
Freeing $_ in grep/map causes a double free #5038

Closed
p5pRT opened this issue Feb 13, 2002 · 17 comments

Comments


p5pRT commented Feb 13, 2002

Migrated from rt.perl.org#8527 (status was 'resolved')

Searchable as RT8527$

@p5pRT
Copy link
Author

p5pRT commented Feb 13, 2002

From sfink@digital-integrity.com

Created by steve@fink.com

perl -e 'map{*_=5}1'
Attempt to free unreferenced scalar.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl v5.6.1:

Configured by root at Fri Jan 18 17:19:31 PST 2002.

Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration:
  Platform:
    osname=linux, osvers=2.4.9, archname=i386-linux
    uname='linux foxglove 2.4.9 #4 sat dec 1 17:17:37 pst 2001 i686 unknown '
    config_args='-des -Doptimize=-g -O3 -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dcccdlflags=-fPIC -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Uuselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Di_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Ulocincpth= -Dinc_version_list=5.005 5.005/i386-linux'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=undef usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
  Compiler:
    cc='gcc', ccflags ='-DDEBUGGING -fno-strict-aliasing',
    optimize='-g -O3',
    cppflags='-DDEBUGGING -fno-strict-aliasing'
    ccversion='', gccversion='egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=4
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -ldl -lm -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.1.3.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.6.1:
    /usr/lib/perl5/5.6.1/i386-linux
    /usr/lib/perl5/5.6.1
    /usr/lib/perl5/site_perl/5.6.1/i386-linux
    /usr/lib/perl5/site_perl/5.6.1
    /usr/lib/perl5/site_perl/5.005
    /usr/lib/perl5/site_perl/5.005/i386-linux
    /usr/lib/perl5/site_perl
    .


Environment for perl v5.6.1:
    HOME=/home/sfink
    LANG=en_US
    LANGUAGE (unset)
    LC_ALL=C
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/sfink/down/xref:/bin:/usr/bin:/usr/X11R6/bin:/home/sfink/bin:/usr/local/bin:/usr/local/pilot/bin:/usr/local/samba/bin:/sbin:/usr/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/zsh



p5pRT commented Feb 13, 2002

From @schwern

On Wed, Feb 13, 2002 at 01:25:20PM -0800, sfink@digital-integrity.com wrote:

> This is a bug report for perl from steve@fink.com,
> generated with the help of perlbug 1.33 running under perl v5.6.1.
>
> -----------------------------------------------------------------
> [Please enter your report here]
>
> perl -e 'map{*_=5}1'
> Attempt to free unreferenced scalar.
>
> [Please do not change anything below this line]
> -----------------------------------------------------------------

$ perl5.6.1 -e 'map{*_=5}1'
Attempt to free unreferenced scalar.
$ bleadperl -e 'map{*_=5}1'
Segmentation fault

(gdb) set args -e 'map{*_=5}1'
(gdb) run
Starting program: /usr/local/bin/bleadperl -e 'map{*_=5}1'

Program received signal SIGSEGV, Segmentation fault.
0x10093a64 in Perl_mg_free (sv=0x1019e91c) at mg.c:354
354 if (vtbl && vtbl->svt_free)
(gdb) bt
#0 0x10093a64 in Perl_mg_free (sv=0x1019e91c) at mg.c:354
#1 0x100c3c88 in Perl_sv_clear (sv=0x1019e91c) at sv.c:4953
#2 0x100c4464 in Perl_sv_free (sv=0x1019e91c) at sv.c:5156
#3 0x100ee1b0 in Perl_free_tmps () at scope.c:174
#4 0x10018964 in perl_run (my_perl=0x1019e008) at perl.c:1528
#5 0x10014100 in main (argc=3, argv=0x7ffffb44, env=0x7ffffb54)
  at perlmain.c:85
#6 0x0fdd9d30 in __libc_start_main () from /lib/libc.so.6

--

Michael G. Schwern <schwern@pobox.com> http://www.pobox.com/~schwern/
Perl Quality Assurance <perl-qa@perl.org> Kwalitee Is Job One
I have this god-awful need to acquire useless crap!!!


p5pRT commented Feb 14, 2002

From Benjamin Goldberg [shown as Unknown Contact in the migrated ticket. See original ticket]

sfink@digital-integrity.com wrote:

> This is a bug report for perl from steve@fink.com,
> generated with the help of perlbug 1.33 running under perl v5.6.1.
>
> -----------------------------------------------------------------
> [Please enter your report here]
>
> perl -e 'map{*_=5}1'
> Attempt to free unreferenced scalar.

Hmm, doing some random typing on my own perl, I see this problem occurs
with other things than a bare 5 (which is interpreted as a symbolic
reference, IIUC):
  map { *_ = \$5 } 1;
  map { *_ = \$+ } 1;
  map { *_ = \$! } 1;
  map { *_ = \$. } 1;
  map { *_ = \$# } 1;
  my $x; map { *_ = \$x } 1;
  map { *_ = \$_ } 1;
I would even suggest that it occurs with a reference to any scalar.

How poorly do these others behave on bleadperl?

PS: Here's another bug:
[Windows 95] C:\WINDOWS>perl -Mstrict=refs -e"*foo='bar';print \$foo,\$bar"
SCALAR(0x17757c8)SCALAR(0x17757c8)

Why doesn't strict refs prevent the assignment of the string to the glob?

--
From the libwww-perl changelog, describing an error fixed in 5.41:
o The local/http.t test actually did try to unlink("."). This was
  very confusing on systems where it succeeded.


p5pRT commented Feb 21, 2002

From @nwc10

On Thu, Feb 14, 2002 at 03:52:59AM -0500, Benjamin Goldberg wrote:

> sfink@digital-integrity.com wrote:
>
> > perl -e 'map{*_=5}1'
> > Attempt to free unreferenced scalar.

Also on bleadperl

> Hmm, doing some random typing on my own perl, I see this problem occurs
> with other things than a bare 5 (which is interpreted as a symbolic
> reference, IIUC):
> map { *_ = \$5 } 1;
> map { *_ = \$+ } 1;
> map { *_ = \$! } 1;
> map { *_ = \$. } 1;
> map { *_ = \$# } 1;
> my $x; map { *_ = \$x } 1;
> map { *_ = \$_ } 1;
> I would even suggest that it occurs with a reference to any scalar.
>
> How poorly do these others behave on bleadperl?

All "Attempt to free unreferenced scalar." except the last, which is silent.
This is on 14766.

I think you're right about it occurring with a reference to any scalar:

nick@Bagpuss [14766]$ ./perl
map { *_ = \$a } 1
Attempt to free unreferenced scalar.

I don't know where to look for a solution to this bug.

Nicholas Clark
--
EMCFT http://www.ccl4.org/~nick/CV.html


p5pRT commented Feb 21, 2002

From @jhi

On Thu, Feb 21, 2002 at 06:26:12PM +0000, Nicholas Clark wrote:

> On Thu, Feb 14, 2002 at 03:52:59AM -0500, Benjamin Goldberg wrote:
>
> > sfink@digital-integrity.com wrote:
> >
> > > perl -e 'map{*_=5}1'
> > > Attempt to free unreferenced scalar.
>
> Also on bleadperl

Third Degree shows (as of 14815):

scope.c: 789: writing invalid heap at byte 0 of 88-byte block
  Perl_leave_scope libperl.so, scope.c, line 789
  Perl_pop_scope libperl.so, scope.c, line 129
  Perl_pp_mapwhile libperl.so, pp_ctl.c, line 849
  Perl_runops_debug libperl.so, dump.c, line 1392
  S_run_body libperl.so, perl.c, line 1601
  perl_run libperl.so, perl.c, line 1522
  main perl, perlmain.c, line 85
  __start perl

This block at address 0x140014210 was allocated at:
  malloc libc.so
  Perl_safemalloc libperl.so, util.c, line 78
  Perl_gv_init libperl.so, gv.c, line 111
  Perl_gv_fetchpv libperl.so, gv.c, line 746
  S_init_main_stash libperl.so, perl.c, line 2656
  S_parse_body libperl.so, perl.c, line 1040
  perl_parse libperl.so, perl.c, line 984
  main perl, perlmain.c, line 83
  __start perl

This block was freed at:
  free libc.so
  Perl_safefree libperl.so, util.c, line 151
  Perl_gp_free libperl.so, gv.c, line 1200
  Perl_magic_setglob libperl.so, mg.c, line 1560
  Perl_mg_set libperl.so, mg.c, line 180
  Perl_pp_sassign libperl.so, pp_hot.c, line 115
  Perl_runops_debug libperl.so, dump.c, line 1392
  S_run_body libperl.so, perl.c, line 1601
  perl_run libperl.so, perl.c, line 1522
  main perl, perlmain.c, line 85
  __start perl

--
$jhi++; # http://www.iki.fi/jhi/
  # There is this special biologist word we use for 'stable'.
  # It is 'dead'. -- Jack Cohen


p5pRT commented May 10, 2010

From @chorny

Same result on 5.12.0.

On Wed Feb 13 05:25:44 2002, sfink@digital-integrity.com wrote:

> perl -e 'map{*_=5}1'
> Attempt to free unreferenced scalar.

See discussion at http://rt.perl.org/rt3/Ticket/Display.html?id=8527

--
Alexandr Ciornii, http://chorny.net


p5pRT commented Oct 10, 2010

From @cpansprout

On Wed Feb 13 05:25:44 2002, sfink@digital-integrity.com wrote:

> perl -e 'map{*_=5}1'
> Attempt to free unreferenced scalar.

Is this the result of the stack’s not being reference-counted?


p5pRT commented Oct 11, 2010

From @ikegami

On Sun Oct 10 16:51:32 2010, sprout wrote:

> On Wed Feb 13 05:25:44 2002, sfink@digital-integrity.com wrote:
>
> > perl -e 'map{*_=5}1'
> > Attempt to free unreferenced scalar.
>
> Is this the result of the stack’s not being reference-counted?

I think so. I've added a dependency to the meta ticket just in case.


p5pRT commented Jun 5, 2011

From @cpansprout

$ perl5.14.0 -e 'grep { undef *_ } 1'
Attempt to free unreferenced scalar: SV 0x826440, Perl interpreter: 0x800000.

The same applies to map, but it’s the same code.

Can we change the definition of SAVE_DEFSV?


Flags:
    category=core
    severity=low
    ack=no


Site configuration information for perl 5.14.0:

Configured by sprout at Wed May 11 13:45:58 PDT 2011.

Summary of my perl5 (revision 5 version 14 subversion 0) configuration:
  Snapshot of: eb70bb4
  Platform:
    osname=darwin, osvers=10.5.0, archname=darwin-thread-multi-2level
    uname='darwin pint.local 10.5.0 darwin kernel version 10.5.0: fri nov 5 23:20:39 pdt 2010; root:xnu-1504.9.17~1release_i386 i386 '
    config_args='-Dusedevel -de -Duseithreads -Doptimize=-g'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-common -DPERL_DARWIN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-g',
    cppflags='-fno-common -DPERL_DARWIN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 (Apple Inc. build 5664)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='env MACOSX_DEPLOYMENT_TARGET=10.3 cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib
    libs=-ldbm -ldl -lm -lutil -lc
    perllibs=-ldl -lm -lutil -lc
    libc=/usr/lib/libc.dylib, so=dylib, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags=' -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

Locally applied patches:
    RC3


@INC for perl 5.14.0:
    /usr/local/lib/perl5/site_perl/5.14.0/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.14.0
    /usr/local/lib/perl5/5.14.0/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.14.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl 5.14.0:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/sprout
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/usr/local/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Jan 9, 2012

From @cpansprout

Fixed by 55b5114.


p5pRT commented Jan 9, 2012

@cpansprout - Status changed from 'new' to 'resolved'


p5pRT commented Jan 10, 2012

From @cpansprout

On Sun Oct 10 17:59:54 2010, ikegami@adaelis.com wrote:

> On Sun Oct 10 16:51:32 2010, sprout wrote:
>
> > On Wed Feb 13 05:25:44 2002, sfink@digital-integrity.com wrote:
> >
> > > perl -e 'map{*_=5}1'
> > > Attempt to free unreferenced scalar.
> >
> > Is this the result of the stack’s not being reference-counted?
>
> I think so. I've added a dependency to the meta ticket just in case.

Actually, it’s not. It’s the result of the broken SAVE_DEFSV
implementation which I fixed in commit 55b5114.

It turns out that #92254 (which I reported after searching the perl
source for SAVE_DEFSV) is a duplicate of this bug.

--

Father Chrysostomos


p5pRT commented Jan 10, 2012

@cpansprout - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Jan 10, 2012

p5pRT commented Jan 10, 2012

From @cpansprout

On Tue Jan 10 12:26:11 2012, sprout wrote:

> On Sun Oct 10 17:59:54 2010, ikegami@adaelis.com wrote:
>
> > On Sun Oct 10 16:51:32 2010, sprout wrote:
> >
> > > On Wed Feb 13 05:25:44 2002, sfink@digital-integrity.com wrote:
> > >
> > > > perl -e 'map{*_=5}1'
> > > > Attempt to free unreferenced scalar.
> > >
> > > Is this the result of the stack’s not being reference-counted?
> >
> > I think so. I've added a dependency to the meta ticket just in case.
>
> Actually, it’s not. It’s the result of the broken SAVE_DEFSV
> implementation which I fixed in commit 55b5114.
>
> It turns out that #92254 (which I reported after searching the perl
> source for SAVE_DEFSV) is a duplicate of this bug.

Clarification: SAVE_DEFSV was causing *_{SCALAR} not to be
reference-counted, and operators like undef were not aware of that.

--

Father Chrysostomos
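
As an added illustration of the mechanism described in the clarification above (a C model constructed for this page, not perl's source), the glob slot *_{SCALAR} and the save stack are reduced to two pointers: the buggy variant leaves a pointer in the slot that the slot does not own, `undef *_` assumes it does and releases it, and program teardown releases the same scalar again, while the fixed variant gives the slot its own reference. Every function and variable name here is the model's own, not an identifier from perl.

```c
/* Constructed model of the SAVE_DEFSV bug, not perl's source: the glob slot
 * *_{SCALAR} and the save stack are two pointers, and the buggy and fixed
 * variants differ only in whether the slot owns a reference to its scalar. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int refcnt; int freed; } SV;

static int double_frees;   /* where perl warns "Attempt to free unreferenced scalar" */

static SV *sv_new(void) { SV *sv = calloc(1, sizeof *sv); sv->refcnt = 1; return sv; }

static void sv_refcnt_dec(SV *sv) {
    if (!sv) return;
    if (sv->freed) { double_frees++; return; }   /* second free of the same SV */
    if (--sv->refcnt == 0) sv->freed = 1;        /* stands in for free() */
}

static SV *defsv_slot;    /* *_{SCALAR}: the scalar $_ currently refers to */
static SV *saved_defsv;   /* the entry SAVE_DEFSV pushed on the save stack */
/* `undef *_` as the operator sees it: the glob owns its scalar, so drop it. */
static void pp_undef_glob(void) { sv_refcnt_dec(defsv_slot); defsv_slot = NULL; }

/* One grep/map iteration with `undef *_` as the body.  refcounted=0 models the
 * old SAVE_DEFSV (a bare pointer in the slot), refcounted=1 the fixed one.
 * Returns how many already-freed scalars were freed again. */
static int run_grep_iteration(int refcounted) {
    SV *orig = sv_new();   /* the $_ that exists before grep runs */
    SV *item = sv_new();   /* the list item; the op tree owns this reference */
    double_frees = 0;
    defsv_slot = orig;
    saved_defsv = defsv_slot;                   /* SAVE_DEFSV: remember old $_ */
    if (refcounted) item->refcnt++;             /* fix: slot owns its own reference */
    defsv_slot = item;                          /* alias $_ to the item */
    pp_undef_glob();                            /* body frees whatever the slot holds */
    if (refcounted) sv_refcnt_dec(defsv_slot);  /* leave_scope drops the slot's ref */
    defsv_slot = saved_defsv;                   /* and restores the old $_ */
    sv_refcnt_dec(item);                        /* teardown: op tree frees its item */
    sv_refcnt_dec(orig);                        /* and the original $_ */
    free(item); free(orig);
    return double_frees;                        /* 1 with the bug, 0 with the fix */
}

int main(void) {
    printf("old SAVE_DEFSV: %d double free(s), fixed: %d\n",
           run_grep_iteration(0), run_grep_iteration(1));
    return 0;
}
```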
