
undefing function argument references: "Attempt to free unreferenced scalar" #14912

p5pRT opened this issue Sep 16, 2015 · 4 comments

p5pRT commented Sep 16, 2015

Migrated from rt.perl.org#126071 (status was 'open')

Searchable as RT126071$


p5pRT commented Sep 16, 2015

From pipcet@gmail.com

Created by pipcet@gmail.com

I ran into "Attempt to free unreferenced scalar" errors while running
some code that used Carp::Always to produce warning messages and also
tried to do some clever (and probably buggy) things with scalar
references. I've tried to narrow it down to a small test case by
copying some code from Carp.pm; the test case is somewhat bizarre, but
it appears to trigger the same bug as my "clever" non-bizarre code
did:

Test code:

my $ref;

sub f {
  undef $ref;            # drops the only reference to the scalar that $_[0] aliases
  {
  package DB;
  () = caller(0);        # caller() from package DB populates @DB::args with f's arguments
  }
  \@DB::args;            # returns a reference to the (now stale) argument list
}

while (1) {
  $ref = \{};            # $ref -> reference scalar -> anonymous hash
  f($$ref);              # passes the inner reference scalar itself, not a copy
}

-----

GDB log:

(gdb) b Perl_warner
Breakpoint 1 at 0x4d275d: file util.c, line 1934.
(gdb) r
Starting program: /usr/local/bin/perl ./perl-bug.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, Perl_warner (err=24, pat=0x609af0 "Attempt to free unreferenced scalar: SV 0x%lx") at util.c:1934
1934 {
(gdb) bt full
#0  Perl_warner (err=24, pat=0x609af0 "Attempt to free unreferenced scalar: SV 0x%lx") at util.c:1934
        args = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x0, reg_save_area = 0x0}}
#1  0x000000000051a156 in Perl_sv_free2 (sv=0x843358, rc=0) at sv.c:6917
No locals.
#2  0x0000000000546087 in S_SvREFCNT_dec_NN (sv=0x843358) at inline.h:177
        rc = 0
#3  0x00000000005466f7 in Perl_free_tmps () at scope.c:178
        sv = 0x843358
        myfloor = -1
#4  0x00000000004fb985 in Perl_pp_nextstate () at pp_hot.c:52
No locals.
#5  0x00000000004fb40d in Perl_runops_standard () at run.c:41
        op = 0x86f668
#6  0x0000000000448122 in S_run_body (oldscope=1) at perl.c:2456
No locals.
#7  0x0000000000447cdc in perl_run (my_perl=0x841010) at perl.c:2379
        oldscope = 1
        ret = 0
        cur_env = {je_prev = 0x840b60 <PL_start_env>, je_buf = {{__jmpbuf = {0, 210917977292959172, 4319152, 140737488349664, 0, 0, 210917977532034500, -210917394629628476}, __mask_was_saved = 0, __saved_mask = {__val = {140737488349296, 4881972, 140737488349296, 6149056, 21483542503, 1524, 148565664, 8662960, 140737488349376, 4475684, 8654864, 8654864, 8662360, 8662384, 0, 18407322498027725056}}}}, je_ret = 0, je_mustcatch = false}
#8  0x000000000041e9d5 in main (argc=2, argv=0x7fffffffe9e8, env=0x7fffffffea00) at perlmain.c:116
        exitstatus = 0
        i = 0

-----

I do not know whether this bug properly belongs to the DB package or
core Perl.

Again, I'd like to stress that while the test case does obviously
inadvisable things, I believe I triggered the same bug attempting to
do perfectly reasonable things; in particular, I was undef'ing
references to avoid leaking memory in circularly-linked structures.

Both the while loop and the last line of f appear to be necessary to
trigger the bug. The obvious workaround of replacing the critical
call to f by f(my $x = $$ref) appears to avoid the bug.

Perl Info

Flags:
    category=library
    severity=medium
    module=DB

Site configuration information for perl 5.23.3:

Configured by pip at Wed Sep 16 16:16:58 UTC 2015.

Summary of my perl5 (revision 5 version 23 subversion 3) configuration:
  Commit id: bc37b130604215b78ec3e03d73b81cb08cfa741e
  Platform:
    osname=linux, osvers=4.1.0-2-amd64, archname=x86_64-linux
    uname='linux ... 4.1.0-2-amd64 #1 smp debian 4.1.6-1 (2015-08-23)
x86_64 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
    optimize='-O0 -ggdb3',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong
-I/usr/local/include'
    ccversion='', gccversion='6.0.0 20150912 (experimental)',
gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16,
longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib
/usr/local/lib/gcc/x86_64-pc-linux-gnu/6.0.0/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O0 -ggdb3 -L/usr/local/lib
-fstack-protector-strong'



@INC for perl 5.23.3:
    /usr/local/lib/perl5/site_perl/5.23.3/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.23.3
    /usr/local/lib/perl5/5.23.3/x86_64-linux
    /usr/local/lib/perl5/5.23.3
    /usr/local/lib/perl5/site_perl/5.21.10
    /usr/local/lib/perl5/site_perl/5.19.11
    /usr/local/lib/perl5/site_perl
    .


Environment for perl 5.23.3:
    HOME=/home/pip
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/games:/sbin:/usr/local/sbin:/usr/sbin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh


p5pRT commented Sep 17, 2015

From pipcet@gmail.com

Looking into this a bit more, this appears to be the same old "stack not
ref-counted" issue that was recently discussed for perl #125907. I do not
fully understand how my original code ended up undef'ing elements on the
stack, but it must have done so somehow.

The rest of this message is probably uninteresting.


Here's a modified test case that does not use the DB package at all:

my $ref;

sub f {
  $ref = 1;              # overwriting $ref frees the scalar that $_[0] still aliases
  my ($arg) = @_;        # copies from the already-freed scalar

  $arg;
}

while (1) {
  $ref = \{};            # $ref -> reference scalar -> anonymous hash
  f($$ref);              # the inner scalar is pushed onto the stack without a refcount bump
}

In fact, this can be obfuscated into a 20-character expression which still
appears to trigger the bug:
sub{$x=1;\@_}->($$x)
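As an added illustration, not code from the bug report or from perl itself: the script below makes the "stack not ref-counted" mechanism behind both test cases above visible using Internals::SvREFCNT (an undocumented core builtin that reports a scalar's reference count), and shows the copy-before-release ordering that the f(my $x = $$ref) workaround from the first comment relies on. The subroutine name show_args and the printed labels are choices made here, not names from the report.

```perl
#!/usr/bin/perl
# Added illustration, not code from the bug report: shows why the
# caller-side "undef $ref" can free an argument that is still on
# perl's argument stack, and the copy that keeps the callee safe.
use strict;
use warnings;

my $ref;

sub show_args {
    # @_ aliases the scalar the caller pushed onto the stack. Pushing
    # it did not bump its reference count, so the only owner is still
    # the caller's $ref (Internals::SvREFCNT already discounts the
    # temporary reference it takes for itself).
    printf "inside callee, refcount of \$_[0] = %d\n",
        Internals::SvREFCNT($_[0]);

    # Copy the argument into a lexical BEFORE anything can drop the
    # caller's reference. The copy is a fresh scalar owned by this scope
    # (a new reference to the same anonymous hash, so the hash survives).
    my ($arg) = @_;

    # Dropping the caller's last reference is now harmless for $arg.
    # $_[0], however, aliases a scalar that has just been freed; reading
    # it after this point (as both test cases in the report do) is the bug.
    undef $ref;

    return $arg;
}

# $ref -> reference scalar -> anonymous hash. The scalar that $$ref
# denotes is held only by $ref, so its count is 1 here.
$ref = \{};
printf "before the call, refcount of \$\$ref = %d\n",
    Internals::SvREFCNT($$ref);

# Passing $$ref pushes that inner scalar itself, not a copy of it.
my $got = show_args($$ref);
printf "callee returned a reference of type %s\n", ref $got;
```

The two printf calls in the script report the same count before and inside the call, which is the whole point: the argument stack and @_ add no reference of their own, so whoever holds the only real reference (here $ref) can free the argument out from under the callee. Moving the release after the copy, or copying in the caller as the reported workaround does, is what avoids the stale read.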


p5pRT commented Sep 19, 2015

From @iabyn

On Wed, Sep 16, 2015 at 08:27:44PM +0000, Pip Cet wrote:

> Looking into this a bit more, this appears to be the same old "stack not
> ref-counted" issue that was recently discussed for perl #125907. I do not
> fully understand how my original code ended up undef'ing elements on the
> stack, but it must have done so somehow.

Agreed, I'll add it to the meta-ticket.

--
The optimist believes that he lives in the best of all possible worlds.
As does the pessimist.


p5pRT commented Sep 19, 2015

The RT System itself - Status changed from 'new' to 'open'
