1x1e12 eq '' #7984

p5pRT opened this issue Jun 22, 2005 · 16 comments

p5pRT commented Jun 22, 2005

Migrated from rt.perl.org#36359 (status was 'open')

Searchable as RT36359$


p5pRT commented Jun 22, 2005

From fox@scene.pl

This is a bug report for perl from fox@​scene.pl,
generated with the help of perlbug 1.34 running under perl v5.8.0.


The "x" operator gives an unexpected result (i.e. null string)
with large right side operands.

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

perl580 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

perl580 -le "print 1x1e12 ne '' ? 'ok' : 'not ok'"
not ok


perl586 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl586 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

perl586 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
(crash)

perl586 -le "print 1x1e12 ne '' ? 'ok' : 'not ok'"
not ok



Flags​:
category=core
severity=low


Site configuration information for perl v5.8.0​:

Configured by ActiveState at Mon Mar 31 00​:45​:28 2003.

Summary of my perl5 (revision 5 version 8 subversion 0) configuration​:
Platform​:
osname=MSWin32, osvers=4.0, archname=MSWin32-x86-multi-thread
uname=''
config_args='undef'
hint=recommended, useposix=true, d_sigaction=undef
usethreads=undef use5005threads=undef useithreads=define
usemultiplicity=define
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler​:
cc='cl', ccflags ='-nologo -Gf -W3 -MD -Zi -DNDEBUG -O1 -DWIN32 -D_CONSOLE
-DNO_STRICT -DHAVE_DES_FCRYPT -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS
-DUSE_PERLIO -DPERL_MSVCRT_READFIX',
optimize='-MD -Zi -DNDEBUG -O1',
cppflags='-DWIN32'
ccversion='', gccversion='', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=10
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64',
lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries​:
ld='link', ldflags ='-nologo -nodefaultlib -debug -opt​:ref,icf
-libpath​:"C​:jPerllibCORE" -machine​:x86'
libpth="D​:Program FilesMicrosoft.NETFrameworkSDKLib" "D​:Program
FilesMicrosoft.NetOdbc.Net" "C​:jPerllibCORE"
libs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib
uuid.lib wsock32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib
msvcrt.lib
perllibs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib
uuid.lib wsock32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib
msvcrt.lib
libc=msvcrt.lib, so=dll, useshrplib=yes, libperl=perl58.lib
gnulibc_version='undef'
Dynamic Linking​:
dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt​:ref,icf
-libpath​:"C​:jPerllibCORE" -machine​:x86'

Locally applied patches​:
ACTIVEPERL_LOCAL_PATCHES_ENTRY


@​INC for perl v5.8.0​:
C​:/j/Perl/lib
C​:/j/Perl/site/lib
.


Environment for perl v5.8.0​:
HOME (unset)
LANG (unset)
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=C​:WINDOWS;C​:WINDOWSCOMMAND;C​:U;C​:JAVAJDKBIN;C​:CDJGPPBIN;C​:JPERLBIN;C​:JMYSQLBIN;C​:UTEXMFMAINMIKTEXBIN;C​:UGSGS8.11BIN;C​:CCYGWINBIN;C​:WINDOWS;C​:WINDOWSCOMMAND;C​:UANTBIN
PERL_BADLANG (unset)
SHELL (unset)


p5pRT commented Jun 22, 2005

From @schwern

On Wed, Jun 22, 2005 at 11​:24​:12AM -0000, Piotr Fusik wrote​:

The "x" operator gives an unexpected result (i.e. null string)
with large right side operands.

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

I believe the issue is you're trying to allocate a string of 1 billion
characters, consuming about a gig of memory, and simply running out.
This falls under the "don't do that" category.

perl580 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

Though I can't explain why this doesn't crash, too.

--
Michael G Schwern schwern@​pobox.com http​://www.pobox.com/~schwern
Ahh email, my old friend. Do you know that revenge is a dish that is best
served cold? And it is very cold on the Internet!


p5pRT commented Jun 22, 2005

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jun 22, 2005

From @salva

Michael G Schwern wrote​:

On Wed, Jun 22, 2005 at 11​:24​:12AM -0000, Piotr Fusik wrote​:

The "x" operator gives an unexpected result (i.e. null string)
with large right side operands.

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

I believe the issue is you're trying to allocate a string of 1 billion
characters, consuming about a gig of memory, and simply running out.
This falls under the "don't do that" category.

perl580 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

Though I can't explain why this doesn't crash, too.

1e9 < 2**31 but 1e10 > 2**31 so it overflows when converted to an IV on
32 bits platforms.

Cheers,

  - Salvador


p5pRT commented Jun 23, 2005

From fox@scene.pl

This patch fixes the following​:

perl -le "print 1x1e12 ne '' ? 'ok' : 'not ok'"
not ok

perl -le "print 1x(1x12) ne '' ? 'ok' : 'not ok'"
not ok

perl -le "print +(1)x1e12"
(no output)

perl -le "print +(1)x(1x12)"
(no output)


p5pRT commented Jun 23, 2005

From fox@scene.pl

Inline Patch
diff -ruN perl-current/pp.c perl-patched/pp.c
--- perl-current/pp.c	Wed Jun 22 14:23:34 2005
+++ perl-patched/pp.c	Thu Jun 23 12:14:04 2005
@@ -1399,30 +1399,12 @@
     dPOPss;
     if (SvGMAGICAL(sv))
 	 mg_get(sv);
-    if (SvIOKp(sv)) {
-	 if (SvUOK(sv)) {
-	      UV uv = SvUV(sv);
-	      if (uv > IV_MAX)
-		   count = IV_MAX; /* The best we can do? */
-	      else
-		   count = uv;
-	 } else {
-	      IV iv = SvIV(sv);
-	      if (iv < 0)
-		   count = 0;
-	      else
-		   count = iv;
-	 }
-    }
-    else if (SvNOKp(sv)) {
-	 NV nv = SvNV(sv);
-	 if (nv < 0.0)
-	      count = 0;
-	 else
-	      count = (IV)nv;
-    }
-    else
-	 count = SvIVx(sv);
+
+    SvIV_please(sv);
+    count = SvIVX(sv);
+    if (SvIsUV(sv) && count < 0)
+	count = IV_MAX;
+
     if (GIMME == G_ARRAY && PL_op->op_private & OPpREPEAT_DOLIST) {
 	dMARK;
 	I32 items = SP - MARK;
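
Review bot: `count = SvIVX(sv);` in the added lines reads the IV slot directly, and nothing here checks that the sv actually holds an integer after `SvIV_please(sv)`, so an operand with no numeric value set is read unchecked; fetch the value with `SvIV(sv)` or test `SvIOK(sv)` first. The removed branches also set `count = 0` for a negative IV or NV, while the new code only adjusts the `SvIsUV(sv) && count < 0` case, so a negative right operand now reaches the code below with `count < 0`; keep an explicit `if (count < 0) count = 0;` unless the following code already handles it. A comment saying why `IV_MAX` is the chosen ceiling would also help, as the removed `/* The best we can do? */` did.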


p5pRT commented Jun 23, 2005

From @rgarcia

On 6/23/05, Piotr Fusik <fox@​scene.pl> wrote​:

This patch fixes the following​:

perl -le "print 1x1e12 ne '' ? 'ok' : 'not ok'"
not ok

perl -le "print 1x(1x12) ne '' ? 'ok' : 'not ok'"
not ok

perl -le "print +(1)x1e12"
(no output)

perl -le "print +(1)x(1x12)"
(no output)

With your patch, I get :

$ ./perl -e 'print "-" x undef'
Segmentation fault

The problem coming from the line :

count = SvIVX(sv);

when sv is &PL_sv_undef.

Moreover you shouldn't be setting count = IV_MAX in all cases, I think.
So, not applied as is.


p5pRT commented Jun 24, 2005

From pfusik@op.pl

With your patch, I get :

$ ./perl -e 'print "-" x undef'
Segmentation fault

The problem coming from the line :

count = SvIVX(sv);

when sv is &PL_sv_undef.

Moreover you shouldn't be setting count = IV_MAX in all cases, I think.
So, not applied as is.

I'm just a beginner, so I don't know the correct way. How about this​:

count = sv_2iv(sv);
if (SvIsUV(sv) && count < 0)
  count = IV_MAX;

This is at least better than it was. Maybe I should use SvIV or SvIVx instead of sv_2iv? But in this case mg_get doesn't get called
if SvIOK. I'm confused. Please explain this to me.

I'm also aware that using IV_MAX is not the best way, however it seems less harmful than using I32 for items and max.


p5pRT commented Jun 24, 2005

From pfusik@op.pl

patch-repeat-big


p5pRT commented Jun 27, 2005

From Matthias.Thullner@de.bosch.com

isn't this a general problem when the script is trying to allocate more
RAM than the machine can address?

Another example​:
c​:\aperl813\bin\perl -e "print 'x' x 1000000000000000;"

This command does neither report an error nor print anything to the
screen.

The problem is, it is very hard to check each command/function in the
code that allocates variable amount of RAM for overflows. Perl itself
must check this and report an error if memory cannot be allocated!!
In my opinion this is fatal...


p5pRT commented Mar 28, 2012

From @jkeenan

Reviewing this older ticket tonight, I'm inclined to agree with
Schwern's comment​:

On Wed Jun 22 14​:05​:10 2005, schwern wrote​:

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

I believe the issue is you're trying to allocate a string of 1 billion
characters, consuming about a gig of memory, and simply running out.
This falls under the "don't do that" category.

If this viewpoint is correct, I think we should close this ticket.

Better thoughts?

Thank you very much.
Jim Keenan


p5pRT commented Mar 28, 2012

From @cpansprout

On Tue Mar 27 19​:08​:51 2012, jkeenan wrote​:

Reviewing this older ticket tonight, I'm inclined to agree with
Schwern's comment​:

On Wed Jun 22 14​:05​:10 2005, schwern wrote​:

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

I believe the issue is you're trying to allocate a string of 1 billion
characters, consuming about a gig of memory, and simply running out.
This falls under the "don't do that" category.

If this viewpoint is correct, I think we should close this ticket.

Better thoughts?

I don’t get a crash (which I would probably consider not-a-bug), but an
empty string​:

$ perl5.15.9 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

So it would be worthwhile checking whether this has to do with the rhs
being so high that it wraps and becomes negative.

And does it work properly on 64-bit systems (i.e., with a 64-bit range)?

--

Father Chrysostomos


p5pRT commented Mar 28, 2012

From @doy

On Tue, Mar 27, 2012 at 08​:44​:30PM -0700, Father Chrysostomos via RT wrote​:

On Tue Mar 27 19​:08​:51 2012, jkeenan wrote​:

Reviewing this older ticket tonight, I'm inclined to agree with
Schwern's comment​:

On Wed Jun 22 14​:05​:10 2005, schwern wrote​:

perl580 -le "print 1x1e8 ne '' ? 'ok' : 'not ok'"
ok

perl580 -le "print 1x1e9 ne '' ? 'ok' : 'not ok'"
(crash)

I believe the issue is you're trying to allocate a string of 1 billion
characters, consuming about a gig of memory, and simply running out.
This falls under the "don't do that" category.

If this viewpoint is correct, I think we should close this ticket.

Better thoughts?

I don’t get a crash (which I would probably consider not-a-bug), but an
empty string​:

$ perl5.15.9 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

So it would be worthwhile checking whether this has to do with the rhs
being so high that it wraps and becomes negative.

And does it work properly on 64-bit systems (i.e., with a 64-bit range)?

$ perl -E'say 1x1e10 ne "" ? "ok" : "not ok"'
ok

$ perl -E'say 1x1e20 ne "" ? "ok" : "not ok"'
not ok

$ perl -V
Summary of my perl5 (revision 5 version 14 subversion 2) configuration​:
 
  Platform​:
  osname=linux, osvers=3.2.5-1-arch, archname=x86_64-linux
  uname='linux xtahua 3.2.5-1-arch #1 smp preempt tue feb 7 08​:34​:36 cet 2012 x86_64 intel(r) core(tm) i7-2640m cpu @​ 2.80ghz genuineintel gnulinux '
  config_args='-de -Dprefix=/home/doy/perl5/perlbrew/perls/perl-5.14.2'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.6.2 20120120 (prerelease)', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib/../lib /usr/lib/../lib /lib /usr/lib
  libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=/lib/libc-2.15.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.15'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl)​:
  Compile-time options​: PERL_DONT_CREATE_GVSV PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT
  USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Feb 13 2012 22​:58​:53
  %ENV​:
  PERL5LIB="/home/doy/perl5/local/"
  PERLBREW_BASHRC_VERSION="0.33"
  PERLBREW_HOME="/home/doy/.perlbrew"
  PERLBREW_PATH="/home/doy/perl5/perlbrew/bin​:/home/doy/perl5/perlbrew/perls/perl-5.14.2/bin"
  PERLBREW_PERL="perl-5.14.2"
  PERLBREW_ROOT="/home/doy/perl5/perlbrew"
  PERLBREW_VERSION="0.33"
  PERL_CPANM_OPT="-q --mirror file​:///home/doy/perl5/minicpan/ --mirror http​://mirrors.kernel.org/cpan/ --mirror http​://search.cpan.org/CPAN --prompt"
  @​INC​:
  /home/doy/perl5/local/
  /home/doy/perl5/perlbrew/perls/perl-5.14.2/lib/site_perl/5.14.2/x86_64-linux
  /home/doy/perl5/perlbrew/perls/perl-5.14.2/lib/site_perl/5.14.2
  /home/doy/perl5/perlbrew/perls/perl-5.14.2/lib/5.14.2/x86_64-linux
  /home/doy/perl5/perlbrew/perls/perl-5.14.2/lib/5.14.2
  .

-doy


p5pRT commented Jul 1, 2013

From @tonycoz

On Tue Mar 27 20​:44​:29 2012, sprout wrote​:

I don’t get a crash (which I would probably consider not-a-bug), but an
empty string​:

$ perl5.15.9 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

So it would be worthwhile checking whether this has to do with the rhs
being so high that it wraps and becomes negative.

And does it work properly on 64-bit systems (i.e., with a 64-bit range)?

It's a general problem with integer handling in perl - NVs are converted
to IVs (or worse - I32) without a warning, producing unexpected success
or failure.

An example where conversion to I32 is the problem​:

$ ./perl -le '@​x = "abc"; print $x[0x100000000]'
abc
$ ./perl -le '@​x = "abc"; print $x[0xffffffff]'
abc
$ ./perl -le '@​x = "abc"; print $x[2**32]'
abc
$ ./perl -le '@​x = "abc"; print $x[-2**32]'
abc

Based on the discussion, I'm rejecting the patch, but I think this is
still a real problem, whether it's worth fixing in this case, or in
general, I don't know.

Tony
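
The silent narrowing described in the comment above can be modelled in C as follows. This is an added example, not code from perl's source or from any participant in this thread; `checked_count` and `truncate_to_i32` are hypothetical names, and a 32-bit count and index type is assumed. It shows a range check placed before the cast, and why indexes such as 0x100000000, 0xffffffff and -2**32 land on element 0 or -1 of a one-element array once only the low 32 bits are kept.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of converting a floating-point repeat count to a 32-bit integer. */
typedef enum { CONV_OK, CONV_NEGATIVE, CONV_TOO_BIG, CONV_NAN } conv_status;

/* Hypothetical helper: range-check the double BEFORE casting. A bare
 * (int32_t)nv is undefined behaviour in C when nv is out of range, which
 * is one way a huge count can silently become 0 or a negative number. */
static int32_t checked_count(double nv, conv_status *st)
{
    conv_status s = CONV_OK;
    int32_t out;

    if (nv != nv)                { s = CONV_NAN;      out = 0; }
    else if (nv < 0.0)           { s = CONV_NEGATIVE; out = 0; }
    else if (nv >= 2147483648.0) { s = CONV_TOO_BIG;  out = INT32_MAX; }
    else                         { out = (int32_t)nv; }  /* now in range */

    if (st) *st = s;
    return out;
}

/* Model of silent truncation of a wide integer to 32 bits: keep the low
 * 32 bits and reinterpret them as signed (two's complement). */
static int32_t truncate_to_i32(int64_t v)
{
    uint32_t low = (uint32_t)v;   /* well defined: v modulo 2^32 */
    int32_t out;
    memcpy(&out, &low, sizeof out);
    return out;
}

int main(void)
{
    static const char *names[] = { "ok", "negative", "too big", "nan" };
    const double counts[] = { 1e8, 1e9, 1e10, 1e12, -3.0 };  /* constructed inputs */
    const int64_t idx[] = { 0x100000000LL, 0xffffffffLL, -0x100000000LL };
    conv_status st;

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int32_t c = checked_count(counts[i], &st);
        printf("count %g -> %ld (%s)\n", counts[i], (long)c, names[st]);
    }
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("index %lld -> %ld\n", (long long)idx[i], (long)truncate_to_i32(idx[i]));
    return 0;
}
```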


p5pRT commented Mar 2, 2015

From @khwilliamson

On 07/01/2013 12​:50 AM, Tony Cook via RT wrote​:

On Tue Mar 27 20​:44​:29 2012, sprout wrote​:

I don’t get a crash (which I would probably consider not-a-bug), but an
empty string​:

$ perl5.15.9 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

I just tried this on my 64 bit system, and it works; I'm wondering if it
is still a problem on 32-bit ones.

So it would be worthwhile checking whether this has to do with the rhs
being so high that it wraps and becomes negative.

And does it work properly on 64-bit systems (i.e., with a 64-bit range)?

It's a general problem with integer handling in perl - NVs are converted
to IVs (or worse - I32) without a warning, producing unexpected success
or failure.

An example where conversion to I32 is the problem​:

$ ./perl -le '@​x = "abc"; print $x[0x100000000]'
abc
$ ./perl -le '@​x = "abc"; print $x[0xffffffff]'
abc
$ ./perl -le '@​x = "abc"; print $x[2**32]'
abc
$ ./perl -le '@​x = "abc"; print $x[-2**32]'
abc

Based on the discussion, I'm rejecting the patch, but I think this is
still a real problem, whether it's worth fixing in this case, or in
general, I don't know.

Tony

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=36359


p5pRT commented Mar 2, 2015

From @shlomif

On Sun Mar 01 21​:55​:06 2015, public@​khwilliamson.com wrote​:

On 07/01/2013 12​:50 AM, Tony Cook via RT wrote​:

On Tue Mar 27 20​:44​:29 2012, sprout wrote​:

I don’t get a crash (which I would probably consider not-a-bug), but an
empty string​:

$ perl5.15.9 -le "print 1x1e10 ne '' ? 'ok' : 'not ok'"
not ok

I just tried this on my 64 bit system, and it works; I'm wondering if it
is still a problem on 32-bit ones.

On my Mageia Linux 4 i586 VirtualBox VM, bleadperl's "./perl -e" prints "not ok" with that command line.

Regards,

-- Shlomi Fish

