Heap corruption for glob() on windows #13721

Closed
p5pRT opened this issue Apr 8, 2014 · 9 comments

p5pRT commented Apr 8, 2014

Migrated from rt.perl.org#121602 (status was 'open')

Searchable as RT121602$

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

Created by ambrus@math.bme.hu

Perl aborts if I glob a particular pattern on a particular directory.

This is using Activeperl 5.18.1 x86_64 on Windows. The command line is simply the following:

perl -we "@_t = glob qq(uglydir\\c_* uglydir\\l_*)"

When run, this makes perl abort. According to Visual Studio as a debugger, the crash gives the following error message for heap corruption:

Unhandled exception at 0x00000000779E4102 (ntdll.dll) in perl.exe: 0xC0000374: Egy halom s??t (parameters: 0x0000000077A5B4B0).

The crash probably happens when destroying some objects, because the variant perl -we "warn glob qq(uglydir\\c_* uglydir\\l_*); warn q(ok);" crashes after printing the list of directories but before printing ok.

The contents of the directory uglydir seem to matter. To reproduce, first run the following perl script to create the directory:

@l = qw(
c_Snapshotlisttestmmmm-1 c_Snapshotlisttestmmmm-101 c_Snapshotlisttestmmmm-103 c_Snapshotlisttestmmmm-104 c_Snapshotlisttestmmmm-105 c_Snapshotlisttestmmmm-106 c_Snapshotlisttestmmmm-107 c_Snapshotlisttestmmmm-108 c_Snapshotlisttestmmmm-109 c_Snapshotlisttestmmmm-114 c_Snapshotlisttestmmmm-115 c_Snapshotlisttestmmmm-117 c_Snapshotlisttestmmmm-118 c_Snapshotlisttestmmmm-119 c_Snapshotlisttestmmmm-120 c_Snapshotlisttestmmmm-121 c_Snapshotlisttestmmmm-124 c_Snapshotlisttestmmmm-125 c_Snapshotlisttestmmmm-127 c_Snapshotlisttestmmmm-128 c_Snapshotlisttestmmmm-129 c_Snapshotlisttestmmmm-131 c_Snapshotlisttestmmmm-133 c_Snapshotlisttestmmmm-134 c_Snapshotlisttestmmmm-135 c_Snapshotlisttestmmmm-136 c_Snapshotlisttestmmmm-137 c_Snapshotlisttestmmmm-138 c_Snapshotlisttestmmmm-32 c_Snapshotlisttestmmmm-33 c_Snapshotlisttestmmmm-34 c_Snapshotlisttestmmmm-35 c_Snapshotlisttestmmmm-36 c_Snapshotlisttestmmmm-37 c_Snapshotlisttestmmmm-38 c_Snapshotlisttestmmmm-39 c_Snapshotlisttestmmmm-40 c_Snapshotlisttestmmmm-41 c_Snapshotlisttestmmmm-42 c_Snapshotlisttestmmmm-43 c_Snapshotlisttestmmmm-44 c_Snapshotlisttestmmmm-45 c_Snapshotlisttestmmmm-46 c_Snapshotlisttestmmmm-47 c_Snapshotlisttestmmmm-48 c_Snapshotlisttestmmmm-49 c_Snapshotlisttestmmmm-50 c_Snapshotlisttestmmmm-51 c_Snapshotlisttestmmmm-52 c_Snapshotlisttestmmmm-53 c_Snapshotlisttestmmmm-55 c_Snapshotlisttestmmmm-56 c_Snapshotlisttestmmmm-57 c_Snapshotlisttestmmmm-58 c_Snapshotlisttestmmmm-59 c_Snapshotlisttestmmmm-60 c_Snapshotlisttestmmmm-61 c_Snapshotlisttestmmmm-62 c_Snapshotlisttestmmmm-63 c_Snapshotlisttestmmmm-64 c_Snapshotlisttestmmmm-65 c_Snapshotlisttestmmmm-66 c_Snapshotlisttestmmmm-67 c_Snapshotlisttestmmmm-68 c_Snapshotlisttestmmmm-69 c_Snapshotlisttestmmmm-70 c_Snapshotlisttestmmmm-71 c_Snapshotlisttestmmmm-72 c_Snapshotlisttestmmmm-73 c_Snapshotlisttestmmmm-74 c_Snapshotlisttestmmmm-75 c_Snapshotlisttestmmmm-76 c_Snapshotlisttestmmmm-77 c_Snapshotlisttestmmmm-78 c_Snapshotlisttestmmmm-79 
c_Snapshotlisttestmmmm-80 c_Snapshotlisttestmmmm-81 c_Snapshotlisttestmmmm-82 c_Snapshotlisttestmmmm-83 c_Snapshotlisttestmmmm-84 c_Snapshotlisttestmmmm-85 c_Snapshotlisttestmmmm-86 c_Snapshotlisttestmmmm-87 c_Snapshotlisttestmmmm-88 c_Snapshotlisttestmmmm-89 c_Snapshotlisttestmmmm-90 c_Snapshotlisttestmmmm-91 c_Snapshotlisttestmmmm-92 c_Snapshotlisttestmmmm-93 c_Snapshotlisttestmmmm-94 c_Snapshotlisttestmmmm-95 c_Snapshotlisttestmmmm-96 c_Snapshotlisttestmmmm-97 c_Snapshotlisttestmmmm-98 c_Snapshotlisttestmmmm-99 l_Snapshotlisttestmmmm-10 l_Snapshotlisttestmmmm-100 l_Snapshotlisttestmmmm-101 l_Snapshotlisttestmmmm-102 l_Snapshotlisttestmmmm-11 l_Snapshotlisttestmmmm-12 l_Snapshotlisttestmmmm-13 l_Snapshotlisttestmmmm-14 l_Snapshotlisttestmmmm-15 l_Snapshotlisttestmmmm-16 l_Snapshotlisttestmmmm-17 l_Snapshotlisttestmmmm-18 l_Snapshotlisttestmmmm-19 l_Snapshotlisttestmmmm-2 l_Snapshotlisttestmmmm-20 l_Snapshotlisttestmmmm-22 l_Snapshotlisttestmmmm-23 l_Snapshotlisttestmmmm-24 l_Snapshotlisttestmmmm-25 l_Snapshotlisttestmmmm-26 l_Snapshotlisttestmmmm-27 l_Snapshotlisttestmmmm-28 l_Snapshotlisttestmmmm-3 l_Snapshotlisttestmmmm-30 l_Snapshotlisttestmmmm-31 l_Snapshotlisttestmmmm-34 l_Snapshotlisttestmmmm-35 l_Snapshotlisttestmmmm-36 l_Snapshotlisttestmmmm-37 l_Snapshotlisttestmmmm-39 l_Snapshotlisttestmmmm-4 l_Snapshotlisttestmmmm-40 l_Snapshotlisttestmmmm-41 l_Snapshotlisttestmmmm-42 l_Snapshotlisttestmmmm-43 l_Snapshotlisttestmmmm-44 l_Snapshotlisttestmmmm-47 l_Snapshotlisttestmmmm-48 l_Snapshotlisttestmmmm-49 l_Snapshotlisttestmmmm-5 l_Snapshotlisttestmmmm-50 l_Snapshotlisttestmmmm-51 l_Snapshotlisttestmmmm-52 l_Snapshotlisttestmmmm-53 l_Snapshotlisttestmmmm-58 l_Snapshotlisttestmmmm-59 l_Snapshotlisttestmmmm-6 l_Snapshotlisttestmmmm-60 l_Snapshotlisttestmmmm-61 l_Snapshotlisttestmmmm-63 l_Snapshotlisttestmmmm-65 l_Snapshotlisttestmmmm-66 l_Snapshotlisttestmmmm-67 l_Snapshotlisttestmmmm-68 l_Snapshotlisttestmmmm-69 l_Snapshotlisttestmmmm-7 l_Snapshotlisttestmmmm-71 
l_Snapshotlisttestmmmm-72 l_Snapshotlisttestmmmm-73 l_Snapshotlisttestmmmm-77 l_Snapshotlisttestmmmm-78 l_Snapshotlisttestmmmm-79 l_Snapshotlisttestmmmm-8 l_Snapshotlisttestmmmm-80 l_Snapshotlisttestmmmm-82 l_Snapshotlisttestmmmm-83 l_Snapshotlisttestmmmm-84 l_Snapshotlisttestmmmm-85 l_Snapshotlisttestmmmm-86 l_Snapshotlisttestmmmm-87 l_Snapshotlisttestmmmm-89 l_Snapshotlisttestmmmm-90 l_Snapshotlisttestmmmm-91 l_Snapshotlisttestmmmm-92 l_Snapshotlisttestmmmm-94 l_Snapshotlisttestmmmm-95 l_Snapshotlisttestmmmm-96 l_Snapshotlisttestmmmm-97 l_Snapshotlisttestmmmm-98 l_Snapshotlisttestmmmm-99
);
mkdir "uglydir" or die;
mkdir "uglydir\\$_" or die for @l;

Perl Info

Flags:
     category=core
     severity=medium

Site configuration information for perl 5.16.1:

Configured by sshd_server at Thu Aug 30 18:36:52 2012.

Summary of my perl5 (revision 5 version 16 subversion 1) configuration:

   Platform:
     osname=MSWin32, osvers=5.2, archname=MSWin32-x64-multi-thread
     uname=''
     config_args='undef'
     hint=recommended, useposix=true, d_sigaction=undef
     useithreads=define, usemultiplicity=define
     useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
     use64bitint=define, use64bitall=undef, uselongdouble=undef
     usemymalloc=n, bincompat5005=undef
   Compiler:
     cc='cl', ccflags ='-nologo -GF -W3 -MD -Zi -DNDEBUG -Ox -GL -fp:precise -DWIN32 -D_CONSOLE -DNO_STRICT -DWIN64 -DCONSERVATIVE -DPERL_TEXTMODE_SCRIPTS -DUSE_SITECUSTOMIZE -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO',
     optimize='-MD -Zi -DNDEBUG -Ox -GL -fp:precise',
     cppflags='-DWIN32'
     ccversion='14.00.40310.41', gccversion='', gccosandvers=''
     intsize=4, longsize=4, ptrsize=8, doublesize=8, byteorder=12345678
     d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
     ivtype='__int64', ivsize=8, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
     alignbytes=8, prototype=define
   Linker and Libraries:
     ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"C:\ActivePerl5.16-amd64\lib\CORE"  -machine:AMD64'
     libpth=\lib
     libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib bufferoverflowU.lib msvcrt.lib
     perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib bufferoverflowU.lib msvcrt.lib
     libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl516.lib
     gnulibc_version=''
   Dynamic Linking:
     dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
     cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"C:\ActivePerl5.16-amd64\lib\CORE"  -machine:AMD64'

Locally applied patches:
     ACTIVEPERL_LOCAL_PATCHES_ENTRY


@INC for perl 5.16.1:
     C:/ActivePerl5.16-amd64/site/lib
     C:/ActivePerl5.16-amd64/lib
     .


Environment for perl 5.16.1:
     HOME=E:\ambrus\local\home
     LANG (unset)
     LANGUAGE (unset)
     LD_LIBRARY_PATH (unset)
     LOGDIR (unset)
     PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\bin
;C:\Program Files\TortoiseSVN\bin;C:\Program Files\doxygen\bin;E:\ambrus\local\bin
     PERL_BADLANG (unset)
     SHELL (unset)

p5pRT commented Apr 8, 2014

From @bulk88

no output ==


C:\Documents and Settings\Administrator\Desktop\plsegv>perl -we "warn glob qq(uglydir\\c_* uglydir\\l_*); warn q(ok);"
Warning: something's wrong at -e line 1.
ok at -e line 1.

C:\Documents and Settings\Administrator\Desktop\plsegv>


ActivePerl 32 5.10, no crash no output.
VC 32 5.12 DEBUGGING, no crash, no output.
ActivePerl 64 5.14, no crash no output
Strawberry 5.16 32, crash in Perl_pop_scope, with output, caller is probably http://perl5.git.perl.org/perl.git/blob/06d742c02d396d6515581002f376b55ab1972c1b:/perl.c#l2324; due to no symbols I can't debug any further.
ActivePerl 32 5.18, no crash, with output
VC 32 5.19.11 no debugging, no crash, with output.

--
bulk88 ~ bulk88 at hotmail.com

p5pRT commented Apr 8, 2014

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

I could reproduce this bug on Linux with perl 5.16.3 x86_64 vanilla.

For this, first modify the script that creates the subdirectories to
use / instead of \\ as the directory separator. Run it to create the
subdirectories. Then run the following command, which aborts:

perl -we "@_t = glob qq(uglydir/c_* uglydir/l_*)"

Below is the full output from the abort, then information about my perl build.

$ perl -we "@_t = glob qq(uglydir/c_* uglydir/l_*)"; echo
*** glibc detected *** perl: double free or corruption (!prev): 0x0000000001e0db90 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71e16)[0x7f8f66988e16]
/lib/libc.so.6(cfree+0x6c)[0x7f8f6698db8c]
perl(Perl_av_extend+0x1db)[0x4908eb]
perl(Perl_stack_grow+0x29)[0x4be1a9]
perl(Perl_pp_gv+0x2b)[0x492d3b]
perl(Perl_runops_standard+0x13)[0x492563]
perl(perl_run+0x355)[0x439bc5]
perl(main+0xfd)[0x41f0ad]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f8f66935c8d]
perl[0x41ee21]
Aborted

$ perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:

  Platform:
  osname=linux, osvers=2.6.37, archname=x86_64-linux
  uname='linux king 2.6.37 #6 smp sun mar 13 20:15:05 cet 2011 x86_64 gnulinux '
  config_args='-der'
  hint=previous, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
  ccversion='', gccversion='4.7.1', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib/../lib /usr/lib/../lib /lib /usr/lib
/lib64 /usr/lib64 /usr/local/lib64
  libs=-lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=/lib/libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.11.3'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib
-fstack-protector'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_DONT_CREATE_GVSV
  PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 12 2013 14:39:37
  @INC:
  /usr/local/perl5.16/lib/perl5/site_perl/5.16.3/x86_64-linux
  /usr/local/perl5.16/lib/perl5/site_perl/5.16.3
  /usr/local/perl5.16/lib/perl5/5.16.3/x86_64-linux
  /usr/local/perl5.16/lib/perl5/5.16.3
  /usr/local/perl5.16/lib/perl5/site_perl/5.16.1
  /usr/local/perl5.16/lib/perl5/site_perl/5.16.1/x86_64-linux
  /usr/local/perl5.16/lib/perl5/site_perl
  .
$ perl -we '@_d = glob(); print "$_\n" for values %INC; print "File::Glob ", File::Glob->VERSION, "\n";'
/usr/local/perl5.16/lib/perl5/5.16.3/XSLoader.pm
/usr/local/perl5.16/lib/perl5/5.16.3/warnings.pm
/usr/local/perl5.16/lib/perl5/5.16.3/strict.pm
/usr/local/perl5.16/lib/perl5/5.16.3/x86_64-linux/File/Glob.pm
/usr/local/perl5.16/lib/perl5/5.16.3/feature.pm
File​::Glob 1.17
$

--
Ambrus

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

Here's some clarification. The previous dump crashes during a pp_gv
operation, but that opcode occurs twice in the code. Here's a similar
crash that shows more clearly which opcode crashes. Of course, the
actual bug probably happens earlier.

This is using perl 5.16.3 Linux x86_64 again.

$ perl -MO=Concise -we 'my @t = glob qq(uglydir/c_* uglydir/l_*);'
a <@> leave[1 ref] vKP/REFC ->(end)
1 <0> enter ->2
2 <;> nextstate(main 70 -e:1) v:{ ->3
9 <2> aassign[t4] vKS ->a
- <1> ex-list lK ->7
3 <0> pushmark s ->4
6 <@> glob[t3] lK/1 ->7
- <0> ex-pushmark s ->4
4 <$> const(PV "uglydir/c_* uglydir/l_*") s ->5
5 <$> gv(*_GEN_0) s ->6
- <1> ex-list lK ->9
7 <0> pushmark s ->8
8 <0> padav[@t:70,71] lRM*/LVINTRO ->9
-e syntax OK
$ perl -we 'my @t = glob qq(uglydir/c_* uglydir/l_*);'
*** glibc detected *** perl: double free or corruption (!prev): 0x0000000000be7b90 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71e16)[0x7fa8fd5b6e16]
/lib/libc.so.6(cfree+0x6c)[0x7fa8fd5bbb8c]
perl(Perl_av_extend+0x1db)[0x4908eb]
perl(Perl_stack_grow+0x29)[0x4be1a9]
perl(Perl_pp_padav+0x138)[0x4ae588]
perl(Perl_runops_standard+0x13)[0x492563]
perl(perl_run+0x355)[0x439bc5]
perl(main+0xfd)[0x41f0ad]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fa8fd563c8d]
perl[0x41ee21]
Aborted
$

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

Could you change the title of the ticket to "Heap corruption for glob()", the operating system and version to Linux 5.16.3 please?

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

It appears that this is a duplicate of bug #114984, which is fixed in commit a6636b4; however, that commit isn't applied to the perl 5.16 branch (as of commit 7aa08a0).

Thus, I hereby nominate the patch a6636b4 to get applied to the perl 5.16 branch.

p5pRT commented Apr 8, 2014

From ambrus@math.bme.hu

On Tue Apr 08 14:02:54 2014, b_jonas wrote:

Thus, I hereby nominate the patch a6636b4 to get applied to
the perl 5.16 branch.

@b-jonas0
Contributor

Please close this ticket. The ticket only remained open accidentally because I requested to merge the bugfix to the then oldstable 5.16 branch.

@jkeenan jkeenan closed this as completed Jan 31, 2020