perl -e "open m" crashes Perl with "Out of memory!" message #7247

Closed
p5pRT opened this issue Apr 20, 2004 · 9 comments

p5pRT commented Apr 20, 2004

Migrated from rt.perl.org#28986 (status was 'resolved')

Searchable as RT28986$


p5pRT commented Apr 20, 2004

From DanVDascalescu@yahoo.com

Created by DanVDascalescu@yahoo.com

Crashed Perl on every version and OS I tried this on.

Hope this helps,
Dan Dascalescu


Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.3:

Configured by Debian Project at Thu Jan 29 16:05:07 EST 2004.

Summary of my perl5 (revision 5.0 version 8 subversion 3) configuration:
  Platform:
    osname=linux, osvers=2.4.22-xfs+ti1211, archname=i386-linux-thread-multi
    uname='linux kosh 2.4.22-xfs+ti1211 #1 sat oct 25 10:11:37 est 2003 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i386-linux -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.3 -Dsitearch=/usr/local/lib/perl/5.8.3 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.3 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O3',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='3.3.3 20040125 (prerelease) (Debian)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=true, libperl=libperl.so.5.8.3
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:



@INC for perl v5.8.3:
    /etc/perl
    /usr/local/lib/perl/5.8.3
    /usr/local/share/perl/5.8.3
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.8
    /usr/share/perl/5.8
    /usr/local/lib/site_perl
    .


Environment for perl v5.8.3:
    HOME=/home/knoppix
    LANG=C
    LANGUAGE=us
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/knoppix/.dist/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin:/usr/games:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Apr 22, 2004

From guest@guest.guest.xxxxxxxx

I can confirm this with perl5.8.{0,1,3,4} and perl5.005 on i686-linux.
My -DDEBUGGING perl responds with "panic: realloc at -e line 1".

You can replace "m" with s, tr, y, q, qq, qr or qw - same results.
And something really bizarre happens with
perl -e 'open m

' (that's 5 literal newlines):
Unrecognized character \xAC at -e line 6.

You get "Out of memory" because S_scan_str calls SvGROW with a negative
size but I don't know how to fix that.

HTH, Lukas


p5pRT commented Apr 22, 2004

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Apr 27, 2004

From stasis@arcor.de

Now, the story goes like this: "m" (in "open m") is interpreted,
as it should probably be, as the beginning of a search pattern
and a pointer to the chars after it is passed to S_scan_pat,
which will call, in turn, S_scan_str. This last function assumes
(correctly in the vast majority of cases) that the pointer used
by the perl interpreter to know where its current buffer ends
(PL_bufend) is an accurate one: the only problem is that the
"open" branch repeatedly calls S_skipspace, a helper function
whose side effect is to reset some of the interpreter's pointers
if at EOF (well, the entire story is a bit more complicated).
Anyway, the moral is that:

1. This behavior is indeed identical for all search modifiers
(m, s, qq, etc.) but (and this is rather important) only if the
"open ." statement is not followed by anything (even "open m;"
would correctly report "Search pattern not terminated.").

2. The above assumption (about PL_bufend) seems to hold true for
any other combination of tokens. So, half a bug, after all :-).

Just in case though, here is a patch:

Inline Patch
--- toke.c      Sun Oct 19 20:36:32 2003
+++ C:\MyTemp\Perl_SourceCode\perl-5.8.3\toke.c Mon Apr 26 19:01:57 2004
@@ -7026,7 +7026,8 @@
            break;
        }

-       /* extend sv if need be */
+       /* extend sv if need be */
+       if (PL_bufend > s)
        SvGROW(sv, SvCUR(sv) + (PL_bufend - s) + 1);
        /* set 'to' to the next character in the sv's string */
        to = SvPVX(sv)+SvCUR(sv);
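
Review bot: the added `if (PL_bufend > s)` guard only suppresses the SvGROW call; the next line still computes `to = SvPVX(sv)+SvCUR(sv)` and the scan carries on with the same `s`, so when `s` is past PL_bufend the function continues with a pointer outside the current buffer and an sv that was never extended. The condition also skips the grow when `PL_bufend == s`, where the original still requested `SvCUR(sv) + 1` bytes. The guard treats the symptom (a non-positive `PL_bufend - s`) rather than establishing why `s` can pass PL_bufend; that case would be better handled explicitly as an unterminated string, or fixed where the stale pointer arises. The SvGROW line should also be indented or braced under the new `if`, and the comment line appears to change only in whitespace, which adds noise to the hunk.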


Best regards,
Radu Sulita


p5pRT commented Apr 28, 2004

From @Tux

On Tue 20 Apr 2004 10:09, Dan Dascalescu (via RT) <perlbug-followup@perl.org> wrote:

> This is a bug report for perl from DanVDascalescu@yahoo.com,
> generated with the help of perlbug 1.34 running under perl v5.8.3.
>
> -----------------------------------------------------------------
> [Please enter your report here]
>
> Crashed Perl on every version and OS I tried this on.

Confirm, only I get a Bus error on HP-UX 11.00

The parser is obviously trying to complete the 'm' operator (match):

l1:/pro/3gl/CPAN 124 > perl -le '$| = 1'
l1:/pro/3gl/CPAN 125 > perl -le '$| = 1; print $]'
5.008003
l1:/pro/3gl/CPAN 126 > perl -le 'open m'
Bus error (core dumped)
Exit 138
l1:/pro/3gl/CPAN 127 > perl -le '$| = 1; print $]; open m'
Segmentation fault (core dumped)
Exit 139
l1:/pro/3gl/CPAN 128 > perl -le '$| = 1; print "$]\n"; open m'
Search pattern not terminated at -e line 1.
Exit 255
l1:/pro/3gl/CPAN 129 >

it /did/ change in blead, but grew even less informative:

l1:/pro/3gl/CPAN 129 > perl5.9.2 -le '$| = 1'
l1:/pro/3gl/CPAN 130 > perl5.9.2 -le '$| = 1; print $]'
5.009002
l1:/pro/3gl/CPAN 131 > perl5.9.2 -le 'open m'
panic: realloc at -e line 1.
Exit 255
l1:/pro/3gl/CPAN 132 > perl5.9.2 -le '$| = 1; print $]; open m'
panic: realloc at -e line 1.
Exit 255
l1:/pro/3gl/CPAN 133 > perl5.9.2 -le '$| = 1; print "$]\n"; open m'
panic: realloc at -e line 1.
Exit 255
l1:/pro/3gl/CPAN 134 >

--
H.Merijn Brand Amsterdam Perl Mongers (http://amsterdam.pm.org/)
using perl-5.6.1, 5.8.3, & 5.9.x, and 809 on HP-UX 10.20 & 11.00, 11i,
  AIX 4.3, SuSE 9.0, and Win2k. http://www.cmve.net/~merijn/
http://archives.develooper.com/daily-build@perl.org/ perl-qa@perl.org
send smoke reports to: smokers-reports@perl.org, QA: http://qa.perl.org


p5pRT commented May 3, 2004

From @iabyn

This is caused by the C<case KEY_open:> code in toke.c, which is scanning
forward to the token following the first arg of open, to see if a
'Possible precedence' warning needs to be issued. This scanning forward can
follow onto the next line, in which case the PL_linestr buffer is
overwritten with the new line, and nastiness ensues. The patch below,
applied to bleedperl, stops it skipping onto the next line.

I'm not sure where to add a test for this: it needs a fresh perl (eval
won't do), but there isn't a t/op/open.t, and t/base.lex.t doesn't
look like the sort of place to include test.pl

Dave.

--
"Do not dabble in paradox, Edward, it puts you in danger of fortuitous
wit." -- Lady Croom - Arcadia

Change 22776 by davem@davem-percy on 2004/05/03 20:26:22

  [perl #28986] perl -e "open m" crashes Perl

Affected files ...

... //depot/perl/toke.c#498 edit

Differences ...

==== //depot/perl/toke.c#498 (text) ====

@​@​ -4681,8 +4681,8 @​@​
  if (isIDFIRST_lazy_if(s,UTF)) {
  char *t;
  for (d = s; isALNUM_lazy_if(d,UTF); d++) ;
- t = skipspace(d);
- if (strchr("|&*+-=!?​:.", *t) && ckWARN_d(WARN_PRECEDENCE)
+ for (t=d; *t && isSPACE(*t); t++) ;
+ if ( *t && strchr("|&*+-=!?​:.", *t) && ckWARN_d(WARN_PRECEDENCE)
  /* [perl #16184] */
  && !(t[0] == '=' && t[1] == '>')
  ) {
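
Review bot: the open-coded loop that replaces `skipspace(d)` needs a comment saying why skipspace() must not be used here; as written nothing stops a later cleanup from restoring the helper and the crash with it. The `*t &&` added to the `if` does real work (strchr() matches the terminating NUL of its search string, so without it end-of-buffer would look like an operator) and belongs in the same comment, whereas the `*t &&` inside the `for` is redundant if isSPACE() is false for NUL. One behaviour change to confirm: the precedence warning can now fire only when the operator is in the current buffer, so an operator on the following line no longer triggers it.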


p5pRT commented May 3, 2004

From @nwc10

On Mon, May 03, 2004 at 09:54:28PM +0100, Dave Mitchell wrote:

> This is caused by the C<case KEY_open:> code in toke.c, which is scanning
> forward to the token following the first arg of open, to see if a
> 'Possible precedence' warning needs to be issued. This scanning forward can
> follow onto the next line, in which case the PL_linestr buffer is
> overwritten with the new line, and nastiness ensues. The patch below,
> applied to bleedperl, stops it skipping onto the next line.

Nice catch

> I'm not sure where to add a test for this: it needs a fresh perl (eval
> won't do), but there isn't a t/op/open.t, and t/base.lex.t doesn't
> look like the sort of place to include test.pl

t/io/open.t ?

Nicholas Clark


p5pRT commented May 3, 2004

From @iabyn

On Mon, May 03, 2004 at 09:52:26PM +0100, Nicholas Clark wrote:

> On Mon, May 03, 2004 at 09:54:28PM +0100, Dave Mitchell wrote:
>
> > I'm not sure where to add a test for this: it needs a fresh perl (eval
> > won't do), but there isn't a t/op/open.t, and t/base.lex.t doesn't
> > look like the sort of place to include test.pl
>
> t/io/open.t ?

Yeah, I realised I was looking in the wrong directory shortly after I
clicked 'send'. Here's the test:

--
Justice is when you get what you deserve.
Law is when you get what you pay for.

Change 22777 by davem@davem-percy on 2004/05/03 20:48:53

  add test for change #22776 ("open m" crashes Perl)

Affected files ...

... //depot/perl/t/io/open.t#39 edit

Differences ...

==== //depot/perl/t/io/open.t#39 (xtext) ====

@​@​ -12,7 +12,7 @​@​
$Is_VMS = $^O eq 'VMS';
$Is_MacOS = $^O eq 'MacOS';

-plan tests => 105;
+plan tests => 106;

my $Perl = which_perl();

@​@​ -306,3 +306,8 @​@​
  'bad layer "​:c" failure');
}

+# [perl #28986] "open m" crashes Perl
+
+fresh_perl_like('open m', qr/^Search pattern not terminated at/,
+ { stderr => 1 }, 'open m test');
+
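
Review bot: the new test exercises only `open m`, but the thread reports the same failure with s, tr, y, q, qq, qr and qw in place of m, and a different symptom when newlines follow; a loop over those operators, each with its corresponding expected diagnostic, would keep the other paths from regressing. The plan count in the first hunk would need to grow to match.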


p5pRT commented May 3, 2004

@iabyn - Status changed from 'open' to 'resolved'
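
The failure chain diagnosed in this thread, as an added example that is not part of the original issue or of perl's source: a lookahead that refills the line buffer leaves a saved pointer beyond the new buffer end, so `bufend - s` goes negative and wraps to a huge allocation size, while a bounded lookahead does not. The toy `struct lexer` and the functions `load_line`, `skip_refill`, `skip_bounded` and `grow_request` are hypothetical names for this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not perl's toke.c: field names only echo PL_linestr and
 * PL_bufend from the thread. */
struct lexer {
    char  linestr[64];  /* current line buffer */
    char *bufend;       /* end of the current line's text */
    const char *next;   /* constructed next line of input; "" at EOF */
};

static void load_line(struct lexer *lx, const char *line) {
    size_t n = strlen(line);
    if (n >= sizeof lx->linestr) n = sizeof lx->linestr - 1;
    memcpy(lx->linestr, line, n);
    lx->linestr[n] = '\0';
    lx->bufend = lx->linestr + n;
}

/* Lookahead that refills at end of line: it overwrites the buffer and moves
 * bufend, so pointers the caller saved earlier now lie beyond bufend. */
static char *skip_refill(struct lexer *lx, char *p) {
    while (*p == ' ' || *p == '\t') p++;
    if (p == lx->bufend) { load_line(lx, lx->next); p = lx->linestr; }
    return p;
}

/* Bounded lookahead in the spirit of change 22776: stops at the NUL. */
static char *skip_bounded(char *p) {
    while (*p && (*p == ' ' || *p == '\t')) p++;
    return p;
}

/* Size requested for "open m": cur + (bufend - s) + 1 with cur == 0.
 * refill != 0 selects the lookahead that can cross the end of the line. */
size_t grow_request(int refill) {
    struct lexer lx;
    lx.next = "";                        /* nothing follows "open m" */
    load_line(&lx, "open m");
    char *s = lx.linestr + 6;            /* saved scan position after "m" */
    if (refill) skip_refill(&lx, s); else skip_bounded(s);
    return 0 + (size_t)(lx.bufend - s) + 1;  /* negative difference wraps */
}

int main(void) {
    printf("refill: %zu\nbounded: %zu\n", grow_request(1), grow_request(0));
    return 0;
}
```

With the refilling lookahead the request is a few bytes short of `SIZE_MAX`, which an allocator can only answer with an out-of-memory failure; with the bounded lookahead it is one byte.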
