From @andk

bisect

commit 6768377
Author​: David Mitchell <davem@​iabyn.com>
Date​: Mon Sep 7 15​:00​:32 2015 +0100

  make EXTEND() and stack_grow() safe(r)

cpantesters

http​://www.cpantesters.org/cpan/report/e72309ea-69bf-11e5-8aef-d8dbd0d03245

perl -V

Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 0358bab
  Platform​:
  osname=linux, osvers=4.1.0-2-amd64, archname=x86_64-linux-thread-multi
  uname='linux k83 4.1.0-2-amd64 #1 smp debian 4.1.6-1 (2015-08-23) x86_64 gnulinux '
  config_args='-Dprefix=/home/sand/src/perl/repoperls/installed-perls/perl/v5.23.3-48-g0358bab/9980 -Dmyhostname=k83 -Dinstallusrbinperl=n -Uversiononly -Dusedevel -des -Ui_db -Duseithreads -Uuselongdouble -DDEBUGGING=-g'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=define, usemultiplicity=define
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2 -g',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.1 20150911', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/5/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
  PERL_COPY_ON_WRITE PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
  PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
  USE_PERL_ATOF USE_REENTRANT_API
  Built under linux
  Compiled at Oct 3 2015 01​:26​:29
  %ENV​:
  PERL5LIB="/tmp/loop_over_bdir-27038-18H9o6/Alien-ActiveMQ-0.00005-OlLB74/blib/arch​:/tmp/loop_over_bdir-27038-18H9o6/Alien-ActiveMQ-0.00005-OlLB74/blib/lib"
  PERL5OPT=""
  PERL5_CPANPLUS_IS_RUNNING="22274"
  PERL5_CPAN_IS_RUNNING="22274"
  PERL_MM_USE_DEFAULT="1"
  @​INC​:
  /tmp/loop_over_bdir-27038-18H9o6/Alien-ActiveMQ-0.00005-OlLB74/blib/arch
  /tmp/loop_over_bdir-27038-18H9o6/Alien-ActiveMQ-0.00005-OlLB74/blib/lib
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.23.3-48-g0358bab/9980/lib/site_perl/5.23.4/x86_64-linux-thread-multi
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.23.3-48-g0358bab/9980/lib/site_perl/5.23.4
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.23.3-48-g0358bab/9980/lib/5.23.4/x86_64-linux-thread-multi
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.23.3-48-g0358bab/9980/lib/5.23.4
  .

--
andreas

From @iabyn

On Wed, Oct 28, 2015 at 12​:02​:40AM -0700, Andreas J. Koenig via RT wrote​:

commit 6768377
Author​: David Mitchell <davem@​iabyn.com>
Date​: Mon Sep 7 15​:00​:32 2015 +0100

make EXTEND\(\) and stack\_grow\(\) safe\(r\)                            

As a side effect, this commit made perl skip calling EXTEND($obj, 0)
on @​tied = (). It was originally part of my effort to avoid the (C-level
macro) EXTEND() from wrapping with negative indices; then I realised it
wasn't needed for that, but I left it in as a useful optimisation.

Tie-Simple has a test that expects its EXTEND() method to be called
on @​tied = (), and fails when it isn't called. I think Tie-Simple's
t/array.t test just needs updating.

--
O Unicef Clearasil!
Gibberish and Drivel!
  -- "Bored of the Rings"

The RT System itself - Status changed from 'new' to 'open'

From @andk

On Wed, 28 Oct 2015 13​:55​:43 +0000, Dave Mitchell <davem@​iabyn.com> said​:

  > Tie-Simple has a test that expects its EXTEND() method to be called
  > on @​tied = (), and fails when it isn't called. I think Tie-Simple's
  > t/array.t test just needs updating.

Forwarded to https://rt.cpan.org/Ticket/Display.html?id=108096

--
andreas

From @andk

Also affected​: TONYC/Imager-1.003.tar.gz

cpantesters​: http​://www.cpantesters.org/cpan/report/110c2ba4-69a9-11e5-ad0a-bddad0d03245

--
andreas

From @andk

Also affected​: BKB/Text-Fuzzy-0.22.tar.gz
cpantesters​: not yet populated

From the output​:

t/private-functions.t ... 1/? panic​: stack_grow() negative count (-1) at t/private-functions.t line 32.
# Tests were run but no plan was declared and done_testing() was not seen.
# Looks like your test exited with 255 just after 3.
t/private-functions.t ... Dubious, test returned 255 (wstat 65280, 0xff00)
All 3 subtests passed
t/return-array.t ........ 1/? panic​: stack_grow() negative count (-1) at t/return-array.t line 57.
# Tests were run but no plan was declared and done_testing() was not seen.
# Looks like your test exited with 255 just after 5.
t/return-array.t ........ Dubious, test returned 255 (wstat 65280, 0xff00)
All 5 subtests passed

--
andreas

From @tonycoz

On Thu, Oct 29, 2015 at 06​:41​:50PM +0100, Andreas Koenig wrote​:

Also affected​: TONYC/Imager-1.003.tar.gz

cpantesters​: http​://www.cpantesters.org/cpan/report/110c2ba4-69a9-11e5-ad0a-bddad0d03245

Yeah, that's my bug, in https://rt.cpan.org/Ticket/Display.html?id=107900

Tony

From @eserte

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-build/2015103106/Gtk2-Ex-ListModelConcat-10-4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

From @eserte

Dana Sub 31. Lis 2015, 02​:01​:14, slaven@​rezic.de reče​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-
build/2015103106/Gtk2-Ex-ListModelConcat-10-
4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

Same error message in Catalyst while running the TERENCEMO/Catalyst-View-SVG-TT-Graph-0.0226.tar.gz test suite​:

panic​: av_extend_guts() negative count (-9223372036854775679) at /opt/perl-5.23.4/lib/site_perl/5.23.4/Catalyst/DispatchType/Chained.pm line 101.

From @iabyn

On Thu, Oct 29, 2015 at 06​:56​:39PM +0100, Andreas Koenig wrote​:

Also affected​: BKB/Text-Fuzzy-0.22.tar.gz
cpantesters​: not yet populated

This appears to be an off-by-one error in the module​:

  EXTEND (SP, av_len (wantarray));
  for (i = 0; i <= av_len (wantarray); i++) {
  ...
  PUSHs (sv_2mortal (e));
  }

it pushes avlen()+1 elements but only extends the stack by av_len()
elements. I think it should be

  EXTEND(SP, av_len(wantarray) + 1);

--
I before E. Except when it isn't.

From @iabyn

On Sat, Oct 31, 2015 at 02​:01​:15AM -0700, slaven@​rezic.de via RT wrote​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-build/2015103106/Gtk2-Ex-ListModelConcat-10-4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

I can't get all the dependencies to build for this, but based on the
file name line of that error message, I guess it's calling
gtk_tree_model_get() in Gtk2's xs/GtkTreeModel.xs, which has this​:

  /* extend the stack so it can handle 'n_columns' items in
  * total. the stack already contains 'items' elements so make
  * room for 'n_columns - items' more, move our local stack
  * pointer forward to the new end, and update the global stack
  * pointer. this way, xsubs called by gtk_tree_model_get_value
  * don't overwrite what we put on the stack. */
  SPAGAIN;
  EXTEND (SP, n_columns - items);

which by the sound of it may be possible to have n_columns < items,
which would call EXTEND() with a -ve count. But without running it,
that's just a guess.

--
Little fly, thy summer's play my thoughtless hand
has terminated with extreme prejudice.
  (with apologies to William Blake)

From @iabyn

On Sun, Nov 01, 2015 at 12​:16​:25AM -0700, slaven@​rezic.de via RT wrote​:

Dana Sub 31. Lis 2015, 02​:01​:14, slaven@​rezic.de reče​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-
build/2015103106/Gtk2-Ex-ListModelConcat-10-
4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

Same error message in Catalyst while running the TERENCEMO/Catalyst-View-SVG-TT-Graph-0.0226.tar.gz test suite​:

panic​: av_extend_guts() negative count (-9223372036854775679) at /opt/perl-5.23.4/lib/site_perl/5.23.4/Catalyst/DispatchType/Chained.pm line 101.

After a few hours in dependency hell I failed to to get
Catalyst-View-SVG-TT-Graph installed, finally giving up after trying to
install Image-LibRSVG-0.07 which required librsvg which required​:

configure​: error​: Package requirements ( gdk-pixbuf-2.0 >= 2.20 glib-2.0 >= 2.12.0 gio-2.0 >= 2.24.0 libxml-2.0 >= 2.7.0 pangocairo >= 1.32.6 cairo >= 1.2.0 cairo-png >= 1.2.0
  libcroco-0.6 >= 0.6.1) were not met​:

Looking at the line in question​:

  my @​parts = (defined($endpoint->attributes->{Args}[0]) ? (("*") x $args) : '...');

One would suspect that $args has gone wild, and holds
0x8000000000000081.

--
A major Starfleet emergency breaks out near the Enterprise, but
fortunately some other ships in the area are able to deal with it to
everyone's satisfaction.
  -- Things That Never Happen in "Star Trek" #13

From @eserte

Dana Sub 31. Lis 2015, 02​:01​:14, slaven@​rezic.de reče​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-
build/2015103106/Gtk2-Ex-ListModelConcat-10-
4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

Another Gtk2 application, JHALLOCK/Gapp-0.60.tar.gz
panic​: stack_grow() negative count (-1) at t/004_gtk_simple_list.t line 13.

From @iabyn

On Mon, Nov 02, 2015 at 03​:33​:21PM +0000, Dave Mitchell wrote​:

On Sat, Oct 31, 2015 at 02​:01​:15AM -0700, slaven@​rezic.de via RT wrote​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-build/2015103106/Gtk2-Ex-ListModelConcat-10-4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

I can't get all the dependencies to build for this, but based on the
file name line of that error message, I guess it's calling
gtk_tree_model_get() in Gtk2's xs/GtkTreeModel.xs, which has this​:

    /\* extend the stack so it can handle 'n\_columns' items in
     \* total\.  the stack already contains 'items' elements so make
     \* room for 'n\_columns \- items' more\, move our local stack
     \* pointer forward to the new end\, and update the global stack
     \* pointer\.  this way\, xsubs called by gtk\_tree\_model\_get\_value
     \* don't overwrite what we put on the stack\. \*/
    SPAGAIN;
    EXTEND \(SP\, n\_columns \- items\);

which by the sound of it may be possible to have n_columns < items,
which would call EXTEND() with a -ve count. But without running it,
that's just a guess.

I've now managed to get all dependencies installed, and indeed, it is
what I speculated above​: n_columns == 1 and items == 2, so it's calling
EXTEND() with a negative count.

--
The Enterprise successfully ferries an alien VIP from one place to another
without serious incident.
  -- Things That Never Happen in "Star Trek" #7

From @iabyn

On Tue, Nov 03, 2015 at 02​:05​:46PM -0800, slaven@​rezic.de via RT wrote​:

Dana Sub 31. Lis 2015, 02​:01​:14, slaven@​rezic.de reče​:

Same error message in KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz​:

panic​: stack_grow() negative count (-1) at /tmpfs/.cpan-
build/2015103106/Gtk2-Ex-ListModelConcat-10-
4FBE0J/blib/lib/Gtk2/Ex/ListModelConcat.pm line 813.

Another Gtk2 application, JHALLOCK/Gapp-0.60.tar.gz
panic​: stack_grow() negative count (-1) at t/004_gtk_simple_list.t line 13.

This is caused by the same bug in Gtk2's gtk_tree_model_get() as I just
diagnosed for Gtk2-Ex-ListModelConcat.

--
The warp engines start playing up a bit, but seem to sort themselves out
after a while without any intervention from boy genius Wesley Crusher.
  -- Things That Never Happen in "Star Trek" #17

From @tonycoz

On Thu Oct 29 10​:42​:50 2015, andreas.koenig.7os6VVqR@​franz.ak.mind.de wrote​:

Also affected​: TONYC/Imager-1.003.tar.gz

cpantesters​: http​://www.cpantesters.org/cpan/report/110c2ba4-69a9-
11e5-ad0a-bddad0d03245

Fixed in 1.004.

It was https://rt.cpan.org/Ticket/Display.html?id=107900

Tony

From @tonycoz

On Wed Oct 28 00​:02​:40 2015, andreas.koenig.7os6VVqR@​franz.ak.mind.de wrote​:

bisect
------
commit 6768377
Author​: David Mitchell <davem@​iabyn.com>
Date​: Mon Sep 7 15​:00​:32 2015 +0100

make EXTEND() and stack_grow() safe(r)

The following now work​:

HANENKAMP/Tie-Simple-1.03.tar.gz

was fixed in 1.04.

TONYC/Imager-1.003.tar.gz

was fixed in 1.004

BKB/Text-Fuzzy-0.22.tar.gz

was fixed in 0.24.

KRYDE/Gtk2-Ex-ListModelConcat-10.tar.gz

passes its tests with the latest Gtk2, for which the Chnages for 1.2497 claims​:

* Avoid a stack handling error in Gtk2​::TreeModel​::get on perl >= 5.23

Leaving as not working​:

TERENCEMO/Catalyst-View-SVG-TT-Graph-0.0226.tar.gz

depends on List​::MoreUtils which fails its tests

JHALLOCK/Gapp-0.60.tar.gz

depends on List​::MoreUtils, and is probably otherwise fixed by release 1.2497 of Gtk2.

Tony

From @rjbs

I believe this is fixed. Thoughts?

--
rjbs

From @tonycoz

On Thu Feb 11 17​:21​:32 2016, rjbs wrote​:

I believe this is fixed. Thoughts?

I think so, closing.

The failures in the mentioned modules are due to an old bug in List​::MoreUtils.

Tony

@tonycoz - Status changed from 'open' to 'pending release'

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

@khwilliamson - Status changed from 'pending release' to 'resolved'