crash when looking for a nonexistent destructor #10068

Closed
p5pRT opened this issue Jan 8, 2010 · 4 comments

p5pRT commented Jan 8, 2010

Migrated from rt.perl.org#71952 (status was 'resolved')

Searchable as RT71952$


p5pRT commented Jan 8, 2010

From @ntyni

This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
generated with the help of perlbug 1.39 running under perl 5.10.1.


The optimization of empty DESTROY methods introduced in commit
fbb3ee5 causes a null pointer dereference when a destructor is
declared but not defined.

% perl -e 'sub M::DESTROY; bless {}, "M"'
zsh: segmentation fault (core dumped)

This is seen in the real world with AutoLoader / AutoSplit, where
the crash prevents autoloading a DESTROY method.

http://bugs.debian.org/564074

Blead backtrace:

Core was generated by `./miniperl -e sub M::DESTROY; bless {}, "M"'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000054f83a in Perl_sv_clear (my_perl=0x2207010, sv=0x220ae28) at sv.c:5661
5661 || CvSTART(destructor)->op_next->op_type != OP_LEAVESUB))
(gdb) bt
#0 0x000000000054f83a in Perl_sv_clear (my_perl=0x2207010, sv=0x220ae28) at sv.c:5661
#1 0x0000000000551b49 in Perl_sv_free2 (my_perl=0x2207010, sv=0x220ae28) at sv.c:5936
#2 0x000000000054f6a6 in Perl_sv_clear (my_perl=0x2207010, sv=0x220af78) at sv.c:5638
#3 0x0000000000551b49 in Perl_sv_free2 (my_perl=0x2207010, sv=0x220af78) at sv.c:5936
#4 0x00000000005cab0b in Perl_free_tmps (my_perl=0x2207010) at scope.c:167
#5 0x0000000000709457 in perl_run (my_perl=0x2207010) at perl.c:2234
#6 0x00000000006d9921 in main (argc=3, argv=0x7fff5ac22a48, env=0x7fff5ac22a68) at miniperlmain.c:117

Proposed patch attached.



Flags:
  category=core
  severity=medium


Site configuration information for perl 5.10.1:

Configured by Debian Project at Sat Nov 21 19:18:01 UTC 2009.

Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
 
  Platform:
  osname=linux, osvers=2.6.31-1-amd64, archname=x86_64-linux-gnu-thread-multi
  uname='linux madeleine 2.6.31-1-amd64 #1 smp mon nov 16 04:44:38 utc 2009 x86_64 gnulinux '
  config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 -Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 -Dd_dosuid -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=define, usemultiplicity=define
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2 -g',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.3.4', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
  libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
  perllibs=-ldl -lm -lpthread -lc -lcrypt
  libc=/lib/libc-2.10.1.so, so=so, useshrplib=true, libperl=libperl.so.5.10.1
  gnulibc_version='2.10.1'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector'

Locally applied patches:
 


@INC for perl 5.10.1:
  /etc/perl
  /usr/local/lib/perl/5.10.1
  /usr/local/share/perl/5.10.1
  /usr/lib/perl5
  /usr/share/perl5
  /usr/lib/perl/5.10
  /usr/share/perl/5.10
  /usr/local/lib/site_perl
  .


Environment for perl 5.10.1:
  HOME=/home/niko
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LC_CTYPE=fi_FI.UTF-8
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/niko/bin:/home/niko/bin:/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/sbin:/usr/sbin
  PERL_BADLANG (unset)
  SHELL=/bin/zsh


p5pRT commented Jan 8, 2010

From @ntyni

0001-Fix-a-NULL-pointer-dereference-when-looking-for-a-DE.patch
From 16026715863b1a3a6e99df6686834c9238922539 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Fri, 8 Jan 2010 21:21:57 +0200
Subject: [PATCH] Fix a NULL pointer dereference when looking for a DESTROY method

The empty DESTROY method optimization introduced by commit
fbb3ee5af3d would crash the interpreter if a DESTROY method
was declared but not actually defined.

This is seen in the real world with AutoLoader / AutoSplit,
where the crash defeats autoloading a DESTROY method.
---
 sv.c          |    3 ++-
 t/op/method.t |   11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/sv.c b/sv.c
index fb82caf..ed4be5f 100644
--- a/sv.c
+++ b/sv.c
@@ -5658,7 +5658,8 @@ Perl_sv_clear(pTHX_ register SV *const sv)
 			&& !CvCONST(destructor)
 			/* Don't bother calling an empty destructor */
 			&& (CvISXSUB(destructor)
-			|| CvSTART(destructor)->op_next->op_type != OP_LEAVESUB))
+			|| (CvSTART(destructor)
+			    && (CvSTART(destructor)->op_next->op_type != OP_LEAVESUB))))
 		{
 		    SV* const tmpref = newRV(sv);
 	            SvREADONLY_on(tmpref);   /* DESTROY() could be naughty */
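Review bot: With the added `CvSTART(destructor) &&` guard, a DESTROY that is declared but has no body makes the whole `(CvISXSUB(destructor) || ...)` test false, so the block that follows is skipped entirely rather than only the NULL dereference being avoided. The commit message names AutoLoader / AutoSplit as the real-world case; if a stub DESTROY is meant to be dispatched so that it can be autoloaded, the NULL case should make the condition true instead (that is, `!CvSTART(destructor) || ...->op_type != OP_LEAVESUB`). Either way, the comment "Don't bother calling an empty destructor" should be extended to say what happens for a sub with no body, since the guard now covers two different situations.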
diff --git a/t/op/method.t b/t/op/method.t
index afa8cfb..d2914c4 100644
--- a/t/op/method.t
+++ b/t/op/method.t
@@ -10,7 +10,7 @@ BEGIN {
     require "test.pl";
 }
 
-print "1..78\n";
+print "1..79\n";
 
 @A::ISA = 'B';
 @B::ISA = 'C';
@@ -292,3 +292,12 @@ EOT
 	"check if UNIVERSAL::AUTOLOAD works",
     );
 }
+{
+    fresh_perl_is(<<'EOT',
+sub M::DESTROY; bless {}, "M" ; print "survived\n";
+EOT
+    "survived",
+    {},
+	"no crash with a declared but missing DESTROY method"
+    );
+}
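Review bot: The new `fresh_perl_is` case only asserts that the child prints "survived", so it pins the absence of the crash but not what happens to the stub DESTROY itself. Since the commit message cites AutoLoader / AutoSplit as the motivating case, add a second case in which package M also defines an AUTOLOAD and the expected output states whether DESTROY reaches it, so the chosen behaviour is locked in by the test suite.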
-- 
1.6.6


p5pRT commented Jan 19, 2010

From @tsee

Thanks, applied as 1f15e67!

--Steffen


p5pRT commented Jan 19, 2010

@tsee - Status changed from 'new' to 'resolved'
