Core dump on process exit / tie %SIG #8485

Open
p5pRT opened this issue Jun 16, 2006 · 5 comments

p5pRT commented Jun 16, 2006

Migrated from rt.perl.org#39504 (status was 'stalled')

Searchable as RT39504$


p5pRT commented Jun 16, 2006

From jgmyers@proofpoint.com

Created by jgmyers@proofpoint.com

The following test program causes perl to dereference a null pointer
with the following stack trace:

#0 0x080e4e1c in Perl_pp_helem (my_perl=0x81ab008) at pp_hot.c:1727
#1 0x080c5413 in Perl_runops_debug (my_perl=0x81ab008) at dump.c:1449
#2 0x080668d9 in S_call_body (my_perl=0x81ab008, myop=0xbfffd820, is_eval=0) at perl.c:2298
#3 0x0806643a in Perl_call_sv (my_perl=0x81ab008, sv=0x824a8dc, flags=150) at perl.c:2216
#4 0x080f59eb in Perl_sv_clear (my_perl=0x81ab008, sv=0x82356b4) at sv.c:5130
#5 0x080f63d1 in Perl_sv_free (my_perl=0x81ab008, sv=0x82356b4) at sv.c:5376
#6 0x080eb110 in do_clean_objs (my_perl=0x81ab008, sv=0x8224968) at sv.c:394
#7 0x080eafa3 in S_visit (my_perl=0x81ab008, f=0x80eb02d <do_clean_objs>, flags=524288, mask=524288) at sv.c:340
#8 0x080eb2d0 in Perl_sv_clean_objs (my_perl=0x81ab008) at sv.c:434
#9 0x080621db in perl_destruct (my_perl=0x81ab008) at perl.c:564
#10 0x0805ff3f in main (argc=5, argv=0xbfffdb04, env=0xbfffdb1c)

The test case is extremely fiddly: it must be invoked with 3 arguments
in order to dump core. I have unfortunately reduced the test case to
the point where it dumps core in 5.8.6 but not 5.8.8, but a larger test
case which I cannot recover (without a few hours' work starting the
reducing work over again) causes 5.8.8 to encounter the same error.

The key trigger of the bug is probably the use of tie on %SIG. I need
to do this to keep the embedded perl interpreter and Mail::Box from
overwriting my application's signal handlers.

The test case consists of two files, since I wasn't able to reduce one
of the 'require' steps.

---- bug.pl a a a

use lib '/doesntmatter';

use warnings;

package sigfilter;

sub TIEHASH {
  bless {sig => \%SIG }, shift;
}

sub FETCH {
  my ($self, $key) = @_;
  return $self->{sig}->{$key};
}

sub STORE {
  my ($self, $key, $value) = @_;
  return $self->{sig}->{$key} = $value;
}

sub DELETE {
  my ($self, $key) = @_;
  delete($self->{sig}->{$key});
}

sub CLEAR {
  my ($self) = @_;
  warn "Ignoring clear of \%SIG";
}

sub EXISTS {
  my ($self, $key) = @_;
  return exists($self->{sig}->{$key});
}

sub DESTROY {
  warn "Destroying sigfilter\n";
}

package foo;

sub init { eval 'package foosubpack;
require test2;

sub aaa { }

my $bbb = { ccc => [], };' }

package barparent;

sub init {}

package bar;
use base qw(barparent);

sub init {
  my ($self) = @_;

  $self->SUPER::init();
}

package main;

# routines called for initialization/processing
sub init(;$) {
  my %newsig;
  tie %newsig, 'sigfilter';
  *SIG = \%newsig;
}

init(1);
foo::init();
bar->init();
my $start = [];
init();
warn "end\n";

--- test2.pm

package DBI;

use DynaLoader ();

BEGIN {
@ISA = qw( DynaLoader);
}

use strict;

{
  sub DBI::DBI_tie::TIEHASH { bless {} }
}

tie %DBI::DBI => 'DBI::DBI_tie';

1;

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.6:

Configured by jgmyers at Fri Dec  3 13:10:49 PST 2004.

Summary of my perl5 (revision 5 version 8 subversion 6) configuration:
  Platform:
    osname=linux, osvers=2.4.21-20.elsmp, archname=i686-linux-thread-multi
    uname='linux pong 2.4.21-20.elsmp #1 smp wed aug 18 20:46:40 edt 2004 i686 i686 i386 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.3.3', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.6:
    /u/jgmyers/perl/lib/5.8.6/i686-linux-thread-multi
    /u/jgmyers/perl/lib/5.8.6
    /u/jgmyers/perl/lib/site_perl/5.8.6/i686-linux-thread-multi
    /u/jgmyers/perl/lib/site_perl/5.8.6
    /u/jgmyers/perl/lib/site_perl/5.8.5/i686-linux-thread-multi
    /u/jgmyers/perl/lib/site_perl/5.8.5
    /u/jgmyers/perl/lib/site_perl/5.8.3/i686-linux-thread-multi
    /u/jgmyers/perl/lib/site_perl/5.8.3
    /u/jgmyers/perl/lib/site_perl
    .


Environment for perl v5.8.6:
    HOME=/u/jgmyers
    LANG=en_US
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/tools/x/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/u/jgmyers/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Jun 17, 2006

From jgmyers@proofpoint.com

Instrumenting Perl a bit more, I have found the following:

In runs that dump core, %SIG is destructed before package DBI. In runs
that don't dump core, package DBI is destructed before %SIG. In other
words, to trigger the bug, %SIG has to be listed in the arena before
package DBI.

Package DBI indirectly pulls in AutoLoader, which has code:

  eval { local $SIG{__DIE__}; require $filename };

In runs that don't dump core, some PERL_MAGIC_tiedelem objects with a
"__DIE__" key and under the DBI stash get passed to Perl_sv_clear(). In
runs that dump core, it does so while destructing the DBI stash, but
before these __DIE__ objects are cleared. This suggests to me that the
destructor code is trying to modify %SIG{__DIE__} when %SIG has been
previously destructed.
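
An added illustration, not code from the report or from perl itself, of the AutoLoader statement quoted above running against a tied hash. The constructed `LoggedHash` class (a hypothetical name standing in for `sigfilter`) logs each tie method call, showing that `local` on a tied element calls back into the tie object when the element is localized and again when the enclosing `eval` exits.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed tie class (hypothetical name) that logs every call perl makes
# through the tie interface. It stands in for the report's sigfilter class.
package LoggedHash;

our @LOG;

sub TIEHASH { my ($class) = @_; return bless { data => {} }, $class }
sub FETCH   { my ($self, $k) = @_; push @LOG, "FETCH $k";  return $self->{data}{$k} }
sub STORE   { my ($self, $k, $v) = @_; push @LOG, "STORE $k"; return $self->{data}{$k} = $v }
sub EXISTS  { my ($self, $k) = @_; push @LOG, "EXISTS $k"; return exists $self->{data}{$k} }
sub DELETE  { my ($self, $k) = @_; push @LOG, "DELETE $k"; return delete $self->{data}{$k} }

package main;

# Run the AutoLoader-style statement against a tied hash and split the logged
# tie calls into those made inside the eval body and those made when it exits.
sub trace_local {
    my ($hash) = @_;
    @LoggedHash::LOG = ();
    my $entered = 0;
    eval {
        local $hash->{__DIE__};
        $entered = scalar @LoggedHash::LOG;    # calls made while localizing
        1;
    };
    my @log = @LoggedHash::LOG;
    return ([ @log[0 .. $entered - 1] ], [ @log[$entered .. $#log] ]);
}

tie my %h, 'LoggedHash';

# First pass: the key does not exist yet. Second pass: it holds a handler.
for my $case ('key absent', 'key present') {
    my ($on_entry, $on_exit) = trace_local(\%h);
    print "$case:\n";
    print "  while localizing: ", join(', ', @$on_entry), "\n";
    print "  on scope exit:    ", join(', ', @$on_exit),  "\n";
    $h{__DIE__} = sub { };    # make the key exist for the second pass
}
```

On a tied %SIG these callbacks land in the application's tie class, whichever module executed the `local`.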


p5pRT commented Jun 19, 2006

From @rgarcia

On 17/06/06, John Myers <jgmyers@proofpoint.com> wrote:

> In runs that dump core, %SIG is destructed before package DBI. In runs
> that don't dump core, package DBI is destructed before %SIG. In other
> words, to trigger the bug, %SIG has to be listed in the arena before
> package DBI.
>
> Package DBI indirectly pulls in AutoLoader, which has code:
>
>   eval { local $SIG{__DIE__}; require $filename };

What is the method that is autoloaded? DESTROY() is supposed to be
handled separately in AutoLoader.

By the way, why is there an override of $SIG{__DIE__} here, since
we're already in an eval?


p5pRT commented Jun 19, 2006

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented May 12, 2008

p5p@spam.wizbit.be - Status changed from 'open' to 'stalled'
