process terminating with default action of signal 11 (SIGSEGV)
==17125==  Access not within mapped region at address 0xC
==17125==    at 0x54A013: Perl_pp_subtract (pp.c:1894)
==17125==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==17125==    by 0x452E96: S_run_body (perl.c:2525)
==17125==    by 0x452E96: perl_run (perl.c:2448)
==17125==    by 0x421834: main (perlmain.c:123)
==17125==  If you believe this happened as a result of a stack
==17125==  overflow in your program's main thread (unlikely but
==17125==  possible), you can try to increase the size of the
==17125==  main thread stack using the --main-stacksize= flag.
==17125==  The main thread stack size used in this run was 8388608.
Segmentation fault
RT-Send-CC: perl5-porters [...] perl.org
./perl -e '$#a=0;0-splice@a'

Also segfaults.

The root cause of #129164, #129166, and #129167 is almost certainly something in Perl_pp_splice when called on a zero-length array.

$ ./perl -Ilib -MDevel::Peek -e '$#a=0; Dump(splice @a);'
SV = 0

Looks like a good starting point.

--
Respectfully,
Dan Collins
RT-Send-CC: perl5-porters [...] perl.org
On Thu Sep 01 11:56:00 2016, dcollinsn@gmail.com wrote:

> ./perl -e '$#a=0;0-splice@a'
>
> Also segfaults.
>
> The root cause of #129164, #129166, and #129167 is almost certainly
> something in Perl_pp_splice when called on a zero-length array.

Not zero-length, but one with a single null entry.

>
> $ ./perl -Ilib -MDevel::Peek -e '$#a=0; Dump(splice @a);'
> SV = 0
>
> Looks like a good starting point.

I think splice needs to do the same null checks that other array functions do, and push &PL_sv_undef for null.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Thu Sep 01 21:30:30 2016, sprout wrote:

> On Thu Sep 01 11:56:00 2016, dcollinsn@gmail.com wrote:
>
> > ./perl -e '$#a=0;0-splice@a'
> >
> > Also segfaults.
> >
> > The root cause of #129164, #129166, and #129167 is almost certainly
> > something in Perl_pp_splice when called on a zero-length array.
>
> Not zero-length, but one with a single null entry.
>
> >
> > $ ./perl -Ilib -MDevel::Peek -e '$#a=0; Dump(splice @a);'
> > SV = 0
> >
> > Looks like a good starting point.
>
> I think splice needs to do the same null checks that other array
> functions do, and push &PL_sv_undef for null.

Now fixed in 92b69f6.

--
Father Chrysostomos
Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.