
Perl 5.10 memory corruption #9345

Closed
p5pRT opened this issue May 24, 2008 · 9 comments

Comments

@p5pRT

p5pRT commented May 24, 2008

Migrated from rt.perl.org#54758 (status was 'resolved')

Searchable as RT54758$

@p5pRT

p5pRT commented May 24, 2008

From greerga@m-l.org

Created by greerga@m-l.org

Running the following program produces memory corruption in Perl
5.10.0:

  - - - 8< - - - 8< - - -
  #!/usr/bin/perl
  print "1..1\n";
  push @x, 0 for 1 .. 1024; $#x; @x = sort @x;
  print "ok 1\n";
  - - - 8< - - - 8< - - -

Sample of some other interesting values:
(Note that some values crash after it has printed "ok" already, which is why I used a "large" number.)
127 - works
128 - *** glibc detected *** /usr/bin/perl: free(): invalid pointer: 0x099db760 ***
256 - panic: bad free at ./BUG line 4.
1024 - see below

- - - 8< - - - 8< - - -
$ ./BUG
1..1
*** glibc detected *** /usr/bin/perl: malloc(): memory corruption: 0x08912e7c ***
======= Backtrace: =========
/lib/libc.so.6[0x6f5506]
/lib/libc.so.6(__libc_malloc+0x95)[0x6f6c55]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(Perl_safesysmalloc+0x43)[0x923063]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(Perl_sv_grow+0x1c0)[0x982ed0]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(Perl_sv_2pv_flags+0x7c3)[0x9745a3]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(Perl_pp_sort+0x4ae)[0xa5379e]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(Perl_runops_debug+0x153)[0x9180b3]
/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so(perl_run+0x4b9)[0x950fe9]
/usr/bin/perl(main+0x116)[0x8048a66]
/lib/libc.so.6(__libc_start_main+0xe6)[0x69b5d6]
/usr/bin/perl[0x80488b1]
======= Memory map: ========
00110000-00111000 r-xp 00110000 00:00 0 [vdso]
00665000-00681000 r-xp 00000000 fd:00 4784130 /lib/ld-2.8.so
00681000-00682000 r-xp 0001c000 fd:00 4784130 /lib/ld-2.8.so
00682000-00683000 rwxp 0001d000 fd:00 4784130 /lib/ld-2.8.so
00685000-007e8000 r-xp 00000000 fd:00 4784160 /lib/libc-2.8.so
007e8000-007ea000 r-xp 00163000 fd:00 4784160 /lib/libc-2.8.so
007ea000-007eb000 rwxp 00165000 fd:00 4784160 /lib/libc-2.8.so
007eb000-007ee000 rwxp 007eb000 00:00 0
007f0000-007f3000 r-xp 00000000 fd:00 4784213 /lib/libdl-2.8.so
007f3000-007f4000 r-xp 00002000 fd:00 4784213 /lib/libdl-2.8.so
007f4000-007f5000 rwxp 00003000 fd:00 4784213 /lib/libdl-2.8.so
007f7000-0081e000 r-xp 00000000 fd:00 4784235 /lib/libm-2.8.so
0081e000-0081f000 r-xp 00026000 fd:00 4784235 /lib/libm-2.8.so
0081f000-00820000 rwxp 00027000 fd:00 4784235 /lib/libm-2.8.so
00822000-00837000 r-xp 00000000 fd:00 4784214 /lib/libpthread-2.8.so
00837000-00838000 r-xp 00014000 fd:00 4784214 /lib/libpthread-2.8.so
00838000-00839000 rwxp 00015000 fd:00 4784214 /lib/libpthread-2.8.so
00839000-0083b000 rwxp 00839000 00:00 0
00879000-00ae3000 r-xp 00000000 fd:00 5933879 /usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so
00ae3000-00ae8000 rwxp 0026a000 fd:00 5933879 /usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE/libperl.so
00c2d000-00c3a000 r-xp 00000000 fd:00 4785093 /lib/libgcc_s-4.3.0-20080428.so.1
00c3a000-00c3b000 rwxp 0000c000 fd:00 4785093 /lib/libgcc_s-4.3.0-20080428.so.1
00d21000-00d32000 r-xp 00000000 fd:00 4784242 /lib/libresolv-2.8.so
00d32000-00d33000 r-xp 00010000 fd:00 4784242 /lib/libresolv-2.8.so
00d33000-00d34000 rwxp 00011000 fd:00 4784242 /lib/libresolv-2.8.so
00d34000-00d36000 rwxp 00d34000 00:00 0
00df9000-00dfb000 r-xp 00000000 fd:00 4784232 /lib/libutil-2.8.so
00dfb000-00dfc000 r-xp 00001000 fd:00 4784232 /lib/libutil-2.8.so
00dfc000-00dfd000 rwxp 00002000 fd:00 4784232 /lib/libutil-2.8.so
05546000-0555c000 r-xp 00000000 fd:00 4784250 /lib/libnsl-2.8.so
0555c000-0555d000 r-xp 00015000 fd:00 4784250 /lib/libnsl-2.8.so
0555d000-0555e000 rwxp 00016000 fd:00 4784250 /lib/libnsl-2.8.so
0555e000-05560000 rwxp 0555e000 00:00 0
06259000-06262000 r-xp 00000000 fd:00 4784251 /lib/libcrypt-2.8.so
06262000-06263000 r-xp 00009000 fd:00 4784251 /lib/libcrypt-2.8.so
06263000-06264000 rwxp 0000a000 fd:00 4784251 /lib/libcrypt-2.8.so
06264000-0628b000 rwxp 06264000 00:00 0
08048000-08049000 r-xp 00000000 fd:00 2851509 /usr/bin/perl
08049000-0804b000 rw-p 00000000 fd:00 2851509 /usr/bin/perl
088f4000-08936000 rw-p 088f4000 00:00 0
b7c00000-b7c21000 rw-p b7c00000 00:00 0
b7c21000-b7d00000 ---p b7c21000 00:00 0
b7d34000-b7f34000 r--p 00000000 fd:00 2873740 /usr/lib/locale/locale-archive
b7f34000-b7f36000 rw-p b7f34000 00:00 0
b7f57000-b7f58000 rw-p b7f57000 00:00 0
bffda000-bffef000 rw-p bffea000 00:00 0 [stack]
Aborted

Affected:
  Fedora 9: perl-5.10.0-20.fc9.i386 (used for above report)
  ActiveState Perl 5.10 under Windows XP (original discovery)
  Cygwin 5.10

Perl Info

Flags:
    category=core
    severity=high

This perlbug was built using Perl 5.10.0 in the Fedora build system.
It is being executed now by Perl 5.10.0 - Tue Mar 18 15:46:25 EDT 2008.

Site configuration information for perl 5.10.0:

Configured by Red Hat, Inc. at Tue Mar 18 15:46:25 EDT 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.6.18-53.1.6.el5xen, archname=i386-linux-thread-multi
    uname='linux xenbuilder2.fedora.redhat.com 2.6.18-53.1.6.el5xen #1 smp wed jan 16 04:10:44 est 2008 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -Dversion=5.10.0 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='4.3.0 20080314 (Red Hat 4.3.0-3)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.7.90.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.7.90'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -L/usr/local/lib'

Locally applied patches:
    


@INC for perl 5.10.0:
    /usr/lib/perl5/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/5.10.0
    /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.10.0
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl/5.8.7
    /usr/lib/perl5/site_perl/5.8.6
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.10.0
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.6
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl
    .


Environment for perl 5.10.0:
    HOME=/home/greerga
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_COLLATE=C
    LC_TIME=C
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=~/bin:/usr/local/bin:/usr/local/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/X11R6/bin:/usr/local/games:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash

@p5pRT

p5pRT commented May 25, 2008

From @jdhedden

# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=54758 >

> Running the following program produces memory corruption in Perl
> 5.10.0:
>
>   - - - 8< - - - 8< - - -
>   #!/usr/bin/perl
>   print "1..1\n";
>   push @x, 0 for 1 .. 1024; $#x; @x = sort @x;
>   print "ok 1\n";
>   - - - 8< - - - 8< - - -

Yuck. I added use strict/warnings, and tried this with 5.11.0 @ 33916:

Useless use of array length in void context at bug.pl line 7.
1..1
ok 1
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: leave_scope inconsistency.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
panic: corrupt saved stack index.
... and more of the same.

@p5pRT

p5pRT commented May 25, 2008

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented May 26, 2008

From @rgs

2008/5/24 via RT greerga @ m-l. org <perlbug-followup@perl.org>:

> Running the following program produces memory corruption in Perl
> 5.10.0:
>
>   - - - 8< - - - 8< - - -
>   #!/usr/bin/perl
>   print "1..1\n";
>   push @x, 0 for 1 .. 1024; $#x; @x = sort @x;
>   print "ok 1\n";
>   - - - 8< - - - 8< - - -

Probably a bug in the in-place sort optimisation code. It's quite hard
to track, because it apparently depends on the array having some
magic, and the memory is all scribbled around...

I see that C<@x = (0) x 1024> doesn't cause the bug, because the array
has more internal room to expand there.

It would maybe be helpful to have a binary search for the patch...

@p5pRT

p5pRT commented May 26, 2008

From @moritz

Rafael Garcia-Suarez wrote:

> 2008/5/24 via RT greerga @ m-l. org <perlbug-followup@perl.org>:
>
>> Running the following program produces memory corruption in Perl
>> 5.10.0:
>>
>>   - - - 8< - - - 8< - - -
>>   #!/usr/bin/perl
>>   print "1..1\n";
>>   push @x, 0 for 1 .. 1024; $#x; @x = sort @x;
>>   print "ok 1\n";
>>   - - - 8< - - - 8< - - -
>
> Probably a bug in the in-place sort optimisation code. It's quite hard
> to track, because it apparently depends on the array having some
> magic, and the memory is all scribbled around...
>
> I see that C<@x = (0) x 1024> doesn't cause the bug, because the array
> has more internal room to expand there.
>
> It would maybe be helpful to have a binary search for the patch...

d29831c62746f36a2610ac8c3aa68b21181486bb is first bad commit
commit d29831c62746f36a2610ac8c3aa68b21181486bb
Author: Nicholas Clark <nick@ccl4.org>
Date: Thu Jun 9 21:01:42 2005 +0000

  $r = do {my @a; \$#a}; $$r = 503 # is also naughty and now warns

  p4raw-id: //depot/perl@24784

:100644 100644 e5cbe2f4834901b0715cd6ad5aeb31a6e156a736 70ed1867f005e04dbb1799060ed24d059b8718a8 M av.c
:040000 040000 05fab1423b66d697bdfed7d9e21906673cbf7ea3 4c53de2b17ca71acadcfb59226f46f74dff26eb5 M pod
:040000 040000 de629b77948c9f8700d603470cd89676ead1ccf8 665b946e44be811e4c833078582a750c08147e45 M t

This is my first bisect, so I'm not 100% sure I did it right.

HTH anyway,
Moritz

@p5pRT

p5pRT commented May 26, 2008

From @rgs

2008/5/26 Moritz Lenz <moritz@casella.verplant.org>:

>> It would maybe be helpful to have a binary search for the patch...
>
> d29831c62746f36a2610ac8c3aa68b21181486bb is first bad commit
> commit d29831c62746f36a2610ac8c3aa68b21181486bb
> Author: Nicholas Clark <nick@ccl4.org>
> Date: Thu Jun 9 21:01:42 2005 +0000
>
> $r = do {my @a; \$#a}; $$r = 503 # is also naughty and now warns
>
> p4raw-id: //depot/perl@24784

Well, that doesn't mut the custard for me. In other words, if I revert
that patch, the test still segfaults.

@p5pRT

p5pRT commented May 27, 2008

From @iabyn

On Mon, May 26, 2008 at 12:27:22PM +0200, Rafael Garcia-Suarez wrote:

> 2008/5/26 Moritz Lenz <moritz@casella.verplant.org>:
>
>>> It would maybe be helpful to have a binary search for the patch...
>>
>> d29831c62746f36a2610ac8c3aa68b21181486bb is first bad commit
>> commit d29831c62746f36a2610ac8c3aa68b21181486bb
>> Author: Nicholas Clark <nick@ccl4.org>
>> Date: Thu Jun 9 21:01:42 2005 +0000
>>
>> $r = do {my @a; \$#a}; $$r = 503 # is also naughty and now warns
>>
>> p4raw-id: //depot/perl@24784
>
> Well, that doesn't mut the custard for me. In other words, if I revert
> that patch, the test still segfaults.

Hopefully fixed now:

Change 33937 by davem@davem-pigeon on 2008/05/27 00:12:52

  [perl #54758] Perl 5.10 memory corruption
  When @a = sort @a is pessimised if @a has magic,
  growing the stack requires various pointers to be reset in case
  the stack gets reallocated.

Affected files ...

... //depot/perl/pp_sort.c#79 edit

Differences ...

==== //depot/perl/pp_sort.c#79 (text) ====

@​@​ -1557,11 +1557,12 @​@​
  max = AvFILL(av) + 1;
  if (SvMAGICAL(av)) {
  MEXTEND(SP, max);
- p2 = SP;
  for (i=0; i < max; i++) {
  SV **svp = av_fetch(av, i, FALSE);
  *SP++ = (svp) ? *svp : NULL;
  }
+ SP--;
+ p1 = p2 = SP - (max-1);
  }
  else {
  if (SvREADONLY(av))
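Review bot: in the SvMAGICAL branch, computing `p1 = p2 = SP - (max-1);` after the copy loop instead of saving `p2 = SP;` before it is the right fix, because `av_fetch` on a magical AV runs FETCH code that can move the stack and leave an earlier-saved pointer dangling; a one-line comment above `SP--;` saying so would stop a later cleanup from hoisting the assignment back out of the loop. One case to cover in a test: with `max == 0` the loop body never runs but `SP--` still executes, so the expression yields `SP + 1`, i.e. the pre-decrement position; an empty tied array in the regression test would confirm that this is the intended no-element state.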
@​@​ -1717,7 +1718,7 @​@​
  SvREADONLY_off(av);
  else if (av && !sorting_av) {
  /* simulate pp_aassign of tied AV */
- SV** const base = ORIGMARK+1;
+ SV** const base = MARK+1;
  for (i=0; i < max; i++) {
  base[i] = newSVsv(base[i]);
  }
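Review bot: the change lists only pp_sort.c under "Affected files", with no test, although the report supplies a reduced case (push 1024 zeros, evaluate `$#x`, then `@x = sort @x`) that fails from 128 elements upward; adding it to the existing sort tests under t/ with the sizes 127, 128, 256 and 1024 from the report would pin the fix. In the hunk itself, `base = MARK+1` makes the `base[i] = newSVsv(base[i])` loop depend on MARK still delimiting the `max` elements copied in the magical branch, so a short comment tying `base` to that earlier `p1 = p2 = SP - (max-1)` setup would make the invariant visible to the next reader.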

--
print+qq&$}$"$/$s$,$a$d$g$s$@$.$q$,$:$.$q$^$,$@$a$$;$.$q$m&if+map{m,^\d{0\,},,${$::{$'}}=chr($"+=$&||1)}q&10m22,42}6:17a22.3@3;^2dg3q/s"&=~m*\d\*.*g
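The commit message above says the fix is to reset pointers because the stack may be reallocated while the magical array is copied, and Rafael's earlier comment notes that the bug depends on the array having magic. The C program below is an added example written for this page, not perl's own code: it models a small growable value stack, a FETCH-style callback that uses that same stack, and the two patterns visible in the first hunk, the `p2 = SP` saved before the copy loop (pre-fix) and the `p1 = p2 = SP - (max-1)` derived after it (post-fix). Every identifier in it (`vstack`, `vs_push`, `fetch_cb`, `fill_with_saved_pointer`, `fill_then_recompute`) is this example's own, and the stack stores plain `long` values rather than SV pointers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy value stack (example's own type). sp counts items, i.e. points one
 * past the last item; perl's SP points at the last item, but the pattern
 * is the same. */
typedef struct {
    long  *base;
    size_t sp;
    size_t cap;
} vstack;

static int vs_init(vstack *st, size_t cap) {
    st->base = malloc(cap * sizeof *st->base);
    st->sp = 0;
    st->cap = cap;
    return st->base != NULL;
}

static void vs_free(vstack *st) {
    free(st->base);
    st->base = NULL;
    st->sp = st->cap = 0;
}

/* Make room for `need` more items (the MEXTEND step). The new block is
 * allocated while the old one is still live, so the address always changes
 * on growth; realloc() might or might not move it, which would make the
 * staleness check below nondeterministic. */
static int vs_extend(vstack *st, size_t need) {
    if (st->sp + need <= st->cap) return 1;
    size_t ncap = st->cap ? st->cap : 1;
    while (st->sp + need > ncap) ncap *= 2;
    long *nb = malloc(ncap * sizeof *nb);
    if (!nb) return 0;
    memcpy(nb, st->base, st->sp * sizeof *nb);
    free(st->base);
    st->base = nb;
    st->cap = ncap;
    return 1;
}

static int vs_push(vstack *st, long v) {
    if (!vs_extend(st, 1)) return 0;
    st->base[st->sp++] = v;
    return 1;
}

/* Stand-in for av_fetch() on a magical array: the FETCH code runs on the
 * same stack and here pushes `scratch` temporaries before popping them,
 * which can grow the stack even though the caller already reserved room
 * for its own `max` pushes. Returns element i's value (constructed: i). */
static long fetch_cb(vstack *st, size_t i, size_t scratch) {
    size_t before = st->sp;
    for (size_t k = 0; k < scratch; k++) vs_push(st, (long)k);
    st->sp = before;
    return (long)i;
}

/* Pre-fix pattern: reserve, remember p2 = SP, then copy the elements.
 * Returns 1 if p2 still addresses the first copied element afterwards,
 * 0 if the stack moved underneath it (p2 now dangles), -1 on OOM. */
int fill_with_saved_pointer(size_t max, size_t scratch) {
    vstack st;
    if (!vs_init(&st, 4)) return -1;
    if (!vs_extend(&st, max)) { vs_free(&st); return -1; }
    uintptr_t p2 = (uintptr_t)(st.base + st.sp);          /* saved too early */
    for (size_t i = 0; i < max; i++)
        vs_push(&st, fetch_cb(&st, i, scratch));
    uintptr_t first = (uintptr_t)(st.base + st.sp - max); /* where it really is */
    vs_free(&st);
    return p2 == first;
}

/* Post-fix pattern: copy first, then derive p1/p2 from the final SP (the
 * hunk's `p1 = p2 = SP - (max-1)`). Returns the sum of the max copied
 * elements read through that pointer, 0+1+...+(max-1), whatever moved. */
long fill_then_recompute(size_t max, size_t scratch) {
    vstack st;
    if (!vs_init(&st, 4)) return -1;
    if (!vs_extend(&st, max)) { vs_free(&st); return -1; }
    for (size_t i = 0; i < max; i++)
        vs_push(&st, fetch_cb(&st, i, scratch));
    long *p1 = st.base + st.sp - max;
    long sum = 0;
    for (size_t i = 0; i < max; i++) sum += p1[i];
    vs_free(&st);
    return sum;
}

int main(void) {
    printf("saved p2, FETCH leaves stack alone: %s\n",
           fill_with_saved_pointer(8, 0) == 1 ? "still valid" : "stale");
    printf("saved p2, FETCH grows the stack   : %s\n",
           fill_with_saved_pointer(8, 64) == 1 ? "still valid" : "stale");
    printf("recomputed after loop, same case  : sum=%ld\n",
           fill_then_recompute(8, 64));
    return 0;
}
```

The first call reports the saved pointer still valid because the callback never touched the stack, which is why plain arrays, and `@x = (0) x 1024` with its spare room, never showed the problem; the second reports it stale once the callback forces a reallocation; the third reads the right elements in that same situation because the pointer is derived after the loop. Running the pre-fix variant under AddressSanitizer with an actual dereference of `p2` would report a heap-use-after-free, the same class of error behind the glibc "invalid pointer" and "memory corruption" aborts in the report.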

@p5pRT

p5pRT commented May 30, 2008

From @greerga

I can confirm that Dave's patch fixes the original script that was
failing, as well as the reduced test case.

-George

@p5pRT

p5pRT commented May 30, 2008

@doughera88 - Status changed from 'open' to 'resolved'
