Null pointer dereference in S_SvREFCNT_dec #16627
Comments
From @geeknik:

./perl -e 'for$0(qw(0 0)){push@r,qr/@r(?{})/}'

triggers a null pointer dereference:

==10676==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
AddressSanitizer can not provide additional info.
This is still present in v39.10
I don't get a null pointer dereference, but I'm not using ASan either.
Slightly reduced:
This segfaults about 50% of the time for me.
... which is what I also get on Ubuntu Linux 22.04 LTS. But on FreeBSD-13, I don't get any message or segfault.
n looks like a fill pointer for pRExC_state->code_blocks->cb. It is a local variable in S_concat_pat that is incremented in several places. S_concat_pat also calls itself, but the recursive call has its own n. That feels wrong. Use a pointer to make all recursive invocations of S_concat_pat share the same n, which is actually "allocated" at the top level (where S_concat_pat is invoked with pn = NULL). Cf. Perl#16627.
I have a patch that seems to fix this issue: mauke@039cadf. However, this patch was written based on vibes, not any deep understanding of the code. I'd appreciate any review of what's going on here. @iabyn ?
I have a very similar patch in development (passing address of n as a pointer), but there are some subtleties you've missed (notably at line 734, *pn shouldn't be reset to zero). I wasn't entirely happy with my branch, so I was going to leave it until tomorrow to see if there was a more elegant fix. Probably best to leave this one to me - it was my mistake in the first place.
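The commit message above describes a fill pointer that is a local variable in a recursive function, so each recursive call restarts its own counter and overwrites entries the caller already stored; the proposed fix threads the counter through by address, with the top-level call (pn == NULL) owning it, and the review note adds that nested calls must not reset it. The following is an added, constructed C illustration of that pattern in miniature, not Perl's S_concat_pat or the patch itself: the names concat_broken, concat_fixed, struct part, MAX_CB and demo_concat are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the shared-fill-pointer pattern; not Perl's
 * regex compiler. A "pattern" is a list of parts: a literal token that is
 * recorded into the code-block buffer, or a nested sub-list handled by a
 * recursive call (like a qr// object interpolated into an outer pattern). */

enum { MAX_CB = 16 };

struct part {
    int literal;              /* token to record when sub == NULL */
    const struct part *sub;   /* nested sub-pattern, or NULL for a literal */
    size_t nsub;              /* number of entries in sub */
};

/* Broken variant: every invocation has its own `n`, so a nested call starts
 * writing at cb[0] again and clobbers what the caller already stored, and the
 * count it reached is lost on return. Mirrors the bug the commit describes. */
static size_t concat_broken(const struct part *parts, size_t nparts, int *cb)
{
    size_t n = 0;                               /* local fill pointer: the bug */
    for (size_t i = 0; i < nparts; i++) {
        if (parts[i].sub)
            concat_broken(parts[i].sub, parts[i].nsub, cb); /* inner n discarded */
        else if (n < MAX_CB)
            cb[n++] = parts[i].literal;
    }
    return n;
}

/* Fixed variant: the fill pointer lives in the outermost call, which is
 * invoked with pn == NULL and "allocates" the counter itself; recursive calls
 * receive its address and never reset it (the reviewer's caveat), so every
 * level appends after the entries already recorded. */
static size_t concat_fixed(const struct part *parts, size_t nparts,
                           int *cb, size_t *pn)
{
    size_t n_top = 0;
    if (pn == NULL)
        pn = &n_top;                            /* only the top level owns n */
    for (size_t i = 0; i < nparts; i++) {
        if (parts[i].sub)
            concat_fixed(parts[i].sub, parts[i].nsub, cb, pn); /* shared n */
        else if (*pn < MAX_CB)
            cb[(*pn)++] = parts[i].literal;
    }
    return *pn;
}

/* Runs one constructed sample, [1, {2, 3}, 4], through either variant and
 * returns the count the top-level call reports; cb receives the buffer.
 * Broken: returns 2 with cb = {2, 4, ...}; fixed: returns 4 with cb = {1, 2, 3, 4}. */
size_t demo_concat(int use_fixed, int cb[MAX_CB])
{
    static const struct part inner[] = { {2, NULL, 0}, {3, NULL, 0} };
    static const struct part outer[] = {
        {1, NULL, 0}, {0, inner, 2}, {4, NULL, 0}
    };
    memset(cb, 0, sizeof(int) * MAX_CB);
    return use_fixed ? concat_fixed(outer, 3, cb, NULL)
                     : concat_broken(outer, 3, cb);
}

int main(void)
{
    int cb[MAX_CB];
    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t n = demo_concat(fixed, cb);
        printf("%s: n=%zu cb=", fixed ? "fixed " : "broken", n);
        for (size_t i = 0; i < n; i++)
            printf("%d ", cb[i]);
        printf("\n");
    }
    return 0;
}
```

In the broken variant the outer call ends up believing it recorded two entries while the buffer actually holds a mix of the inner call's writes and its own, which is exactly the kind of mismatch between the recorded count and the buffer contents that leaves a later consumer reading an unset slot.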
Migrated from rt.perl.org#133369 (status was 'new')
Searchable as RT133369$