
formline segfaults #14388

Closed
p5pRT opened this issue Jan 3, 2015 · 12 comments

Comments

@p5pRT

p5pRT commented Jan 3, 2015

Migrated from rt.perl.org#123538 (status was 'resolved')

Searchable as RT123538$

@p5pRT

p5pRT commented Jan 3, 2015

From mlelstv@serpens.de

Created by mlelstv@serpens.de

This is a bug report for perl from mlelstv@serpens.de,
generated with the help of perlbug 1.40 running under perl 5.20.0.

-----------------------------------------------------------------
perl -e 'formline("@...", "a");' crashes with a segfault.

The core file shows the following backtrace:

#0 0xbbb5dfcc in Perl_pp_formline ()
  from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
(gdb) bt
#0 0xbbb5dfcc in Perl_pp_formline ()
  from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#1 0xbbb21869 in Perl_runops_standard ()
  from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#2 0xbbaa7f6b in perl_run ()
  from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
#3 0x08048e18 in main ()

The segfault seems to occur at the following code fragment in pp_ctl.c:

  case FF_MORE: /* replace long end of string with '...' */
  {
      const char *s = chophere;
      const char *send = item + len;
      if (chopspace) {
          while (isSPACE(*s) && (s < send))
              s++;
      }

when accessing *s through a NULL pointer.

send = item + len
0xbbb5dfb9 <Perl_pp_formline+2592>: mov -0x64(%ebp),%ecx
0xbbb5dfbc <Perl_pp_formline+2595>: add -0x1c(%ebp),%ecx
if (chopspace)
0xbbb5dfbf <Perl_pp_formline+2598>: cmpb $0x0,-0x71(%ebp)
0xbbb5dfc3 <Perl_pp_formline+2602>: je 0xbbb5e7c4 <Perl_pp_formline+4651>

isSPACE(*s)
0xbbb5dfc9 <Perl_pp_formline+2608>: mov -0x58(%ebp),%edx
*0xbbb5dfcc <Perl_pp_formline+2611>: movzbl (%edx),%eax
0xbbb5dfcf <Perl_pp_formline+2614>: mov -0x9c(%ebp),%esi
0xbbb5dfd5 <Perl_pp_formline+2620>: mov (%esi,%eax,4),%eax
0xbbb5dfd8 <Perl_pp_formline+2623>: and $0x8400,%eax
0xbbb5dfdd <Perl_pp_formline+2628>: cmp $0x8400,%eax
0xbbb5dfe2 <Perl_pp_formline+2633>: jne 0xbbb5e7c4 <Perl_pp_formline+4651>

s < send
0xbbb5dfe8 <Perl_pp_formline+2639>: cmp %ecx,%edx
0xbbb5dfea <Perl_pp_formline+2641>: jae 0xbbb5d9b0 <Perl_pp_formline+1047>

while
0xbbb5dff0 <Perl_pp_formline+2647>: mov %edx,%eax
0xbbb5dff2 <Perl_pp_formline+2649>: jmp 0xbbb5dffc <Perl_pp_formline+2659>

s < send
0xbbb5dff4 <Perl_pp_formline+2651>: cmp %eax,%ecx
0xbbb5dff6 <Perl_pp_formline+2653>: jbe 0xbbb5d9b0 <Perl_pp_formline+1047>

s++
0xbbb5dffc <Perl_pp_formline+2659>: add $0x1,%eax

isSPACE(*s)
0xbbb5dfff <Perl_pp_formline+2662>: movzbl (%eax),%edx
0xbbb5e002 <Perl_pp_formline+2665>: mov (%esi,%edx,4),%edx
0xbbb5e005 <Perl_pp_formline+2668>: and $0x8400,%edx
0xbbb5e00b <Perl_pp_formline+2674>: cmp $0x8400,%edx
0xbbb5e011 <Perl_pp_formline+2680>: je 0xbbb5dff4 <Perl_pp_formline+2651>

The code changed in perl-5.20, the older version 5.18 does not have
this problem.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.20.0:

Configured by root at Wed Oct  1 15:14:40 UTC 2014.

Summary of my perl5 (revision 5 version 20 subversion 0) configuration:
   
  Platform:
    osname=netbsd, osvers=6.0, archname=i386-netbsd-thread-multi
    uname='netbsd i386-nb6 6.0 netbsd 6.0 (libkver) #0: tue jan 19 00:00:00 utc 2038 root@localhost:sysarchi386compilelibkver i386 '
    config_args='-sde -Duseshrplib -Duseithreads -Uusemymalloc'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-O2 -pthread -I/usr/include -fwrapv -fno-strict-aliasing -pipe -fstack-protector',
    optimize='-O2  -pthread  -I/usr/include',
    cppflags='-O2 -pthread -I/usr/include -fwrapv -fno-strict-aliasing -pipe -fstack-protector'
    ccversion='', gccversion='4.5.3', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags ='-Wl,-rpath,/usr/pkg/lib -fstack-protector -L/usr/pkg/lib'
    libpth=/lib /usr/lib /usr/pkg/lib
    libs=-lm -lcrypt -lpthread
    perllibs=-lm -lcrypt -lpthread
    libc=/lib/libc.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E  -Wl,-R/usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE'
    cccdlflags='-DPIC -fPIC ', lddlflags='-shared  -L/usr/pkg/lib -fstack-protector'



@INC for perl 5.20.0:
    /home/mlelstv/plib
    /home/mlelstv/cvs.xlink.net/DNS/plib/
    /usr/pkg/lib/perl5/site_perl/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/site_perl/5.20.0
    /usr/pkg/lib/perl5/vendor_perl/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/vendor_perl/5.20.0
    /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi
    /usr/pkg/lib/perl5/5.20.0
    .


Environment for perl 5.20.0:
    HOME=/home/mlelstv
    LANG (unset)
    LANGUAGE (unset)
    LC_CTYPE=de_DE.ISO8859-1
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mlelstv/bin:/sbin:/usr/sbin:/usr/pkg/sbin:/bin:/usr/bin:/usr/pkg/bin:/usr/pkg/java/sun-1.4.0/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/openpkg/bin:/usr/local/openpkg/sbin:/usr/local/bin:/home/mlelstv/cvs.xlink.net/DNS/pbin
    PERL5LIB=/home/mlelstv/plib:/home/mlelstv/cvs.xlink.net/DNS/plib/
    PERL_BADLANG (unset)
    SHELL=/usr/pkg/bin/tcsh

@p5pRT

p5pRT commented Jan 3, 2015

From @jkeenan

On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:

> This is a bug report for perl from mlelstv@serpens.de,
> generated with the help of perlbug 1.40 running under perl 5.20.0.
>
> -----------------------------------------------------------------
> perl -e 'formline("@...", "a");' crashes with a segfault.

Here's the end of the output I got from running:
#####
perl Porting/bisect.pl --start=v5.18.0 -e 'formline("@...", "a");'
#####
HEAD is now at 4a73dc0 pp_formline(): document switch cases
good - zero exit from ./perl -Ilib -e formline("@...", "a");
9b4bdfd is the first bad commit
commit 9b4bdfd
Author: David Mitchell <davem@iabyn.com>
Date: Thu Nov 7 12:17:26 2013 +0000

  fix chop formats with non PV vars
 
  [perl #119847], [perl #119849], [perl #119851]
 
  Strange vars like ties, overloads, or stringified refs (and in recent
  perls, pure NOK vars) would generally do the wrong thing in formats
  when the var is treated as a string and repeatedly chopped, as in
  ^<<<~~ and similar. This would manifest itself in infinite loops, utf8
  errors etc. A recent change that stopped a stringified NOK getting
  converted into a POK made the same badness happen for plain NVs too.
 
  This commit contains two main fixes. First, the chopping was done
  using sv_chop(), which only worked on POK strings. If its !POK, we now do
  sv_setpvn() instead, which is less efficient, but will ensure the right
  thing is always done.
 
  Secondly, we make sure that the sv is accessed only once per cycle,
  doing s = SvPV(sv, len) or similar. After that, all access is done only
  via s and len. One place was using SvPVX(sv), and several places
  were using the sv for utf8<->byte length conversions, such as
  sv_pos_b2u().
 
  It turns out that all the complex utf8 handling could be enormously
  simplified. Since the code that needed to do utf8/byte length conversions
  already scanned the string looking for suitable split points (such as
  spaces or \n or \r), it was easiest to include any utf8 processing in the
  same loop - i.e. incrementing s by UTF8SKIP(s) each time, but incrementing
  the character count by 1.
 
  The original diagnosis and reporting of this issue was done by Nicholas
  Clark, who also supplied most of the tests.

:100644 100644 1ab3f420544ec457c657c55a2565764be2443374 95727f201a6194eb125a2c162892eea538601dc8 M pp_ctl.c
:040000 040000 d7ec689df42f7b90beffb116735cd04528bda355 b8b08d0ebb2994f13141c93783cf01fcf01ab7f1 M t
bisect run success
That took 1222 seconds.

#####

--
James E Keenan (jkeenan@cpan.org)

@p5pRT

p5pRT commented Jan 3, 2015

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Jan 12, 2015

From @tonycoz

On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:

> perl -e 'formline("@...", "a");' crashes with a segfault.
>
> The core file shows the following backtrace:
>
> #0 0xbbb5dfcc in Perl_pp_formline ()
>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> (gdb) bt
> #0 0xbbb5dfcc in Perl_pp_formline ()
>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #1 0xbbb21869 in Perl_runops_standard ()
>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #2 0xbbaa7f6b in perl_run ()
>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
> #3 0x08048e18 in main ()
>
> The segfault seems to occur at the following code fragment in
> pp_ctl.c:

I think the attached is the correct fix, but it still needs tests.

Tony

@p5pRT

p5pRT commented Jan 12, 2015

From @tonycoz

0001-perl-123538-always-set-chophere-and-itembytes-at-the.patch
From 1329d991a175a067c6bf27a6e6128a0c78ba0e20 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 12 Jan 2015 15:10:43 +1100
Subject: [PATCH] [perl #123538] always set chophere and itembytes at the same
 time

---
 pp_ctl.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/pp_ctl.c b/pp_ctl.c
index d69710c..1f77241 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -586,6 +586,7 @@ PP(pp_formline)
                         break;
                 }
                 itembytes = s - item;
+                chophere = s;
 		break;
 	    }
 
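Review bot: the added `chophere = s;` after `itembytes = s - item;` closes the NULL read in FF_MORE, but the patch ships without a regression test, as the cover note itself says; a `fresh_perl_is` case in t/op/write.t built on the reporter's reproducer (a `@...` field fed a short value such as `"a"`) should land with it so the crash path stays covered. It is also worth checking that every other arm of this switch that assigns `itembytes` leaves `chophere` non-NULL, since the FF_MORE fragment quoted in the report reads `chophere` unconditionally before any length comparison.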
-- 
1.7.10.4

@p5pRT

p5pRT commented Jan 13, 2015

From @tonycoz

On Sun Jan 11 20:11:54 2015, tonyc wrote:

> On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
>
>> perl -e 'formline("@...", "a");' crashes with a segfault.
>>
>> The core file shows the following backtrace:
>>
>> #0 0xbbb5dfcc in Perl_pp_formline ()
>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>> (gdb) bt
>> #0 0xbbb5dfcc in Perl_pp_formline ()
>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>> #1 0xbbb21869 in Perl_runops_standard ()
>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>> #2 0xbbaa7f6b in perl_run ()
>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>> #3 0x08048e18 in main ()
>>
>> The segfault seems to occur at the following code fragment in
>> pp_ctl.c:
>
> I think the attached is the correct fix, but it still needs tests.

With a test, I'll apply it in a couple of days.

Tony

@p5pRT

p5pRT commented Jan 13, 2015

From @tonycoz

0001-perl-123538-always-set-chophere-and-itembytes-at-the.patch
From 16c22aedb5255e822176c7ec900471bcb4cb8873 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 12 Jan 2015 15:10:43 +1100
Subject: [PATCH] [perl #123538] always set chophere and itembytes at the same
 time

Previously this would crash in FF_MORE because chophere was still
NULL.
---
 pp_ctl.c     |    1 +
 t/op/write.t |   14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/pp_ctl.c b/pp_ctl.c
index 37b822c..c76347b 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -586,6 +586,7 @@ PP(pp_formline)
                         break;
                 }
                 itembytes = s - item;
+                chophere = s;
 		break;
 	    }
 
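Review bot: the hunk is byte-for-byte the one from the earlier patch, and the reason for it now lives only in the commit message ("chophere was still NULL" when FF_MORE ran); a short comment beside `chophere = s;` saying that FF_MORE depends on it would keep that knowledge in the code, because next to `itembytes = s - item;` the assignment otherwise reads as redundant and is the kind of line a later cleanup removes.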
diff --git a/t/op/write.t b/t/op/write.t
index 4b13057..590d658 100644
--- a/t/op/write.t
+++ b/t/op/write.t
@@ -98,7 +98,7 @@ for my $tref ( @NumTests ){
 my $bas_tests = 21;
 
 # number of tests in section 3
-my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 4 + 2 + 3 + 96 + 11 + 2;
+my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 4 + 2 + 3 + 96 + 11 + 3;
 
 # number of tests in section 4
 my $hmb_tests = 37;
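Review bot: bumping the trailing `+ 2` of `$bug_tests` to `+ 3` is the right count for the one test added below, but this hand-maintained sum gives no hint of which term belongs to which ticket, so the next addition is easy to get wrong; either a comment recording what the final term counts (the #123245 and #123538 cases in section 3) or moving the file to `done_testing` would make the total self-checking.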
@@ -1960,6 +1960,18 @@ dd|
 EXPECT
 	      { stderr => 1 }, '#123245 different panic in sv_chop');
 
+fresh_perl_is(<<'EOP', <<'EXPECT',
+format STDOUT =
+# x at the end to make the spaces visible
+@... x
+q/a/
+.
+write;
+EOP
+a    x
+EXPECT
+	      { stderr => 1 }, '#123538 crash in FF_MORE');
+
 #############################
 ## Section 4
 ## Add new tests *above* here
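Review bot: the new `fresh_perl_is` case feeds `q/a/`, a value shorter than the four-character `@...` field, which is exactly the reported crash (FF_MORE reads `chophere` even when nothing was cut) and the expected `a    x` pins the padding; a second case with a value longer than the field would also cover the branch where the tail is replaced by `...`, since the fix now sets `chophere` for both. The `# x at the end` line inside the format is a format comment, so it does not affect the output and the expectation is correct as written.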
-- 
1.7.10.4
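To make the invariant behind the one-line fix concrete, the following is a small C model of how a `@...` field is rendered. It is written for this page and is not perl's pp_formline() code: the struct, the function names (`measure_item`, `render_field`, `format_more`, `check_case`) and the sample values are my own. It keeps the shape of the real code, a measuring step that records where the value was cut (`chophere`) together with how much fits (`itembytes`), and a rendering step that reads the cut point to decide whether the field's tail becomes `...`. Two things differ from the fragment quoted in the report: the renderer refuses to run when the cut point was never recorded, returning an error code instead of reading through NULL, and its blank-skipping loop tests the bound before reading the byte.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Model (not perl's code) of a "@..." field: measure records chophere and
 * itembytes together, render reads chophere; that pairing is the invariant. */
typedef struct {
    const char *item;      /* start of the value being formatted */
    size_t      len;       /* byte length of the value */
    size_t      fieldsize; /* field width, the three dots included */
    int         chopspace; /* skip blanks after the cut before deciding */
    const char *chophere;  /* where the value was cut; NULL until measured */
    size_t      itembytes; /* bytes of the value that fit in the field */
} field_state;

static void init_state(field_state *st, const char *value, size_t fieldsize, int chopspace)
{
    st->item = value;
    st->len = strlen(value);
    st->fieldsize = fieldsize;
    st->chopspace = chopspace;
    st->chophere = NULL; /* unknown until measure_item() has run */
    st->itembytes = 0;
}

/* Counterpart of the CHECKNL step: take up to fieldsize bytes, stopping at a
 * newline, and set chophere in the same place as itembytes. */
static void measure_item(field_state *st)
{
    const char *s = st->item;
    const char *send = st->item + st->len;
    size_t n = 0;

    while (s < send && n < st->fieldsize && *s != '\n') {
        s++;
        n++;
    }
    st->itembytes = (size_t)(s - st->item);
    st->chophere = s; /* never left NULL once itembytes is known */
}

/* Counterpart of the ITEM and MORE steps: write the padded field into out
 * (fieldsize + 1 bytes). Returns 1 if "..." was applied, 0 if the whole value
 * fit, -1 if the cut point was never recorded. */
static int render_field(const field_state *st, char *out)
{
    const char *s = st->chophere;
    const char *send = st->item + st->len;

    if (s == NULL) /* the state of the reported crash: refuse instead of reading */
        return -1;
    /* ITEM: copy the bytes that fit and pad the rest with blanks */
    memcpy(out, st->item, st->itembytes);
    memset(out + st->itembytes, ' ', st->fieldsize - st->itembytes);
    out[st->fieldsize] = '\0';

    /* MORE: the bound is tested before the byte is read */
    if (st->chopspace)
        while (s < send && isspace((unsigned char)*s))
            s++;
    if (s < send) {
        /* text was dropped: overwrite the last three field chars with "..." */
        size_t dots = st->fieldsize < 3 ? st->fieldsize : 3;
        memcpy(out + st->fieldsize - dots, "...", dots);
        return 1;
    }
    return 0;
}

/* Measure and render a NUL-terminated value; out needs fieldsize + 1 bytes. */
static int format_more(const char *value, size_t fieldsize, int chopspace, char *out)
{
    field_state st;
    init_state(&st, value, fieldsize, chopspace);
    measure_item(&st);
    return render_field(&st, out);
}

/* Render value (fieldsize at most 63), measuring first unless measure is 0, and
 * return 1 when the result code and, for a successful render, the text match. */
static int check_case(const char *value, size_t fieldsize, int chopspace, int measure,
                      const char *expected, int expected_ret)
{
    char out[64];
    field_state st;
    int r;
    init_state(&st, value, fieldsize, chopspace);
    if (measure)
        measure_item(&st);
    r = render_field(&st, out);
    return r == expected_ret && (r < 0 || strcmp(out, expected) == 0);
}

int main(void)
{
    char out[64];
    int r = format_more("abcdefg", 4, 0, out);
    printf("[%s] truncated=%d\n", out, r); /* [a...] truncated=1 */
    return 0;
}
```

With a width of 4 the value `a` renders as `a` followed by three blanks, which is the `a    x` the new test expects once the format's literal ` x` is appended, and `abcdefg` renders as `a...`. Skipping `measure_item()` reproduces the state the report describes (a rendering step with `chophere` still NULL) and yields -1 rather than a fault. The order of the two conditions in the blank-skipping loop is deliberate: the fragment quoted in the report evaluates `isSPACE(*s)` before comparing `s` with `send`, which stays in bounds there only because the buffer SvPV hands back is NUL-terminated; a model with no such guarantee has to test the bound first.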

@p5pRT

p5pRT commented Jan 19, 2015

From @tonycoz

On Mon Jan 12 16:15:23 2015, tonyc wrote:

> On Sun Jan 11 20:11:54 2015, tonyc wrote:
>
>> On Sat Jan 03 07:12:24 2015, mlelstv@serpens.de wrote:
>>
>>> perl -e 'formline("@...", "a");' crashes with a segfault.
>>>
>>> The core file shows the following backtrace:
>>>
>>> #0 0xbbb5dfcc in Perl_pp_formline ()
>>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>>> (gdb) bt
>>> #0 0xbbb5dfcc in Perl_pp_formline ()
>>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>>> #1 0xbbb21869 in Perl_runops_standard ()
>>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>>> #2 0xbbaa7f6b in perl_run ()
>>>   from /usr/pkg/lib/perl5/5.20.0/i386-netbsd-thread-multi/CORE/libperl.so
>>> #3 0x08048e18 in main ()
>>>
>>> The segfault seems to occur at the following code fragment in
>>> pp_ctl.c:
>>
>> I think the attached is the correct fix, but it still needs tests.
>
> With a test, I'll apply it in a couple of days.

Applied as 62db6ea.

This also fixed 123633 and 123591.

I wonder if there was some sort of format tutorial recently - 3 reports for this bug and 123245 in December.

Tony

@p5pRT

p5pRT commented Jan 19, 2015

@tonycoz - Status changed from 'open' to 'pending release'

@p5pRT

p5pRT commented Jan 20, 2015

From mlelstv@serpens.de

On Sun, Jan 18, 2015 at 09:32:50PM -0800, Tony Cook via RT wrote:

> This also fixed 123633 and 123591.
>
> I wonder if there was some sort of format tutorial recently - 3 reports for this bug and 123245 in December.

This bug here was triggered by the Amanda backup software
(http://amanda.org) which uses perl formats for reports.

Greetings,
--
  Michael van Elst
Internet: mlelstv@serpens.de
  "A potential Snark may lurk in every tree."

@p5pRT

p5pRT commented Jun 2, 2015

From @khwilliamson

Thanks for submitting this ticket

The issue should be resolved with the release today of Perl v5.22, available at http://www.perl.org/get.html
If you find that the problem persists, feel free to reopen this ticket

--
Karl Williamson for the Perl 5 porters team

@p5pRT

p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'
