From at@altlinux.ru

Created by at@altlinux.ru

Hello,

Recently I reported this bug on perl5-porters mailing list.
Since there seems to be no immediate interest to this bug,
I file it for future revision. I assign severity=high
because it makes perl crash with a simple expression
given on a command line​:

$ perl -MO=Debug /usr/lib/perl5/perl5db.pl >/dev/null
zsh​: segmentation fault perl -MO=Debug /usr/lib/perl5/perl5db.pl > /dev/null
$ perl -MO=Bblock /usr/lib/perl5/perl5db.pl
zsh​: segmentation fault perl -MO=Bblock /usr/lib/perl5/perl5db.pl
$

Detailed explanation and test cases are available via the following
links​:

http​://www.nntp.perl.org/group/perl.perl5.porters/96442
http​://www.nntp.perl.org/group/perl.perl5.porters/96482
http​://www.nntp.perl.org/group/perl.perl5.porters/96485

The problem seems to be somewhere around pmreplroot​: Perl always expects
pmreplroot to be a reference (or a pointer), while occasionally
pmreplroot is a scalar (or an integer).

--
Alexey Tourbin
ALT Linux Team

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.4:

Configured by ALT Linux Team at Mon Aug  9 06:08:01 MSD 2004.

Summary of my perl5 (revision 5 version 8 subversion 4) configuration:
  Platform:
    osname=linux, osvers=2.4.18-alt6master-up, archname=i386-linux-thread-multi
    uname='linux solemn.turbinal.org 2.4.18-alt6master-up #1 tue apr 16 14:50:56 msd 2002 i686 unknown unknown gnulinux '
    config_args='-de -rs -Darchname=i386-linux -Dd_dosuid -Ud_csh -Dlibswanted=dl m c crypt db ndbm gdbm -Duseshrplib -Dlibperl=libperl.so.5.8 -Dcc=gcc -Doptimize=-pipe -mmmx -Wall -Os -march=i686 -D_GNU_SOURCE -momit-leaf-frame-pointer -Dcccdlflags=-fPIC -DPIC -Dccdlflags=-rdynamic -Wl,-O1 -Dlddlflags=-shared -Wl,-O1 -Dldflags=-Wl,-O1 -Dinstallprefix=/usr -Dprefix=/usr -Dprivlib=/usr/lib/perl5 -Darchlib=/usr/lib/perl5/i386-linux -Dvendorprefix=/usr -Dvendorlib=/usr/lib/perl5/vendor_perl -Dvendorarch=/usr/lib/perl5/vendor_perl/i386-linux -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dvendorman1dir=/usr/share/man/man1 -Dvendorman3dir=/usr/share/man/man3 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.4 -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.4/i386-linux -Dsiteman1dir=/usr/local/man/man1 -Dsite_man3dir=/usr/local/man/man3 -Dcf_by=ALT Linux Team -Dcf_email=qa@altlinux.org -Dmyhostname=localhost -Dperladmin=root@localhost -Dmyuname=Linux 2.4.18-alt6master-up i686 -Dnewmyuname=Linux 2.4.18-alt6master-up i686 -Dinc_version_list=5.8.3/i386-linux 5.8.2/i386-linux 5.8.1/i386-linux 5.8.0/i386-linux 5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Dpager=/usr/bin/less -isR -Di_shadow -Di_syslog -Dusethreads -Duseithreads -Duselargefiles -Di_db -Di_gdbm -Di_ndbm -Di_sdbm -Ui_odbm'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-pipe -mmmx -Wall -Os -march=i686 -D_GNU_SOURCE -momit-leaf-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.3.3 20040412 (ALT Linux, build 3.3.3-alt5)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags ='-Wl,-O1 -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-ldl -lm -lpthread -lc -lcrypt -ldb -lgdbm
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.3.so, so=so, useshrplib=true, libperl=libperl.so.5.8
    gnulibc_version='2.3.3'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic -Wl,-O1'
    cccdlflags='-fPIC -DPIC', lddlflags='-shared -Wl,-O1 -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.4:
    /etc/perl5
    /usr/lib/perl5/i386-linux
    /usr/lib/perl5
    /usr/local/lib/perl5/site_perl/5.8.4/i386-linux
    /usr/local/lib/perl5/site_perl/5.8.4
    /usr/local/lib/perl5/site_perl/5.8.2/i386-linux
    /usr/local/lib/perl5/site_perl/5.8.1/i386-linux
    /usr/local/lib/perl5/site_perl/5.8.2
    /usr/local/lib/perl5/site_perl/5.8.1
    /usr/local/lib/perl5/site_perl/5.6.1
    /usr/local/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/i386-linux
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/vendor_perl
    .


Environment for perl v5.8.4:
    HOME=/home/at
    LANG=C
    LANGUAGE (unset)
    LC_COLLATE=ru_RU.CP1251
    LC_CTYPE=ru_RU.CP1251
    LC_MESSAGES=C
    LC_MONETARY=ru_RU.CP1251
    LC_NUMERIC=ru_RU.CP1251
    LC_TIME=C
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/at/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/games:/sbin:/usr/sbin:/usr/local/sbin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh

From smcc@mit.edu

"AT" == Alexey Tourbin (via RT) writes​:

AT> # New Ticket Created by Alexey Tourbin
AT> # Please include the string​: [perl #32968]
AT> # in the subject line of all future correspondence about this issue.
AT> # <URL​: http​://rt.perl.org​:80/rt3/Ticket/Display.html?id=32968 >

AT> Hello,

AT> Recently I reported this bug on perl5-porters mailing list.
AT> Since there seems to be no immediate interest to this bug,
AT> I file it for future revision. I assign severity=high
AT> because it makes perl crash with a simple expression
AT> given on a command line​:

AT> $ perl -MO=Debug /usr/lib/perl5/perl5db.pl >/dev/null
AT> zsh​: segmentation fault
AT> $ perl -MO=Bblock /usr/lib/perl5/perl5db.pl
AT> zsh​: segmentation fault
AT> $

AT> Detailed explanation and test cases are available via the
AT> following links​:

AT> http​://www.nntp.perl.org/group/perl.perl5.porters/96442
AT> http​://www.nntp.perl.org/group/perl.perl5.porters/96482
AT> http​://www.nntp.perl.org/group/perl.perl5.porters/96485

AT> The problem seems to be somewhere around pmreplroot​: Perl always
AT> expects pmreplroot to be a reference (or a pointer), while
AT> occasionally pmreplroot is a scalar (or an integer).

Try the following patch.

It appears there were two problems with walkoptree and pmreplroot​:
first, there was a logic error in the previous addition of pmreplroot
support​: the code was claiming that the pmreplroot kid of the OP was a
always PMOP, while in general it isn't​: it's only the *parent* we know
to be a PMOP in this branch. This was causing a segfault on a s///.

The second problem was analogous to the change needed in
walkoptree_slow​: when the OP is an OP_PUSHRE (the regex in a split()),
the replroot is sometimes reused to store a pointer to the array being
split into, either as a GV* or as a PADOFFSET under ithreads. In that
case, walkoptree shouldn't recurse. The second hunk adds a comment to
op.h mentioning this weirdness. As the comment implies, it would be
even better documentation to change the code to achieve the reuse with
a union rather than with casts, but maybe that's more work than it's
worth.

This is my first attempt at making a patch against the SVK-mirrored
Subversion repository; let me know if it doesn't apply right.

-- Stephen

Index​: ext/B/B.xs

--- ext/B/B.xs (revision 18175)
+++ ext/B/B.xs (working copy)
@​@​ -408,10 +408,10 @​@​ walkoptree(pTHX_ SV *opsv, char *method)
  walkoptree(aTHX_ opsv, method);
  }
  }
- if (o && (cc_opclass(aTHX_ o) == OPc_PMOP)
+ if (o && (cc_opclass(aTHX_ o) == OPc_PMOP) && o->op_type != OP_PUSHRE
  && (kid = cPMOPo->op_pmreplroot))
  {
- sv_setiv(newSVrv(opsv, opclassnames[OPc_PMOP]), PTR2IV(kid));
+ sv_setiv(newSVrv(opsv, cc_opclassname(aTHX_ kid)), PTR2IV(kid));
  walkoptree(aTHX_ opsv, method);
  }
}
Index​: op.h

--- op.h (revision 18175)
+++ op.h (working copy)
@​@​ -267,7 +267,7 @​@​ struct pmop {
  BASEOP
  OP * op_first;
  OP * op_last;
- OP * op_pmreplroot;
+ OP * op_pmreplroot; /* (type is really union {OP*,GV*,PADOFFSET}) */
  OP * op_pmreplstart;
  PMOP * op_pmnext; /* list of all scanpats */
#ifdef USE_ITHREADS

The RT System itself - Status changed from 'new' to 'open'

From @rgs

Stephen McCamant wrote​:

It appears there were two problems with walkoptree and pmreplroot​:
first, there was a logic error in the previous addition of pmreplroot
support​: the code was claiming that the pmreplroot kid of the OP was a
always PMOP, while in general it isn't​: it's only the *parent* we know
to be a PMOP in this branch. This was causing a segfault on a s///.

The second problem was analogous to the change needed in
walkoptree_slow​: when the OP is an OP_PUSHRE (the regex in a split()),
the replroot is sometimes reused to store a pointer to the array being
split into, either as a GV* or as a PADOFFSET under ithreads. In that
case, walkoptree shouldn't recurse. The second hunk adds a comment to
op.h mentioning this weirdness. As the comment implies, it would be
even better documentation to change the code to achieve the reuse with
a union rather than with casts, but maybe that's more work than it's
worth.

Thanks, applied as change 23983 to bleadperl (after a long delay, sorry...)

@rgs - Status changed from 'open' to 'resolved'