Skip Menu |
Report information
Id: 132598
Status: new
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: zefram [at] fysh.org
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: core
Perl Version: 5.27.6
Fixed In: (no value)



From: zefram [...] fysh.org
Subject: index() confused by tie side effects
CC: zefram [...] fysh.org
To: perlbug [...] perl.org
Date: Mon, 18 Dec 2017 02:05:22 +0000
Download (untitled) / with headers
text/plain 4.9k
This is a bug report for perl from zefram@fysh.org, generated with the help of perlbug 1.41 running under perl 5.27.6. ----------------------------------------------------------------- [Please describe your issue here] Here's an index() operation in which the fetching of the value of one operand alters the other operand: $ perl -lwe 'package T { sub TIESCALAR { bless({}, $_[0]) } sub FETCH { $::haystack="cc"; $::haystack = ""; "c" } } $haystack = "ppcp"; chop $haystack; tie $needle, "T"; print index($haystack, $needle)' 1 The answer that this produces is quite surprising. If the search used the $haystack value that prevailed before the tied fetch, "ppc", index() would yield 2. If it used the $haystack value that prevailed after the tied fetch, "", index() would yield -1. For the behaviour to qualify as sane it ought to be one of those two. Venturing into less sane behaviour, if the search used the value of $haystack that briefly applies during the tied fetch before being overwritten, "cc", index() would yield 0. But what it actually yields, 1, doesn't correspond to any value that $haystack ever had. This is surely a bug. What's going on is that pp_index first fetches a pointer to the $haystack string and the length of that string, before invoking the get magic on $needle. The get magic overwrites the string and changes the length of $haystack, but pp_index doesn't notice. It searches in the mutated $haystack buffer, with the original $haystack length, and that buffer content is now "\0c\0". Variations on this could obviously read from a buffer that has been freed. The chop() in the test case is required to defeat COW. Without it, pp_index searches the COW-shared buffer, getting a sane result. [Please do not change anything below this line] ----------------------------------------------------------------- --- Flags: category=core severity=low --- Site configuration information for perl 5.27.6: Configured by zefram at Tue Nov 21 05:42:59 GMT 2017. Summary of my perl5 (revision 5 version 27 subversion 6) configuration: Platform: osname=linux osvers=3.16.0-4-amd64 archname=x86_64-linux-thread-multi uname='linux barba.rous.org 3.16.0-4-amd64 #1 smp debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 gnulinux ' config_args='-des -Dprefix=/home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52 -Duselargefiles -Dusethreads -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dusedevel -Uversiononly -Ui_db' hint=recommended useposix=true d_sigaction=define useithreads=define usemultiplicity=define use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n default_inc_excludes_dot=define bincompat5005=undef Compiler: cc='cc' ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2' optimize='-O2' cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include' ccversion='' gccversion='4.9.2' gccosandvers='' intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3 ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='cc' ldflags =' -fstack-protector-strong -L/usr/local/lib' libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib libs=-lpthread -lnsl -ldb -ldl -lm -lcrypt -lutil -lc perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc libc=libc-2.19.so so=so useshrplib=true libperl=libperl.so gnulibc_version='2.19' Dynamic Linking: dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags='-Wl,-E -Wl,-rpath,/home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/lib/5.27.6/x86_64-linux-thread-multi/CORE' cccdlflags='-fPIC' lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong' --- @INC for perl 5.27.6: /home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/lib/site_perl/5.27.6/x86_64-linux-thread-multi /home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/lib/site_perl/5.27.6 /home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/lib/5.27.6/x86_64-linux-thread-multi /home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/lib/5.27.6 --- Environment for perl 5.27.6: HOME=/home/zefram LANG (unset) LANGUAGE (unset) LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/zefram/usr/perl/perl_install/perl-5.27.6-i64-f52/bin:/home/zefram/usr/perl/util:/home/zefram/pub/x86_64-unknown-linux-gnu/bin:/home/zefram/pub/common/bin:/usr/bin:/bin:/usr/local/bin:/usr/games PERLDOC=-oman PERL_BADLANG (unset) SHELL=/usr/bin/zsh


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org