segfault with symbol table and coderef

[p5pRT]

Migrated from rt.perl.org#131085 (status was 'resolved')

Searchable as RT131085$

[p5pRT]

From @mauke

Created by @mauke

$ perl -e '$​::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

I haven't done any analysis but this is the stacktrace from 5.25.11​:

Program received signal SIGSEGV, Segmentation fault.
Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>) at gv.c​:426
426 || ( HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
(gdb) bt
#0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>, name=<optimized out>, len=<optimized out>, flags=<optimized out>)
  at gv.c​:426
#1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A", full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c​:2421
#2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049, sv_type=SVt_PVCV) at gv.c​:1569
#3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98, gvp=0xbfffee94, lref=1) at sv.c​:9968
#4 0x081865a5 in Perl_pp_rv2cv () at pp.c​:468
#5 0x081141d8 in Perl_runops_debug () at dump.c​:2451
#6 0x080947f2 in S_run_body (oldscope=1) at perl.c​:2524
#7 perl_run (my_perl=0x835f008) at perl.c​:2447
#8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c​:123

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1


Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash

[p5pRT]

From @jkeenan

On Fri, 31 Mar 2017 18​:15​:50 GMT, mauke- wrote​:

This is a bug report for perl from l.mai@​web.de,
generated with the help of perlbug 1.40 running under perl 5.24.1.

-----------------------------------------------------------------
[Please describe your issue here]

$ perl -e '$​::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

I haven't done any analysis but this is the stacktrace from 5.25.11​:

Program received signal SIGSEGV, Segmentation fault.
Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>,
name=<optimized out>, len=<optimized out>, flags=<optimized out>) at
gv.c​:426
426 || ( HEK_LEN(CvNAME_HEK(cv)) ==
HEK_LEN(GvNAME_HEK(gv))
(gdb) bt
#0 Perl_gv_init_pvn (gv=<optimized out>, stash=<optimized out>,
name=<optimized out>, len=<optimized out>, flags=<optimized out>)
at gv.c​:426
#1 0x08098c31 in Perl_gv_fetchpvn_flags (nambeg=0x8378428 "A",
full_len=1, flags=2049, sv_type=SVt_PVCV) at gv.c​:2421
#2 0x0809aaa6 in Perl_gv_fetchsv (name=0x8373690, flags=2049,
sv_type=SVt_PVCV) at gv.c​:1569
#3 0x08158d56 in Perl_sv_2cv (sv=0x8373690, st=0xbfffee98,
gvp=0xbfffee94, lref=1) at sv.c​:9968
#4 0x081865a5 in Perl_pp_rv2cv () at pp.c​:468
#5 0x081141d8 in Perl_runops_debug () at dump.c​:2451
#6 0x080947f2 in S_run_body (oldscope=1) at perl.c​:2524
#7 perl_run (my_perl=0x835f008) at perl.c​:2447
#8 0x0806338d in main (argc=<optimized out>, argv=<optimized out>,
env=<optimized out>) at perlmain.c​:123

This was a regression between 5.20 and 5.22 (which I *think* means it's not a 5.26.0 blocker).

Bisection command​:

#####
Porting/bisect.pl --crash --start=v5.20.0 -- ./perl -e '$​::{"A"} = sub {}; \&{"A"}'
#####

Tail of bisection result​:

#####
Cannot convert a reference to CODE to typeglob at -e line 1.
HEAD is now at c831c5e Remove bogus gv-handling code from toke.c
good - zero exit from ./perl -e $​::{"A"} = sub {}; \&{"A"}
2eaf799 is the first bad commit
commit 2eaf799
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Sun Aug 31 20​:13​:21 2014 -0700

  Avoid creating GVs when subs are declared
 
  This patch changes ‘sub foo {...}’ declarations to store subroutine
  references in the stash, to save memory.
 
  Typeglobs still notionally exist. Accessing CvGV(cv) will reify them.
  Hence, currently the savings are lost when a sub call is compiled.
 
  $ ./miniperl -e 'sub foo{} BEGIN { warn $​::{foo} } foo(); BEGIN { warn $​::{foo} }'
  CODE(0x7f8ef082ad98) at -e line 1.
  *main​::foo at -e line 1.
 
  This optimisation is skipped if the subroutine declaration contains a
  package separator.
 
  Concerning the changes in caller.t, this code​:
 
  sub foo { print +(caller(0))[3],"\n" }
  my $fooref = delete $​::{foo};
  $fooref -> ();
 
  used to crash in 5.7.3 or thereabouts. It was fixed by 16658 (aka
  07b8c80) to produce ‘(unknown)’ instead. Then in 5.13.3 it was
  changed (by 803f274) to produce ‘main​::__ANON__’ instead. So the
  tests are really checking that we don’t get a crash. I think it is
  acceptable that it has now changed to ‘main​::foo’.

:100644 100644 74f1ba990b5fec64709aa08caa4c9dd1945a2428 4378152a3db27ee3d40e8a12dec07b550541b72f M embed.fnc
:100644 100644 7aa9f1ee68bbe9794d8b668c99ab76c4217eb7af 1b490f8366a93b06e46fa1deed0d41e8ed16f667 M gv.c
:100644 100644 be9a341e9dd7009e4c654fb260e7c8145266b43b 78407f3520a762c92d556c98df05443ee0e9cf50 M op.c
:100644 100644 7cadacea46d2deee3d4902e6403836c06898429a ea05bb49f9de09684b3e59e088ea371927b6436f M pp.c
:100644 100644 642823dc434ba4616d96ae9bd42b32f171891422 a540fc76549039530820191135236f76c3f391ff M proto.h
:040000 040000 8a139b7878c09394296c6fe04faded005b099282 9125fb9ba794e8f3649f7356c68fee85e33dbf03 M t
:100644 100644 ea022f9512d5dddb31b9f415c45df909fba79c26 8a8d187e80756f018daca9a0888bfd3a97b6ce2f M toke.c
:100644 100644 200ce875b94bd843d78138841428c7efd07fe8cb 825dff5c42a6528e0bedac427c64e7c2899cbd98 M universal.c
bisect run success
That took 1182 seconds.
#####

Confirmation via building perl at commit before and commit. What was formally an exception became a segfault.

#####
[2eaf799^] 514 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-637-gc831c5e)) built for x86_64-linux
[2eaf799^] 515 $ ./bin/perl -e '$​::{"A"} = sub {}; \&{"A"}'
Cannot convert a reference to CODE to typeglob at -e line 1.

[2eaf799] 509 $ ./bin/perl -v | head -2 | tail -1
This is perl 5, version 21, subversion 4 (v5.21.4 (v5.21.3-638-g2eaf799)) built for x86_64-linux
[2eaf799] 510 $ ./bin/perl -e '$​::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)
#####

Father C, can you take a look?

Thank you very much.
--
James E Keenan (jkeenan@​cpan.org)

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @cpansprout

On Fri, 31 Mar 2017 15​:02​:43 -0700, jkeenan wrote​:

This was a regression between 5.20 and 5.22 (which I *think* means
it's not a 5.26.0 blocker).

Right. One of the docs says that assigning to stash elements like that results in undefined behaviour.

(It still shouldn’t crash, but there is no need for it to be a blocker.)

Father C, can you take a look?

Patch attached.

--

Father Chrysostomos

[p5pRT]

From @cpansprout

From ea6c8a920fe6433d6e7d190ba0e9aed4f790aaed Mon Sep 17 00​:00​:00 2001
From​: Father Chrysostomos <sprout@​cpan.org>
Date​: Fri, 7 Apr 2017 14​:08​:02 -0700
Subject​: [PATCH] [perl #131085] Crash with sub-in-stash
MIME-Version​: 1.0
Content-Type​: text/plain; charset=UTF-8
Content-Transfer-Encoding​: 8bit

$ perl -e '$​::{"A"} = sub {}; \&{"A"}'
Segmentation fault (core dumped)

The code that vivifies a typeglob out of a code ref assumed that the
CV had a name hek, which is always the case when perl itself puts the
code ref there (via ‘sub A{}’), but is not necessarily the case if
someone is insinuating other stuff into the stash.

Inline Patch

diff --git a/gv.c b/gv.c
index d32a9c5..315ec49 100644
--- a/gv.c
+++ b/gv.c
@@ -421,7 +421,7 @@ Perl_gv_init_pvn(pTHX_ GV *gv, HV *stash, const char *name, STRLEN len, U32 flag
 	/* Not actually a constant.  Just a regular sub.  */
 	CV * const cv = (CV *)has_constant;
 	GvCV_set(gv,cv);
-	if (CvSTASH(cv) == stash && (
+	if (CvNAMED(cv) && CvSTASH(cv) == stash && (
 	       CvNAME_HEK(cv) == GvNAME_HEK(gv)
 	    || (  HEK_LEN(CvNAME_HEK(cv)) == HEK_LEN(GvNAME_HEK(gv))
 	       && HEK_FLAGS(CvNAME_HEK(cv)) != HEK_FLAGS(GvNAME_HEK(gv))
diff --git a/t/op/gv.t b/t/op/gv.t
index 8d5e7dc..4fe6b00 100644
--- a/t/op/gv.t
+++ b/t/op/gv.t
@@ -1187,6 +1187,10 @@ package GV_DOWNGRADE {
     ::like "$GV_DOWNGRADE::{FOO}", qr/SCALAR/, "gv_downgrade: post";
 }
 
+# [perl #131085] This used to crash; no ok() necessary.
+$::{"A131085"} = sub {}; \&{"A131085"};
+
+
 __END__
 Perl
 Rules

[p5pRT]

From @cpansprout

On Fri, 07 Apr 2017 14​:10​:52 -0700, sprout wrote​:

On Fri, 31 Mar 2017 15​:02​:43 -0700, jkeenan wrote​:

This was a regression between 5.20 and 5.22 (which I *think* means
it's not a 5.26.0 blocker).

Right. One of the docs says that assigning to stash elements like
that results in undefined behaviour.

(It still shouldn’t crash, but there is no need for it to be a
blocker.)

Father C, can you take a look?

Patch attached.

Now applied as 790acdd.

--

Father Chrysostomos

[p5pRT]

@cpansprout - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'