From @andk

Properly tested, perl -V output in the link, a potential BBC candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-8424e7b38300

Thanks,
--
andreas
PS​: hopefully this mail contains the word perl often enough for getting
through to rt.perl.

From @khwilliamson

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by (Andreas J. Koenig)
# Please include the string​: [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings, but the
make test crashes before it gets to where the failures in this ticket occur.

The output is attached. The compilation output contains a bunch of
warnings, some of which look, without investigating, like real errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

From @khwilliamson

cd pTk && make DEFINE="" LIBPERL_A="libperl.a" LINKTYPE="dynamic" OPTIMIZE="-O2 -O0 -g" PREFIX="/home/khw/cpanbroken" PASTHRU_DEFINE=' ' PASTHRU_INC=' '
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pod'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pod'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/demos'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/demos'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Xlib'
make[2]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Xlib/X'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- X.bs ../../blib/arch/auto/Tk/X/X.bs 644
make[2]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Xlib/X'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Xlib.bs ../blib/arch/auto/Tk/Xlib/Xlib.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Xlib'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/WinPhoto'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- WinPhoto.bs ../blib/arch/auto/Tk/WinPhoto/WinPhoto.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/WinPhoto'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Tixish'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Tixish'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TixPixmap'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Pixmap.bs ../blib/arch/auto/Tk/Pixmap/Pixmap.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TixPixmap'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TixGrid'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- TixGrid.bs ../blib/arch/auto/Tk/TixGrid/TixGrid.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TixGrid'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TextList'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TextList'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Text'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Text.bs ../blib/arch/auto/Tk/Text/Text.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Text'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TList'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- TList.bs ../blib/arch/auto/Tk/TList/TList.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/TList'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Scrollbar'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Scrollbar.bs ../blib/arch/auto/Tk/Scrollbar/Scrollbar.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Scrollbar'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Scale'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Scale.bs ../blib/arch/auto/Tk/Scale/Scale.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Scale'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/PNG'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- PNG.bs ../blib/arch/auto/Tk/PNG/PNG.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/PNG'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/NBFrame'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- NBFrame.bs ../blib/arch/auto/Tk/NBFrame/NBFrame.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/NBFrame'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Mwm'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Mwm.bs ../blib/arch/auto/Tk/Mwm/Mwm.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Mwm'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Menubutton'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Menubutton.bs ../blib/arch/auto/Tk/Menubutton/Menubutton.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Menubutton'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Listbox'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Listbox.bs ../blib/arch/auto/Tk/Listbox/Listbox.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Listbox'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG'
cd jpeg && make libjpeg.a
make[2]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG/jpeg'
make[2]​: 'libjpeg.a' is up to date.
make[2]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG/jpeg'
make[2]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG/jpeg'
make[2]​: Nothing to be done for 'all'.
make[2]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG/jpeg'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- JPEG.bs ../blib/arch/auto/Tk/JPEG/JPEG.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/JPEG'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/InputO'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- InputO.bs ../blib/arch/auto/Tk/InputO/InputO.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/InputO'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/IO'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- IO.bs ../blib/arch/auto/Tk/IO/IO.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/IO'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/HList'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- HList.bs ../blib/arch/auto/Tk/HList/HList.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/HList'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Event'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Event.bs ../blib/arch/auto/Tk/Event/Event.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Event'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Entry'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Entry.bs ../blib/arch/auto/Tk/Entry/Entry.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Entry'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/DragDrop'
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/DragDrop'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Compound'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Compound.bs ../blib/arch/auto/Tk/Compound/Compound.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Compound'
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Canvas'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Canvas.bs ../blib/arch/auto/Tk/Canvas/Canvas.bs 644
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/Canvas'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- Tk.bs blib/arch/auto/Tk/Tk.bs 644
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/PNG'
"/home/khw/cpanbroken/bin/perl" -MExtUtils​::Command​::MM -e 'cp_nonempty' -- PNG.bs ../blib/arch/auto/Tk/PNG/PNG.bs 644
make[1]​: *** No rule to make target '../perl', needed by 'test_static'.
make[1]​: Target 'test_static' not remade because of errors.
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/PNG'
Makefile​:1459​: recipe for target 'subdirs-test_static' failed
make​: *** [subdirs-test_static] Error 2
Writing "Makefile.aperl" for this perl
PPM for perl5.029001
Test Compiling config/perlrx.c
/home/khw/cpanbroken/bin/perl is installed in /home/khw/cpanbroken/lib/perl5/5.29.1/x86_64-linux-thread-multi okay
Test Compiling config/pmop.c
Test Compiling config/pregcomp2.c
Test Compiling config/regexp511.c
Test Compiling config/signedchar.c
Test Compiling config/Ksprintf.c
Test Compiling config/svtrv.c
Test Compiling config/copstashset.c
Test Compiling config/tod.c
Test Compiling -DTIMEOFDAY_TZ config/tod.c
TZ gettimeofday()
Cannot find X include files via /include
Cannot find freetype.h include file
Using -L/usr/lib/x86_64-linux-gnu to find /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
Using -I/usr/include to find /usr/include/X11/Xlib.h
Finding dependencies for Tk.xs
Finding dependencies for chnGlue.c
Finding dependencies for encGlue.c
Finding dependencies for evtGlue.c
Finding dependencies for objGlue.c
Finding dependencies for tixGlue.c
Finding dependencies for tkGlue.c
Finding dependencies for tkGlue_f.c
Finding dependencies for tkWin32Dll.c
Tests in PNG
Tests in JPEG
Tests in Event
Generating a Unix-style Makefile.aperl
Writing Makefile.aperl for Tk
Writing MYMETA.yml and MYMETA.json
make -f Makefile.aperl perl
make[1]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034'
Writing perlmain.c
mv perlmain.ct perlmain.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -DPERL_BOOL_AS_CHAR -Wno-deprecated -DNO_MATHOMS -fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2 -O2 -O0 -g -DVERSION=\"804.034\" -DXS_VERSION=\"804.034\" -fPIC "-I/home/khw/cpanbroken/lib/perl5/5.29.1/x86_64-linux-thread-multi/CORE" -Wall -Wno-implicit-int -Wno-comment -Wno-unused -D__USE_FIXED_PROTOTYPES__ perlmain.c
cd pTk && make DEFINE="" LIBPERL_A="libperl.a" LINKTYPE="static" OPTIMIZE="-O2 -O0 -g" PREFIX="/home/khw/cpanbroken" PASTHRU_DEFINE=' ' PASTHRU_INC=' '
make[2]​: Entering directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
make[2]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/pTk'
cat /home/khw/.cpanm/work/1530989855.25819/Tk-804.034/blib/arch/auto/Tk/PNG/extralibs.ld >> blib/arch/auto/Tk/extralibs.all
cat blib/arch/auto/Tk/extralibs.ld >> blib/arch/auto/Tk/extralibs.all
gcc -fstack-protector-strong -L/usr/local/lib -Wl,-E Tk.o chnGlue.o encGlue.o evtGlue.o objGlue.o tixGlue.o tkGlue.o tkGlue_f.o tkWin32Dll.o -O2 -O0 -g ./perlmain.o -o perl "blib/arch/auto/Tk/Tk.a" "/home/khw/.cpanm/work/1530989855.25819/Tk-804.034/blib/arch/auto/Tk/PNG/PNG.a" "/home/khw/cpanbroken/lib/perl5/5.29.1/x86_64-linux-thread-multi/CORE/libperl.a" `cat blib/arch/auto/Tk/extralibs.all` -lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
To install the new 'perl' binary, call
  make -f Makefile.aperl inst_perl MAP_TARGET=perl
  make -f Makefile.aperl map_clean
make[1]​: Leaving directory '/home/khw/.cpanm/work/1530989855.25819/Tk-804.034'
make​: Target 'test_static' not remade because of errors.

The RT System itself - Status changed from 'new' to 'open'

From @khwilliamson

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings, but the
make test crashes before it gets to where the failures in this ticket
occur.

The output is attached.  The compilation output contains a bunch of
warnings, some of which look, without investigating, like real errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

My previous email included the output after all the files had been
compiled, so none of the warnings were shown. Attached is a compilation
from a clean start.

From @khwilliamson

test.out

From @eserte

Dana Sat, 07 Jul 2018 21​:56​:37 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings, but
the
make test crashes before it gets to where the failures in this ticket
occur.

The output is attached.  The compilation output contains a bunch of
warnings, some of which look, without investigating, like real
errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

My previous email included the output after all the files had been
compiled, so none of the warnings were shown. Attached is a
compilation
from a clean start.

Which EUMM version are you using? This subdirs-test_dynamic failure looks like the ones described in https://rt.cpan.org/Ticket/Display.html?id=117800

From @khwilliamson

On 07/08/2018 12​:53 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 07 Jul 2018 21​:56​:37 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings, but
the
make test crashes before it gets to where the failures in this ticket
occur.

The output is attached.  The compilation output contains a bunch of
warnings, some of which look, without investigating, like real
errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

My previous email included the output after all the files had been
compiled, so none of the warnings were shown. Attached is a
compilation
from a clean start.

Which EUMM version are you using? This subdirs-test_dynamic failure looks like the ones described in https://rt.cpan.org/Ticket/Display.html?id=117800

7.34

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347

From @eserte

Dana Sun, 08 Jul 2018 22​:03​:44 -0700, public@​khwilliamson.com reče​:

On 07/08/2018 12​:53 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 07 Jul 2018 21​:56​:37 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this
issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes,
and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings,
but
the
make test crashes before it gets to where the failures in this
ticket
occur.

The output is attached.  The compilation output contains a bunch of
warnings, some of which look, without investigating, like real
errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

My previous email included the output after all the files had been
compiled, so none of the warnings were shown. Attached is a
compilation
from a clean start.

Which EUMM version are you using? This subdirs-test_dynamic failure
looks like the ones described in
https://rt.cpan.org/Ticket/Display.html?id=117800

7.34

Is libjpeg-devel installed? Maybe the problem does only happen if the bundled libjpeg is used.

From @khwilliamson

On 07/09/2018 12​:28 AM, slaven@​rezic.de via RT wrote​:

Dana Sun, 08 Jul 2018 22​:03​:44 -0700, public@​khwilliamson.com reče​:

On 07/08/2018 12​:53 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 07 Jul 2018 21​:56​:37 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this
issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes,
and
which have finally been removed in 5.29.

I edited encGlue.c to get rid of all these and all the warnings,
but
the
make test crashes before it gets to where the failures in this
ticket
occur.

The output is attached.  The compilation output contains a bunch of
warnings, some of which look, without investigating, like real
errors,
and others, like fragilities.

I'll submit a PR request on encGlue when I get it working.

Any suggestions as to how to get the make test to not die would be
appreciated.

My previous email included the output after all the files had been
compiled, so none of the warnings were shown. Attached is a
compilation
from a clean start.

Which EUMM version are you using? This subdirs-test_dynamic failure
looks like the ones described in
https://rt.cpan.org/Ticket/Display.html?id=117800

7.34

Is libjpeg-devel installed? Maybe the problem does only happen if the bundled libjpeg is used.

Yes, I had previously installed libjpeg-dev. See my comments in
https://rt.cpan.org/Ticket/Display.html?id=109474&results=2577ff96ec829e71e3c5f9e2df164b74

Another option is for me to post a patch on this ticket, and people can
try it.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347

From @khwilliamson

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

There is a comment in the code that says

/* Doing these in-place seems risky ... */

And in inspecting the code for working with Unicode, I realized the API
can't possibly work generally as currently specified.

There are functions to uppercase and lowercase a C string encoded in
UTF-8. These functions work on the assumption that each character in
the case-changed result occupies the same number of bytes as the
original. That simply isn't the case. Perhaps attackers are already
using this.

I don't know how to proceed. The API would have to be redesigned. I
don't know if these functions are called from outside or not. What hits
me first is to have the functions take a parameter like , *&esult".
Upon return, the function would malloc enough memory to hold the changed
result, and store its address into *result. It becomes the caller's
responsibility to free it after use.

From @eserte

Dana Tue, 10 Jul 2018 11​:03​:07 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

There is a comment in the code that says

/* Doing these in-place seems risky ... */

And in inspecting the code for working with Unicode, I realized the
API
can't possibly work generally as currently specified.

There are functions to uppercase and lowercase a C string encoded in
UTF-8. These functions work on the assumption that each character in
the case-changed result occupies the same number of bytes as the
original. That simply isn't the case. Perhaps attackers are already
using this.

Maybe you can try it out? In real-world code, the to_utf8_lower warning appears in text boxes when opening the search dialog (right mouse > Find), choose the settings "exact" and "nocase", and do a search. So if you know some unicode which causes lengthening of the utf8 string when turning into lowercase, then it's possible to exceed the buffer.

For creating a text box, it's enough to write​:

  perl5.28.0 -MTk -e 'tkinit->Text->pack; MainLoop'

I don't know how to proceed. The API would have to be redesigned. I
don't know if these functions are called from outside or not. What
hits
me first is to have the functions take a parameter like , *&esult".
Upon return, the function would malloc enough memory to hold the
changed
result, and store its address into *result. It becomes the caller's
responsibility to free it after use.

Maybe it's worth to see what the original Tcl code does​:
https://www.tcl.tk/man/tcl/TclLib/ToUpper.htm

It seems that
- it's guaranteed here that the utf8 string is never made longer (in terms of bytes)
- it handles only characters in the latin1 range, which are probably unlikely to cause problems (even a upper conversion ß -> SS would not change the utf8 bytes length)

Unfortunately the new to*_utf8_safe functions don't say what's happening in case of exceeding the available space. Maybe it could be done similar as in Encode.pm and the user has some (limited) possibilities to specify the fallback behavior (FB_CROAK + the possibility to set the replacement character). If this possibility exists, then a quick fix would be to just use the replacement character fallback.

What's also interesting --- there's no Perl warning if the Tk​::Text find functionality is set to regexp+nocase. So maybe a simple fix would be to convert the search string from exact to an equivalent regexp (e.g. using something like '^'.quotemeta($string).'$').

From @khwilliamson

On 07/10/2018 04​:14 PM, slaven@​rezic.de via RT wrote​:

Dana Tue, 10 Jul 2018 11​:03​:07 -0700, public@​khwilliamson.com reče​:

On 07/07/2018 10​:37 PM, Karl Williamson wrote​:

On 07/07/2018 12​:05 PM, (Andreas J. Koenig) (via RT) wrote​:

# New Ticket Created by  (Andreas J. Koenig)
# Please include the string​:  [perl #133347]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347 >

Properly tested, perl -V output in the link, a potential BBC
candidate​:
http​://www.cpantesters.org/cpan/report/60a41a6a-7d91-11e8-8819-
8424e7b38300

Thanks,

This is using long-deprecated functions that are security holes, and
which have finally been removed in 5.29.

There is a comment in the code that says

/* Doing these in-place seems risky ... */

And in inspecting the code for working with Unicode, I realized the
API
can't possibly work generally as currently specified.

There are functions to uppercase and lowercase a C string encoded in
UTF-8. These functions work on the assumption that each character in
the case-changed result occupies the same number of bytes as the
original. That simply isn't the case. Perhaps attackers are already
using this.

Maybe you can try it out? In real-world code, the to_utf8_lower warning appears in text boxes when opening the search dialog (right mouse > Find), choose the settings "exact" and "nocase", and do a search. So if you know some unicode which causes lengthening of the utf8 string when turning into lowercase, then it's possible to exceed the buffer.

I need a working version to try it out.

But if it were just lowercase, the problem would be manageable, as there
are only three code points that currently expand​: U+0130 (dotted
capital I) used in Turkic languages, and two code points used in
Sencoten, a west-coast Canadian native language. If it is to accept
things beyond Latin1, it would need to be rewritten so that it doesn't
assume that every character's changed case has the same number of bytes
as the original. Some characters contract.

The problem is the uppercasing. There are quite a few characters that
expand when uppercased. Under what circumstances does this get called?

For creating a text box, it's enough to write​:

 perl5\.28\.0 \-MTk \-e 'tkinit\->Text\->pack; MainLoop'

I don't know how to proceed. The API would have to be redesigned. I
don't know if these functions are called from outside or not. What
hits
me first is to have the functions take a parameter like , *&esult".
Upon return, the function would malloc enough memory to hold the
changed
result, and store its address into *result. It becomes the caller's
responsibility to free it after use.

Maybe it's worth to see what the original Tcl code does​:
https://www.tcl.tk/man/tcl/TclLib/ToUpper.htm

It seems that
- it's guaranteed here that the utf8 string is never made longer (in terms of bytes)
- it handles only characters in the latin1 range, which are probably unlikely to cause problems (even a upper conversion ß -> SS would not change the utf8 bytes length)
If we're willing to limit the inputs to Latin1, this is true, and there
is no problem, but there needs to be a check for that. The uppercase
for two Latin1 characters is above Latin1, but still occupy 2 bytes.

Unfortunately the new to*_utf8_safe functions don't say what's happening in case of exceeding the available space. Maybe it could be done similar as in Encode.pm and the user has some (limited) possibilities to specify the fallback behavior (FB_CROAK + the possibility to set the replacement character). If this possibility exists, then a quick fix would be to just use the replacement character fallback.

They currently die, which seems too severe now that you bring it up, but
is in keeping with various other parts of the core. This does seem like
a worthwhile idea you have. Note that there might not be room for a
replacement character, though.

What's also interesting --- there's no Perl warning if the Tk​::Text find functionality is set to regexp+nocase. So maybe a simple fix would be to convert the search string from exact to an equivalent regexp (e.g. using something like '^'.quotemeta($string).'$').

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347

From @ppisar

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the warnings, but the
make test crashes before it gets to where the failures in this ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

  Make utf8_to_uvchr() safer

  This function is deprecated because the API doesn't allow it to
  determine the end of the input string, so it can read off the far end.
  But I just realized that since many strings are NUL-terminated, so we
  can forbid it from reading past the next NUL, and hence make it safe in
  many cases.

to perl-5.28.0. Then unpatched Tk crashed for me in Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
  len = strlen(src);
send = s + len;
len = 0;
while (s < send)
  {
→ s += UTF8SKIP(s);
  len++;
  }
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow; $m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:", len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk (layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38, maxPtr=maxPtr@​entry=0x7ffdcbaaed2c, start=start@​entry=0x55a6feecede0 "Search​:",
  numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27) at tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout (tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:", numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
  wrapLength@​entry=0, justify=justify@​entry=TK_JUSTIFY_CENTER, flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8, heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry (butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged (instanceData=instanceData@​entry=0x55a6feebdf50) at tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton (interp=interp@​entry=0x55a6fec3aea0, butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2, objv=objv@​entry=0x55a6fe685a98)
  at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd (clientData=clientData@​entry=0x55a6feebdf50, interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4, objv=objv@​entry=0x55a6fe685a88)
  at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260, cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub (my_perl=0x55a6fe680260) at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard (my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>, my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the new API
ends with a crash.

-- Petr

From @khwilliamson

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the warnings, but the
make test crashes before it gets to where the failures in this ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

 Make utf8\_to\_uvchr\(\) safer

 This function is deprecated because the API doesn't allow it to
 determine the end of the input string\, so it can read off the far end\.
 But I just realized that since many strings are NUL\-terminated\, so we
 can forbid it from reading past the next NUL\, and hence make it safe in
 many cases\.

to perl-5.28.0. Then unpatched Tk crashed for me in Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow; $m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:", len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk (layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38, maxPtr=maxPtr@​entry=0x7ffdcbaaed2c, start=start@​entry=0x55a6feecede0 "Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27) at tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout (tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:", numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0, justify=justify@​entry=TK_JUSTIFY_CENTER, flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8, heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry (butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged (instanceData=instanceData@​entry=0x55a6feebdf50) at tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton (interp=interp@​entry=0x55a6fec3aea0, butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2, objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd (clientData=clientData@​entry=0x55a6feebdf50, interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4, objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260, cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub (my_perl=0x55a6fe680260) at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard (my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>, my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the new API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show up a bug
in the library.

From @ppisar

On 2018-09-11, Karl Williamson <public@​khwilliamson.com> wrote​:

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the warnings, but the
make test crashes before it gets to where the failures in this ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

 Make utf8\_to\_uvchr\(\) safer

 This function is deprecated because the API doesn't allow it to
 determine the end of the input string\, so it can read off the far end\.
 But I just realized that since many strings are NUL\-terminated\, so we
 can forbid it from reading past the next NUL\, and hence make it safe in
 many cases\.

to perl-5.28.0. Then unpatched Tk crashed for me in Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow; $m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:", len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk (layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38, maxPtr=maxPtr@​entry=0x7ffdcbaaed2c, start=start@​entry=0x55a6feecede0 "Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27) at tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout (tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:", numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0, justify=justify@​entry=TK_JUSTIFY_CENTER, flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8, heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry (butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged (instanceData=instanceData@​entry=0x55a6feebdf50) at tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton (interp=interp@​entry=0x55a6fec3aea0, butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2, objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd (clientData=clientData@​entry=0x55a6feebdf50, interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4, objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260, cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub (my_perl=0x55a6fe680260) at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard (my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>, my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the new API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show up a bug
in the library.

valgrind reports plenty of jumps depending on an unitilaized memory in
Tk-Pod XS code on patched and unpatatched perl. The crash happens on
patched perl randomly. I compared valgrind output between patched and
unpatched perl and found this new error important​:

==PID== Use of uninitialised value of size 8
==PID== at ADDRESS​: Tcl_NumUtfChars (encGlue.c​:117)
==PID== by ADDRESS​: NewChunk (tkFont.c​:3298)
==PID== by ADDRESS​: Tk_ComputeTextLayout (tkFont.c​:1977)
==PID== by ADDRESS​: TkpComputeButtonGeometry (tkUnixButton.c​:602)
==PID== by ADDRESS​: TkButtonWorldChanged (tkButton.c​:1392)
==PID== by ADDRESS​: ConfigureButton (tkButton.c​:1279)
==PID== by ADDRESS​: ButtonWidgetObjCmd (tkButton.c​:823)
==PID== by ADDRESS​: Call_Tk (tkGlue.c​:2260)
==PID== by ADDRESS​: XStoWidget (tkGlue.c​:2627)
==PID== by ADDRESS​: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: perl_run (in /usr/lib64/libperl.so.5.28.0)

The encGlue.c​:117 is at​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
  len = strlen(src);
send = s + len;
len = 0;
while (s < send)
  {
→ s += UTF8SKIP(s);
  len++;
  }
return len;
}

It's the same place found by a debugger. I don't think valgrind provides any
other usefull clues. Here is the complete difference if you are interested​:

--- /tmp/good	2018-09-12 17:47:15.412000000 +0200
+++ /tmp/bad	2018-09-12 17:47:10.412000000 +0200
@@ -14,7 +14,8 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:538)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3641)
+==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -22,7 +23,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3641)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3648)
 ==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
@@ -31,7 +32,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3648)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3651)
 ==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
@@ -40,8 +41,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3651)
-==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
+==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:532)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -49,7 +49,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:532)
+==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:538)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -118,16 +118,277 @@
 ==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_AllocFontFromObj (tkFont.c:1158)
+==PID==    by ADDRESS: DoObjConfig (tkConfig.c:799)
+==PID==    by ADDRESS: Tk_InitOptions (tkConfig.c:569)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:571)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: ListboxComputeGeometry (tkListbox.c:2176)
+==PID==    by ADDRESS: ListboxWorldChanged (tkListbox.c:1798)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1672)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:577)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: ListboxComputeGeometry (tkListbox.c:2176)
+==PID==    by ADDRESS: ListboxWorldChanged (tkListbox.c:1798)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1672)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:577)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:608)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonCreate.isra.5 (tkButton.c:744)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XStoTclCmdNull (tkGlue.c:3039)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_AllocFontFromObj (tkFont.c:1158)
+==PID==    by ADDRESS: DoObjConfig (tkConfig.c:799)
+==PID==    by ADDRESS: Tk_SetOptions (tkConfig.c:1445)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1570)
+==PID==    by ADDRESS: ListboxWidgetObjCmd (tkListbox.c:709)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: EntryWorldChanged (tkEntry.c:1707)
+==PID==    by ADDRESS: ConfigureEntry.isra.5 (tkEntry.c:1668)
+==PID==    by ADDRESS: Tk_EntryObjCmd (tkEntry.c:853)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_entry (Entry.xs:27)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: EntryWorldChanged (tkEntry.c:1707)
+==PID==    by ADDRESS: ConfigureEntry.isra.5 (tkEntry.c:1668)
+==PID==    by ADDRESS: Tk_EntryObjCmd (tkEntry.c:853)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_entry (Entry.xs:27)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1972)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1972)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1976)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:111)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:115)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:115)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Use of uninitialised value of size 8
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:117)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1985)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:2024)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:2048)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1940)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:608)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
 ==PID== 
 ==PID== HEAP SUMMARY:
-==PID==     in use at exit: 7,460,071 bytes in 33,139 blocks
-==PID==   total heap usage: 99,626 allocs, 66,487 frees, 17,400,121 bytes allocated
+==PID==     in use at exit: 7,460,004 bytes in 33,142 blocks
+==PID==   total heap usage: 99,583 allocs, 66,441 frees, 17,389,542 bytes allocated
 ==PID== 
 ==PID== LEAK SUMMARY:
 ==PID==    definitely lost: 23,450 bytes in 41 blocks
 ==PID==    indirectly lost: 69,152 bytes in 33 blocks
-==PID==      possibly lost: 7,166,005 bytes in 28,373 blocks
-==PID==    still reachable: 201,464 bytes in 4,692 blocks
+==PID==      possibly lost: 7,165,906 bytes in 28,376 blocks
+==PID==    still reachable: 201,496 bytes in 4,692 blocks
 ==PID==                       of which reachable via heuristic:
 ==PID==                         newarray           : 24,968 bytes in 764 blocks
 ==PID==         suppressed: 0 bytes in 0 blocks
@@ -135,4 +396,4 @@
 ==PID== 
 ==PID== For counts of detected and suppressed errors, rerun with: -v
 ==PID== Use --track-origins=yes to see where uninitialised values come from
-==PID== ERROR SUMMARY: 175 errors from 12 contexts (suppressed: 0 from 0)
+==PID== ERROR SUMMARY: 255 errors from 31 contexts (suppressed: 0 from 0)

-- Petr

From @jkeenan

On Wed, 12 Sep 2018 16​:03​:42 GMT, ppisar wrote​:

On 2018-09-11, Karl Williamson <public@​khwilliamson.com> wrote​:

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the warnings,
but the
make test crashes before it gets to where the failures in this
ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

Make utf8_to_uvchr() safer

This function is deprecated because the API doesn't allow it to
determine the end of the input string, so it can read off the far
end.
But I just realized that since many strings are NUL-terminated, so
we
can forbid it from reading past the next NUL, and hence make it safe
in
many cases.

to perl-5.28.0. Then unpatched Tk crashed for me in
Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow;
$m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:",
len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk
(layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38,
maxPtr=maxPtr@​entry=0x7ffdcbaaed2c, start=start@​entry=0x55a6feecede0
"Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27) at
tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout
(tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:",
numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0, justify=justify@​entry=TK_JUSTIFY_CENTER,
flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8,
heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry
(butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged
(instanceData=instanceData@​entry=0x55a6feebdf50) at tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton
(interp=interp@​entry=0x55a6fec3aea0,
butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2,
objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd
(clientData=clientData@​entry=0x55a6feebdf50,
interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4,
objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260,
cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub (my_perl=0x55a6fe680260)
at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard
(my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>,
my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>,
argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the new
API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show up a
bug
in the library.

valgrind reports plenty of jumps depending on an unitilaized memory in
Tk-Pod XS code on patched and unpatatched perl. The crash happens on
patched perl randomly. I compared valgrind output between patched and
unpatched perl and found this new error important​:

==PID== Use of uninitialised value of size 8
==PID== at ADDRESS​: Tcl_NumUtfChars (encGlue.c​:117)
==PID== by ADDRESS​: NewChunk (tkFont.c​:3298)
==PID== by ADDRESS​: Tk_ComputeTextLayout (tkFont.c​:1977)
==PID== by ADDRESS​: TkpComputeButtonGeometry (tkUnixButton.c​:602)
==PID== by ADDRESS​: TkButtonWorldChanged (tkButton.c​:1392)
==PID== by ADDRESS​: ConfigureButton (tkButton.c​:1279)
==PID== by ADDRESS​: ButtonWidgetObjCmd (tkButton.c​:823)
==PID== by ADDRESS​: Call_Tk (tkGlue.c​:2260)
==PID== by ADDRESS​: XStoWidget (tkGlue.c​:2627)
==PID== by ADDRESS​: Perl_pp_entersub (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: Perl_runops_standard (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: perl_run (in /usr/lib64/libperl.so.5.28.0)

The encGlue.c​:117 is at​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

It's the same place found by a debugger. I don't think valgrind
provides any
other usefull clues. Here is the complete difference if you are
interested​:

[snip -- moved to attachment]

-- Petr

Could we get an update on the status of this ticket?

khw has mentioned to me​:

"These probably indicate potential security flaws, which the maintainer(s) really should investigate. These are scary, and this code may already be being used as an attack vector."

Speaking of scary ... the other day I attempted to build Tk against perl-5.29.4. My computer crashed during the test suite. Twice.

Thank you very much.

--
James E Keenan (jkeenan@​cpan.org)

From @jkeenan

--- /tmp/good	2018-09-12 17:47:15.412000000 +0200
+++ /tmp/bad	2018-09-12 17:47:10.412000000 +0200
@@ -14,7 +14,8 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:538)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3641)
+==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -22,7 +23,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3641)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3648)
 ==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
@@ -31,7 +32,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3648)
+==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3651)
 ==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
@@ -40,8 +41,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: LangCmpOpt (tkGlue.c:3651)
-==PID==    by ADDRESS: CreateFrame.isra.3 (tkFrame.c:531)
+==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:532)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -49,7 +49,7 @@
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
 ==PID== Conditional jump or move depends on uninitialised value(s)
-==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:532)
+==PID==    at ADDRESS: CreateFrame.isra.3 (tkFrame.c:538)
 ==PID==    by ADDRESS: XS_Tk__MainWindow_Create (tkGlue.c:2378)
 ==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
@@ -118,16 +118,277 @@
 ==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
 ==PID==    by ADDRESS: main (perlmain.c:122)
 ==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_AllocFontFromObj (tkFont.c:1158)
+==PID==    by ADDRESS: DoObjConfig (tkConfig.c:799)
+==PID==    by ADDRESS: Tk_InitOptions (tkConfig.c:569)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:571)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: ListboxComputeGeometry (tkListbox.c:2176)
+==PID==    by ADDRESS: ListboxWorldChanged (tkListbox.c:1798)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1672)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:577)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: ListboxComputeGeometry (tkListbox.c:2176)
+==PID==    by ADDRESS: ListboxWorldChanged (tkListbox.c:1798)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1672)
+==PID==    by ADDRESS: Tk_ListboxObjCmd (tkListbox.c:577)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_listbox (Listbox.xs:30)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:608)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonCreate.isra.5 (tkButton.c:744)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XStoTclCmdNull (tkGlue.c:3039)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_AllocFontFromObj (tkFont.c:1158)
+==PID==    by ADDRESS: DoObjConfig (tkConfig.c:799)
+==PID==    by ADDRESS: Tk_SetOptions (tkConfig.c:1445)
+==PID==    by ADDRESS: ConfigureListbox.isra.2 (tkListbox.c:1570)
+==PID==    by ADDRESS: ListboxWidgetObjCmd (tkListbox.c:709)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: EntryWorldChanged (tkEntry.c:1707)
+==PID==    by ADDRESS: ConfigureEntry.isra.5 (tkEntry.c:1668)
+==PID==    by ADDRESS: Tk_EntryObjCmd (tkEntry.c:853)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_entry (Entry.xs:27)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: EntryWorldChanged (tkEntry.c:1707)
+==PID==    by ADDRESS: ConfigureEntry.isra.5 (tkEntry.c:1668)
+==PID==    by ADDRESS: Tk_EntryObjCmd (tkEntry.c:853)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XSTkCommand (tkGlue.c:3025)
+==PID==    by ADDRESS: XS_Tk_entry (Entry.xs:27)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:560)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1972)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1972)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1976)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:111)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:115)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:115)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Use of uninitialised value of size 8
+==PID==    at ADDRESS: Tcl_NumUtfChars (encGlue.c:117)
+==PID==    by ADDRESS: NewChunk (tkFont.c:3298)
+==PID==    by ADDRESS: Tk_ComputeTextLayout (tkFont.c:1977)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1985)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:2024)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:2048)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_ComputeTextLayout (tkFont.c:1940)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:602)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
+==PID== Conditional jump or move depends on uninitialised value(s)
+==PID==    at ADDRESS: Tk_MeasureChars (tkUnixXft.c:554)
+==PID==    by ADDRESS: Tk_TextWidth (tkFont.c:1774)
+==PID==    by ADDRESS: TkpComputeButtonGeometry (tkUnixButton.c:608)
+==PID==    by ADDRESS: TkButtonWorldChanged (tkButton.c:1392)
+==PID==    by ADDRESS: ConfigureButton (tkButton.c:1279)
+==PID==    by ADDRESS: ButtonWidgetObjCmd (tkButton.c:823)
+==PID==    by ADDRESS: Call_Tk (tkGlue.c:2260)
+==PID==    by ADDRESS: XStoWidget (tkGlue.c:2627)
+==PID==    by ADDRESS: Perl_pp_entersub (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: Perl_runops_standard (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: perl_run (in /usr/lib64/libperl.so.5.28.0)
+==PID==    by ADDRESS: main (perlmain.c:122)
+==PID== 
 ==PID== 
 ==PID== HEAP SUMMARY:
-==PID==     in use at exit: 7,460,071 bytes in 33,139 blocks
-==PID==   total heap usage: 99,626 allocs, 66,487 frees, 17,400,121 bytes allocated
+==PID==     in use at exit: 7,460,004 bytes in 33,142 blocks
+==PID==   total heap usage: 99,583 allocs, 66,441 frees, 17,389,542 bytes allocated
 ==PID== 
 ==PID== LEAK SUMMARY:
 ==PID==    definitely lost: 23,450 bytes in 41 blocks
 ==PID==    indirectly lost: 69,152 bytes in 33 blocks
-==PID==      possibly lost: 7,166,005 bytes in 28,373 blocks
-==PID==    still reachable: 201,464 bytes in 4,692 blocks
+==PID==      possibly lost: 7,165,906 bytes in 28,376 blocks
+==PID==    still reachable: 201,496 bytes in 4,692 blocks
 ==PID==                       of which reachable via heuristic:
 ==PID==                         newarray           : 24,968 bytes in 764 blocks
 ==PID==         suppressed: 0 bytes in 0 blocks
@@ -135,4 +396,4 @@
 ==PID== 
 ==PID== For counts of detected and suppressed errors, rerun with: -v
 ==PID== Use --track-origins=yes to see where uninitialised values come from
-==PID== ERROR SUMMARY: 175 errors from 12 contexts (suppressed: 0 from 0)
+==PID== ERROR SUMMARY: 255 errors from 31 contexts (suppressed: 0 from 0)

From @eserte

Dana Sat, 27 Oct 2018 10​:15​:02 -0700, jkeenan reče​:

On Wed, 12 Sep 2018 16​:03​:42 GMT, ppisar wrote​:

On 2018-09-11, Karl Williamson <public@​khwilliamson.com> wrote​:

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the warnings,
but the
make test crashes before it gets to where the failures in this
ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

Make utf8_to_uvchr() safer

This function is deprecated because the API doesn't allow it to
determine the end of the input string, so it can read off the far
end.
But I just realized that since many strings are NUL-terminated, so
we
can forbid it from reading past the next NUL, and hence make it
safe
in
many cases.

to perl-5.28.0. Then unpatched Tk crashed for me in
Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow;
$m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:",
len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk
(layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38,
maxPtr=maxPtr@​entry=0x7ffdcbaaed2c,
start=start@​entry=0x55a6feecede0
"Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27) at
tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout
(tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:",
numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0, justify=justify@​entry=TK_JUSTIFY_CENTER,
flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8,
heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry
(butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged
(instanceData=instanceData@​entry=0x55a6feebdf50) at
tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton
(interp=interp@​entry=0x55a6fec3aea0,
butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2,
objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd
(clientData=clientData@​entry=0x55a6feebdf50,
interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4,
objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260,
cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub
(my_perl=0x55a6fe680260)
at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard
(my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>,
my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>,
argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the new
API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show up a
bug
in the library.

valgrind reports plenty of jumps depending on an unitilaized memory
in
Tk-Pod XS code on patched and unpatatched perl. The crash happens on
patched perl randomly. I compared valgrind output between patched and
unpatched perl and found this new error important​:

==PID== Use of uninitialised value of size 8
==PID== at ADDRESS​: Tcl_NumUtfChars (encGlue.c​:117)
==PID== by ADDRESS​: NewChunk (tkFont.c​:3298)
==PID== by ADDRESS​: Tk_ComputeTextLayout (tkFont.c​:1977)
==PID== by ADDRESS​: TkpComputeButtonGeometry (tkUnixButton.c​:602)
==PID== by ADDRESS​: TkButtonWorldChanged (tkButton.c​:1392)
==PID== by ADDRESS​: ConfigureButton (tkButton.c​:1279)
==PID== by ADDRESS​: ButtonWidgetObjCmd (tkButton.c​:823)
==PID== by ADDRESS​: Call_Tk (tkGlue.c​:2260)
==PID== by ADDRESS​: XStoWidget (tkGlue.c​:2627)
==PID== by ADDRESS​: Perl_pp_entersub (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: Perl_runops_standard (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: perl_run (in /usr/lib64/libperl.so.5.28.0)

The encGlue.c​:117 is at​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

It's the same place found by a debugger. I don't think valgrind
provides any
other usefull clues. Here is the complete difference if you are
interested​:

[snip -- moved to attachment]

-- Petr

Could we get an update on the status of this ticket?

khw has mentioned to me​:

"These probably indicate potential security flaws, which the
maintainer(s) really should investigate. These are scary, and this
code may already be being used as an attack vector."

Speaking of scary ... the other day I attempted to build Tk against
perl-5.29.4. My computer crashed during the test suite. Twice.

I see "Out of memory" errors when running the test suite with 5.29.4. Probably it's a good idea to run smokers with memory resource limits (on my systems it's limited to 1 GB memory consumption) to protect the system from such problems.

From @jkeenan

On Sat, 27 Oct 2018 17​:30​:58 GMT, slaven@​rezic.de wrote​:

Dana Sat, 27 Oct 2018 10​:15​:02 -0700, jkeenan reče​:

On Wed, 12 Sep 2018 16​:03​:42 GMT, ppisar wrote​:

On 2018-09-11, Karl Williamson <public@​khwilliamson.com> wrote​:

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com> wrote​:

I edited encGlue.c to get rid of all these and all the
warnings,
but the
make test crashes before it gets to where the failures in this
ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

Make utf8_to_uvchr() safer

This function is deprecated because the API doesn't allow it to
determine the end of the input string, so it can read off the
far
end.
But I just realized that since many strings are NUL-terminated,
so
we
can forbid it from reading past the next NUL, and hence make it
safe
in
many cases.

to perl-5.28.0. Then unpatched Tk crashed for me in
Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow;
$m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m->PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:",
len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk
(layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38,
maxPtr=maxPtr@​entry=0x7ffdcbaaed2c,
start=start@​entry=0x55a6feecede0
"Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27)
at
tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout
(tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:",
numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0,
justify=justify@​entry=TK_JUSTIFY_CENTER,
flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8,
heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry
(butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged
(instanceData=instanceData@​entry=0x55a6feebdf50) at
tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton
(interp=interp@​entry=0x55a6fec3aea0,
butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2,
objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd
(clientData=clientData@​entry=0x55a6feebdf50,
interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4,
objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260,
cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub
(my_perl=0x55a6fe680260)
at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard
(my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized out>,
my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>,
argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the
new
API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show up
a
bug
in the library.

valgrind reports plenty of jumps depending on an unitilaized memory
in
Tk-Pod XS code on patched and unpatatched perl. The crash happens
on
patched perl randomly. I compared valgrind output between patched
and
unpatched perl and found this new error important​:

==PID== Use of uninitialised value of size 8
==PID== at ADDRESS​: Tcl_NumUtfChars (encGlue.c​:117)
==PID== by ADDRESS​: NewChunk (tkFont.c​:3298)
==PID== by ADDRESS​: Tk_ComputeTextLayout (tkFont.c​:1977)
==PID== by ADDRESS​: TkpComputeButtonGeometry
(tkUnixButton.c​:602)
==PID== by ADDRESS​: TkButtonWorldChanged (tkButton.c​:1392)
==PID== by ADDRESS​: ConfigureButton (tkButton.c​:1279)
==PID== by ADDRESS​: ButtonWidgetObjCmd (tkButton.c​:823)
==PID== by ADDRESS​: Call_Tk (tkGlue.c​:2260)
==PID== by ADDRESS​: XStoWidget (tkGlue.c​:2627)
==PID== by ADDRESS​: Perl_pp_entersub (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: Perl_runops_standard (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: perl_run (in /usr/lib64/libperl.so.5.28.0)

The encGlue.c​:117 is at​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

It's the same place found by a debugger. I don't think valgrind
provides any
other usefull clues. Here is the complete difference if you are
interested​:

[snip -- moved to attachment]

-- Petr

Could we get an update on the status of this ticket?

khw has mentioned to me​:

"These probably indicate potential security flaws, which the
maintainer(s) really should investigate. These are scary, and this
code may already be being used as an attack vector."

Speaking of scary ... the other day I attempted to build Tk against
perl-5.29.4. My computer crashed during the test suite. Twice.

I see "Out of memory" errors when running the test suite with 5.29.4.
Probably it's a good idea to run smokers with memory resource limits
(on my systems it's limited to 1 GB memory consumption) to protect the
system from such problems.

These crashes were *not* in the context of smoke-testing. It was a simple attempt to install modules against perl-5.29.4 (or a commit very close to that) using 'cpanm' as the installer. This was done on my laptop which has lots of RAM and swap available.

Over the past year I've done that many times on Linux, so these crashes with Tk are a recent development.

Thank you very much.

--
James E Keenan (jkeenan@​cpan.org)

From @eserte

Dana Sat, 27 Oct 2018 13​:32​:07 -0700, jkeenan reče​:

On Sat, 27 Oct 2018 17​:30​:58 GMT, slaven@​rezic.de wrote​:

Dana Sat, 27 Oct 2018 10​:15​:02 -0700, jkeenan reče​:

On Wed, 12 Sep 2018 16​:03​:42 GMT, ppisar wrote​:

On 2018-09-11, Karl Williamson <public@​khwilliamson.com> wrote​:

On 09/10/2018 06​:00 AM, Petr Pisar wrote​:

On 2018-07-08, Karl Williamson <public@​khwilliamson.com>
wrote​:

I edited encGlue.c to get rid of all these and all the
warnings,
but the
make test crashes before it gets to where the failures in
this
ticket occur.

I came across this issue when I applied​:

commit aa3c16b
Author​: Karl Williamson <khw@​cpan.org>
Date​: Tue Jul 17 13​:57​:54 2018 -0600

Make utf8_to_uvchr() safer

This function is deprecated because the API doesn't allow it
to
determine the end of the input string, so it can read off the
far
end.
But I just realized that since many strings are NUL-
terminated,
so
we
can forbid it from reading past the next NUL, and hence make
it
safe
in
many cases.

to perl-5.28.0. Then unpatched Tk crashed for me in
Tcl_NumUtfChars() at
encGlue.c​:117​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

when debugigng Tk-Pod-0.9943 test failure like this​:

$ DISPLAY=​:99 perl -Iblib/lib -e 'use Tk​::MainWindow;
$m=Tk​::MainWindow->new; require Tk​::Pod​::Search; $m-

PodSearch'

The backtrace was​:

#0 Tcl_NumUtfChars (src=src@​entry=0x55a6feecede0 "Search​:",
len=25087, len@​entry=1853537494) at encGlue.c​:117
#1 0x00007f076e750fc4 in NewChunk
(layoutPtrPtr=layoutPtrPtr@​entry=0x7ffdcbaaed38,
maxPtr=maxPtr@​entry=0x7ffdcbaaed2c,
start=start@​entry=0x55a6feecede0
"Search​:",
numBytes=numBytes@​entry=1853537494, curX=0, newX=9, y=27)
at
tkFont.c​:3298
#2 0x00007f076e751c93 in Tk_ComputeTextLayout
(tkfont=0x55a6fee8afe0, string=0x55a6feecede0 "Search​:",
numChars=<optimized out>, numChars@​entry=-1, wrapLength=-1,
wrapLength@​entry=0,
justify=justify@​entry=TK_JUSTIFY_CENTER,
flags=1, flags@​entry=0, widthPtr=0x55a6feebe0c8,
heightPtr=0x55a6feebe0cc) at tkFont.c​:1977
#3 0x00007f076e78019e in TkpComputeButtonGeometry
(butPtr=butPtr@​entry=0x55a6feebdf50) at tkUnixButton.c​:602
#4 0x00007f076e749351 in TkButtonWorldChanged
(instanceData=instanceData@​entry=0x55a6feebdf50) at
tkButton.c​:1392
#5 0x00007f076e749928 in ConfigureButton
(interp=interp@​entry=0x55a6fec3aea0,
butPtr=butPtr@​entry=0x55a6feebdf50, objc=objc@​entry=2,
objv=objv@​entry=0x55a6fe685a98)
at tkButton.c​:1279
#6 0x00007f076e74a572 in ButtonWidgetObjCmd
(clientData=clientData@​entry=0x55a6feebdf50,
interp=interp@​entry=0x55a6fec3aea0, objc=objc@​entry=4,
objv=objv@​entry=0x55a6fe685a88)
at tkButton.c​:823
#7 0x00007f076e729560 in Call_Tk () at tkGlue.c​:2260
#8 0x00007f076e729b4d in XStoWidget (my_perl=0x55a6fe680260,
cv=0x55a6fea63e58) at tkGlue.c​:2627
#9 0x00007f076ef91299 in Perl_pp_entersub
(my_perl=0x55a6fe680260)
at pp_hot.c​:5232
#10 0x00007f076ef87485 in Perl_runops_standard
(my_perl=0x55a6fe680260) at run.c​:42
#11 0x00007f076ef03fdd in S_run_body (oldscope=<optimized
out>,
my_perl=<optimized out>) at perl.c​:2689
#12 perl_run (my_perl=0x55a6fe680260) at perl.c​:2617
#13 0x000055a6fd8ab26a in main (argc=<optimized out>,
argv=<optimized out>, env=<optimized out>) at perlmain.c​:122

The "Search​:" string 25087 length seems dubious.

Maybe it's the same reason why your attempt to port Tk to the
new
API
ends with a crash.

-- Petr

Could you run this under valgrind? I suspect this would show
up
a
bug
in the library.

valgrind reports plenty of jumps depending on an unitilaized
memory
in
Tk-Pod XS code on patched and unpatatched perl. The crash happens
on
patched perl randomly. I compared valgrind output between patched
and
unpatched perl and found this new error important​:

==PID== Use of uninitialised value of size 8
==PID== at ADDRESS​: Tcl_NumUtfChars (encGlue.c​:117)
==PID== by ADDRESS​: NewChunk (tkFont.c​:3298)
==PID== by ADDRESS​: Tk_ComputeTextLayout (tkFont.c​:1977)
==PID== by ADDRESS​: TkpComputeButtonGeometry
(tkUnixButton.c​:602)
==PID== by ADDRESS​: TkButtonWorldChanged (tkButton.c​:1392)
==PID== by ADDRESS​: ConfigureButton (tkButton.c​:1279)
==PID== by ADDRESS​: ButtonWidgetObjCmd (tkButton.c​:823)
==PID== by ADDRESS​: Call_Tk (tkGlue.c​:2260)
==PID== by ADDRESS​: XStoWidget (tkGlue.c​:2627)
==PID== by ADDRESS​: Perl_pp_entersub (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: Perl_runops_standard (in
/usr/lib64/libperl.so.5.28.0)
==PID== by ADDRESS​: perl_run (in /usr/lib64/libperl.so.5.28.0)

The encGlue.c​:117 is at​:

int
Tcl_NumUtfChars(CONST char * src, int len)
{
U8 *s = (U8 *) src;
U8 *send;
if (len < 0)
len = strlen(src);
send = s + len;
len = 0;
while (s < send)
{
→ s += UTF8SKIP(s);
len++;
}
return len;
}

It's the same place found by a debugger. I don't think valgrind
provides any
other usefull clues. Here is the complete difference if you are
interested​:

[snip -- moved to attachment]

-- Petr

Could we get an update on the status of this ticket?

khw has mentioned to me​:

"These probably indicate potential security flaws, which the
maintainer(s) really should investigate. These are scary, and this
code may already be being used as an attack vector."

Speaking of scary ... the other day I attempted to build Tk against
perl-5.29.4. My computer crashed during the test suite. Twice.

I see "Out of memory" errors when running the test suite with 5.29.4.
Probably it's a good idea to run smokers with memory resource limits
(on my systems it's limited to 1 GB memory consumption) to protect
the
system from such problems.

These crashes were *not* in the context of smoke-testing. It was a
simple attempt to install modules against perl-5.29.4 (or a commit
very close to that) using 'cpanm' as the installer.

There's actually no difference between smoke-testing and normal installation of CPAN modules (if testing is not turned off). In fact, I use my smoke-test wrapper in normal life to install CPAN modules.

This was done on
my laptop which has lots of RAM and swap available.

And Perl can easily address all of this memory.

Over the past year I've done that many times on Linux, so these
crashes with Tk are a recent development.

A cursory look at the "Out of memory" failures suggest that this is another problem than the one discussed in this ticket. Maybe a bisect would help here (and of course limits have to be set before to protect the system from memory exhaustion).

From @eserte

Dana Sat, 27 Oct 2018 14​:07​:01 -0700, slaven@​rezic.de reče​:
[...]

A cursory look at the "Out of memory" failures suggest that this is
another problem than the one discussed in this ticket. Maybe a bisect
would help here (and of course limits have to be set before to protect
the system from memory exhaustion).

If the deprecated (but still existing) functions in Tk's encGlue.c are replaced, then the Out of memory errors do not happen anymore. These are​:
- Perl_is_uni_alpha
- Perl_is_uni_alnum
- Perl_is_uni_space
- Perl_is_uni_upper
- utf8_to_uvchr
- Perl_to_utf8_lower
- Perl_to_utf8_upper

So it looks like changes in one or more of these functions were causing the problems.

From @khwilliamson

On 12/23/18 2​:41 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 27 Oct 2018 14​:07​:01 -0700, slaven@​rezic.de reče​:
[...]

A cursory look at the "Out of memory" failures suggest that this is
another problem than the one discussed in this ticket. Maybe a bisect
would help here (and of course limits have to be set before to protect
the system from memory exhaustion).

If the deprecated (but still existing) functions in Tk's encGlue.c are replaced, then the Out of memory errors do not happen anymore. These are​:
- Perl_is_uni_alpha
- Perl_is_uni_alnum
- Perl_is_uni_space
- Perl_is_uni_upper
- utf8_to_uvchr
- Perl_to_utf8_lower
- Perl_to_utf8_upper

So it looks like changes in one or more of these functions were causing the problems.

I don't understand what you are replacing them with.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133347

From @eserte

Dana Wed, 26 Dec 2018 15​:55​:55 -0800, public@​khwilliamson.com reče​:

On 12/23/18 2​:41 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 27 Oct 2018 14​:07​:01 -0700, slaven@​rezic.de reče​:
[...]

A cursory look at the "Out of memory" failures suggest that this is
another problem than the one discussed in this ticket. Maybe a
bisect
would help here (and of course limits have to be set before to
protect
the system from memory exhaustion).

If the deprecated (but still existing) functions in Tk's encGlue.c
are replaced, then the Out of memory errors do not happen anymore.
These are​:
- Perl_is_uni_alpha
- Perl_is_uni_alnum
- Perl_is_uni_space
- Perl_is_uni_upper
- utf8_to_uvchr
- Perl_to_utf8_lower
- Perl_to_utf8_upper

So it looks like changes in one or more of these functions were
causing the problems.

I don't understand what you are replacing them with.

The Perl/Tk test suite fails with Out of memory errors since perl 5.29.x. This was not the case with earlier perl versions, and it is not the case after the above mentioned functions are not used anymore in Perl/Tk's encGlue.c. So it looks to me that there was a change in one or more of the mentioned functions which is causing the problems in Perl/Tk's test suite.

From @khwilliamson

On Thu, 27 Dec 2018 01​:25​:03 -0800, slaven@​rezic.de wrote​:

Dana Wed, 26 Dec 2018 15​:55​:55 -0800, public@​khwilliamson.com reče​:

On 12/23/18 2​:41 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 27 Oct 2018 14​:07​:01 -0700, slaven@​rezic.de reče​:
[...]

A cursory look at the "Out of memory" failures suggest that this
is
another problem than the one discussed in this ticket. Maybe a
bisect
would help here (and of course limits have to be set before to
protect
the system from memory exhaustion).

If the deprecated (but still existing) functions in Tk's encGlue.c
are replaced, then the Out of memory errors do not happen anymore.
These are​:
- Perl_is_uni_alpha
- Perl_is_uni_alnum
- Perl_is_uni_space
- Perl_is_uni_upper
- utf8_to_uvchr
- Perl_to_utf8_lower
- Perl_to_utf8_upper

So it looks like changes in one or more of these functions were
causing the problems.

I don't understand what you are replacing them with.

The Perl/Tk test suite fails with Out of memory errors since perl
5.29.x. This was not the case with earlier perl versions, and it is
not the case after the above mentioned functions are not used anymore
in Perl/Tk's encGlue.c. So it looks to me that there was a change in
one or more of the mentioned functions which is causing the problems
in Perl/Tk's test suite.

I tried to update this ticket some time ago, but it didn't take. Here is the commit message.

commit b750228
Author​: Karl Williamson <khw@​cpan.org>
Date​: Thu Mar 28 18​:22​:11 2019 -0600

  PATCH​: [perl #133347] Tk broken
 
  This was caused by utf8_to_uvchr() failing to set the returned ptr
  in some circumstances, leading to reading uninitialized memory.
 
  A test failure remains, and I'll wait for Slaven's feedback before
  looking further into that. It is in t/photo.t
 
  couldn't recognize image data at blib/lib/Tk/Image.pm line 21.
  # Looks like your test exited with 255 just after 100
 
  And it's trying at that point to look at 'Xcamel.gif'
--
Karl Williamson

From @eserte

Dana Mon, 15 Apr 2019 20​:19​:20 -0700, khw reče​:

On Thu, 27 Dec 2018 01​:25​:03 -0800, slaven@​rezic.de wrote​:

Dana Wed, 26 Dec 2018 15​:55​:55 -0800, public@​khwilliamson.com reče​:

On 12/23/18 2​:41 PM, slaven@​rezic.de via RT wrote​:

Dana Sat, 27 Oct 2018 14​:07​:01 -0700, slaven@​rezic.de reče​:
[...]

A cursory look at the "Out of memory" failures suggest that this
is
another problem than the one discussed in this ticket. Maybe a
bisect
would help here (and of course limits have to be set before to
protect
the system from memory exhaustion).

If the deprecated (but still existing) functions in Tk's
encGlue.c
are replaced, then the Out of memory errors do not happen
anymore.
These are​:
- Perl_is_uni_alpha
- Perl_is_uni_alnum
- Perl_is_uni_space
- Perl_is_uni_upper
- utf8_to_uvchr
- Perl_to_utf8_lower
- Perl_to_utf8_upper

So it looks like changes in one or more of these functions were
causing the problems.

I don't understand what you are replacing them with.

The Perl/Tk test suite fails with Out of memory errors since perl
5.29.x. This was not the case with earlier perl versions, and it is
not the case after the above mentioned functions are not used anymore
in Perl/Tk's encGlue.c. So it looks to me that there was a change in
one or more of the mentioned functions which is causing the problems
in Perl/Tk's test suite.

I tried to update this ticket some time ago, but it didn't take. Here
is the commit message.

commit b750228
Author​: Karl Williamson <khw@​cpan.org>
Date​: Thu Mar 28 18​:22​:11 2019 -0600

PATCH​: [perl #133347] Tk broken

This was caused by utf8_to_uvchr() failing to set the returned ptr
in some circumstances, leading to reading uninitialized memory.

A test failure remains, and I'll wait for Slaven's feedback before
looking further into that. It is in t/photo.t

couldn't recognize image data at blib/lib/Tk/Image.pm line 21.
# Looks like your test exited with 255 just after 100

And it's trying at that point to look at 'Xcamel.gif'

There are again pass reports for Tk with bleadperl​:
http​://matrix.cpantesters.org/?dist=Tk%20804.034;perl=5.29.10;reports=1

I cannot reproduce the photo.t failure. Possibly a problem limited to a specific system/perl configuration --- this may be discussed in the Tk RT queue.

From my point of view this ticket may be closed.

Regards,
  Slaven

From @khwilliamson

Closed with OP's concurrence
--
Karl Williamson

@khwilliamson - Status changed from 'open' to 'pending release'

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.30.0, this and 160 other issues have been
resolved.

Perl 5.30.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.30.0

If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'