Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segfault when assigning to array that is being iterated over #6079

Open
p5pRT opened this issue Nov 18, 2002 · 8 comments
Open

Segfault when assigning to array that is being iterated over #6079

p5pRT opened this issue Nov 18, 2002 · 8 comments
Labels
distro-Linux hasCoreDump leak/refcount/malloc type-core

Comments

@p5pRT
Copy link

p5pRT commented Nov 18, 2002

Migrated from rt.perl.org#18489 (status was 'open')

Searchable as RT18489$
@p5pRT
Copy link
Author

p5pRT commented Nov 18, 2002

From rune.froysa@usit.uio.no

Created by runefro@ulrik.uio.no

Running the below program results in​:

  Attempt to free unreferenced scalar at ../perl-bug-segfault line 10.
  Segmentation fault

Uncommenting the find line, and commenting the @​files declaration
segfaults with no message.

#!/usr/bin/perl
use File​::Find;

sub wanted{
  push(@​files, $File​::Find​::name);
}

#find(\&wanted, '.');
@​files = ('foo', 'ar', 'gazonk');
for my $path (sort(@​files)) {
  $t = '\0\A';
  $t =~ s/\\([nA])/&convpart($`, $1)/eg;
}

sub convpart {
  my ($dir, $fname) = ( 'foo' =~ m,(.*/)([^/]+)$,);
  opendir(DIR, $dir);
  @​files = sort(grep {/^$fname/} readdir(DIR));
  closedir(DIR);
}

Perl Info 

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.0:

Configured by bhcompile at Sun Sep  1 23:55:07 EDT 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.18-11smp, archname=i386-linux-thread-multi
    uname='linux daffy.perf.redhat.com 2.4.18-11smp #1 smp thu aug 15 06:41:59 edt 2002 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -march=i386 -mcpu=i686 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=de
fine
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -march=i386 -mcpu=i686',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/include/gdbm'
    ccversion='', gccversion='3.2 20020822 (Red Hat Linux Rawhide 3.2-5)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lpthread -lc -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lcrypt -lutil
    libc=/lib/libc-2.2.92.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.2.92'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic -Wl,-rpath,/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    .


Environment for perl v5.8.0:
    HOME=/home/runefro
    LANG=en_US.iso885915
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/local/runefro/gnu/bin:/home/runefro/bin/linux:/home/runefro/bin:/local2/bin:/usr/bin:/usr/X11R6/bin:/local/gnu/bin:/local/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/runefro/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

@p5pRT
Copy link
Author

p5pRT commented Nov 19, 2002

From @andk

On 18 Nov 2002 22​:30​:21 -0000, Rune Froysa (via RT) <perlbug@​perl.org> said​:

  > # New Ticket Created by Rune Froysa
  > # Please include the string​: [perl #18489]
  > # in the subject line of all future correspondence about this issue.
  > # <URL​: http​://rt.perl.org/rt2/Ticket/Display.html?id=18489 >

  > This is a bug report for perl from runefro@​ulrik.uio.no,
  > generated with the help of perlbug 1.34 running under perl v5.8.0.

  > -----------------------------------------------------------------
  > [Please enter your report here]

  > Running the below program results in​:

  > Attempt to free unreferenced scalar at ../perl-bug-segfault line 10.
  > Segmentation fault

  > Uncommenting the find line, and commenting the @​files declaration
  > segfaults with no message.

  > #!/usr/bin/perl
  > use File​::Find;

  > sub wanted{
  > push(@​files, $File​::Find​::name);
  > }

  > #find(\&wanted, '.');
  > @​files = ('foo', 'ar', 'gazonk');
  > for my $path (sort(@​files)) {
  > $t = '\0\A';
  > $t =~ s/\\([nA])/&amp;convpart($`, $1)/eg;
  > }

  > sub convpart {
  > my ($dir, $fname) = ( 'foo' =~ m,(.*/)([^/]+)$,);
  > opendir(DIR, $dir);
  > @​files = sort(grep {/^$fname/} readdir(DIR));
  > closedir(DIR);
  > }

SEGV confirmed for shorter test​:

@​files = (1,2);
for (sort @​files) {
  @​files = ();
}

--
andreas

@p5pRT
Copy link
Author

p5pRT commented Nov 25, 2002

From @rspier

Actually, I've just noticed that this bug report is a duplicate of
#18489,

I have merged the tickets.

-R

@p5pRT
Copy link
Author

p5pRT commented Mar 29, 2006

From @smpeters

[andk - Tue Nov 19 00​:14​:59 2002]​:

On 18 Nov 2002 22​:30​:21 -0000, Rune Froysa (via RT)
<perlbug@​perl.org> said​:

# New Ticket Created by Rune Froysa
# Please include the string​: [perl #18489]
# in the subject line of all future correspondence about this
issue.
# <URL​: http​://rt.perl.org/rt2/Ticket/Display.html?id=18489 >

This is a bug report for perl from runefro@​ulrik.uio.no,
generated with the help of perlbug 1.34 running under perl v5.8.0.

-----------------------------------------------------------------
[Please enter your report here]

Running the below program results in​:

Attempt to free unreferenced scalar at ../perl-bug-segfault line
10.
Segmentation fault

Uncommenting the find line, and commenting the @​files declaration
segfaults with no message.

#!/usr/bin/perl
use File​::Find;

sub wanted{
push(@​files, $File​::Find​::name);
}

#find(\&wanted, '.');
@​files = ('foo', 'ar', 'gazonk');
for my $path (sort(@​files)) {
$t = '\0\A';
$t =~ s/\\([nA])/&amp;convpart($`, $1)/eg;
}

sub convpart {
my ($dir, $fname) = ( 'foo' =~ m,(.*/)([^/]+)$,);
opendir(DIR, $dir);
@​files = sort(grep {/^$fname/} readdir(DIR));
closedir(DIR);
}

SEGV confirmed for shorter test​:

@​files = (1,2);
for (sort @​files) {
@​files = ();
}

The problem segfault has sometime in the past been replaced with a
troublesome panic. Better, but still a problem.

steve@​kirk​:~/smoke/perl-current$ ./perl rt_18489.pl
Use of freed value in iteration at rt_18489.pl line 5.

steve@​kirk​:~/smoke/perl-current$ cat rt_18489.pl
#!perl -w

@​files = (1,2);
for (sort @​files) {
  @​files = ();
}

@p5pRT
Copy link
Author

p5pRT commented Sep 6, 2010

From @iabyn

This bug is due to the generic issue of the perl stack not being
reference counted, and is essentially unfixable. The workaround is
to not modify arrays whose elements are being iterated.

@p5pRT
Copy link
Author

p5pRT commented Mar 29, 2012

From @jkeenan

On Mon Sep 06 08​:40​:29 2010, davem wrote​:

This bug is due to the generic issue of the perl stack not being
reference counted, and is essentially unfixable. The workaround is
to not modify arrays whose elements are being iterated.

If so, do we need to keep this RT open?

@p5pRT
Copy link
Author

p5pRT commented Mar 29, 2012

From @cpansprout

On Wed Mar 28 18​:33​:40 2012, jkeenan wrote​:

On Mon Sep 06 08​:40​:29 2010, davem wrote​:

This bug is due to the generic issue of the perl stack not being
reference counted, and is essentially unfixable. The workaround is
to not modify arrays whose elements are being iterated.

If so, do we need to keep this RT open?

I think we ought to, since I have thought about ways to make the stack
reference-counted, and it might actually be doable in the end.

--

Father Chrysostomos

@p5pRT
Copy link
Author

p5pRT commented Apr 5, 2012

From @rjbs

* Father Chrysostomos via RT <perlbug-followup@​perl.org> [2012-03-29T01​:56​:51]

On Wed Mar 28 18​:33​:40 2012, jkeenan wrote​:

On Mon Sep 06 08​:40​:29 2010, davem wrote​:

This bug is due to the generic issue of the perl stack not being
reference counted, and is essentially unfixable. The workaround is
to not modify arrays whose elements are being iterated.

If so, do we need to keep this RT open?

I think we ought to, since I have thought about ways to make the stack
reference-counted, and it might actually be doable in the end.

If it's sticking around, it needs a better description than "5.8.0 segfaults"

--
rjbs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
distro-Linux hasCoreDump leak/refcount/malloc type-core
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@xenu @p5pRT