delete $_[0] + (\$) prototype = bad free #7202

Closed
p5pRT opened this issue Mar 29, 2004 · 4 comments

Comments

p5pRT commented Mar 29, 2004

Migrated from rt.perl.org#28032 (status was 'resolved')

Searchable as RT28032$


p5pRT commented Mar 29, 2004

From jahqueel@yahoo.com

Created by jahqueel@yahoo.com

This is a bug report for perl from jahqueel@yahoo.com,
generated with the help of perlbug 1.34 running under perl v5.8.2.

-----------------------------------------------------------------

$ perl -le 'sub foo (\$) { delete $_[0] } foo $bar'
Attempt to free unreferenced scalar: SV 0x81401c8.

The variable passed doesn't matter. Cheers!

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl v5.8.2:

Configured by root at Mon Mar 15 06:46:15 PST 2004.

Summary of my perl5 (revision 5.0 version 8 subversion 2)
configuration:
  Platform:
    osname=linux, osvers=2.6.3-rc2-gentoo, archname=i686-linux
    uname='linux riverrun 2.6.3-rc2-gentoo #1 fri feb 13 13:01:14 pst
2004 i686 amd athlon(tm) processor authenticamd gnulinux '
    config_args='-des -Darchname=i686-linux -Dcccdlflags=-fPIC
-Dccdlflags=-rdynamic -Dcc=gcc -Dprefix=/usr -Dvendorprefix=/usr
-Dsiteprefix=/usr -Dlocincpth=  -Doptimize=-O2 -mcpu=i686 -pipe
-Duselargefiles -Dd_dosuid -Dd_semctl_semun -Dscriptdir=/usr/bin
-Dman3ext=3pm -Dcf_by=Gentoo -Ud_csh -Di_gdbm -Di_db -Di_ndbm'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef
usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-fno-strict-aliasing -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
    optimize='-O2 -mcpu=i686 -pipe',
    cppflags='-DPERL5 -fno-strict-aliasing'
    ccversion='', gccversion='3.3.2 20031218 (Gentoo Linux 3.3.2-r5,
propolice-3.3-7)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lpthread -lnsl -lndbm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef,
ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.8.2:
    /etc/perl
    /usr/lib/perl5/site_perl/5.8.2/i686-linux
    /usr/lib/perl5/site_perl/5.8.2
    /usr/lib/perl5/site_perl/5.8.0/i686-linux
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.2/i686-linux
    /usr/lib/perl5/vendor_perl/5.8.2
    /usr/lib/perl5/vendor_perl/5.8.0/i686-linux
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.2/i686-linux
    /usr/lib/perl5/5.8.2
    /usr/local/lib/site_perl
    /usr/lib/perl5/site_perl/5.8.0/i686-linux
    /usr/lib/perl5/site_perl/5.8.0
    .


Environment for perl v5.8.2:
    HOME=/home/jql
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/kde/3.2/bin:/bin:/usr/bin:/usr/local/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.3:/opt/ati/bin:/usr/X11R6/bin:/usr/qt/3/bin:/usr/kde/3.2/bin:/usr/kde/3.1/bin:/opt/vmware/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash




p5pRT commented Mar 31, 2004

From @iabyn

On Mon, Mar 29, 2004 at 12:42:47AM -0000, Ashley Winters wrote:

$ perl -le 'sub foo (\$) { delete $_[0] } foo $bar'
Attempt to free unreferenced scalar: SV 0x81401c8.

The variable passed doesn't matter. Cheers!

Thanks for the report and concise example!

I've found the fault; the special case array code that handles the fact
that @_ doesn't normally reference-count its elements for efficiency, was
missing from the relatively new av_delete() function. The patch below
to the development version of perl fixes it.

Dave.

--
O Unicef Clearasil!
Gibberish and Drivel!
  - "Bored of the Rings"

Change 22624 by davem@davem-percy on 2004/03/31 20:33:52

  [perl #28032] delete $_[0] + (\$) prototype = bad free
  av_delete() didn't reify. I also updated its description

Affected files ...

... //depot/perl/av.c#76 edit
... //depot/perl/t/op/args.t#8 edit

Differences ...

==== //depot/perl/av.c#76 (text) ====

@​@​ -782,7 +782,8 @​@​
=for apidoc av_delete

Deletes the element indexed by C<key> from the array. Returns the
-deleted element. C<flags> is currently ignored.
+deleted element. If C<flags> equals C<G_DISCARD>, the element is freed
+and null is returned.

=cut
*/
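Review bot: the rewritten apidoc now promises that C<G_DISCARD> frees the element and returns null, but no hunk in this change adds C<G_DISCARD> handling to av_delete(), and the text being removed said C<flags> was ignored; if the body already honoured C<G_DISCARD> before this change, the commit message should say the description was merely stale, otherwise the documentation now describes behaviour the function does not have. Since the next hunk makes av_delete() reify a non-real array before touching its elements, that side effect (deleting from C<@_> reifies it) is worth a sentence here too.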
@​@​ -840,6 +841,8 @​@​
  if (key > AvFILLp(av))
  return Nullsv;
  else {
+ if (!AvREAL(av) && AvREIFY(av))
+ av_reify(av);
  sv = AvARRAY(av)[key];
  if (key == AvFILLp(av)) {
  AvARRAY(av)[key] = &PL_sv_undef;
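Review bot: the guard `if (!AvREAL(av) && AvREIFY(av)) av_reify(av);` sits before `sv = AvARRAY(av)[key];` is read, which is the right order: the SV handed back (or freed under C<G_DISCARD>) then carries a reference the array really owns, instead of one borrowed from the caller's variable via C<@_> aliasing. The hunk shows only the C<else> branch after `if (key > AvFILLp(av))`; confirm that the negative-key path earlier in the function is normalised into this branch rather than indexing C<AvARRAY> on its own, otherwise it needs the same guard. A one-line comment saying why the reify is needed (C<@_> does not reference-count its elements, so returning an unreified element lets the delete op drop a reference the array never held) would save the next reader the trip to this ticket.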

==== //depot/perl/t/op/args.t#8 (xtext) ====

@​@​ -6,7 +6,7 @​@​
}

require './test.pl';
-plan( tests => 20 );
+plan( tests => 23 );

# test various operations on @​_

@​@​ -86,3 +86,22 @​@​
  is(join('',bar('d')),'Dd');
  is(join('',baz('e')),'eE');
}
+
+# [perl #28032] delete $_[0] was freeing things too early
+
+{
+ my $flag = 0;
+ sub X​::DESTROY { $flag = 1 }
+ sub f {
+ delete $_[0];
+ ok(!$flag, 'delete $_[0] : in f');
+ }
+ {
+ my $x = bless [], 'X';
+ f($x);
+ ok(!$flag, 'delete $_[0] : after f');
+ }
+ ok($flag, 'delete $_[0] : outside block');
+}
+
+
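Review bot: the new test calls `f($x)` directly, so C<$_[0]> is an alias to the caller's lexical; the ticket's reproducer (and this change's title) uses a C<(\$)> prototype, where C<$_[0]> is a fresh reference, so a second case such as `sub g (\$) { delete $_[0] }` called as `g($x)` would cover the form actually reported. The test also only detects a premature DESTROY, while the reported symptom was the 'Attempt to free unreferenced scalar' warning; a C<$SIG{__WARN__}> handler collecting warnings inside the same block, followed by an `is(scalar @warnings, 0, ...)`, would assert that directly (the plan bump would then be four, matching the three C<ok()> calls here plus that one).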

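The mechanism Dave describes above, as an added example that is not from the ticket, from perl's test suite or from anyone in this thread: a script that checks whether the perl it runs under still shows the av_delete() bug, first in-process with a DESTROY-counting object, then by running the ticket's own one-liner in a child perl and classifying the result. The package and function names (Tracker, drop_first_arg, destroy_timing_ok, reproducer_result) are this example's own, and the subprocess check assumes a POSIX shell for the 2>&1 redirect.

```perl
#!/usr/bin/perl
# Added example, not part of ticket #28032 or of perl's own test suite.
# Two checks for the av_delete() bug described in the thread: @_ aliases the
# caller's variables without owning a reference count, so a delete $_[0]
# that returns the element without first reifying @_ lets the delete op
# drop a reference the array never held.  Names (Tracker, drop_first_arg,
# destroy_timing_ok, reproducer_result) are this example's own choices.
use strict;
use warnings;

{
    # Constructed helper class: counts how many times DESTROY has run.
    package Tracker;
    our $destroyed = 0;
    sub new     { return bless {}, shift }
    sub DESTROY { $destroyed++ }
}

# The pattern from the ticket, minus the prototype: $_[0] is an alias to
# the caller's variable, and delete hands that SV back to the caller.
sub drop_first_arg { delete $_[0] }

# In-process check.  Returns 1 when DESTROY fires only after the caller's
# lexical leaves scope, 0 when it fires inside or straight after the call.
# On an unfixed perl the early free can also corrupt memory, so run the
# subprocess check below first if you suspect the perl is affected.
sub destroy_timing_ok {
    $Tracker::destroyed = 0;
    {
        my $obj = Tracker->new;
        drop_first_arg($obj);
        return 0 if $Tracker::destroyed;   # freed while $obj still owned it
    }
    # $obj has gone out of scope: exactly one DESTROY expected now
    return $Tracker::destroyed == 1 ? 1 : 0;
}

# Subprocess check: runs the ticket's exact one-liner in a child perl and
# classifies what happened.  Assumes a POSIX shell for the 2>&1 redirect.
# Returns 'clean', 'warns' (the symptom reported), 'crashed' or 'error'.
sub reproducer_result {
    my $code   = 'sub foo (\$) { delete $_[0] } foo $bar';
    my $output = qx{"$^X" -e '$code' 2>&1};
    my $status = $?;
    return 'crashed' if $status == -1 || ($status & 127);   # no start / signal
    return 'warns'   if $output =~ /Attempt to free unreferenced scalar/;
    return $status == 0 ? 'clean' : 'error';
}

print "perl $]\n";
print "in-process DESTROY timing: ",
      (destroy_timing_ok() ? "ok" : "premature DESTROY"), "\n";
print "ticket #28032 one-liner  : ", reproducer_result(), "\n";
```

The subprocess check is the one to trust on an old perl: the in-process check deliberately triggers the bad free, and a perl from before change 22624 may report 'Attempt to free unreferenced scalar' or misbehave further when the block exits, whereas the child perl contains the damage and the parent only reads its stderr and exit status.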

p5pRT commented Mar 31, 2004

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT closed this as completed Apr 1, 2004

p5pRT commented Apr 1, 2004

@iabyn - Status changed from 'open' to 'resolved'
