SEGV in Perl_hv_common with 5.20.1 and Encode 2.62 #14126

Closed
p5pRT opened this issue Oct 1, 2014 · 5 comments

@p5pRT (Collaborator) commented Oct 1, 2014

Migrated from rt.perl.org#122873 (status was 'rejected')

Searchable as RT122873$

@p5pRT (Collaborator, Author) commented Oct 1, 2014

From @andk

Thanks to Slaven Rezić for bringing this candidate to my attention.

The SEGV only happens occasionally while running the test
t/302-content-negotiation-charset.t that comes with
DROLSKY/HTTP-Headers-ActionPack-0.09.tar.gz with
DANKOGAI/Encode-2.62.tar.gz installed.

I have only observed it with 5.20.1, but according to cpantesters it
seems the same happened with 5.20.0, 5.21.1, and 5.21.3.

Very similar to my current observation is
http://www.cpantesters.org/cpan/report/45835631 where Encode
2.60 was involved.

Here is my stacktrace:

  Core was generated by `/home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0,
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0,
      hash=1) at hv.c:637

  warning: Source file is more recent than executable.
  637 goto not_found;
  (gdb) bt
  #0 0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0,
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0,
      hash=1) at hv.c:637
  #1 0x00000000004a5d8a in Perl_pp_helem () at pp_hot.c:1768
  #2 0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #3 0x0000000000435371 in Perl_call_sv (sv=0x2d81c20, flags=flags@entry=2)
      at perl.c:2756
  #4 0x0000000000435828 in Perl_call_pv (
      sub_name=sub_name@entry=0x7fd6d1916c10 "Encode::MIME::Name::get_mime_name",
      flags=flags@entry=2) at perl.c:2645
  #5 0x00007fd6d191387a in XS_Encode__XS_mime_name (cv=<optimized out>)
      at Encode.xs:715
  #6 0x00000000004a5220 in Perl_pp_entersub () at pp_hot.c:2794
  #7 0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #8 0x000000000043b8c8 in S_run_body (oldscope=1) at perl.c:2456
  #9 perl_run (my_perl=<optimized out>) at perl.c:2372
  #10 0x000000000041de25 in main (argc=3, argv=0x7ffffd6ab278, env=0x7ffffd6ab298)
      at perlmain.c:114

I attach a valgrind output from running

  env PERL_DESTRUCT_LEVEL=2 valgrind --num-callers=5 \
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl \
  -Mblib t/302-content-negotiation-charset.t

--
andreas

@p5pRT (Collaborator, Author) commented Oct 1, 2014

From @andk

  ==22122== Memcheck, a memory error detector
  ==22122== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
  ==22122== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
  ==22122== Command: /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib t/302-content-negotiation-charset.t
  ==22122==
  ok 1 - use HTTP::Headers::ActionPack;
  ok 2 - An object of class 'HTTP::Headers::ActionPack::ContentNegotiation' isa 'HTTP::Headers::ActionPack::ContentNegotiation'
  ok 3 - ... got nothing back when there are no choices
  ==22122== Invalid write of size 8
  ==22122==    at 0x6C3C869: XS_Encode__XS_mime_name (Encode.xs:713)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x43B8C7: perl_run (perl.c:2456)
  ==22122==    by 0x41DE24: main (perlmain.c:114)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x43523F: Perl_call_sv (perl.c:2721)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x43B8C7: perl_run (perl.c:2456)
  ==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4A4DC1: Perl_pp_entersub (pp_hot.c:2531)
  ==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4C2CB38: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:882)
  ==22122==    by 0x4A5058: Perl_pp_entersub (pp_hot.c:2702)
  ==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x49E9DA: Perl_pp_gv (pp_hot.c:99)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4A0746: Perl_pp_rv2av (pp_hot.c:871)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x4A0845: Perl_pp_rv2av (pp_hot.c:908)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x4A0087: Perl_pp_aelemfast (pp_hot.c:740)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4A5C56: Perl_pp_helem (pp_hot.c:1745)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4A5C59: Perl_pp_helem (pp_hot.c:1746)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x4A5E3C: Perl_pp_helem (pp_hot.c:1816)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x4A4BD0: Perl_pp_leavesub (pp_hot.c:2496)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid write of size 8
  ==22122==    at 0x4A4BFE: Perl_pp_leavesub (pp_hot.c:2501)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
  ==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ==22122== Invalid read of size 8
  ==22122==    at 0x6C3C87E: XS_Encode__XS_mime_name (Encode.xs:717)
  ==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
  ==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
  ==22122==    by 0x43B8C7: perl_run (perl.c:2456)
  ==22122==    by 0x41DE24: main (perlmain.c:114)
  ==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
  ==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
  ==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
  ==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
  ==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
  ==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
  ==22122==
  ok 4 - ... first value in the header wins when priorities are equal
  ok 5 - ... higher priority charset is chosen over lower
  ok 6 - ... got ISO-8859-1 even when it is not explicitly asked for
  ok 7 - ... charset explicitly listed in header is preferred over ISO-8859-1 default
  ok 8 - ... got default back when the default is in list of choices and default is ok
  ok 9 - ... got default back when the default is in list of choices but not an exact match and default is ok
  ok 10 - ... got nothing back when default is not in list of choices
  ok 11 - ... if default is listed as priority 0.0 it is not returned
  ok 12 - ... if default is listed as priority 0 it is not returned (0 == 0.0)
  ok 13 - ... if * is listed as priority 0.0 then default is not returned
  ok 14 - ... if * is listed as priority 0.5 but default is 0.0 then default is not returned, but * can match other choices
  ok 15 - ... charsets in header are canonicalized
  ok 16 - ... the match is returned as formatted in the list of choices, without canonicalization
  1..16
  ==22122==
  ==22122== HEAP SUMMARY:
  ==22122==     in use at exit: 7,998,904 bytes in 23,148 blocks
  ==22122==   total heap usage: 68,345 allocs, 45,197 frees, 16,433,032 bytes allocated
  ==22122==
  ==22122== LEAK SUMMARY:
  ==22122==    definitely lost: 0 bytes in 0 blocks
  ==22122==    indirectly lost: 0 bytes in 0 blocks
  ==22122==      possibly lost: 5,236,190 bytes in 3,197 blocks
  ==22122==    still reachable: 2,762,714 bytes in 19,951 blocks
  ==22122==         suppressed: 0 bytes in 0 blocks
  ==22122== Rerun with --leak-check=full to see details of leaked memory
  ==22122==
  ==22122== For counts of detected and suppressed errors, rerun with: -v
  ==22122== ERROR SUMMARY: 14 errors from 14 contexts (suppressed: 2 from 2)

@p5pRT (Collaborator, Author) commented Oct 2, 2014

From @tonycoz

On Tue Sep 30 18:30:09 2014, andreas.koenig.7os6VVqR@franz.ak.mind.de wrote:

> Thanks to Slaven Rezić for bringing this candidate to my attention.
>
> The SEGV only happens occasionally while running the test
> t/302-content-negotiation-charset.t that comes with
> DROLSKY/HTTP-Headers-ActionPack-0.09.tar.gz with
> DANKOGAI/Encode-2.62.tar.gz installed.

This is a bug in Encode.

I've reported this upstream with a fix as https://rt.cpan.org/Ticket/Display.html?id=99264

The problem is Member_mime_name() calls call_pv(), which can reallocate the stack, but then continues to use the old stack.

Adding SPAGAIN fixes it. Method_perlio_ok() has a similar problem which I've also patched.

Tony
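A toy model of the stale-stack-pointer bug Tony describes, added here as an illustration; it is not Encode's or perl's code. The `pstack` type, `callee`, and the two caller functions are constructed stand-ins for the perl argument stack, the sub reached through call_pv(), and the dSP / SPAGAIN / POPs macros; the grow path frees the old block the way the valgrind report shows Perl_stack_grow() doing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the perl argument stack, constructed for this example (not
 * perl's or Encode's code): a heap array moved to a new block when it fills,
 * as Perl_stack_grow() does through realloc. */
typedef struct { long *base; size_t top, cap; } pstack;

static void ps_init(pstack *s) { s->cap = 4; s->top = 0; s->base = malloc(4 * sizeof *s->base); }
static void ps_free(pstack *s) { free(s->base); }

/* Grow with malloc+copy+free so the old address is certainly dead afterwards
 * (the "free'd" block in the valgrind report). */
static void ps_push(pstack *s, long v) {
    if (s->top == s->cap) {
        long *bigger = malloc(2 * s->cap * sizeof *s->base);
        memcpy(bigger, s->base, s->top * sizeof *s->base);
        free(s->base);
        s->base = bigger;
        s->cap *= 2;
    }
    s->base[s->top++] = v;
}

/* Stand-in for the perl sub reached via call_pv(): pushes n values, possibly
 * forcing a grow, and leaves one result (42) on top. */
static void callee(pstack *s, long n) {
    for (long i = 0; i < n; i++) ps_push(s, i);
    ps_push(s, 42);
}

/* Buggy shape: dSP caches the stack pointer, call_pv() runs, and the cached
 * pointer is reused. Returns 1 if it now refers to the freed block. */
static int cached_sp_dangles(long n) {
    pstack s; ps_init(&s);
    uintptr_t sp = (uintptr_t)s.base;   /* dSP */
    callee(&s, n);                      /* call_pv(): may move the stack */
    int dangling = (uintptr_t)s.base != sp;
    ps_free(&s);
    return dangling;
}

/* Fixed shape: SPAGAIN re-reads the stack pointer before POPs. */
static long pop_result_with_spagain(long n) {
    pstack s; ps_init(&s);
    callee(&s, n);
    long *sp = s.base + s.top;          /* SPAGAIN */
    long result = *(sp - 1);            /* POPs */
    ps_free(&s);
    return result;
}
```

With a 4-slot initial stack, a callee that pushes only a couple of values never triggers a move and the cached pointer stays valid, which is why the original crash was intermittent.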

@p5pRT (Collaborator, Author) commented Oct 2, 2014

The RT System itself - Status changed from 'new' to 'open'

@p5pRT (Collaborator, Author) commented Oct 2, 2014

@cpansprout - Status changed from 'open' to 'rejected'

@p5pRT p5pRT closed this Oct 2, 2014
@p5pRT p5pRT added the Severity Low label Oct 19, 2019