(regression?) v5.17.6+ segfaulting on simple (buggy) code

[p5pRT]

Migrated from rt.perl.org#117607 (status was 'resolved')

Searchable as RT117607$

[p5pRT]

From @garu

This is a bug report for perl from garu@​cpan.org,
generated with the help of perlbug 1.39 running under perl 5.17.10.

---

Many thanks to David Leadbeater (dg) for doing the actual work
of debugging and bisecting the issue!

$ cat Boom.pm
BEGIN {
  $^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

$ cat boom.sh
#!/bin/sh
./miniperl ~/Boom.pm
# expected syntax error
[ $? = 255 ] && exit 0
# segfault
exit 1

$ ../perl-bisect/Porting/bisect.pl --target miniperl ~/boom.sh
[...]
9ffcdca is the first bad commit
commit 9ffcdca
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Mon Nov 12 23​:04​:16 2012 -0800

  Donât leak subs containing syntax errors

  I fixed this for BEGIN blocks earlier, but missed the fact that
  all subs are affected.

  When called without an o argument (from newANONATTRSUB), newATTRSUB
  is expected to return a CV with an unowned reference count of which
  the caller will take ownership. We cannot have newATTRSUB returning
  a freed CV, so we have it return null instead. But that means
  ck_anoncode and pm_runtime have to account for that.

:100644 100644 3f71cffc1351b181760b3b22d2bebb5eae5c16d9
b2801c7b5f4807886cc293e3fb567a46202b6e4d M op.c
:040000 040000 5cbf8745aa1eaede5906d8da797797603d6f63ef
f29dce933f3a81a17022f3cc80bdcf115d44bb2c M t
bisect run success
That took 332 seconds

dgl@​perlqa​:~/perl/perl$ git describe 9ffcdca
v5.17.5-461-g9ffcdca

dgl@​perlqa​:~/perl/perl$ gdb --args ./miniperl ~/Boom.pm
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see​:
<http​://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/dgl/perl/perl/miniperl...done.
(gdb) r
Starting program​: /home/dgl/perl/perl/miniperl /home/dgl/Boom.pm
warning​: no loadable sections found in added symbol-file
system-supplied DSO at 0x7ffff7ffa000

Program received signal SIGSEGV, Segmentation fault.
Perl_mg_magical (sv=0x765130) at mg.c​:147
147 const MGVTBL* const vtbl = mg->mg_virtual;
(gdb) bt
#0 Perl_mg_magical (sv=0x765130) at mg.c​:147
#1 0x000000000049484d in Perl_sv_magicext (sv=0x765130, obj=0x74e6d0, how=93,
  vtable=0x74bac0, name=0x0, namlen=<optimized out>) at sv.c​:5264
#2 0x0000000000495a83 in Perl_sv_magic (sv=0x765130, obj=0x74e6d0,
how=93, name=0x0,
  namlen=<optimized out>) at sv.c​:5338
#3 0x00000000004109e7 in Perl_cv_set_call_checker (cv=0x765130,
  ckfun=0x4165d0 <Perl_ck_entersub_args_core>, ckobj=0x765100) at op.c​:10467
#4 0x0000000000424344 in S_maybe_add_coresub (stash=<optimized out>,
gv=0x7650d0,
  name=0x76ef96 "lc", len=2) at gv.c​:560
#5 0x000000000042463a in Perl_gv_fetchpvn_flags (nambeg=0x76ef90 "CORE​::lc",
  full_len=<optimized out>, flags=2, sv_type=SVt_PVCV) at gv.c​:1717
#6 0x0000000000425d30 in Perl_gv_fetchsv (name=0x764ff8, flags=2,
sv_type=SVt_PVCV)
  at gv.c​:1380
#7 0x0000000000410514 in Perl_ck_rvconst (o=0x76f428) at op.c​:8571
#8 0x0000000000414b50 in Perl_newUNOP (type=17, flags=<optimized
out>, first=0x76f468)
  at op.c​:3978
#9 0x0000000000444dda in Perl_yyparse (gramtype=<optimized out>) at
perly.y​:1399
#10 0x000000000040c68d in S_parse_body (xsinit=0x422a40 <xs_init>,
env=0x0) at perl.c​:2262
#11 perl_parse (my_perl=<optimized out>, xsinit=0x422a40 <xs_init>,
argc=<optimized out>,
  argv=<optimized out>, env=0x0) at perl.c​:1620
#12 0x00000000004058c0 in main (argc=2, argv=0x7fffffffe698, env=0x7fffffffe6b0)
  at miniperlmain.c​:111
(gdb) p mg
$1 = (const MAGIC *) 0xff00000000

---

---

Flags​:
  category=core
  severity=high

---

Site configuration information for perl 5.17.10​:

Configured by garu at Sun Apr 14 11​:05​:41 BST 2013.

Summary of my perl5 (revision 5 version 17 subversion 10) configuration​:

  Platform​:
  osname=linux, osvers=3.0.0-32-generic, archname=x86_64-linux
  uname='linux bebop 3.0.0-32-generic #50-ubuntu smp thu feb 28
22​:32​:30 utc 2013 x86_64 x86_64 x86_64 gnulinux '
  config_args='-de
-Dprefix=/home/garu/perl5/perlbrew/perls/perl-5.17.10 -Dusedevel
-Aeval​:scriptdir=/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.6.1', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/lib
  libs=-lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.13'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib
-fstack-protector'

Locally applied patches​:

---

@​INC for perl 5.17.10​:
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/site_perl/5.17.10/x86_64-linux
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/site_perl/5.17.10
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/5.17.10/x86_64-linux
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/5.17.10
  .

---

Environment for perl 5.17.10​:
  HOME=/home/garu
  LANG=en_US.UTF-8
  LANGUAGE=
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/garu/perl5/perlbrew/bin​:/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin​:/usr/local/sbin​:/usr/local/bin​:/usr/sbin​:/usr/bin​:/sbin​:/bin​:/usr/games
  PERLBREW_BASHRC_VERSION=0.58
  PERLBREW_HOME=/home/garu/.perlbrew
  PERLBREW_MANPATH=/home/garu/perl5/perlbrew/perls/perl-5.17.10/man
  PERLBREW_PATH=/home/garu/perl5/perlbrew/bin​:/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin
  PERLBREW_PERL=perl-5.17.10
  PERLBREW_ROOT=/home/garu/perl5/perlbrew
  PERLBREW_VERSION=0.58
  PERL_BADLANG (unset)
  SHELL=/bin/bash

[p5pRT]

From @garu

This is a bug report for perl from garu@​cpan.org,
generated with the help of perlbug 1.39 running under perl 5.17.10.

---

Thanks to David Leadbeater (dg) for doing the actual work of
tracing and bisecting the issue!

$ cat Boom.pm
BEGIN {
  $^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

$ cat boom.sh
#!/bin/sh
./miniperl ~/Boom.pm
# expected syntax error
[ $? = 255 ] && exit 0
# segfault
exit 1

$ ../perl-bisect/Porting/bisect.pl --target miniperl ~/boom.sh
[...]
9ffcdca is the first bad commit
commit 9ffcdca
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Mon Nov 12 23​:04​:16 2012 -0800

  Donât leak subs containing syntax errors
 
  I fixed this for BEGIN blocks earlier, but missed the fact that
  all subs are affected.
 
  When called without an o argument (from newANONATTRSUB), newATTRSUB
  is expected to return a CV with an unowned reference count of which
  the caller will take ownership. We cannot have newATTRSUB returning
  a freed CV, so we have it return null instead. But that means
  ck_anoncode and pm_runtime have to account for that.

:100644 100644 3f71cffc1351b181760b3b22d2bebb5eae5c16d9 b2801c7b5f4807886cc293e3fb567a46202b6e4d M op.c
:040000 040000 5cbf8745aa1eaede5906d8da797797603d6f63ef f29dce933f3a81a17022f3cc80bdcf115d44bb2c M t
bisect run success
That took 332 seconds

dgl@​perlqa​:~/perl/perl$ git describe 9ffcdca
v5.17.5-461-g9ffcdca

dgl@​perlqa​:~/perl/perl$ gdb --args ./miniperl ~/Boom.pm
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see​:
<http​://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/dgl/perl/perl/miniperl...done.
(gdb) r
Starting program​: /home/dgl/perl/perl/miniperl /home/dgl/Boom.pm
warning​: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000

Program received signal SIGSEGV, Segmentation fault.
Perl_mg_magical (sv=0x765130) at mg.c​:147
147 const MGVTBL* const vtbl = mg->mg_virtual;
(gdb) bt
#0 Perl_mg_magical (sv=0x765130) at mg.c​:147
#1 0x000000000049484d in Perl_sv_magicext (sv=0x765130, obj=0x74e6d0, how=93,
  vtable=0x74bac0, name=0x0, namlen=<optimized out>) at sv.c​:5264
#2 0x0000000000495a83 in Perl_sv_magic (sv=0x765130, obj=0x74e6d0, how=93, name=0x0,
  namlen=<optimized out>) at sv.c​:5338
#3 0x00000000004109e7 in Perl_cv_set_call_checker (cv=0x765130,
  ckfun=0x4165d0 <Perl_ck_entersub_args_core>, ckobj=0x765100) at op.c​:10467
#4 0x0000000000424344 in S_maybe_add_coresub (stash=<optimized out>, gv=0x7650d0,
  name=0x76ef96 "lc", len=2) at gv.c​:560
#5 0x000000000042463a in Perl_gv_fetchpvn_flags (nambeg=0x76ef90 "CORE​::lc",
  full_len=<optimized out>, flags=2, sv_type=SVt_PVCV) at gv.c​:1717
#6 0x0000000000425d30 in Perl_gv_fetchsv (name=0x764ff8, flags=2, sv_type=SVt_PVCV)
  at gv.c​:1380
#7 0x0000000000410514 in Perl_ck_rvconst (o=0x76f428) at op.c​:8571
#8 0x0000000000414b50 in Perl_newUNOP (type=17, flags=<optimized out>, first=0x76f468)
  at op.c​:3978
#9 0x0000000000444dda in Perl_yyparse (gramtype=<optimized out>) at perly.y​:1399
#10 0x000000000040c68d in S_parse_body (xsinit=0x422a40 <xs_init>, env=0x0) at perl.c​:2262
#11 perl_parse (my_perl=<optimized out>, xsinit=0x422a40 <xs_init>, argc=<optimized out>,
  argv=<optimized out>, env=0x0) at perl.c​:1620
#12 0x00000000004058c0 in main (argc=2, argv=0x7fffffffe698, env=0x7fffffffe6b0)
  at miniperlmain.c​:111
(gdb) p mg
$1 = (const MAGIC *) 0xff00000000

---

---

Flags​:
  category=core
  severity=high

---

Site configuration information for perl 5.17.10​:

Configured by garu at Sun Apr 14 11​:05​:41 BST 2013.

Summary of my perl5 (revision 5 version 17 subversion 10) configuration​:
 
  Platform​:
  osname=linux, osvers=3.0.0-32-generic, archname=x86_64-linux
  uname='linux bebop 3.0.0-32-generic #50-ubuntu smp thu feb 28 22​:32​:30 utc 2013 x86_64 x86_64 x86_64 gnulinux '
  config_args='-de -Dprefix=/home/garu/perl5/perlbrew/perls/perl-5.17.10 -Dusedevel -Aeval​:scriptdir=/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.6.1', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/lib
  libs=-lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.13'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'

Locally applied patches​:
 

---

@​INC for perl 5.17.10​:
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/site_perl/5.17.10/x86_64-linux
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/site_perl/5.17.10
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/5.17.10/x86_64-linux
  /home/garu/perl5/perlbrew/perls/perl-5.17.10/lib/5.17.10
  .

---

Environment for perl 5.17.10​:
  HOME=/home/garu
  LANG=en_US.UTF-8
  LANGUAGE=
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/garu/perl5/perlbrew/bin​:/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin​:/usr/local/sbin​:/usr/local/bin​:/usr/sbin​:/usr/bin​:/sbin​:/bin​:/usr/games
  PERLBREW_BASHRC_VERSION=0.58
  PERLBREW_HOME=/home/garu/.perlbrew
  PERLBREW_MANPATH=/home/garu/perl5/perlbrew/perls/perl-5.17.10/man
  PERLBREW_PATH=/home/garu/perl5/perlbrew/bin​:/home/garu/perl5/perlbrew/perls/perl-5.17.10/bin
  PERLBREW_PERL=perl-5.17.10
  PERLBREW_ROOT=/home/garu/perl5/perlbrew
  PERLBREW_VERSION=0.58
  PERL_BADLANG (unset)
  SHELL=/bin/bash

[p5pRT]

From @iabyn

On Sun, Apr 14, 2013 at 06​:19​:56AM -0700, Breno G. de Oliveira wrote​:

$ cat Boom.pm
BEGIN {
$^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

It can be reduced slightly further​:

  BEGIN {
  $^H |= 0x00000400; # strict vars
  }
  $anyvar;
  &CORE​::lc;

Looks like it should be 5.18 blocker.

--
The crew of the Enterprise encounter an alien life form which is
surprisingly neither humanoid nor made from pure energy.
  -- Things That Never Happen in "Star Trek" #22

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @mauke

On 15.04.2013 13​:06, Dave Mitchell wrote​:

On Sun, Apr 14, 2013 at 06​:19​:56AM -0700, Breno G. de Oliveira wrote​:

$ cat Boom.pm
BEGIN {
$^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

It can be reduced slightly further​:

 BEGIN \{
   $^H |= 0x00000400; \# strict vars
 \}
 $anyvar;
 &CORE​::lc;

Looks like it should be 5.18 blocker.

A debugging perl fails the assert in gv.c​:551 (S_maybe_add_coresub)​:
  assert(GvCV(gv) == cv);

because GvCV(gv) == NULL.

--
Lukas Mai <plokinom@​gmail.com>

[p5pRT]

From @tonycoz

I bisected this with a debugging perl, and found​:

bad - non-zero exit from ./perl -Ilib -e eval q[ use strict; $foo; sub {
\&CORE​::lc } ];
a73ef99 is the first bad commit
commit a73ef99
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Wed Jun 20 13​:45​:43 2012 -0700

  [perl #113712] Don’t create stubs after errors

  perl5.002beta3 (c07a80f) stopped bodies of subrou-
  tines from being defined after compilation errors, as in
  eval "@​a =~ s///; sub { die }".

  But, instead of making the sub declaration not happen at all, it ended
  up leaving a stub.

  For a full sub declaration (body and all) to create a stub just
  seems wrong.

  Likewise, it would be weird if a stub declaration
  after a compilation error created a stub, because then
  eval "@​a =~ s///; sub foo; sub bar { }" would create foo but not bar.

  Similarly, a compilation error will cause ‘sub foo {}’ no suppress
  ‘used once’ warnings; but a lexing error won’t.

  This commit fixes all this, making things consistent​: If there is a
  compilation, parsing or lexing error, any kind of sub declaration that
  follows is ignored.

:100644 100644 69bd2a4df8cc2eae325ed03e408b0fcc260be241
5756eeb302b761276050e88da216f754323e67e6 M op.c
:040000 040000 ede63525624312bffafa5d226f9af4eb770e950c
d1ae239eaa8cb406eb2146e804434551909fc0cd M t
bisect run success
That took 1639 seconds

[p5pRT]

From @tonycoz

On Mon Apr 15 04​:06​:51 2013, davem wrote​:

On Sun, Apr 14, 2013 at 06​:19​:56AM -0700, Breno G. de Oliveira wrote​:

$ cat Boom.pm
BEGIN {
$^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

It can be reduced slightly further​:

BEGIN \{
  $^H |= 0x00000400; \# strict vars
\}
$anyvar;
&CORE​::lc;

Looks like it should be 5.18 blocker.

Even simpler​:

$foo/; # some syntax error
\&CORE​::lc;

Pushed a fix to smoke-me/tonyc/core_lc_error

Tony

[p5pRT]

From @tonycoz

On Thu Apr 25 01​:29​:45 2013, tonyc wrote​:

On Mon Apr 15 04​:06​:51 2013, davem wrote​:

On Sun, Apr 14, 2013 at 06​:19​:56AM -0700, Breno G. de Oliveira wrote​:

$ cat Boom.pm
BEGIN {
$^H |= 0x00000400; # strict vars
}
# Undeclared variable here
sub foo { return $anyvar; }
# Any CORE​:: here
sub bar { \&CORE​::lc }

It can be reduced slightly further​:

BEGIN \{
  $^H |= 0x00000400; \# strict vars
\}
$anyvar;
&CORE​::lc;

Looks like it should be 5.18 blocker.

Even simpler​:

$foo/; # some syntax error
\&CORE​::lc;

Pushed a fix to smoke-me/tonyc/core_lc_error

Fix pushed as a92039c, closing.

Tony

[p5pRT]

@tonycoz - Status changed from 'open' to 'resolved'