Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

segfault in caller() #15248

Closed
p5pRT opened this issue Mar 24, 2016 · 7 comments
Closed

segfault in caller() #15248

p5pRT opened this issue Mar 24, 2016 · 7 comments

Comments

@p5pRT
Copy link

p5pRT commented Mar 24, 2016

Migrated from rt.perl.org#127774 (status was 'resolved')

Searchable as RT127774$

@p5pRT
Copy link
Author

p5pRT commented Mar 24, 2016

From @mauke

Created by @mauke

$ perl -e 'END { caller 1 } eval("sub { die }")->()'
Died at (eval 1) line 1.
Segmentation fault (core dumped)

A threaded/debugging 5.22.1 segfaults at pp_ctl.c​:1797​: assert(CopSTASH(cx->blk_oldcop));
because oldcop is NULL.

This seems to be fixed in blead (probably due to the context stack overhaul?).

If I used bisect.pl right, the crash was introduced with commit
515abc4 (Set PL_curcop to NULL in
op.c​:S_cop_free) between 5.18 and 5.20. ("Introduced" is probably wrong; more
like "exposed".)

It seems to consistently crash 5.20 and 5.22.

...

Taking a closer look, it also crashes 5.16.3 (with threads) and 5.8.9.

5.10.1, 5.12.5, 5.14.4, 5.18.2, and 5.16.3 (debugging, no threads) seem to be OK.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.22.1:

Configured by mauke at Tue Dec 29 15:36:05 CET 2015.

Summary of my perl5 (revision 5 version 22 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=4.2.5-1-arch, archname=i686-linux
    uname='linux simplicio 4.2.5-1-arch #1 smp preempt tue oct 27 08:28:41 cet 2015 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='5.3.0', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lnm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -lnm -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.22'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.22.1:
    /home/mauke/usr/lib/perl5/site_perl/5.22.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.22.1
    /home/mauke/usr/lib/perl5/5.22.1/i686-linux
    /home/mauke/usr/lib/perl5/5.22.1
    .


Environment for perl 5.22.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash

@p5pRT
Copy link
Author

p5pRT commented Mar 24, 2016

From @jkeenan

On Wed Mar 23 17​:25​:11 2016, mauke- wrote​:

This is a bug report for perl from l.mai@​web.de,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]

$ perl -e 'END { caller 1 } eval("sub { die }")->()'
Died at (eval 1) line 1.
Segmentation fault (core dumped)

A threaded/debugging 5.22.1 segfaults at pp_ctl.c​:1797​:
assert(CopSTASH(cx->blk_oldcop));
because oldcop is NULL.

Segfaults in plain vanilla 5.22.0 as well (no threads, no debugging). Same error output as above.

--
James E Keenan (jkeenan@​cpan.org)

@p5pRT
Copy link
Author

p5pRT commented Mar 24, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Mar 24, 2016

From @jkeenan

On Wed Mar 23 17​:25​:11 2016, mauke- wrote​:

This is a bug report for perl from l.mai@​web.de,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]

$ perl -e 'END { caller 1 } eval("sub { die }")->()'
Died at (eval 1) line 1.
Segmentation fault (core dumped)

A threaded/debugging 5.22.1 segfaults at pp_ctl.c​:1797​:
assert(CopSTASH(cx->blk_oldcop));
because oldcop is NULL.

This seems to be fixed in blead (probably due to the context stack
overhaul?).

Confirmed that blead looks okay on non-threaded, non-debugging builds.

#####
$ ./perl -v | head -2 | tail -1
This is perl 5, version 23, subversion 10 (v5.23.10 (v5.23.9-14-g2ebde1c)) built for x86_64-linux

$ ./perl -e 'END { caller 1 } eval("sub { die }")->()'
Died at (eval 1) line 1.
#####

If I used bisect.pl right, the crash was introduced with commit
515abc4 (Set PL_curcop to NULL in
op.c​:S_cop_free) between 5.18 and 5.20. ("Introduced" is probably
wrong; more
like "exposed".)

It seems to consistently crash 5.20 and 5.22.

Ditto for me (unthreaded, non-debugging)

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags​:
category=core
severity=low
---
Site configuration information for perl 5.22.1​:

Configured by mauke at Tue Dec 29 15​:36​:05 CET 2015.

Summary of my perl5 (revision 5 version 22 subversion 1)
configuration​:

Platform​:
osname=linux, osvers=4.2.5-1-arch, archname=i686-linux
uname='linux simplicio 4.2.5-1-arch #1 smp preempt tue oct 27
08​:28​:41 cet 2015 i686 gnulinux '
config_args=''
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
use64bitint=undef, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler​:
cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-
protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
optimize='-O2',
cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-
strong -I/usr/local/include'
ccversion='', gccversion='5.3.0', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234,
doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12,
longdblkind=3
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries​:
ld='cc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/include-
fixed /usr/lib /lib
libs=-lpthread -lnsl -lnm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
-lgdbm_compat
perllibs=-lpthread -lnsl -lnm -ldl -lm -lcrypt -lutil -lc
libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.22'
Dynamic Linking​:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-
protector-strong'

---
@​INC for perl 5.22.1​:
/home/mauke/usr/lib/perl5/site_perl/5.22.1/i686-linux
/home/mauke/usr/lib/perl5/site_perl/5.22.1
/home/mauke/usr/lib/perl5/5.22.1/i686-linux
/home/mauke/usr/lib/perl5/5.22.1
.

---
Environment for perl 5.22.1​:
HOME=/home/mauke
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=C
LC_MONETARY=de_DE.UTF-8
LC_TIME=de_DE.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/mauke/perl5/perlbrew/bin​:/home/mauke/bin​:/usr/local/sbin​:/usr/local/bin​:/usr/bin​:/usr/bin/site_perl​:/usr/bin/vendor_perl​:/usr/bin/core_perl
PERLBREW_BASHRC_VERSION=0.73
PERLBREW_HOME=/home/mauke/.perlbrew
PERLBREW_ROOT=/home/mauke/perl5/perlbrew
PERL_BADLANG (unset)
PERL_UNICODE=SAL
SHELL=/bin/bash

--
James E Keenan (jkeenan@​cpan.org)

@p5pRT
Copy link
Author

p5pRT commented Mar 24, 2016

From @iabyn

On Wed, Mar 23, 2016 at 05​:25​:11PM -0700, l.mai@​web.de wrote​:

This seems to be fixed in blead (probably due to the context stack overhaul?).

Well it bisects to this, but it's not immediately obvious to me why that
fixed it​:

commit b042e32
Author​: David Mitchell <davem@​iabyn.com>
Date​: Thu Oct 15 11​:34​:41 2015 +0100

  do PL_tmps_floor restore in POPBLOCK
 
  Currently every individual POPFOO type does
 
  PL_tmps_floor = cx->cx_u.cx_blk.blku_old_tmpsfloor
 
  as its last action.
 
  Move all these into POPBLOCK instead, which always immediately follows
  the POPFOO.

--
My get-up-and-go just got up and went.

@p5pRT
Copy link
Author

p5pRT commented Jun 17, 2016

From @iabyn

On Thu, Mar 24, 2016 at 01​:04​:52PM +0000, Dave Mitchell wrote​:

On Wed, Mar 23, 2016 at 05​:25​:11PM -0700, l.mai@​web.de wrote​:

This seems to be fixed in blead (probably due to the context stack overhaul?).

Well it bisects to this, but it's not immediately obvious to me why that
fixed it​:

commit b042e32
Author​: David Mitchell <davem@​iabyn.com>
Date​: Thu Oct 15 11​:34​:41 2015 +0100

do PL\_tmps\_floor restore in POPBLOCK

Currently every individual POPFOO type does

    PL\_tmps\_floor = cx\->cx\_u\.cx\_blk\.blku\_old\_tmpsfloor

as its last action\.

Move all these into POPBLOCK instead\, which always immediately follows
the  POPFOO\.

Having now looked this in more depth, that commit fixed it by a chance
side-effect; however this later commit in the context stack overhaul work
properly fixed it​:

  commit fc6e609
  Author​: David Mitchell <davem@​iabyn.com>
  AuthorDate​: Thu Dec 24 19​:44​:05 2015 +0000

  dounwind()​: do a POPBLOCK for final cx frame.

The issue was that when code dies without being trapped by an eval,
all savestack and context stack frames are popped, but the saved
variables in the context stack (PL_curpm, PL_tmps_floor etc) weren't
necessarily getting restored (or restored at the right time).
This meant that in this​:

  END { caller 1 } eval("sub { die }")->()

the temporary anon sub was getting freed while PL_curcop still pointed
at the OP_NEXTSTATE within the sub. When freeing the optree associated
with the sub, it sets PL_curcop to NULL if points to an op that's
about to be freed.

Later, caller() is called and it expects PL_curcop to be non-null.

--
Monto Blanco... scorchio!

@p5pRT
Copy link
Author

p5pRT commented Jun 17, 2016

@iabyn - Status changed from 'open' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant