electric-fence finds a bad memory reference in perl #1380

Closed
p5pRT opened this issue Mar 18, 2000 · 10 comments

Comments

p5pRT commented Mar 18, 2000

Migrated from rt.perl.org#2460 (status was 'resolved')

Searchable as RT2460$

p5pRT commented Mar 18, 2000

From jrv@vanzandt.mv.com

Created by jrv@vanzandt.mv.com

This is a bug report for perl from jrv@vanzandt.mv.com,
generated with the help of perlbug 1.26 running under perl 5.00503.

-----------------------------------------------------------------

I submitted this to the Debian bug tracking system (Bug#57217), but to
my knowledge the maintainer has not forwarded it. I believe a
reproducible memory reference error should be of concern, so I have
decided to forward it myself. (I am also a Debian developer.)

  - Jim Van Zandt

Date: Sun, 6 Feb 2000 19:56:20 -0500 (EST)
From: James R. Van Zandt <jrv@vanzandt.mv.com>
Subject: perl-5.005-base: electric-fence finds a bad memory reference
To: submit@bugs.debian.org
Bcc:

Package​: perl-5.005-base
Version​: 5.005.03-4.1
Severity​: normal

automake is a perl script. electric-fence thinks it has a bad memory
reference:

  $ LD_PRELOAD=libefence.so.0.0 automake --add-missing
 
  Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.
  Segmentation fault (core dumped)

The directory contents after this (which also indicate which files
automake would try to copy in) are as follows:
 
  $ ls
  AUTHORS NEWS core squeegee.c squeegee.texinfo
  ChangeLog README gpl.texinfo squeegee.lsm.in system.h
  Makefile.am configure.in squeegee.1 squeegee.spec.in xmalloc.c
 
(core is 65 MB)

I have automake 1.4-6 and electric-fence 2.1.3 .
 
Here's the version of perl I am using​:

  vanzandt:~# update-alternatives --display perl
  perl - status is auto.
  link currently points to /usr/bin/perl-5.005
  /usr/bin/perl-5.005 - priority 5005
  /usr/bin/perl-5.004 - priority 5004
  Current `best' version is /usr/bin/perl-5.005.
  vanzandt:~# ls -l /usr/bin/perl*5.005*
  -rwxr-xr-x 3 root root 535152 Dec 19 12:29 /usr/bin/perl-5.005
  -rwxr-xr-x 3 root root 535152 Dec 19 12:29 /usr/bin/perl5.005
  -rwxr-xr-x 3 root root 535152 Dec 19 12:29 /usr/bin/perl5.00503
  -rwxr-xr-x 1 root root 31728 Dec 19 12:29 /usr/bin/perlbug-5.005
  -rwxr-xr-x 1 root root 26311 Dec 19 12:29 /usr/bin/perlcc-5.005
  -rwxr-xr-x 1 root root 16815 Dec 19 12:29 /usr/bin/perldoc-5.005
  vanzandt:~# dpkg --search /usr/bin/perl5.00503
  perl-5.005-base: /usr/bin/perl5.00503

  - Jim Van Zandt

-- System Information
Debian Release: potato
Kernel Version: Linux vanzandt 2.2.5 #8 Mon Jul 26 17:02:20 EDT 1999 i686 unknown

Versions of the packages perl-5.005-base depends on:
ii libc6 2.1.2-11 GNU C Library: Shared libraries and Timezone
ii libgdbmg1 1.7.3-26.2 GNU dbm database routines (runtime version).

Perl Info


Site configuration information for perl 5.00503:

Configured by rhertzog at Sun Dec 19 18:11:52 CET 1999.

Summary of my perl5 (5.0 patchlevel 5 subversion 3) configuration:
  Platform:
    osname=linux, osvers=2.2.13, archname=i386-linux
    uname='linux p200 2.2.13 #3 fri nov 5 15:32:20 cet 1999 i586 unknown '
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef useperlio=undef d_sfio=undef
  Compiler:
    cc='cc', optimize='-O2', gccversion=2.95.2 19991109 (Debian GNU/Linux)
    cppflags='-Dbool=char -DHAS_BOOL -D_REENTRANT -DDEBIAN -I/usr/local/include'
    ccflags ='-Dbool=char -DHAS_BOOL -D_REENTRANT -DDEBIAN -I/usr/local/include'
    stdchar='char', d_stdstdio=undef, usevfork=false
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldbm -ldb -ldl -lm -lc -lposix -lcrypt
    libc=, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl 5.00503:
    /usr/lib/perl5/5.005/i386-linux
    /usr/lib/perl5/5.005
    /usr/local/lib/site_perl/i386-linux
    /usr/local/lib/site_perl
    /usr/lib/perl5
    .


Environment for perl 5.00503:
    HOME=/home/jrv
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:.:/home/jrv/bin:/usr/local/netpbm:/usr/bin/mh
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Apr 30, 2003

From @iabyn

Hi, I'm just going through the Perl bugs database checking up on old
bugs.

automake is a perl script. electric-fence thinks it has a bad memory
reference:

$ LD_PRELOAD=libefence.so.0.0 automake --add-missing

Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.

Segmentation fault (core dumped)

The directory contents after this (which also indicate which files
automake would try to copy in) are as follows:

$ ls
AUTHORS NEWS core squeegee.c squeegee.texinfo
ChangeLog README gpl.texinfo squeegee.lsm.in system.h
Makefile.am configure.in squeegee.1 squeegee.spec.in xmalloc.c

Do you know whether this is still a problem on newer Perls and/or do you
have a copy of the configure.ac or configure.in file which the automake
was reading?

p5pRT commented Dec 10, 2004

From @smpeters

[davem - Wed Apr 30 16:46:50 2003]:

Hi, I'm just going through the Perl bugs database checking up on old
bugs.

automake is a perl script. electric-fence thinks it has a bad memory
reference:

$ LD_PRELOAD=libefence.so.0.0 automake --add-missing

Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.

Segmentation fault (core dumped)

The directory contents after this (which also indicate which files
automake would try to copy in) are as follows:

$ ls
AUTHORS NEWS core squeegee.c squeegee.texinfo
ChangeLog README gpl.texinfo squeegee.lsm.in system.h
Makefile.am configure.in squeegee.1 squeegee.spec.in xmalloc.c

Do you know whether this is still a problem on newer Perls and/or do you
have a copy of the configure.ac or configure.in file which the automake
was reading?

No reply has been provided in almost two years. This bug is stalled.

p5pRT commented Dec 10, 2004

@smpeters - Status changed from 'open' to 'stalled'

p5pRT commented Jul 11, 2010

From @gannett-ggreer

I can reproduce this iff I do NOT use -DDEBUGGING:

$ valgrind ./perl -I lib -c `which automake`
==8538== Memcheck, a memory error detector
==8538== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==8538== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==8538== Command: ./perl -I lib -c /usr/bin/automake
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x42F3C0: Perl_ck_split (op.c:7959)
==8538==    by 0x42F673: Perl_convert (op.c:2670)
==8538==    by 0x4614BF: Perl_yyparse (perly.y:792)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x461EE8: Perl_yyparse (perly.y:1274)
==8538==    by 0x4CCBD8: S_doeval (pp_ctl.c:3137)
==8538==    by 0x4CE96E: Perl_pp_require (pp_ctl.c:3726)
==8538==    by 0x494995: Perl_runops_standard (run.c:41)
==8538==    by 0x43B6BB: Perl_call_sv (perl.c:2606)
==8538==    by 0x43BB8C: Perl_call_list (perl.c:4595)
==8538==    by 0x424AA6: S_process_special_blocks (op.c:5977)
==8538==    by 0x432C22: Perl_newATTRSUB (op.c:5948)
==8538==    by 0x4332CE: Perl_utilize (op.c:4004)
==8538==    by 0x46178D: Perl_yyparse (perly.y:704)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x4D81A9: Perl_pp_regcomp (pp_ctl.c:225)
==8538==    by 0x494995: Perl_runops_standard (run.c:41)
==8538==    by 0x43B6BB: Perl_call_sv (perl.c:2606)
==8538==    by 0x43BB8C: Perl_call_list (perl.c:4595)
==8538==    by 0x424AA6: S_process_special_blocks (op.c:5977)
==8538==    by 0x432C22: Perl_newATTRSUB (op.c:5948)
==8538==    by 0x4332CE: Perl_utilize (op.c:4004)
==8538==    by 0x46178D: Perl_yyparse (perly.y:704)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x461EE8: Perl_yyparse (perly.y:1274)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
/usr/bin/automake syntax OK
==8538== Warning: bad signal number 0 in sigaction()
==8538==
==8538== HEAP SUMMARY:
==8538==     in use at exit: 100,022 bytes in 432 blocks
==8538==   total heap usage: 182,951 allocs, 182,519 frees, 30,655,219 bytes allocated
==8538==
==8538== LEAK SUMMARY:
==8538==    definitely lost: 7,394 bytes in 353 blocks
==8538==    indirectly lost: 0 bytes in 0 blocks
==8538==      possibly lost: 0 bytes in 0 blocks
==8538==    still reachable: 92,628 bytes in 79 blocks
==8538==         suppressed: 0 bytes in 0 blocks
==8538== Rerun with --leak-check=full to see details of leaked memory
==8538==
==8538== For counts of detected and suppressed errors, rerun with: -v
==8538== Use --track-origins=yes to see where uninitialised values come from
==8538== ERROR SUMMARY: 66 errors from 4 contexts (suppressed: 4 from 4)

Summary of my perl5 (revision 5 version 13 subversion 2) configuration:
  Commit id: 86755f4

regcomp.c:
   else {
       regnode *first = ri->program + 1;
       U8 fop = OP(first);
       U8 nop = OP(NEXTOPER(first));

       if (PL_regkind[fop] == NOTHING && nop == END)
           r->extflags |= RXf_NULL;
       else if (PL_regkind[fop] == BOL && nop == END)
           r->extflags |= RXf_START_ONLY;
4942:  else if (fop == PLUS && nop ==SPACE && OP(regnext(first))==END)
           r->extflags |= RXf_WHITE;
   }

--
George Greer

p5pRT commented Jul 11, 2010

The RT System itself - Status changed from 'stalled' to 'open'

p5pRT commented Jul 12, 2010

From @demerphq

A full -V output/configure invocation would be kinda useful; for
instance this script needs threads.

Anyway, this is my code and I'll give it a look.

On 11 July 2010 03:09, George Greer via RT <perlbug-followup@perl.org> wrote:

I can reproduce this iff I do NOT use -DDEBUGGING:

$ valgrind ./perl -I lib -c `which automake`
==8538== Memcheck, a memory error detector
==8538== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==8538== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==8538== Command: ./perl -I lib -c /usr/bin/automake
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x42F3C0: Perl_ck_split (op.c:7959)
==8538==    by 0x42F673: Perl_convert (op.c:2670)
==8538==    by 0x4614BF: Perl_yyparse (perly.y:792)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x461EE8: Perl_yyparse (perly.y:1274)
==8538==    by 0x4CCBD8: S_doeval (pp_ctl.c:3137)
==8538==    by 0x4CE96E: Perl_pp_require (pp_ctl.c:3726)
==8538==    by 0x494995: Perl_runops_standard (run.c:41)
==8538==    by 0x43B6BB: Perl_call_sv (perl.c:2606)
==8538==    by 0x43BB8C: Perl_call_list (perl.c:4595)
==8538==    by 0x424AA6: S_process_special_blocks (op.c:5977)
==8538==    by 0x432C22: Perl_newATTRSUB (op.c:5948)
==8538==    by 0x4332CE: Perl_utilize (op.c:4004)
==8538==    by 0x46178D: Perl_yyparse (perly.y:704)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x4D81A9: Perl_pp_regcomp (pp_ctl.c:225)
==8538==    by 0x494995: Perl_runops_standard (run.c:41)
==8538==    by 0x43B6BB: Perl_call_sv (perl.c:2606)
==8538==    by 0x43BB8C: Perl_call_list (perl.c:4595)
==8538==    by 0x424AA6: S_process_special_blocks (op.c:5977)
==8538==    by 0x432C22: Perl_newATTRSUB (op.c:5948)
==8538==    by 0x4332CE: Perl_utilize (op.c:4004)
==8538==    by 0x46178D: Perl_yyparse (perly.y:704)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
==8538== Conditional jump or move depends on uninitialised value(s)
==8538==    at 0x47788B: Perl_re_compile (regcomp.c:4942)
==8538==    by 0x42DD9E: Perl_pmruntime (op.c:3655)
==8538==    by 0x461EE8: Perl_yyparse (perly.y:1274)
==8538==    by 0x439A62: S_parse_body (perl.c:2159)
==8538==    by 0x43C6D8: perl_parse (perl.c:1604)
==8538==    by 0x423834: main (perlmain.c:115)
==8538==
/usr/bin/automake syntax OK
==8538== Warning: bad signal number 0 in sigaction()
==8538==
==8538== HEAP SUMMARY:
==8538==     in use at exit: 100,022 bytes in 432 blocks
==8538==   total heap usage: 182,951 allocs, 182,519 frees, 30,655,219 bytes allocated
==8538==
==8538== LEAK SUMMARY:
==8538==    definitely lost: 7,394 bytes in 353 blocks
==8538==    indirectly lost: 0 bytes in 0 blocks
==8538==      possibly lost: 0 bytes in 0 blocks
==8538==    still reachable: 92,628 bytes in 79 blocks
==8538==         suppressed: 0 bytes in 0 blocks
==8538== Rerun with --leak-check=full to see details of leaked memory
==8538==
==8538== For counts of detected and suppressed errors, rerun with: -v
==8538== Use --track-origins=yes to see where uninitialised values come from
==8538== ERROR SUMMARY: 66 errors from 4 contexts (suppressed: 4 from 4)

Summary of my perl5 (revision 5 version 13 subversion 2) configuration:
 Commit id: 86755f4

regcomp.c:
   else {
       regnode *first = ri->program + 1;
       U8 fop = OP(first);
       U8 nop = OP(NEXTOPER(first));

       if (PL_regkind[fop] == NOTHING && nop == END)
           r->extflags |= RXf_NULL;
       else if (PL_regkind[fop] == BOL && nop == END)
           r->extflags |= RXf_START_ONLY;
4942:  else if (fop == PLUS && nop ==SPACE && OP(regnext(first))==END)
           r->extflags |= RXf_WHITE;
   }

--
George Greer

--
perl -Mre=debug -e "/just|another|perl|hacker/"

p5pRT commented Jul 12, 2010

From @greerga

On Mon, 12 Jul 2010, demerphq wrote:

A full -V output/ configure invocation would be kinda useful, for
instance this script needs threads.

My valgrind run ran under 'perl -c' so the warnings appeared before the
program could carp about wanting threads. (That's controlled by
/usr/share/automake-1.11/Automake/Config.pm too.)

anyway, this is my code and ill give it a look

From what I remember, making the #ifdef code at line regcomp.c:4381
[Perl_re_compile] unconditional instead of -DDEBUGGING removed the
uninitialized warning, even though I was not running a -DDEBUGGING build
and should not have therefore (according to the comments) needed that.

My attempts to get ElectricFence itself to work kept crashing with an
internal error in the allocator so either I was doing it wrong or it
doesn't like 64-bit applications (I suspect the former). I'll give it
another try next weekend. From the bit pointed to by Valgrind it looked
likely to be something that would upset ElectricFence but I want to be
sure there isn't something else lurking too.

Thanks for looking.

--
George Greer

p5pRT commented Jan 24, 2011

From @iabyn

On Mon, Jul 12, 2010 at 08:00:18AM -0400, George Greer wrote:

On Mon, 12 Jul 2010, demerphq wrote:

A full -V output/ configure invocation would be kinda useful, for
instance this script needs threads.

My valgrind run ran under 'perl -c' so the warnings appeared before
the program could carp about wanting threads. (That's controlled by
/usr/share/automake-1.11/Automake/Config.pm too.)

anyway, this is my code and ill give it a look

From what I remember, making the #ifdef code at line
regcomp.c:4381
[Perl_re_compile] unconditional instead of -DDEBUGGING removed the
uninitialized warning, even though I was not running a -DDEBUGGING
build and should not have therefore (according to the comments)
needed that.

My attempts to get ElectricFence itself to work kept crashing with
an internal error in the allocator so either I was doing it wrong or
it doesn't like 64-bit applications (I suspect the former). I'll
give it another try next weekend. From the bit pointed to by
Valgrind it looked likely to be something that would upset
ElectricFence but I want to be sure there isn't something else
lurking too.

Now fixed by this commit

commit f6d9469
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Mon Jan 24 17:38:37 2011 +0000
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Mon Jan 24 18:06:32 2011 +0000

  fix harmless invalid read in Perl_re_compile()
 
  [perl #2460] described a case where electric fence reported an invalid
  read. This could be reproduced under valgrind with blead and -e'/x/',
  but only on a non-debugging build.
 
  This was because it was checking for certain pairs of nodes (e.g. BOL + END)
  and wasn't allowing for EXACT nodes, which have the string at the next
  node position when using a naive NEXTOPER(first). In the non-debugging
  build, the nodes aren't initialised to zero, and a 1-char EXACT node isn't
  long enough to spill into the type field of the "next node".
 
  Fix this by only using NEXTOPER(first) when we know the first node is
  kosher.

M regcomp.c

--
Overhead, without any fuss, the stars were going out.
  -- Arthur C Clarke
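As an added illustration of what George Greer's regcomp.c excerpt and David Mitchell's commit message above describe (this is constructed example code, not code from the thread or from perl itself): a toy regnode layout in which an EXACT node's string sits in the slot that a naive NEXTOPER(first) reads as the next header, plus a per-byte "was this written" shadow map standing in for memcheck so the uninitialised read is counted rather than only suspected. The opcode values, the RXf_* values, the node layout, the three hand-built programs and every function name here are assumptions of this example; classify_fixed follows the shape the commit message gives (consult NEXTOPER(first) only after fop says the first node is a fixed-size one), not the actual diff, which the page does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy opcode values for this example, not Perl's real table. */
enum { END = 0, BOL = 1, PLUS = 2, SPACE = 3, EXACT = 4, NOTHING = 5 };
enum { RXf_NULL = 1, RXf_START_ONLY = 2, RXf_WHITE = 4 };

/* 4-byte node header laid out like Perl's regnode. An EXACT node keeps its
 * string right after the header, i.e. in the slot where a naive "next node"
 * read expects another header. */
typedef struct { uint8_t flags; uint8_t type; uint16_t next_off; } regnode;
#define NEXTOPER(n) ((n) + 1)               /* node in the following slot */
#define regnext(n)  ((n) + (n)->next_off)   /* node the jump offset points at */

/* Program buffer plus a per-byte "was written" shadow: the same idea memcheck
 * uses to flag the read valgrind reported at regcomp.c:4942. */
typedef struct {
    uint8_t bytes[64], init[64];
    int uninit_reads;
} program_t;

static void prog_init(program_t *p) {
    memset(p->bytes, 0xAA, sizeof p->bytes);  /* models unzeroed malloc memory */
    memset(p->init, 0, sizeof p->init);
    p->uninit_reads = 0;
}
static regnode *node_at(program_t *p, int slot) { return (regnode *)p->bytes + slot; }

/* Emit a fixed-size node and mark all four of its bytes as written. */
static void emit_node(program_t *p, int slot, uint8_t type, uint16_t next_off) {
    regnode *n = node_at(p, slot);
    n->flags = 0; n->type = type; n->next_off = next_off;
    memset(p->init + slot * sizeof(regnode), 1, sizeof(regnode));
}

/* Emit an EXACT node: header plus exactly the string bytes. A 1-char string
 * writes only the "flags" byte of the next slot and leaves its "type" byte
 * untouched, which is the situation the fix commit describes. */
static int emit_exact(program_t *p, int slot, const char *s) {
    size_t len = strlen(s);
    int slots = 1 + (int)((len + sizeof(regnode) - 1) / sizeof(regnode));
    emit_node(p, slot, EXACT, (uint16_t)slots);
    memcpy((char *)(node_at(p, slot) + 1), s, len);
    memset(p->init + (slot + 1) * sizeof(regnode), 1, len);
    return slot + slots;
}

/* Checked OP(): counts reads of a type byte the compiler never wrote. */
static uint8_t OP(program_t *p, const regnode *n) {
    size_t off = (size_t)((const uint8_t *)&n->type - p->bytes);
    if (!p->init[off]) p->uninit_reads++;
    return n->type;
}

/* Shape of the excerpt quoted in the thread: nop is fetched before anything
 * has checked what kind of node "first" is. */
static int classify_naive(program_t *p) {
    regnode *first = node_at(p, 1);
    uint8_t fop = OP(p, first);
    uint8_t nop = OP(p, NEXTOPER(first));   /* garbage when first is EXACT */
    if (fop == NOTHING && nop == END) return RXf_NULL;
    if (fop == BOL && nop == END) return RXf_START_ONLY;
    if (fop == PLUS && nop == SPACE && OP(p, regnext(first)) == END) return RXf_WHITE;
    return 0;
}

/* Shape the fix describes: look past "first" only once fop proves it is a
 * fixed-size node, so an EXACT payload is never read as a header. */
static int classify_fixed(program_t *p) {
    regnode *first = node_at(p, 1);
    uint8_t fop = OP(p, first);
    if (fop == NOTHING && OP(p, NEXTOPER(first)) == END) return RXf_NULL;
    if (fop == BOL && OP(p, NEXTOPER(first)) == END) return RXf_START_ONLY;
    if (fop == PLUS && OP(p, NEXTOPER(first)) == SPACE
        && OP(p, regnext(first)) == END) return RXf_WHITE;
    return 0;
}

/* Constructed programs; slot 0 stands in for ri->program[0]. */
static void build_exact_x(program_t *p) {   /* the commit message's -e'/x/' */
    prog_init(p); emit_node(p, 0, NOTHING, 1);
    emit_node(p, emit_exact(p, 1, "x"), END, 0);
}
static void build_bol(program_t *p) {       /* /^/ : BOL END */
    prog_init(p); emit_node(p, 0, NOTHING, 1);
    emit_node(p, 1, BOL, 1); emit_node(p, 2, END, 0);
}
static void build_white(program_t *p) {     /* /\s+/ : PLUS SPACE END */
    prog_init(p); emit_node(p, 0, NOTHING, 1);
    emit_node(p, 1, PLUS, 2); emit_node(p, 2, SPACE, 1); emit_node(p, 3, END, 0);
}
static int uninit_reads(void (*build)(program_t *), int (*classify)(program_t *)) {
    program_t p; build(&p); (void)classify(&p); return p.uninit_reads;
}
static int flags_of(void (*build)(program_t *), int (*classify)(program_t *)) {
    program_t p; build(&p); return classify(&p);
}

int main(void) {
    printf("/x/: naive %d uninitialised read(s), fixed %d; /^/ flags=%d, /\\s+/ flags=%d\n",
           uninit_reads(build_exact_x, classify_naive), uninit_reads(build_exact_x, classify_fixed),
           flags_of(build_bol, classify_fixed), flags_of(build_white, classify_fixed));
    return 0;
}
```

The poison fill is what makes the naive path quiet on a debugging-style zeroed buffer and noisy otherwise: with zeroed memory the stray type byte reads as END (0 here, as in the thread's description), so the bug only shows on the non-debugging layout, which is exactly why it took Valgrind rather than a -DDEBUGGING build to surface it.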

p5pRT commented Jan 24, 2011

@iabyn - Status changed from 'open' to 'resolved'
