@DB::args freed entries #11758

p5pRT · 2011-11-19T22:58:51Z

Migrated from rt.perl.org#104074 (status was 'new')

Searchable as RT104074$

p5pRT · 2011-11-19T22:58:52Z

From zefram@fysh.org

Created by zefram@fysh.org

$ cat t0.pl
use strict;
use warnings;
use Devel::Peek;
my @a = qw(a v);
sub bb {
shift @a;
my @p = do { package DB; caller(0) };
map { Dump $_; my $a = $_; } @DB::args;
1;
}
bb(@a);
$ perl t0.pl
SV = UNKNOWN(0xff) (0xa024218) at 0xa023768
REFCNT = 0
FLAGS = ()
panic: attempt to copy freed scalar a023768 to a045fc8 at t0.pl line 8.

$DB::args[0] is a freed scalar, freed by the "shift @a" while it was
also an argument of bb(). This bug is tickled by Carp, as described in
[rt.cpan.org #72467]. (Whether Carp can work around this is independent
of the core bug.)

Many similar code sequences used to fail in the same way until recently.
For example, if "@DB::args" is replaced by "$DB::args[0]" then the same
failure is observed on perl 5.14.1. 5.14.2 does not exhibit the failure
with "$DB::args[0]". With "@DB::args", the failure is observed on both
5.14.1 and 5.14.2. The change is presumably due to commit ba4a1c0.

Perl Info


Flags:
    category=core
    severity=low

Site configuration information for perl 5.14.2:

Configured by zefram at Mon Sep 26 19:44:21 BST 2011.

Summary of my perl5 (revision 5 version 14 subversion 2) configuration:
   
  Platform:
    osname=linux, osvers=2.6.26-2-686, archname=i386-linux-thread-multi
    uname='linux vigo.rous.org 2.6.26-2-686 #1 smp thu jan 27 00:28:05 utc 2011 i686 gnulinux '
    config_args='-des -Darchname=i386-linux -Dcccdlflags=-fPIC -Dccdlflags=-rdynamic -Dprefix=/home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52 -Dman1ext=1 -Dman3ext=3perl -Duselargefiles -Dusethreads -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dusedevel -Uversiononly -Ui_db'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/../lib /usr/lib/../lib /lib /usr/lib /usr/lib64
    libs=-lnsl -lgdbm -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.11.2.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.11.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic -Wl,-rpath,/home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/lib/5.14.2/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'

Locally applied patches:
    


@INC for perl 5.14.2:
    /home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/lib/site_perl/5.14.2/i386-linux-thread-multi
    /home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/lib/site_perl/5.14.2
    /home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/lib/5.14.2/i386-linux-thread-multi
    /home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/lib/5.14.2
    .


Environment for perl 5.14.2:
    HOME=/home/zefram
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/zefram/usr/perl/perl_install/perl-5.14.2-i32-f52/bin:/home/zefram/usr/perl/util:/home/zefram/pub/i686-pc-linux-gnu/bin:/home/zefram/pub/common/bin:/usr/bin:/bin:/usr/local/bin:/usr/games
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

jimav · 2023-02-14T06:52:12Z

This bug is still present in Perl 5.36.0 and also blead (5.37.9)

panic: attempt to copy freed scalar ... occurs when copying @DB::args after some sequence which I can't reproduce in a small program.

The large program executes shift(@_) in a sub called with &subname so it does not have it's own arguments but shifts the caller's @_.

I put Devel::Peek::Dump calls similar to the above and got

(several good-looking members, then...)
SV = UNKNOWN(0xff) (0x56371dea54b8) at 0x56371dea5518
  REFCNT = 1
  FLAGS = ()

before the panic.

I will post instructions for reproducing with a (big) test case...

jimav · 2023-02-14T07:30:53Z

STEPS TO REPRODUCE (tested with Perl v5.36.0 and 5.3.7.9):

cd /tmp/somewhere
git clone git@github.com:jimav/Spreadsheet-Edit.git
cd ./Spreadsheet-Edit
git checkout git checkout Demo_Perlbug_11758
perl -Ilib t/basic.pl

RESULTS: panic: attempt to copy freed scalar 562818a58600 to 562818a584f8 at lib/Spreadsheet/Edit.pm line 239

You will see some commented-out debug printing near that location. Un-commenting makes the panic not happen :-(

I'm hoping a core developer will know how to use a watchpoint or something to see where the specific address is being freed.

demerphq · 2023-02-14T07:32:02Z

On Tue, 14 Feb 2023, 14:52 Jim Avera, ***@***.***> wrote: This bug is still present in Perl 5.36.0 and also blead (5.37.9) panic: attempt to copy freed scalar ... occurs when copying @db::args after some sequence which I can't reproduce in a small program. The large program executes shift(@*) in a sub called with &subname so it does not have it's own arguments but shifts the caller's @*. I put Devel::Peek::Dump calls similar to the above and got (several good-looking members, then...) SV = UNKNOWN(0xff) (0x56371dea54b8) at 0x56371dea5518 REFCNT = 1 FLAGS = () before the panic. What can be done to track this down?

It's a stack refcounting bug. A common pattern here is that something puts an element of a composite structure on the stack, and then something else empties out the composite. Eg ***@***.***) And then f() does @{pop @_} =(); you'll find that $_[0] has been freed. There are *loads* of variants of this, but the general pattern is the same. Something puts an element on the stack and something else clears the object storing the element.. Yves

jimav · 2023-02-15T00:26:59Z

Hi Yves,
It's not bad XS code, unless the bug is in the core. I was able to make a small pure-perl script which causes the bug. It panics like before with perl-5.36.0 . With blead (5.37.9) a slightly different panic occurs "semi-panic: attempt to dup freed string at ./perlbug11758_demo.pl line 10."

Here is the test case [updated to rm unnecessaries]:

#!/usr/bin/env perl
use strict; use warnings; use feature qw(say);

sub cause_bug() {
  () = do{ package DB; caller(0) };
  my @args = @DB::args;  # panic "attempt to copy freed scalar"
  die "bug did not happen";
}

sub preliminary {
  () = do { package DB; caller(0) }; # result must be used
}

preliminary(
  abcd => [
           [], # no panic if args are simpler
          ]
);

&cause_bug; # no panic unless call is args-less

I hope this will help you track it down.

demerphq · 2023-02-15T01:57:23Z

I am in hospital right now. Someone else will have to help you. Sorry.

iabyn · 2023-02-19T22:28:31Z

On Tue, Feb 14, 2023 at 04:27:17PM -0800, Jim Avera wrote: Hi Yves, It's not bad XS code, unless the bug is in the core. I was able to make a small **pure-perl** script which causes the bug.

The bug is well understood and is hard to fix. It's down to a pair of decades-old design flaws in perl: the argument stack isn't reference-counted, and @db::args isn't reference-counted. The combination of these two make it very easy for the contents of @db::args to contain random freed or re-allocated garbage. I've spent the last 6 months working on making perl's stack reference-counted. In several years' time that might actually become the default build configuration for perl. We might then be able to to address the second short-coming in @b::args itself. Until then, I suggest not to spend any more time on it.

…

-- It's not that I'm afraid to die, I just don't want to be there when it happens. -- Woody Allen

p5pRT added Severity Low distro-Linux type-core labels Oct 19, 2019

xenu removed the affects-5.14 label Nov 19, 2021

xenu removed the Severity Low label Dec 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

@DB::args freed entries #11758

@DB::args freed entries #11758

p5pRT commented Nov 19, 2011

p5pRT commented Nov 19, 2011

jimav commented Feb 14, 2023 •

edited

jimav commented Feb 14, 2023 •

edited

demerphq commented Feb 14, 2023 via email

jimav commented Feb 15, 2023 •

edited

demerphq commented Feb 15, 2023

iabyn commented Feb 19, 2023 via email

@DB::args freed entries #11758

@DB::args freed entries #11758

Comments

p5pRT commented Nov 19, 2011

p5pRT commented Nov 19, 2011

From zefram@fysh.org

Created by zefram@fysh.org

jimav commented Feb 14, 2023 • edited

jimav commented Feb 14, 2023 • edited

demerphq commented Feb 14, 2023 via email

jimav commented Feb 15, 2023 • edited

demerphq commented Feb 15, 2023

iabyn commented Feb 19, 2023 via email

jimav commented Feb 14, 2023 •

edited

jimav commented Feb 14, 2023 •

edited

jimav commented Feb 15, 2023 •

edited