p /x in debugger yields memory fault #13526
Comments
From @khwilliamson: This is a bug report for perl from khw@karl.(none), Typing Flags: Site configuration information for perl 5.19.8: Configured by khw at Mon Jan 13 18:01:27 MST 2014. Summary of my perl5 (revision 5 version 19 subversion 8) configuration: @INC for perl 5.19.8: /home/khw/devel/lib/perl5/site_perl/5.19.8/i686-linux-thread-multi-64int-ld Environment for perl 5.19.8: PATH=/home/khw/bin:/home/khw/perl5/perlbrew/bin:/home/khw/print/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games:/home/khw/cxoffice/bin
From perl5-porters@perl.org: Karl Williamson wrote:
I get "Search pattern not terminated." Is this a regression?
The RT System itself - Status changed from 'new' to 'open'
From @khwilliamson: On 01/13/2014 10:21 PM, Father Chrysostomos wrote:
It turns out it is. Fails in blead; works in 5.18.0
From @khwilliamson: On 01/13/2014 10:48 PM, Karl Williamson wrote:
I ran this: valgrind ./perl -Ilib -d utils/perlbug then typed p /x and got this:
From @shlomif: Hi all, On Mon, 13 Jan 2014 22:55:29 -0700
Just for the record, perl -d on blead does not crash here (Mageia Linux x86-64 shlomif@telaviv1:~/Download/unpack/perl/p5/git/perl$ ./perl -Ilib -d Loading DB routines from perl5db.pl version 1.43 Enter h or 'h h' for help, or 'man perldebug' for more help. main::(utils/perlbug:2): eval DB<571> p 5+6 I've built my perl like this: #!/bin/sh Regards, Shlomi Fish -- Shlomi Fish http://www.shlomifish.org/ I figured wrong (with a capital R). Please reply to list if it's a mailing list post - http://shlom.in/reply .
From @tonycoz: On Mon Jan 13 21:55:44 2014, public@khwilliamson.com wrote:
I've reproduced this in a 32-bit VM, here's a more detailed stack trace (I used "o signalLevel=0" to avoid the debugger setting a signal handler, since we're getting twice the noise with it): (gdb) bt Note the large len value passed to Perl_newSVpvn_flags. I'll fiddle with this some more. Tony
From perl5-porters@perl.org: Tony Cook wrote:
Somehow cx->blk_eval.cur_text is an SV containing an empty string. I
From @tonycoz: On Thu, Jan 23, 2014 at 04:41:23AM -0000, Father Chrysostomos wrote:
cur_text is being initialized with the eval text, but line 1440 in Note that if I remove the subtraction, the output doesn't match my # 32-bit machine that was crashing: # 64-bit machine that wasn't: Tony
From perl5-porters@perl.org: Tony Cook wrote:
What line is that? It is a closing brace in blead, and earlier it if (UTF8_IS_INVARIANT(head)) len = UTF8SKIP(&head); Did you get the number wrong?
From @tonycoz: On Thu, Jan 23, 2014 at 06:08:34AM -0000, Father Chrysostomos wrote:
if (!(flags & LEX_KEEP_PREVIOUS) && This line:
From @tonycoz: On Mon Jan 13 20:22:57 2014, public@khwilliamson.com wrote:
I ran a bisect on this on a 32-bit VM using: #!/usr/bin/perl system "git clean -dxf"; open my $db, ">", ".perldb"; my $rev = `git describe`; system "git clean -dxf"; my $status = $res == 0 ? "good" : "bad"; (which does a lot more work than necessary) This bisected down to: cbcb2a1 is the first bad commit add 1 to SvGROW under COW (and fix svleak.t) which I had trouble believing, since the change is so trivial, but I confirmed it by manually building the commit before (which didn't fault) and the release after (which did fault). I can only suspect this is a heisenbug of sorts - the size increase is pushing us over some boundary that moves something in memory. Tony
From @tonycoz: On Wed Jan 22 20:41:45 2014, perl5-porters@perl.org wrote:
It looks like yes, this has been around since that commit: [tony@localhost perl]$ git describe Loading DB routines from perl5db.pl version 1.39_02 Enter h or 'h h' for help, or 'man perldebug' for more help. main::(-e:1): 0 Breakpoint 1, Perl_sv_grow (my_perl=my_perl@entry=0x82de008, Inferior 1 [process 13743] will be killed. Quit anyway? (y or n) y Loading DB routines from perl5db.pl version 1.39_02 Enter h or 'h h' for help, or 'man perldebug' for more help. main::(-e:1): 0 DB<2> q Tony
From @tonycoz: On Mon Jan 13 20:22:57 2014, public@khwilliamson.com wrote:
A simple reproducer: $SIG{__DIE__} = \&dbdie; sub dbdie { Tony
From @tonycoz: On Mon Apr 07 19:04:50 2014, tonyc wrote:
Attached is a patch that fixes the problem and provides a test. Backtraces from "p /x" in the debugger now match older versions of perl rather than being truncated on 64-bit builds, or causing a SEGV on 32-bit builds. Please review. Tony
From @tonycoz: 0001-perl-120998-avoid-caller-crashing-on-eval-stack-fram.patch
From 76e7a9fe39549ab86e80cf93da9b638464dbe8f6 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 8 Apr 2014 11:12:38 +1000
Subject: [PATCH] [perl #120998] avoid caller() crashing on eval '' stack
frames
Starting from v5.17.3-150-g19bcb54e caller() on an eval frame would
end up calling Perl_sv_grow() with newlen = 0xFFFFFFFF on 32-bit
systems.
This eventually started segfaulting with v5.19.0-442-gcbcb2a1 which
added code to round up allocations to the nearest 0x100, setting
newlen to 0, faulting when sv_setpvn() attempted to copy its source
string into the zero space provided.
---
pp_ctl.c | 13 ++++++++++---
t/op/caller.t | 14 +++++++++++++-
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/pp_ctl.c b/pp_ctl.c
index e13e450..380a7fe 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -1847,9 +1847,16 @@ PP(pp_caller)
if (CxTYPE(cx) == CXt_EVAL) {
/* eval STRING */
if (CxOLD_OP_TYPE(cx) == OP_ENTEREVAL) {
- PUSHs(newSVpvn_flags(SvPVX(cx->blk_eval.cur_text),
- SvCUR(cx->blk_eval.cur_text)-2,
- SvUTF8(cx->blk_eval.cur_text)|SVs_TEMP));
+ SV *cur_text = cx->blk_eval.cur_text;
+ if (SvCUR(cur_text) >= 2) {
+ PUSHs(newSVpvn_flags(SvPVX(cur_text), SvCUR(cur_text)-2,
+ SvUTF8(cur_text)|SVs_TEMP));
+ }
+ else {
+ /* I think this is will always be "", but be sure */
+ PUSHs(sv_2mortal(newSVsv(cur_text)));
+ }
+
PUSHs(&PL_sv_no);
}
/* require */
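Review bot: typo in the comment of the new else branch, "I think this is will always be "", but be sure" should read "I think this will always be "", but be sure". The SvCUR(cur_text) >= 2 guard is the right fix for the wrap the commit message describes (SvCUR-2 going to 0xFFFFFFFF on 32-bit when cur_text is shorter than two bytes); if the comment's expectation that the short case is always the empty string is meant to hold, an assert(SvCUR(cur_text) == 0) in the else branch would record that expectation without changing the fallback behaviour.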
diff --git a/t/op/caller.t b/t/op/caller.t
index 61a3816..54a6bac 100644
--- a/t/op/caller.t
+++ b/t/op/caller.t
@@ -5,7 +5,7 @@ BEGIN {
chdir 't' if -d 't';
@INC = '../lib';
require './test.pl';
- plan( tests => 94 );
+ plan( tests => 95 );
}
my @c;
@@ -318,6 +318,18 @@ sub doof { caller(0) }
print +(doof())[3];
END
"caller should not SEGV when the current package is undefined";
+
+# caller should not SEGV when the eval entry has been cleared #120998
+fresh_perl_is <<'END', 'main', {},
+$SIG{__DIE__} = \&dbdie;
+eval '/x';
+sub dbdie {
+ @x = caller(1);
+ print $x[0];
+}
+END
+ "caller should not SEGV for eval '' stack frames";
+
$::testing_caller = 1;
do './op/caller.pl' or die $@;
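Review bot: the new test only prints $x[0] and compares against 'main', so it catches the crash but not a wrong eval-text element; since the fix changes what is pushed for that slot (the SvCUR-2 path versus a copy of cur_text), consider also printing the eval text element of caller(1) so a regression to a truncated or empty string fails the test rather than passing silently. Also declare @x with my, matching the lexical style of the surrounding file (my @c; at the top).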
--
1.7.10.4
From @shlomif: On Mon Apr 07 22:58:02 2014, tonyc wrote:
With this patch, all tests are successful on Mageia Linux x86-64 5/Cauldron both with a threaded build of Perl and a non-threaded build of it. Thanks! Regards, -- Shlomi Fish
From @shlomif: On Wed Apr 09 00:04:43 2014, shlomif wrote:
All tests with this patch are also successful on a Mageia Linux 4 32-bit (i586) VM in both threaded and non-threaded builds. -- Shlomi Fish
From @tonycoz: On Mon Apr 07 22:58:02 2014, tonyc wrote:
Applied to blead as 78beb4c. Tony
@tonycoz - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#120998 (status was 'resolved')
Searchable as RT120998$