
bless() invoked in AUTOLOAD causes SEGV #11493

Open
p5pRT opened this issue Jul 11, 2011 · 7 comments

Comments


p5pRT commented Jul 11, 2011

Migrated from rt.perl.org#94510 (status was 'open')

Searchable as RT94510$


p5pRT commented Jul 11, 2011

From @stsc

Created by @stsc

[guest@testing ~]$ ./perl-7b70e81 -e 'AUTOLOAD { bless {} }; __PACKAGE__->method'
Segmentation fault

Reproducible with 5.004_05, 5.005_04, 5.6.2, 5.8.9, 5.10.0, 5.10.1,
5.12.2, 5.12.3, 5.14.0 and blead.

Attached the output of valgrind and gdb.

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.15.0:

Configured by guest at Mon Jul 11 09:36:23 CEST 2011.

Summary of my perl5 (revision 5 version 15 subversion 0) configuration:
  Snapshot of: 7b70e8177801df4e142684870ce037d584f72e7b
  Platform:
    osname=linux, osvers=2.6.32-5-openvz-686, archname=i686-linux-thread-multi
    uname='linux testing 2.6.32-5-openvz-686 #1 smp tue mar 8 23:30:33 utc 2011 i686 gnulinux '
    config_args='-des -Dusedevel -Dusethreads -Doptimize=-g3 -Dprefix=/home/guest/perl/perl-7b70e81'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g3',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/../lib /usr/lib/../lib /lib /usr/lib
    libs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.11.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.11.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g3 -L/usr/local/lib -fstack-protector'

Locally applied patches:
    


@INC for perl 5.15.0:
    /home/guest/perl/perl-7b70e81/lib/site_perl/5.15.0/i686-linux-thread-multi
    /home/guest/perl/perl-7b70e81/lib/site_perl/5.15.0
    /home/guest/perl/perl-7b70e81/lib/5.15.0/i686-linux-thread-multi
    /home/guest/perl/perl-7b70e81/lib/5.15.0
    .


Environment for perl 5.15.0:
    HOME=/home/guest
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Jul 11, 2011

From @stsc

==4158== Memcheck, a memory error detector
==4158== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==4158== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==4158== Command: ./perl-7b70e81 -e AUTOLOAD\ {\ bless\ {}\ };\ __PACKAGE__-\>method
==4158==
--4158-- Valgrind options:
--4158-- --suppressions=/usr/lib/valgrind/debian-libc6-dbg.supp
--4158-- -v
--4158-- Contents of /proc/version:
--4158-- Linux version 2.6.32-5-openvz-686 (Debian 2.6.32-31) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue Mar 8 23:30:33 UTC 2011 i686 gnulinux
--4158-- Arch and hwcaps: X86, x86-sse1-sse2
--4158-- Page sizes: currently 4096, max supported 4096
--4158-- Valgrind library directory: /usr/lib/valgrind
==4158== Stack overflow in thread 1: can't grow stack to 0xbe23afa8
==4158==
==4158== Process terminating with default action of signal 11 (SIGSEGV)
==4158== Access not within mapped region at address 0xBE23AFA8
==4158== at 0x80F4922: Perl_hv_common (hv.c:397)
==4158== If you believe this happened as a result of a stack
==4158== overflow in your program's main thread (unlikely but
==4158== possible), you can try to increase the size of the
==4158== main thread stack using the --main-stacksize= flag.
==4158== The main thread stack size used in this run was 8388608.
==4158== Stack overflow in thread 1: can't grow stack to 0xbe23af9c
==4158==
==4158== Process terminating with default action of signal 11 (SIGSEGV)
==4158== Access not within mapped region at address 0xBE23AF9C
==4158== at 0x401F4BD: _vgnU_freeres (vg_preloaded.c:58)
==4158== If you believe this happened as a result of a stack
==4158== overflow in your program's main thread (unlikely but
==4158== possible), you can try to increase the size of the
==4158== main thread stack using the --main-stacksize= flag.
==4158== The main thread stack size used in this run was 8388608.
==4158==
==4158== HEAP SUMMARY:
==4158== in use at exit: 26,421,685 bytes in 35,817 blocks
==4158== total heap usage: 35,910 allocs, 93 frees, 27,153,473 bytes allocated
==4158==
==4158== Searching for pointers to 35,817 not-freed blocks
==4158== Checked 28,495,944 bytes
==4158==
==4158== LEAK SUMMARY:
==4158== definitely lost: 0 bytes in 0 blocks
==4158== indirectly lost: 0 bytes in 0 blocks
==4158== possibly lost: 2,298,559 bytes in 12,332 blocks
==4158== still reachable: 24,123,126 bytes in 23,485 blocks
==4158== suppressed: 0 bytes in 0 blocks
==4158== Rerun with --leak-check=full to see details of leaked memory
==4158==
==4158== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 24 from 7)
--4158--
--4158-- used_suppression: 24 dl-hack3-cond-1
==4158==
==4158== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 24 from 7)


p5pRT commented Jul 11, 2011

From @stsc

GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/guest/perl-7b70e81...done.
(gdb) run
Starting program: /home/guest/perl-7b70e81 -e AUTOLOAD\ \{\ bless\ \{\}\ \}\;\ __PACKAGE__-\>method
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x080f4922 in Perl_hv_common (my_perl=0x81c9008, hv=0x81cc640, keysv=0x0, key=0x81ad483 "DESTROY", klen=7, flags=0, action=48, val=0x0, hash=0) at hv.c:397
397 || SvGMAGICAL((const SV *)hv))
(gdb) bt
#0 0x080f4922 in Perl_hv_common (my_perl=0x81c9008, hv=0x81cc640, keysv=0x0, key=0x81ad483 "DESTROY", klen=7, flags=0, action=48, val=0x0, hash=0) at hv.c:397
#1 0x080f4690 in Perl_hv_common_key_len (my_perl=0x81c9008, hv=0x81cc640, key=0x81ad483 "DESTROY", klen_i32=7, action=48, val=0x0, hash=0) at hv.c:325
#2 0x08083012 in Perl_gv_fetchmeth (my_perl=0x81c9008, stash=0x81cc640, name=0x81ad483 "DESTROY", len=7, level=0) at gv.c:445
#3 0x08083b67 in Perl_gv_fetchmethod_flags (my_perl=0x81c9008, stash=0x81cc640, name=0x81ad483 "DESTROY", flags=256) at gv.c:712
#4 0x08083958 in Perl_gv_fetchmethod_autoload (my_perl=0x81c9008, stash=0x81cc640, name=0x81ad483 "DESTROY", autoload=1) at gv.c:650
#5 0x080885c4 in Perl_gv_handler (my_perl=0x81c9008, stash=0x81cc640, id=68) at gv.c:1993
#6 0x08113892 in S_curse (my_perl=0x81c9008, sv=0x9af7fc8, check_refcnt=1 '\001') at sv.c:6250
#7 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x9af7fd8) at sv.c:5947
#8 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x9af7fd8) at sv.c:6401
#9 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#10 0x0807d0b6 in Perl_call_sv (my_perl=0x81c9008, sv=0x81e67e0, flags=45) at perl.c:2692
#11 0x08113a9c in S_curse (my_perl=0x81c9008, sv=0x9af7f88, check_refcnt=1 '\001') at sv.c:6269
#12 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x9af7f98) at sv.c:5947
#13 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x9af7f98) at sv.c:6401
#14 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#15 0x0807d0b6 in Perl_call_sv (my_perl=0x81c9008, sv=0x81e67e0, flags=45) at perl.c:2692
#16 0x08113a9c in S_curse (my_perl=0x81c9008, sv=0x9af7f48, check_refcnt=1 '\001') at sv.c:6269
#17 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x9af7f58) at sv.c:5947
#18 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x9af7f58) at sv.c:6401
#19 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#20 0x0807d0b6 in Perl_call_sv (my_perl=0x81c9008, sv=0x81e67e0, flags=45) at perl.c:2692

...

#58226 0x08113a9c in S_curse (my_perl=0x81c9008, sv=0x81e68b0, check_refcnt=1 '\001') at sv.c:6269
#58227 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x81e68c0) at sv.c:5947
#58228 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x81e68c0) at sv.c:6401
#58229 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#58230 0x0807d0b6 in Perl_call_sv (my_perl=0x81c9008, sv=0x81e67e0, flags=45) at perl.c:2692
#58231 0x08113a9c in S_curse (my_perl=0x81c9008, sv=0x81e6780, check_refcnt=1 '\001') at sv.c:6269
#58232 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x81e6790) at sv.c:5947
#58233 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x81e6790) at sv.c:6401
#58234 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#58235 0x0807d0b6 in Perl_call_sv (my_perl=0x81c9008, sv=0x81e67e0, flags=45) at perl.c:2692
#58236 0x08113a9c in S_curse (my_perl=0x81c9008, sv=0x81cd2a0, check_refcnt=1 '\001') at sv.c:6269
#58237 0x08112ae9 in Perl_sv_clear (my_perl=0x81c9008, orig_sv=0x81cd2b0) at sv.c:5947
#58238 0x08113fa7 in Perl_sv_free2 (my_perl=0x81c9008, sv=0x81cd2b0) at sv.c:6401
#58239 0x0813b810 in Perl_free_tmps (my_perl=0x81c9008) at scope.c:167
#58240 0x0807c169 in perl_run (my_perl=0x81c9008) at perl.c:2277
#58241 0x0805faaa in main (argc=3, argv=0xbffff844, env=0xbffff854) at perlmain.c:120
(gdb) quit
A debugging session is active.

  Inferior 1 [process 4146] will be killed.

Quit anyway? (y or n)


p5pRT commented Jul 11, 2011

From @rgarcia

On 11 July 2011 11:41, stsc@refcnt.org <perlbug-followup@perl.org> wrote:

[guest@testing ~]$ ./perl-7b70e81 -e 'AUTOLOAD { bless {} }; __PACKAGE__->method'
Segmentation fault

That segfaults during global destruction. Adding an empty
DESTROY method fixes the one-liner.

A simpler way to trigger that bug, without autoloading:

  ~§ perl -e 'sub DESTROY { bless {} }; bless {}'
  Segmentation fault


p5pRT commented Jul 11, 2011

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jul 13, 2011

From sog@msg.mx

On 07/11/2011 09:32 AM, Rafael Garcia-Suarez wrote:

On 11 July 2011 11:41, stsc@refcnt.org <perlbug-followup@perl.org> wrote:

[guest@testing ~]$ ./perl-7b70e81 -e 'AUTOLOAD { bless {} }; __PACKAGE__->method'
Segmentation fault

That segfaults during global destruction. Adding an empty
DESTROY method fixes the one-liner.

A simpler way to trigger that bug, without autoloading:

  ~§ perl -e 'sub DESTROY { bless {} }; bless {}'
  Segmentation fault

Some guards against reentrance are required for "magic" functions.

Not the same path, but on the same theme, a little more explicit:

  $ perl -e 'sub TIEHASH { tie %tmp, "main" } tie %foo, "main"'
  Segmentation fault


p5pRT commented Sep 18, 2011

From @cpansprout

On Tue Jul 12 21:19:22 2011, sortiz wrote:

On 07/11/2011 09:32 AM, Rafael Garcia-Suarez wrote:

On 11 July 2011 11:41, stsc@refcnt.org <perlbug-followup@perl.org> wrote:

[guest@testing ~]$ ./perl-7b70e81 -e 'AUTOLOAD { bless {} }; __PACKAGE__->method'
Segmentation fault

That segfaults during global destruction. Adding an empty
DESTROY method fixes the one-liner.

A simpler way to trigger that bug, without autoloading:

  ~§ perl -e 'sub DESTROY { bless {} }; bless {}'
  Segmentation fault

Some guards against reentrance are required for "magic" functions.

But sometimes it is necessary for DESTROY, etc. to be recursive. It’s
the user’s responsibility to make sure it doesn’t happen infinitely.

For me, the crash happens 102273 C function calls deep, which will
obviously not happen with working code.

Or do we want objects destroyed with DESTROY actually to remain alive
until DESTROY exits, so it is not called recursively?

I’m inclined to classify this bug as unfixable.
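As an added example that is not code from the thread or from the perl core, the following script takes the reduced `sub DESTROY { bless {} }; bless {}` case above and adds the kind of reentrance guard sortiz asks for, which cpansprout places on the class author: the class name `Guarded`, the depth counter and the limit of 16 are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example. The reduced case from the thread,
#     sub DESTROY { bless {} }; bless {}
# recurses without bound: every DESTROY creates a fresh object whose own
# destruction calls DESTROY again, until the C stack is exhausted.
# The class below performs the same bless-inside-DESTROY, but bounds the
# nesting with a depth counter so destruction always terminates.

package Guarded;            # hypothetical class name

our $DEPTH     = 0;         # Guarded::DESTROY frames currently active
our $CALLS     = 0;         # total DESTROY invocations, for the report
my  $MAX_DEPTH = 16;        # assumed limit, chosen for the demo

sub new {
    my ($class) = @_;
    return bless {}, $class;
}

sub DESTROY {
    my ($self) = @_;
    $CALLS++;

    # Re-entered too deeply: skip the cleanup work instead of allocating
    # yet another object. This line is the guard; without it the body
    # below is exactly the thread's crashing one-liner.
    return if $DEPTH >= $MAX_DEPTH;

    # `local` on a package variable is restored when this frame exits,
    # even if the body dies, so the counter cannot be left inflated.
    local $DEPTH = $DEPTH + 1;

    # The thread's pattern: bless a new object inside DESTROY. $tmp is
    # released at the end of this sub, which re-enters DESTROY with
    # $DEPTH one higher than in this frame.
    my $tmp = bless {}, ref $self;
    return;
}

package main;

{
    my $obj = Guarded->new;
}   # $obj leaves scope here: DESTROY runs and re-enters up to $MAX_DEPTH times

printf "DESTROY ran %d times and returned normally; no crash\n",
    $Guarded::CALLS;
```

Removing the `return if $DEPTH >= $MAX_DEPTH;` line reproduces the unbounded recursion the backtrace above shows, so the guard is the only difference between the two behaviours.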
