SIGBUS in Perl_leave_adjust_stacks() #16017

Closed
p5pRT opened this issue Jun 13, 2017 · 9 comments
p5pRT commented Jun 13, 2017

Migrated from rt.perl.org#131570 (status was 'resolved')

Searchable as RT131570$

p5pRT commented Jun 13, 2017

From @geeknik

Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
Debian 8 x64.

Program received signal SIGBUS, Bus error.
0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
  to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
  at pp_hot.c:3837
3837 if (SvTEMP(sv))
(gdb) bt
#0 0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
  to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
  at pp_hot.c:3837
#1 0x0000000000dea68d in Perl_pp_leave () at pp_ctl.c:2117
#2 0x0000000000926e77 in Perl_runops_debug () at dump.c:2451
#3 0x000000000059f02b in S_run_body (oldscope=1) at perl.c:2543
#4 perl_run (my_perl=<optimized out>) at perl.c:2471
#5 0x000000000043506e in main (argc=2, argv=0x7fffffffe6b8,
  env=0x7fffffffe6d0) at perlmain.c:123

p5pRT commented Jun 21, 2017

From @tonycoz

On Tue, 13 Jun 2017 13:02:33 -0700, brian.carpenter@gmail.com wrote:

> Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
> Debian 8 x64.
>
> Program received signal SIGBUS, Bus error.
> 0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
> to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
> at pp_hot.c:3837
> 3837 if (SvTEMP(sv))
> (gdb) bt
> #0 0x0000000000ad85fb in Perl_leave_adjust_stacks (from_sp=<optimized out>,
> to_sp=<optimized out>, gimme=<optimized out>, pass=<optimized out>)
> at pp_hot.c:3837
> #1 0x0000000000dea68d in Perl_pp_leave () at pp_ctl.c:2117
> #2 0x0000000000926e77 in Perl_runops_debug () at dump.c:2451
> #3 0x000000000059f02b in S_run_body (oldscope=1) at perl.c:2543
> #4 perl_run (my_perl=<optimized out>) at perl.c:2471
> #5 0x000000000043506e in main (argc=2, argv=0x7fffffffe6b8,
> env=0x7fffffffe6d0) at perlmain.c:123

I wasn't able to minimize your test case significantly, but I did track down the cause.

The temps stack entry allocated in pp_aassign:

    /* an unrolled sv_2mortal */
    ix = ++PL_tmps_ix;
    if (UNLIKELY(ix >= PL_tmps_max))
        /* speculatively grow enough to cover other
         * possible refs */
        ix = tmps_grow_p(ix + (lastlelem - lelem));
    PL_tmps_stack[ix] = ref;

wasn't being used, since the value of ix is overwritten by the call to tmps_grow_p().[1]

Removing the assignment per the attached patch prevents the crash (and means the temp is actually freed too).

I don't have a test for it at this point; I may end up just using the original test case.

Tony

[1] I ran until it crashed, saved the value of the top pointer (which is where the sv value came from), and watchpointed that address in a new run, which was only touched when the temps were reallocated by tmps_grow_p().
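
The failure mode Tony describes, as an added example that is not Perl's code and not part of this thread: a small C model of the temps stack in which the growth routine hands back the index it was asked to make valid, exactly the property that turns `ix = tmps_grow_p(ix + extra)` into a wrong slot. The names `TmpsStack`, `push_temp`, `free_tmps`, `Outcome` and `run_aassign_model` are invented for the model; the growth policy inside `tmps_grow_p` is modelled on the interpreter's routine but is an assumption here, and filling newly allocated slots with NULL is a debug aid added so the unfilled slot is detectable rather than holding whatever realloc() left behind. `push_temp(..., buggy=1)` keeps the pre-fix assignment; `buggy=0` discards the return value as the patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for an SV: only the fields the temps sweep touches. */
typedef struct { int refcnt; int is_temp; } SV;

/* Model of the temps stack: PL_tmps_stack, PL_tmps_ix (index of the last
 * slot in use, -1 when empty) and PL_tmps_max (slots allocated). */
typedef struct { SV **stack; ptrdiff_t ix; ptrdiff_t max; } TmpsStack;

/* Growth routine modelled on tmps_grow_p(): make index `ix` valid and hand
 * `ix` back to the caller. Slots gained by the realloc are set to NULL here
 * (debug poison, not something the interpreter does) so an unfilled slot
 * is detectable instead of holding whatever realloc() left behind. */
static ptrdiff_t tmps_grow_p(TmpsStack *t, ptrdiff_t ix)
{
    ptrdiff_t old_max = t->max, extend_to = ix, i;

    if (ix - t->max < 128)
        extend_to += (t->max < 512) ? 128 : 512;
    t->max = extend_to + 1;
    t->stack = realloc(t->stack, (size_t)t->max * sizeof *t->stack);
    if (!t->stack)
        abort();
    for (i = old_max; i < t->max; i++)
        t->stack[i] = NULL;
    return ix;
}

/* The unrolled sv_2mortal from pp_aassign. `extra` stands for
 * (lastlelem - lelem), the speculative head-room requested beyond the slot
 * being reserved. buggy != 0 keeps the pre-fix assignment, which replaces
 * the reserved index with the growth call's return value; buggy == 0
 * discards that value as the fix does. Returns the slot actually written. */
static ptrdiff_t push_temp(TmpsStack *t, SV *ref, ptrdiff_t extra, int buggy)
{
    ptrdiff_t ix = ++t->ix;                  /* reserve slot PL_tmps_ix */
    if (ix >= t->max) {
        if (buggy)
            ix = tmps_grow_p(t, ix + extra); /* ix is now ix + extra */
        else
            (void)tmps_grow_p(t, ix + extra);
    }
    t->stack[ix] = ref;
    return ix;
}

/* Model of FREETMPS: release every temp above `floor`, newest first.
 * Returns the count released, or -1 on a slot that was never filled; the
 * interpreter instead reads flags through a garbage pointer here, which is
 * the SvTEMP(sv) line in the backtrace. */
static int free_tmps(TmpsStack *t, ptrdiff_t floor)
{
    int n = 0;
    while (t->ix > floor) {
        SV *sv = t->stack[t->ix--];
        if (sv == NULL)
            return -1;
        sv->is_temp = 0;
        sv->refcnt--;
        n++;
    }
    return n;
}

typedef struct {
    ptrdiff_t reserved; /* PL_tmps_ix after the push: where ref belongs */
    ptrdiff_t written;  /* slot push_temp actually wrote */
    int freed;          /* result of the sweep */
} Outcome;

/* Fill a two-slot stack, then push a third temp asking for three extra
 * slots, which takes the growth path on that push. */
static Outcome run_aassign_model(int buggy)
{
    static SV svs[3];
    TmpsStack t = { NULL, -1, 0 };
    Outcome o;
    int k;

    for (k = 0; k < 3; k++) { svs[k].refcnt = 1; svs[k].is_temp = 1; }
    t.stack = malloc(2 * sizeof *t.stack);
    if (!t.stack)
        abort();
    t.max = 2;
    push_temp(&t, &svs[0], 0, buggy);
    push_temp(&t, &svs[1], 0, buggy);
    o.written  = push_temp(&t, &svs[2], 3, buggy);
    o.reserved = t.ix;
    o.freed    = free_tmps(&t, -1);
    free(t.stack);
    return o;
}

int main(void)
{
    Outcome b = run_aassign_model(1), f = run_aassign_model(0);
    printf("pre-fix: reserved %ld, wrote %ld, sweep -> %d\n", (long)b.reserved, (long)b.written, b.freed);
    printf("fixed:   reserved %ld, wrote %ld, sweep -> %d\n", (long)f.reserved, (long)f.written, f.freed);
    return 0;
}
```

In the pre-fix run the reference lands three slots above the reserved one, beyond PL_tmps_ix, so the sweep meets the reserved slot first and finds it never filled; that is the same shape as Tony's watchpoint finding, where the address the crashing sv came from was only ever written by the reallocation. The assignment is harmless in a plain sv_2mortal, where the index requested is the reserved slot itself, and goes wrong only once speculative head-room is added to the request.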

p5pRT commented Jun 21, 2017

From @tonycoz

0001-perl-131570-don-t-skip-the-temps-stack-entry-we-just.patch
From 5a9032e65282dceec6d65ee9a6e3abe2b90b9929 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 21 Jun 2017 15:00:56 +1000
Subject: (perl #131570) don't skip the temps stack entry we just allocated

---
 pp_hot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pp_hot.c b/pp_hot.c
index 7c98c90..f445fd9 100644
--- a/pp_hot.c
+++ b/pp_hot.c
@@ -1736,7 +1736,7 @@ PP(pp_aassign)
                     if (UNLIKELY(ix >= PL_tmps_max))
                         /* speculatively grow enough to cover other
                          * possible refs */
-                        ix = tmps_grow_p(ix + (lastlelem - lelem));
+                         (void)tmps_grow_p(ix + (lastlelem - lelem));
                     PL_tmps_stack[ix] = ref;
                 }
 
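Review bot: the `+` line is indented one column deeper than the `-` line it replaces (25 spaces after the sign instead of 24), so `(void)tmps_grow_p(ix + (lastlelem - lelem));` no longer sits directly under the `if (UNLIKELY(ix >= PL_tmps_max))` body position that `PL_tmps_stack[ix] = ref;` follows; drop the extra space. The reason the return value has to be discarded, that it reflects the speculative request `ix + (lastlelem - lelem)` rather than the slot `ix` already reserved and that assigning it back left that slot unset, appears nowhere in the hunk, and the commit body below the subject line is empty; a one-line comment beside the `(void)` and a sentence in the commit message would keep a later tidy-up from restoring `ix =`. The patch also ships without a regression test, as the accompanying note acknowledges.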
-- 
2.1.4

p5pRT commented Jun 21, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jul 10, 2017

From @tonycoz

Applied my patch as 67c3640.

Tony

p5pRT commented Jul 10, 2017

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT closed this Jun 23, 2018

p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'

p5pRT added the Severity Low label Oct 19, 2019