Report information
Id: 131085
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: mauke- <l.mai [at] web.de>
Cc:
AdminCc:

Operating System: Linux
PatchStatus: (no value)
Severity: low
Type: core
Perl Version: 5.24.1
Fixed In: (no value)



Subject: segfault with symbol table and coderef
From: l.mai [...] web.de
To: perlbug [...] perl.org
Date: Fri, 31 Mar 2017 20:15:22 +0200
This is a bug report for perl from l.mai@web.de,
generated with the help of perlbug 1.40 running under perl 5.24.1.

-----------------------------------------------------------------
[Please describe your issue here]

$ perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

I haven't done any analysis but this is the stacktrace from 5.25.11:

Program received signal SIGSEGV, Segmentation fault.
Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c:426
426 || ( HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
(gdb) bt
#0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c:426
#1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A", full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c:2421
#2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049, sv_type=SVt_PVCV) at gv.c:1569
#3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98, gvp=0xbfffee94, lref=1) at sv.c:9968
#4 0x081865a5 in Perl_pp_rv2cv () at pp.c:468
#5 0x081141d8 in Perl_runops_debug () at dump.c:2451
#6 0x080947f2 in S_run_body (oldscope=1) at perl.c:2524
#7 perl_run (my_perl=0x835f008) at perl.c:2447
#8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:

  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1

---
Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 31 Mar 2017 18:15:50 GMT, mauke- wrote:
>
> This is a bug report for perl from l.mai@web.de,
> generated with the help of perlbug 1.40 running under perl 5.24.1.
>
>
> -----------------------------------------------------------------
> [Please describe your issue here]
>
> $ perl -e '$::{"A"} = sub {}; \&{"A"}'
> Segmentation fault (core dumped)
>
> I haven't done any analysis but this is the stacktrace from 5.25.11:
>
> Program received signal SIGSEGV, Segmentation fault.
> Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>,
> name=<optimized out>, len=<optimized out>, flags=<optimized out>) at
> gv.c:426
> 426 || ( HEK_LEN(CvNAME_HEK(cv)) ==
> HEK_LEN(GvNAME_HEK(gv))
> (gdb) bt
> #0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>,
> name=<optimized out>, len=<optimized out>, flags=<optimized out>)
> at gv.c:426
> #1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A",
> full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c:2421
> #2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049,
> sv_type=SVt_PVCV) at gv.c:1569
> #3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98,
> gvp=0xbfffee94, lref=1) at sv.c:9968
> #4 0x081865a5 in Perl_pp_rv2cv () at pp.c:468
> #5 0x081141d8 in Perl_runops_debug () at dump.c:2451
> #6 0x080947f2 in S_run_body (oldscope=1) at perl.c:2524
> #7 perl_run (my_perl=0x835f008) at perl.c:2447
> #8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>,
> env=<optimized out>) at perlmain.c:123
>
This was a regression between 5.20 and 5.22 (which I *think* means it's not a 5.26.0 blocker).

Bisection command:

#####
Porting/bisect.pl --crash --start=v5.20.0 -- ./perl -e '$::{"A"} = sub {}; \&{"A"}'
#####

Tail of bisection result:

#####
Cannot convert a reference to CODE to typeglob at -e line 1.
HEAD is now at c831c5e Remove bogus gv-handling code from toke.c
good - zero exit from ./perl -e $::{"A"} = sub {}; \&{"A"}
2eaf799e74b14dc77b90d5484a3fd4ceac12b46a is the first bad commit
commit 2eaf799e74b14dc77b90d5484a3fd4ceac12b46a
Author: Father Chrysostomos <sprout@cpan.org>
Date: Sun Aug 31 20:13:21 2014 -0700

    Avoid creating GVs when subs are declared

    This patch changes ‘sub foo {...}’ declarations to store subroutine
    references in the stash, to save memory.

    Typeglobs still notionally exist. Accessing CvGV(cv) will reify them.
    Hence, currently the savings are lost when a sub call is compiled.

    $ ./miniperl -e 'sub foo{} BEGIN { warn $::{foo} } foo(); BEGIN { warn $::{foo} }'
    CODE(0x7f8ef082ad98) at -e line 1.
    *main::foo at -e line 1.

    This optimisation is skipped if the subroutine declaration contains a
    package separator.

    Concerning the changes in caller.t, this code:

        sub foo { print +(caller(0))[3],"\n" }
        my $fooref = delete $::{foo};
        $fooref -> ();

    used to crash in 5.7.3 or thereabouts. It was fixed by 16658 (aka
    07b8c804e8) to produce ‘(unknown)’ instead. Then in 5.13.3 it was
    changed (by 803f274) to produce ‘main::__ANON__’ instead. So the tests
    are really checking that we don’t get a crash. I think it is acceptable
    that it has now changed to ‘main::foo’.

:100644 100644 74f1ba990b5fec64709aa08caa4c9dd1945a2428 4378152a3db27ee3d40e8a12dec07b550541b72f M embed.fnc
:100644 100644 7aa9f1ee68bbe9794d8b668c99ab76c4217eb7af 1b490f8366a93b06e46fa1deed0d41e8ed16f667 M gv.c
:100644 100644 be9a341e9dd7009e4c654fb260e7c8145266b43b 78407f3520a762c92d556c98df05443ee0e9cf50 M op.c
:100644 100644 7cadacea46d2deee3d4902e6403836c06898429a ea05bb49f9de09684b3e59e088ea371927b6436f M pp.c
:100644 100644 642823dc434ba4616d96ae9bd42b32f171891422 a540fc76549039530820191135236f76c3f391ff M proto.h
:040000 040000 8a139b7878c09394296c6fe04faded005b099282 9125fb9ba794e8f3649f7356c68fee85e33dbf03 M t
:100644 100644 ea022f9512d5dddb31b9f415c45df909fba79c26 8a8d187e80756f018daca9a0888bfd3a97b6ce2f M toke.c
:100644 100644 200ce875b94bd843d78138841428c7efd07fe8cb 825dff5c42a6528e0bedac427c64e7c2899cbd98 M universal.c
bisect run success
That took 1182 seconds.
#####

Confirmation via building perl at commit before and commit. What was formerly an exception became a segfault.

#####
[2eaf799^] 514 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-637-gc831c5e)) built for x86_64-linux
[2eaf799^] 515 $ ./bin/perl -e '$::{"A"} = sub {}; \&{"A"}'
Cannot convert a reference to CODE to typeglob at -e line 1.
[2eaf799] 509 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-638-g2eaf799)) built for x86_64-linux
[2eaf799] 510 $ ./bin/perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)
#####

Father C, can you take a look?

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 31 Mar 2017 15:02:43 -0700, jkeenan wrote:
> This was a regression between 5.20 and 5.22 (which I *think* means
> it's not a 5.26.0 blocker).

Right. One of the docs says that assigning to stash elements like that results in undefined behaviour.

(It still shouldn’t crash, but there is no need for it to be a blocker.)

> Father C, can you take a look?

Patch attached.

--
Father Chrysostomos
Subject: open_8lil12km.txt
From ea6c8a920fe6433d6e7d190ba0e9aed4f790aaed Mon Sep 17 00:00:00 2001 From: Father Chrysostomos <sprout@cpan.org> Date: Fri, 7 Apr 2017 14:08:02 -0700 Subject: [PATCH] [perl #131085] Crash with sub-in-stash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit $ perl -e '$::{"A"} = sub {}; \&{"A"}' Segmentation fault (core dumped) The code that vivifies a typeglob out of a code ref assumed that the CV had a name hek, which is always the case when perl itself puts the code ref there (via ‘sub A{}’), but is not necessarily the case if someone is insinuating other stuff into the stash. diff --git a/gv.c b/gv.c index d32a9c5..315ec49 100644 --- a/gv.c +++ b/gv.c @@ -421,7 +421,7 @@ Perl_gv_init_pvn(pTHX_ GV *gv, HV *stash, const char *name, STRLEN len, U32 flag /* Not actually a constant. Just a regular sub. */ CV * const cv = (CV *)has_constant; GvCV_set(gv,cv); - if (CvSTASH(cv) == stash && ( + if (CvNAMED(cv) && CvSTASH(cv) == stash && ( CvNAME_HEK(cv) == GvNAME_HEK(gv) || ( HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv)) && HEK_FLAGS(CvNAME_HEK(cv)) != HEK_FLAGS(GvNAME_HEK(gv)) diff --git a/t/op/gv.t b/t/op/gv.t index 8d5e7dc..4fe6b00 100644 --- a/t/op/gv.t +++ b/t/op/gv.t @@ -1187,6 +1187,10 @@ package GV_DOWNGRADE { ::like "$GV_DOWNGRADE::{FOO}", qr/SCALAR/, "gv_downgrade: post"; } +# [perl #131085] This used to crash; no ok() necessary. +$::{"A131085"} = sub {}; \&{"A131085"}; + + __END__ Perl Rules
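Review bot: In the gv.c hunk, the comment above the condition ("Not actually a constant. Just a regular sub.") gives no reason why CvNAMED(cv) has to be tested before CvNAME_HEK(cv) is used. The reasoning is only in the commit message (a code ref placed in the stash by user code need not have a name hek), so a one-line comment at the condition saying that the CV may be unnamed when it was assigned into the stash directly would keep a later cleanup from dropping the guard as redundant. Since the guard makes an unnamed CV skip the body of this if, and the body is not among the visible lines, the comment could also say that skipping it is the intended outcome for such a CV.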
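Review bot: In the t/op/gv.t hunk, the added statement runs with no assertion ("no ok() necessary"), so a regression would show up only as the test script dying partway through, with nothing in the test output naming #131085. Following `\&{"A131085"};` with an explicit passing test whose description carries the ticket number would record that this point was reached and make a failure attributable at a glance; if the file declares a plan, its count would need the matching bump.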
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 07 Apr 2017 14:10:52 -0700, sprout wrote:
> On Fri, 31 Mar 2017 15:02:43 -0700, jkeenan wrote:
> > This was a regression between 5.20 and 5.22 (which I *think* means
> > it's not a 5.26.0 blocker).
>
> Right. One of the docs says that assigning to stash elements like
> that results in undefined behaviour.
>
> (It still shouldn’t crash, but there is no need for it to be a
> blocker.)
>
> > Father C, can you take a look?
>
> Patch attached.

Now applied as 790acdd.

--
Father Chrysostomos
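
The failure mode named in the patch description, a name comparison that reads the CV's name hek without first checking that the CV is named, shown as a simplified C model. This is an added example, not Perl's source and not code from the ticket; the `Hek` and `Cv` structs, their fields, `hek_eq` and the two `same_sub_*` functions are assumptions made for illustration, and the comparison is reduced to length plus bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-ins for illustration; not Perl's real definitions. */
typedef struct { size_t len; const char *key; } Hek;   /* a name key */
typedef struct {
    int named;          /* models the CvNAMED flag */
    const void *stash;  /* models CvSTASH */
    const Hek *name;    /* meaningful only when named != 0 */
} Cv;

static int hek_eq(const Hek *a, const Hek *b)
{
    return a == b || (a->len == b->len && memcmp(a->key, b->key, a->len) == 0);
}

/* Shape of the check before the patch: cv->name is dereferenced whenever the
 * stash matches, so a CV with no name (name == NULL here) faults. */
int same_sub_unguarded(const Cv *cv, const void *stash, const Hek *gv_name)
{
    return cv->stash == stash && hek_eq(cv->name, gv_name);
}

/* Shape of the check after the patch: the flag is tested first and &&
 * short-circuits, so the name is never read for an unnamed CV. */
int same_sub_guarded(const Cv *cv, const void *stash, const Hek *gv_name)
{
    return cv->named && cv->stash == stash && hek_eq(cv->name, gv_name);
}

/* Constructed sample data. */
static const int main_stash = 0;   /* its address stands in for a stash */
static const Hek gv_a = { 1, "A" };
static const Hek cv_a = { 1, "A" };
const Cv declared_sub = { 1, &main_stash, &cv_a };  /* like: sub A {} */
const Cv inserted_sub = { 0, &main_stash, NULL };   /* like: $::{"A"} = sub {} */

int main(void)
{
    printf("declared: unguarded=%d guarded=%d\n",
           same_sub_unguarded(&declared_sub, &main_stash, &gv_a),
           same_sub_guarded(&declared_sub, &main_stash, &gv_a));
    /* Only the guarded form is safe to call on the inserted sub. */
    printf("inserted: guarded=%d\n",
           same_sub_guarded(&inserted_sub, &main_stash, &gv_a));
    return 0;
}
```

For named CVs the two forms agree; they differ only on the input the unguarded form cannot survive.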
Thank you for filing this report. You have helped make Perl better. With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved. Perl 5.28.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.28.0 If you find that the problem persists, feel free to reopen this ticket.

