Report information
Id: 131570
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



From: Brian Carpenter <brian.carpenter [...] gmail.com>
Date: Tue, 13 Jun 2017 15:01:45 -0500
Subject: SIGBUS in Perl_leave_adjust_stacks()
To: perlbug [...] perl.org
Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

Program received signal SIGBUS, Bus error.
0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
    to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
    at pp_hot.c:3837
3837                    if (SvTEMP(sv))
(gdb) bt
#0  0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
    to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
    at pp_hot.c:3837
#1  0x0000000000dea68d in Perl_pp_leave () at pp_ctl.c:2117
#2  0x0000000000926e77 in Perl_runops_debug () at dump.c:2451
#3  0x000000000059f02b in S_run_body (oldscope=1) at perl.c:2543
#4  perl_run (my_perl=<optimized out>) at perl.c:2471
#5  0x000000000043506e in main (argc=2, argv=0x7fffffffe6b8,
    env=0x7fffffffe6d0) at perlmain.c:123
[Attachment: test314.gz, application/x-gzip, 121b]

RT-Send-CC: perl5-porters [...] perl.org
On Tue, 13 Jun 2017 13:02:33 -0700, brian.carpenter@gmail.com wrote:
> Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
> Debian 8 x64.
>
> Program received signal SIGBUS, Bus error.
> 0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
>     to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
>     at pp_hot.c:3837
> 3837                    if (SvTEMP(sv))
> (gdb) bt
> #0  0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
>     to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
>     at pp_hot.c:3837
> #1  0x0000000000dea68d in Perl_pp_leave () at pp_ctl.c:2117
> #2  0x0000000000926e77 in Perl_runops_debug () at dump.c:2451
> #3  0x000000000059f02b in S_run_body (oldscope=1) at perl.c:2543
> #4  perl_run (my_perl=<optimized out>) at perl.c:2471
> #5  0x000000000043506e in main (argc=2, argv=0x7fffffffe6b8,
>     env=0x7fffffffe6d0) at perlmain.c:123
I wasn't able to minimize your test case significantly, but I did track down the cause.

The temps stack entry allocated in pp_aassign:

    /* an unrolled sv_2mortal */
    ix = ++PL_tmps_ix;
    if (UNLIKELY(ix >= PL_tmps_max))
        /* speculatively grow enough to cover other
         * possible refs */
        ix = tmps_grow_p(ix + (lastlelem - lelem));
    PL_tmps_stack[ix] = ref;

wasn't being used, since the value of ix is overwritten by the call to tmps_grow_p().[1]

Removing the assignment per the attached patch prevents the crash (and means the temp is actually freed too.)

I don't have a test for it at this point, I may end up just using the original test case.

Tony

[1] I ran until it crashed, saved the value of the top pointer (which is where the sv value came from), and watchpointed that address in a new run, which was only touched when the temps were reallocated by tmps_grow_p().
Subject: 0001-perl-131570-don-t-skip-the-temps-stack-entry-we-just.patch
From 5a9032e65282dceec6d65ee9a6e3abe2b90b9929 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 21 Jun 2017 15:00:56 +1000
Subject: (perl #131570) don't skip the temps stack entry we just allocated

---
 pp_hot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pp_hot.c b/pp_hot.c
index 7c98c90..f445fd9 100644
--- a/pp_hot.c
+++ b/pp_hot.c
@@ -1736,7 +1736,7 @@ PP(pp_aassign)
                 if (UNLIKELY(ix >= PL_tmps_max))
                     /* speculatively grow enough to cover other
                      * possible refs */
-                    ix = tmps_grow_p(ix + (lastlelem - lelem));
+                    (void)tmps_grow_p(ix + (lastlelem - lelem));
                 PL_tmps_stack[ix] = ref;
             }
-- 
2.1.4
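Review bot: the one-line fix is right as far as the hunk shows, but it lands without a regression test, which the cover message acknowledges ("I don't have a test for it at this point"). The defect only exists on the path where `ix >= PL_tmps_max` is true, so a test has to force tmps_grow_p() to actually run during a single list assignment; anything that stays below PL_tmps_max passes on the old code as well. A short comment above `(void)tmps_grow_p(ix + (lastlelem - lelem));` noting that the value tmps_grow_p() returns is not the slot `++PL_tmps_ix` just claimed (the overwrite the cover note traced with a watchpoint) would keep the assignment from being reintroduced by someone "fixing" the discarded return value later.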
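An added example, not code from the perl tree or from this patch, that models the bookkeeping error Tony describes: a toy temps stack whose grow routine is modelled on Perl_tmps_grow_p() (which makes the requested index valid and returns that same index), called from a pre-patch push and a post-patch push. The names tmps_grow_p, push_prepatch, push_patched, count_stale, scenario and the STALE sentinel are this model's own, and the dummy refs are constructed. It shows that whenever growth actually happens, the pre-patch form writes the ref above the slot that `++ix` claimed and leaves that slot unwritten, which is the entry a later sweep such as leave_adjust_stacks would try to treat as an SV.

```c
#include <stdio.h>
#include <stdlib.h>

/* Sentinel for a slot that was allocated by growth but never written. The real
 * realloc() leaves such a slot undefined; marking it lets us detect it here. */
static int stale_marker;
#define STALE ((void *)&stale_marker)

typedef struct {
    void **stack;  /* stands in for PL_tmps_stack */
    long ix;       /* stands in for PL_tmps_ix: topmost entry in use, -1 when empty */
    long max;      /* stands in for PL_tmps_max: number of allocated slots */
} TmpsStack;

static void tmps_init(TmpsStack *t, long cap) {
    t->stack = malloc(cap * sizeof *t->stack);
    for (long i = 0; i < cap; i++) t->stack[i] = STALE;
    t->ix = -1;
    t->max = cap;
}

/* Modelled on Perl_tmps_grow_p(): make `ix` a valid index (with some headroom)
 * and hand `ix` back unchanged. Note that the value returned is whatever the
 * caller asked for, not the slot the caller previously claimed with ++ix. */
static long tmps_grow_p(TmpsStack *t, long ix) {
    long newmax = ix + 1 + 4;
    t->stack = realloc(t->stack, newmax * sizeof *t->stack);
    for (long i = t->max; i < newmax; i++) t->stack[i] = STALE;
    t->max = newmax;
    return ix;
}

/* Pre-patch form: the speculative index (ix + extra) replaces the index that
 * ++ix claimed, so `ref` lands above t->ix and the claimed slot stays STALE. */
static void push_prepatch(TmpsStack *t, void *ref, long extra) {
    long ix = ++t->ix;
    if (ix >= t->max)
        ix = tmps_grow_p(t, ix + extra);
    t->stack[ix] = ref;
}

/* Post-patch form: the grow result is discarded and the claimed slot is written. */
static void push_patched(TmpsStack *t, void *ref, long extra) {
    long ix = ++t->ix;
    if (ix >= t->max)
        (void)tmps_grow_p(t, ix + extra);
    t->stack[ix] = ref;
}

/* Stand-in for a sweep over the live entries (FREETMPS / leave_adjust_stacks):
 * counts entries between `floor` and t->ix that were never written. */
static int count_stale(const TmpsStack *t, long floor) {
    int stale = 0;
    for (long i = floor; i <= t->ix; i++)
        if (t->stack[i] == STALE) stale++;
    return stale;
}

/* Push `n` (at most 16) constructed refs, each asking for `extra` speculative
 * slots, onto a stack whose capacity of 2 guarantees growth once n > 2.
 * Returns the number of live entries that were left unwritten. */
static int scenario(int patched, int n, long extra) {
    TmpsStack t;
    static int refs[16];   /* constructed dummy "SVs"; only their addresses matter */
    tmps_init(&t, 2);
    for (int i = 0; i < n && i < 16; i++) {
        if (patched) push_patched(&t, &refs[i], extra);
        else         push_prepatch(&t, &refs[i], extra);
    }
    int stale = count_stale(&t, 0);
    free(t.stack);
    return stale;
}

int main(void) {
    printf("no growth, pre-patch : %d stale\n", scenario(0, 2, 3));
    printf("growth, pre-patch    : %d stale\n", scenario(0, 3, 3));
    printf("growth, patched      : %d stale\n", scenario(1, 3, 3));
    return 0;
}
```

The third push is the first one that needs growth; on the pre-patch path it is written to slot 5 while t->ix is 2, so slot 2 is the unwritten entry the sweep finds. With the patched push the count is zero regardless of how many pushes follow.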
RT-Send-CC: perl5-porters [...] perl.org
Applied my patch as 67c3640a57440a4e9e224e9164ac9f39bdc9376f.

Tony

