Skip Menu |
Report information
Id: 54934
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: ntyni [at] debian.org
Cc:
AdminCc:

Operating System: Linux
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.10.0
Fixed In: (no value)



Subject: Attempt to free unreferenced scalar fiddling with the symbol table
Date: Tue, 27 May 2008 22:02:10 +0300
To: perlbug [...] perl.org
From: ntyni [...] cc.helsinki.fi
This is a bug report for perl from Niko Tyni <ntyni@debian.org>, generated with the help of perlbug 1.36 running under perl 5.10.0. ----------------------------------------------------------------- As seen in <http://cpantesters.perl.org/show/PerlIO-via-dynamic.html>, the test suite of the PerlIO::via::dynamic CPAN module generates 'Attempt to free unreferenced scalar' warnings with recent perl versions, including 5.10.0 but not 5.8.8. The warnings are still there on blead @33937; bisecting shows the warnings started with Change 24966 by nicholas@ship-in-a-bottle on 2005/06/23 21:30:33 Remove the reference loop between symbol tables and typeglobs. Typeglobs now have a weak reference onto their symbol table. This snippet is the smallest I can make it. The original code deletes a dynamically created package instead which makes more sense than this. #!/usr/bin/perl package test; sub PUSHED { return \*FOO; } 1; package main; { open my $fh, '</'; binmode($fh, ':via(test)'); } delete $::{'test::'}; __END__ ----------------------------------------------------------------- --- Flags: category=core severity=medium --- Site configuration information for perl 5.10.0: Configured by Debian Project at Thu May 8 11:57:24 UTC 2008. Summary of my perl5 (revision 5 version 10 subversion 0) configuration: Platform: osname=linux, osvers=2.6.18-6-xen-amd64, archname=x86_64-linux-gnu-thread-multi uname='linux sid 2.6.18-6-xen-amd64 #1 smp thu apr 24 05:10:26 utc 2008 x86_64 gnulinux ' config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.0 -Dsitearch=/usr/local/lib/perl/5.10.0 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.0 -Dd_dosuid -des' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2 -g', cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include' ccversion='', gccversion='4.2.3 (Debian 4.2.3-5)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags =' -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64 libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt perllibs=-ldl -lm -lpthread -lc -lcrypt libc=/lib/libc-2.7.so, so=so, useshrplib=true, libperl=libperl.so.5.10.0 gnulibc_version='2.7' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib' Locally applied patches: --- @INC for perl 5.10.0: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . --- Environment for perl 5.10.0: HOME=/home/niko LANG=en_US.UTF-8 LANGUAGE (unset) LC_CTYPE=fi_FI.UTF-8 LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/sbin:/usr/sbin PERL_BADLANG (unset) SHELL=/bin/zsh
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Fri, 30 May 2008 14:55:22 +0200
To: perl5-porters [...] perl.org
From: "Rafael Garcia-Suarez" <rgarciasuarez [...] gmail.com>
Download (untitled) / with headers
text/plain 1.5k
2008/5/27 via RT Niko Tyni <perlbug-followup@perl.org>: Show quoted text
> As seen in <http://cpantesters.perl.org/show/PerlIO-via-dynamic.html>, > the test suite of the PerlIO::via::dynamic CPAN module generates > 'Attempt to free unreferenced scalar' warnings with recent perl versions, > including 5.10.0 but not 5.8.8. > > The warnings are still there on blead @33937; bisecting shows the warnings > started with > > Change 24966 by nicholas@ship-in-a-bottle on 2005/06/23 21:30:33 > > Remove the reference loop between symbol tables and typeglobs. Typeglobs > now have a weak reference onto their symbol table. > > This snippet is the smallest I can make it. The original code deletes > a dynamically created package instead which makes more sense than this. > > #!/usr/bin/perl > package test; > sub PUSHED { > return \*FOO; > } > 1; > package main; > { > open my $fh, '</'; > binmode($fh, ':via(test)'); > } > delete $::{'test::'};
Good catch. I've traced the double-freed scalar; the patch below fixes the error. However I'm not sure at all it creates no leak. --- ext/PerlIO/via/via.xs.orig 2008-01-25 10:00:53.000000000 +0100 +++ ext/PerlIO/via/via.xs 2008-05-30 14:43:11.000000000 +0200 @@ -89,7 +89,7 @@ PerlIOVia_method(pTHX_ PerlIO * f, const if (!s->fh) { GV *gv = newGVgen(HvNAME_get(s->stash)); GvIOp(gv) = newIO(); - s->fh = newRV_noinc((SV *) gv); + s->fh = newRV((SV *) gv); s->io = GvIOp(gv); } IoIFP(s->io) = PerlIONext(f); End of Patch. So what leaks is a gv generated to hold the "FOO" reference. (Its name is "_GEN_0".)
CC: perl5-porters [...] perl.org
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Fri, 30 May 2008 14:28:32 -0400
To: Rafael Garcia-Suarez <rgarciasuarez [...] gmail.com>
From: Alex Vandiver <alexmv [...] bestpractical.com>
Download (untitled) / with headers
text/plain 364b
On Fri, 2008-05-30 at 14:55 +0200, Rafael Garcia-Suarez wrote: Show quoted text
> Good catch. I've traced the double-freed scalar; the patch below fixes > the error. However I'm not sure at all it creates no leak.
This bug also causes segfaults in SVK under 5.10 and blead. Getting this patch (or whatever it ends up as) into 5.10.1 would be much appreciated. Thanks! - Alex
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Fri, 30 May 2008 20:03:53 +0300
To: perl5-porters [...] perl.org
From: Niko Tyni <ntyni [...] debian.org>
Download (untitled) / with headers
text/plain 757b
On Fri, May 30, 2008 at 02:55:22PM +0200, Rafael Garcia-Suarez wrote: Show quoted text
> 2008/5/27 via RT Niko Tyni <perlbug-followup@perl.org>:
> > As seen in <http://cpantesters.perl.org/show/PerlIO-via-dynamic.html>, > > the test suite of the PerlIO::via::dynamic CPAN module generates > > 'Attempt to free unreferenced scalar' warnings with recent perl versions, > > including 5.10.0 but not 5.8.8.
Show quoted text
> Good catch. I've traced the double-freed scalar; the patch below fixes > the error. However I'm not sure at all it creates no leak.
I'm happy to report that the patch fixes all the numerous failures in the SVK v2.0.2 test suite on Perl 5.10.0. http://cpantesters.perl.org/show/SVK.html#SVK-v2.0.2 Many thanks for looking at this. -- Niko Tyni ntyni@debian.org
CC: 479698 [...] bugs.debian.org
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Fri, 6 Jun 2008 14:34:30 +0300
To: perl5-porters [...] perl.org
From: Niko Tyni <ntyni [...] debian.org>
Download (untitled) / with headers
text/plain 1.3k
On Fri, May 30, 2008 at 02:55:22PM +0200, Rafael Garcia-Suarez wrote: Show quoted text
> 2008/5/27 via RT Niko Tyni <perlbug-followup@perl.org>:
> > As seen in <http://cpantesters.perl.org/show/PerlIO-via-dynamic.html>, > > the test suite of the PerlIO::via::dynamic CPAN module generates > > 'Attempt to free unreferenced scalar' warnings with recent perl versions, > > including 5.10.0 but not 5.8.8.
Show quoted text
> Good catch. I've traced the double-freed scalar; the patch below fixes > the error. However I'm not sure at all it creates no leak. > > --- ext/PerlIO/via/via.xs.orig 2008-01-25 10:00:53.000000000 +0100 > +++ ext/PerlIO/via/via.xs 2008-05-30 14:43:11.000000000 +0200 > @@ -89,7 +89,7 @@ PerlIOVia_method(pTHX_ PerlIO * f, const > if (!s->fh) { > GV *gv = newGVgen(HvNAME_get(s->stash)); > GvIOp(gv) = newIO(); > - s->fh = newRV_noinc((SV *) gv); > + s->fh = newRV((SV *) gv); > s->io = GvIOp(gv); > } > IoIFP(s->io) = PerlIONext(f); > End of Patch. > > So what leaks is a gv generated to hold the "FOO" reference. (Its name > is "_GEN_0".)
Hi, I don't see this applied yet, hope it isn't falling through the cracks. While PerlIO-via-dynamic-0.13 now has a workaround for 5.10.0, Bastian Blank raised concerns about possible security implications of the double frees in <http://bugs.debian.org/479698> (Cc'd). Again, many thanks for looking at this. -- Niko Tyni ntyni@debian.org
CC: perl5-porters [...] perl.org, 479698 [...] bugs.debian.org
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Fri, 6 Jun 2008 15:40:08 +0200
To: "Niko Tyni" <ntyni [...] debian.org>
From: "Rafael Garcia-Suarez" <rgarciasuarez [...] gmail.com>
2008/6/6 Niko Tyni <ntyni@debian.org>: Show quoted text
>> --- ext/PerlIO/via/via.xs.orig 2008-01-25 10:00:53.000000000 +0100 >> +++ ext/PerlIO/via/via.xs 2008-05-30 14:43:11.000000000 +0200 >> @@ -89,7 +89,7 @@ PerlIOVia_method(pTHX_ PerlIO * f, const >> if (!s->fh) { >> GV *gv = newGVgen(HvNAME_get(s->stash)); >> GvIOp(gv) = newIO(); >> - s->fh = newRV_noinc((SV *) gv); >> + s->fh = newRV((SV *) gv); >> s->io = GvIOp(gv); >> } >> IoIFP(s->io) = PerlIONext(f); >> End of Patch. >> >> So what leaks is a gv generated to hold the "FOO" reference. (Its name >> is "_GEN_0".)
> > Hi, > > I don't see this applied yet, hope it isn't falling through the cracks. > While PerlIO-via-dynamic-0.13 now has a workaround for 5.10.0, Bastian > Blank raised concerns about possible security implications of the double > frees in <http://bugs.debian.org/479698> (Cc'd).
No. Nicholas commented on IRC that this apparently creates no link, and I'm not able to prove him false, so I'll probably apply this patch. (or someone could beat me to it)
Subject: Re: [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table
Date: Sun, 8 Jun 2008 16:01:58 +0200
To: perl5-porters [...] perl.org
From: "Rafael Garcia-Suarez" <rgarciasuarez [...] gmail.com>
Download (untitled) / with headers
text/plain 1.1k
2008/5/30 Rafael Garcia-Suarez <rgarciasuarez@gmail.com>: Show quoted text
> Good catch. I've traced the double-freed scalar; the patch below fixes > the error. However I'm not sure at all it creates no leak.
I've now applied this and bumped the version of PerlIO::via, so this bug can be closed: Change 34025 by rgs@scipion on 2008/06/08 14:00:59 Fix for bug [perl #54934] Attempt to free unreferenced scalar fiddling with the symbol table Keep the refcount of the globs generated by PerlIO::via balanced. Affected files ... ... //depot/perl/ext/PerlIO/via/via.pm#9 edit ... //depot/perl/ext/PerlIO/via/via.xs#17 edit Differences ... ==== //depot/perl/ext/PerlIO/via/via.pm#9 (text) ==== @@ -1,5 +1,5 @@ package PerlIO::via; -our $VERSION = '0.05'; +our $VERSION = '0.06'; use XSLoader (); XSLoader::load 'PerlIO::via'; 1; ==== //depot/perl/ext/PerlIO/via/via.xs#17 (text) ==== @@ -89,7 +89,7 @@ if (!s->fh) { GV *gv = newGVgen(HvNAME_get(s->stash)); GvIOp(gv) = newIO(); - s->fh = newRV_noinc((SV *) gv); + s->fh = newRV((SV *) gv); s->io = GvIOp(gv); } IoIFP(s->io) = PerlIONext(f);


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org