isa cache leaks into and out of Safe compartments #8537

Closed
p5pRT opened this issue Jul 20, 2006 · 6 comments

p5pRT commented Jul 20, 2006

Migrated from rt.perl.org#39887 (status was 'resolved')

Searchable as RT39887$

p5pRT commented Jul 20, 2006

From perlbug@plan9.de

Created by perlbug@plan9.de

Perl's ISA cache (used e.g. for method lookups) leaks into and out of Safe
compartments.

Example environment:

  $obj is blessed into "pkg", which has method "method" outside the Safe
  compartment.

Example of leaking into the compartment:

  The following succeeds *within* the compartment when "method" has
  been called on the object before (or more precisely: is cached in
  ::ISA::CACHE::).

  $obj->method # call cached method outside of Safe

Example of leaking out of Safe compartment:

  The following code executed *within* the compartment will add a
  negative ("method does not exist") entry to the isa cache when the
  method has not been called on $obj before. Code executed outside the
  Safe compartment will be unable to call the method even though it
  exists until the isa cache gets invalidated.

  $obj->method # invalidate method for following calls outside of Safe

Workaround:

  I manually nuked the isa cache of all (for me) relevant classes before and
  after calling $safe->reval, like this:

  # symbolic glob lookup: requires "no strict 'refs'" in scope
  delete *{"main::$_\::"}{HASH}{"::ISA::CACHE::"}
     for qw(pkg1 pkg2 pkg3);

Solution:

  The only solution to this problem (apart from documenting it and
  ignoring it) is invalidating all isa caches (e.g. by incrementing
  PL_sub_generation). Unfortunately, this is a rather heavy-handed fix.

I think this is a serious problem with Safe (especially as it is not
documented and non-obvious, depending on the runtime call behaviour of
the program), although the actual impact might be small (no idea how many
people use Safe with objects - I only used Safe for the first time today),
so I choose severity medium - feel free to adjust :)

Perl Info

Flags:
    category=library
    severity=medium

Site configuration information for perl v5.8.8:

Configured by Marc Lehmann at Sat May 13 16:26:09 CEST 2006.

Summary of my perl5 (revision 5 version 8 subversion 8 patch 28184) configuration:

Locally applied patches:
    MAINT27284


p5pRT commented Jul 20, 2006

From schmorp@schmorp.de

Sorry, my original report is not the full (or true) story.

The culprit seems to be the method cache that gv_fetchmethod manages.

When passing objects into the Safe compartment, they retain a pointer to the
outside stash. If methods are already cached, then the outside methods are
being called (this requires inheritance). If methods are not cached, then
gv_fetchmethod looks up the method within the safe compartment.

The first case gives Safe access to outside methods, the second case lets it
override outside methods with methods from within the compartment.

--
  The choice of a
  -----==- _GNU_
  ----==-- _ generation Marc Lehmann
  ---==---(_)__ __ ____ __ pcg@goof.com
  --==---/ / _ \/ // /\ \/ / http://schmorp.de/
  -=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE
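
The caching behaviour described in this report, as an added C example that is not Perl's source and not code from this thread: a simplified model of a generation-stamped method cache, showing a warm slot leaking into the compartment and a negative slot leaking out. `generation` stands in for PL_sub_generation; every other identifier is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Perl's source; every identifier is hypothetical. */
typedef const char *(*resolver_fn)(const char *method);

static unsigned generation = 1;   /* plays the role of PL_sub_generation */
static resolver_fn current_root;  /* namespace used for uncached lookups */
struct stash {            /* cache slot for one method of one class */
    const char *cached;   /* NULL is a negative ("no such method") entry */
    unsigned stamp;       /* generation at fill time; 0 means never filled */
};
static const char *outside_root(const char *m) {
    return strcmp(m, "method") == 0 ? "outside::method" : NULL;
}
static const char *compartment_root(const char *m) { (void)m; return NULL; }
/* Trust the slot while its stamp is current; otherwise resolve and refill. */
static const char *find_method(struct stash *s, const char *m) {
    if (s->stamp != generation) {
        s->cached = current_root(m);
        s->stamp = generation;
    }
    return s->cached;
}

static const char *lookup_outside(struct stash *s, const char *m) {
    current_root = outside_root;
    return find_method(s, m);
}

/* Lookup as seen by compartment code. With flush set, the generation is
   bumped on entry and again on exit, so no slot survives the boundary. */
static const char *lookup_in_compartment(struct stash *s, const char *m, int flush) {
    if (flush) ++generation;
    current_root = compartment_root;
    const char *seen = find_method(s, m);
    if (flush) ++generation;
    return seen;
}

int main(void) {
    struct stash warm = {0}, cold = {0};
    lookup_outside(&warm, "method");
    printf("leak in:  %s\n", lookup_in_compartment(&warm, "method", 0) ? "yes" : "no");
    lookup_in_compartment(&cold, "method", 0);
    printf("leak out: %s\n", lookup_outside(&cold, "method") ? "no" : "yes");
    return 0;
}
```

Passing flush=1 models invalidating on both sides of the compartment call; bumping only on entry would still leave the negative slot filled inside the compartment valid for the caller.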

p5pRT commented Jul 20, 2006

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Aug 8, 2006

From @rgs

perlbug@plan9.de (via RT) wrote:

Perl's ISA cache (used e.g. for method lookups) leaks into and out of Safe
compartments.

One (or several) test cases would be helpful.

I haven't tried to reproduce the bug, but a patch based on this idea
might help :

--- ext/Opcode/Opcode.xs
+++ ext/Opcode/Opcode.xs
@​@​ -314,6 +314,10 @​@​
  dummy_hv = save_hash(PL_incgv);
  GvHV(PL_incgv) = (HV*)SvREFCNT_inc(GvHV(gv_HVadd(gv_fetchpv("INC",TRUE,SVt_PVHV))));

+ /* Invalidate ISA and method caches */
+ ++PL_sub_generation;
+ hv_clear(PL_stashcache);
+
  PUSHMARK(SP);
  perl_call_sv(codesv, GIMME|G_EVAL|G_KEEPERR); /* use callers context */
  sv_free( (SV *) dummy_hv); /* get rid of what save_hash gave us*/
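
Review bot: The added invalidation (++PL_sub_generation; hv_clear(PL_stashcache);) sits only before perl_call_sv(codesv, ...), and nothing in the visible context repeats it once the call returns, so cache entries created while the compartment code ran stay valid for the caller afterwards, which is the leaking-out case in the report. Consider invalidating again after the call, matching the reporter's workaround of clearing the caches both before and after $safe->reval.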

p5pRT commented Sep 7, 2006

From @rgarcia

On 08/08/06, Rafael Garcia-Suarez <rgarciasuarez@mandriva.com> wrote:

perlbug@plan9.de (via RT) wrote:

Perl's ISA cache (used e.g. for method lookups) leaks into and out of Safe
compartments.

One (or several) test cases would be helpful.

I haven't tried to reproduce the bug, but a patch based on this idea
might help :

--- ext/Opcode/Opcode.xs
+++ ext/Opcode/Opcode.xs
@​@​ -314,6 +314,10 @​@​
dummy_hv = save_hash(PL_incgv);
GvHV(PL_incgv) = (HV*)SvREFCNT_inc(GvHV(gv_HVadd(gv_fetchpv("INC",TRUE,SVt_PVHV))));

+ /* Invalidate ISA and method caches */
+ ++PL_sub_generation;
+ hv_clear(PL_stashcache);
+
PUSHMARK(SP);
perl_call_sv(codesv, GIMME|G_EVAL|G_KEEPERR); /* use callers context */
sv_free( (SV *) dummy_hv); /* get rid of what save_hash gave us*/
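
Review bot: The comment above ++PL_sub_generation names what is invalidated but not the cost: per the report this invalidates all isa caches, not only those of classes reachable from the compartment, and it now happens on every call through this path, which the reporter already described as heavy-handed. Worth saying so in the comment; also, the diff touches only ext/Opcode/Opcode.xs, so a regression test covering both the cached and the uncached method-call case should accompany it.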

I applied this modification as change #28797 to bleadperl.

p5pRT commented Sep 7, 2006

@rgs - Status changed from 'open' to 'resolved'
