
segfault with symbol table and coderef #15937

Closed
p5pRT opened this issue Mar 31, 2017 · 9 comments

@p5pRT p5pRT commented Mar 31, 2017

Migrated from rt.perl.org#131085 (status was 'resolved')

Searchable as RT131085$


@p5pRT p5pRT commented Mar 31, 2017

From @mauke

Created by @mauke

$ perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

I haven't done any analysis but this is the stacktrace from 5.25.11:

Program received signal SIGSEGV, Segmentation fault.
Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c:426
426 || ( HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
(gdb) bt
#0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>)
  at gv.c:426
#1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A", full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c:2421
#2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049, sv_type=SVt_PVCV) at gv.c:1569
#3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98, gvp=0xbfffee94, lref=1) at sv.c:9968
#4 0x081865a5 in Perl_pp_rv2cv () at pp.c:468
#5 0x081141d8 in Perl_runops_debug () at dump.c:2451
#6 0x080947f2 in S_run_body (oldscope=1) at perl.c:2524
#7 perl_run (my_perl=0x835f008) at perl.c:2447
#8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1


Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash


@p5pRT p5pRT commented Mar 31, 2017

From @jkeenan

On Fri, 31 Mar 2017 18:15:50 GMT, mauke- wrote:

This is a bug report for perl from l.mai@web.de,
generated with the help of perlbug 1.40 running under perl 5.24.1.

-----------------------------------------------------------------
[Please describe your issue here]

$ perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

I haven't done any analysis but this is the stacktrace from 5.25.11:

Program received signal SIGSEGV, Segmentation fault.
Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c:426
426 || ( HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
(gdb) bt
#0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c:426
#1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A", full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c:2421
#2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049, sv_type=SVt_PVCV) at gv.c:1569
#3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98, gvp=0xbfffee94, lref=1) at sv.c:9968
#4 0x081865a5 in Perl_pp_rv2cv () at pp.c:468
#5 0x081141d8 in Perl_runops_debug () at dump.c:2451
#6 0x080947f2 in S_run_body (oldscope=1) at perl.c:2524
#7 perl_run (my_perl=0x835f008) at perl.c:2447
#8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

This was a regression between 5.20 and 5.22 (which I *think* means it's not a 5.26.0 blocker).

Bisection command:

#####
Porting/bisect.pl --crash --start=v5.20.0 -- ./perl -e '$::{"A"} = sub {}; \&{"A"}'
#####

Tail of bisection result:

#####
Cannot convert a reference to CODE to typeglob at -e line 1.
HEAD is now at c831c5e Remove bogus gv-handling code from toke.c
good - zero exit from ./perl -e $::{"A"} = sub {}; \&{"A"}
2eaf799 is the first bad commit
commit 2eaf799
Author: Father Chrysostomos <sprout@cpan.org>
Date: Sun Aug 31 20:13:21 2014 -0700

  Avoid creating GVs when subs are declared

  This patch changes ‘sub foo {...}’ declarations to store subroutine
  references in the stash, to save memory.

  Typeglobs still notionally exist. Accessing CvGV(cv) will reify them.
  Hence, currently the savings are lost when a sub call is compiled.

  $ ./miniperl -e 'sub foo{} BEGIN { warn $::{foo} } foo(); BEGIN { warn $::{foo} }'
  CODE(0x7f8ef082ad98) at -e line 1.
  *main::foo at -e line 1.

  This optimisation is skipped if the subroutine declaration contains a
  package separator.

  Concerning the changes in caller.t, this code:

  sub foo { print +(caller(0))[3],"\n" }
  my $fooref = delete $::{foo};
  $fooref -> ();

  used to crash in 5.7.3 or thereabouts. It was fixed by 16658 (aka
  07b8c80) to produce ‘(unknown)’ instead. Then in 5.13.3 it was
  changed (by 803f274) to produce ‘main::__ANON__’ instead. So the
  tests are really checking that we don’t get a crash. I think it is
  acceptable that it has now changed to ‘main::foo’.

bisect run success
That took 1182 seconds.
#####

Confirmation via building perl at the commit before and at the commit itself. What was formerly an exception became a segfault.

#####
[2eaf799^] 514 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-637-gc831c5e)) built for x86_64-linux
[2eaf799^] 515 $ ./bin/perl -e '$::{"A"} = sub {}; \&{"A"}'
Cannot convert a reference to CODE to typeglob at -e line 1.

[2eaf799] 509 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-638-g2eaf799)) built for x86_64-linux
[2eaf799] 510 $ ./bin/perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)
#####

Father C, can you take a look?

Thank you very much.
--
James E Keenan (jkeenan@cpan.org)


@p5pRT p5pRT commented Mar 31, 2017

The RT System itself - Status changed from 'new' to 'open'


@p5pRT p5pRT commented Apr 7, 2017

From @cpansprout

On Fri, 31 Mar 2017 15:02:43 -0700, jkeenan wrote:

This was a regression between 5.20 and 5.22 (which I *think* means
it's not a 5.26.0 blocker).

Right. One of the docs says that assigning to stash elements like that results in undefined behaviour.

(It still shouldn’t crash, but there is no need for it to be a blocker.)

Father C, can you take a look?

Patch attached.

--

Father Chrysostomos


@p5pRT p5pRT commented Apr 7, 2017

From @cpansprout

From ea6c8a920fe6433d6e7d190ba0e9aed4f790aaed Mon Sep 17 00:00:00 2001
From: Father Chrysostomos <sprout@cpan.org>
Date: Fri, 7 Apr 2017 14:08:02 -0700
Subject: [PATCH] [perl #131085] Crash with sub-in-stash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

$ perl -e '$::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

The code that vivifies a typeglob out of a code ref assumed that the
CV had a name hek, which is always the case when perl itself puts the
code ref there (via ‘sub A{}’), but is not necessarily the case if
someone is insinuating other stuff into the stash.

Inline Patch
diff --git a/gv.c b/gv.c
index d32a9c5..315ec49 100644
--- a/gv.c
+++ b/gv.c
@@ -421,7 +421,7 @@ Perl_gv_init_pvn(pTHX_ GV *gv, HV *stash, const char *name, STRLEN len, U32 flag
 	/* Not actually a constant.  Just a regular sub.  */
 	CV * const cv = (CV *)has_constant;
 	GvCV_set(gv,cv);
-	if (CvSTASH(cv) == stash && (
+	if (CvNAMED(cv) && CvSTASH(cv) == stash && (
 	       CvNAME_HEK(cv) == GvNAME_HEK(gv)
 	    || (  HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
 	       && HEK_FLAGS(CvNAME_HEK(cv)) != HEK_FLAGS(GvNAME_HEK(gv))
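Review bot: the added `CvNAMED(cv)` test is in the right position as the leftmost operand, so the `CvNAME_HEK(cv)` reads on the following lines are short-circuited for a CV that carries no name hek, which is exactly the anonymous-sub-in-stash case from the report. Two things would help the next reader: a one-line comment on the `if` stating that a CV reached through the stash is only guaranteed to be named when perl itself put it there via `sub A{}`, and a note on whether the path taken when this condition is false (the code after it, not shown in the hunk) does the right thing for an unnamed CV, given that `GvCV_set(gv,cv);` three lines above has already installed that CV in the freshly vivified glob.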
diff --git a/t/op/gv.t b/t/op/gv.t
index 8d5e7dc..4fe6b00 100644
--- a/t/op/gv.t
+++ b/t/op/gv.t
@@ -1187,6 +1187,10 @@ package GV_DOWNGRADE {
     ::like "$GV_DOWNGRADE::{FOO}", qr/SCALAR/, "gv_downgrade: post";
 }
 
+# [perl #131085] This used to crash; no ok() necessary.
+$::{"A131085"} = sub {}; \&{"A131085"};
+
+
 __END__
 Perl
 Rules
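Review bot: the regression test `$::{"A131085"} = sub {}; \&{"A131085"};` relies solely on the interpreter surviving, as the comment says, but if this file runs with warnings enabled the bare `\&{...}` in void context may emit a "Useless use of reference constructor in void context" warning that a warnings-checking harness would count against it; assigning the result (`my $cv = \&{"A131085"};`) keeps the crash check and avoids that. Also, the hunk adds two blank lines before `__END__` where one would do.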

@p5pRT p5pRT commented Jun 1, 2017

From @cpansprout

On Fri, 07 Apr 2017 14:10:52 -0700, sprout wrote:

On Fri, 31 Mar 2017 15:02:43 -0700, jkeenan wrote:

This was a regression between 5.20 and 5.22 (which I *think* means
it's not a 5.26.0 blocker).

Right. One of the docs says that assigning to stash elements like
that results in undefined behaviour.

(It still shouldn’t crash, but there is no need for it to be a
blocker.)

Father C, can you take a look?

Patch attached.

Now applied as 790acdd.

--

Father Chrysostomos
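As an added illustration of the sub-in-stash behaviour the patch message describes (this is not code from the thread or from the perl repository): a plain `sub` declaration leaves a bare CODE ref in the stash that carries a name hek and is reified into a typeglob the first time something asks for its GV, whereas an anonymous sub poked into the stash has no name to reify from, which is the case the `CvNAMED(cv)` guard now handles. It assumes Perl 5.22 or later (core `Sub::Util`) and the sub names `named_sub`, `poked_sub` and `glob_sub` are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sub::Util qw(subname);   # core module since 5.22

# Describe what currently occupies slot $name of the main stash (%main::).
# Since commit 2eaf799 (5.22+) a plain 'sub NAME {}' stores a bare CODE ref
# here; the typeglob is only reified when something asks for CvGV(cv).
sub stash_slot {
    my ($name) = @_;
    my $slot = $main::{$name};
    return 'missing'       if !defined $slot;
    return 'bare CODE ref' if ref($slot) eq 'CODE';
    return 'typeglob'      if ref(\$slot) eq 'GLOB';
    return 'other: ' . ref(\$slot);
}

sub named_sub {}             # compiler-installed: CV has CvNAMED and a name hek
$main::{poked_sub} = sub {}; # anonymous CV stored directly: no name hek at all
*main::glob_sub = sub {};    # supported route: glob assignment creates the GV

for my $name (qw(named_sub poked_sub glob_sub)) {
    printf "%-10s before: %s\n", $name, stash_slot($name);
}

# subname() goes through CvGV(cv). For the named CV this reifies the glob
# from the name hek (via gv_init_pvn, the function in the backtrace), so the
# stash slot flips to a typeglob; the anonymous CV has no hek and reports as
# main::__ANON__ while its slot stays a bare CODE ref. On 5.22 through 5.26
# the equivalent lookup through \&{"poked_sub"} is what crashed.
for my $name (qw(named_sub poked_sub)) {
    my $cv = $main::{$name};
    printf "%-10s subname=%s, after: %s\n", $name, subname($cv), stash_slot($name);
}
```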


@p5pRT p5pRT commented Jun 1, 2017

@cpansprout - Status changed from 'open' to 'pending release'


@p5pRT p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.


@p5pRT p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'
