
syntax error provoking a core dump #21724

Closed
florian-pe opened this issue Dec 14, 2023 · 8 comments · Fixed by #22134
Comments

@florian-pe

I'm posting this issue here because there is no "Issues" tab in the UI of this repository: https://github.com/Dual-Life/Scalar-List-Utils.

This is the golfed script triggering the core dump.

#!/usr/bin/perl
use List::Util "all";
all { $_->[0] } map { [ }

Those are various errors messages outputted when I was in the process of golfing the script. They might help find the source of the bug.

$ ./test.pl
Useless use of array element in void context at ./test.pl line 16.
malloc_consolidate(): unaligned fastbin chunk detected
Aborted (core dumped)

$ ./test.pl
Useless use of array element in void context at ./test.pl line 16.
free(): double free detected in tcache 2
Aborted (core dumped)

$ ./test.pl
Useless use of array element in void context at ./test.pl line 23.
double free or corruption (fasttop)
Aborted (core dumped)

$ ./test.pl
Useless use of array element in void context at ./test.pl line 15.
syntax error at ./test.pl line 15, near "] }"
Execution of ./test.pl aborted due to compilation errors.
free(): double free detected in tcache 2
Aborted (core dumped)

$ ./test.pl
syntax error at ./test.pl line 5, near "[ }"
Execution of ./test.pl aborted due to compilation errors.
free(): double free detected in tcache 2
Aborted (core dumped)

List::Util's version:

$ perl -MList::Util=all -E 'say $List::Util::VERSION'
1.63
$ perl -V
Summary of my perl5 (revision 5 version 38 subversion 1) configuration:
   
  Platform:
    osname=linux
    osvers=5.12.15-arch1-1
    archname=x86_64-linux-thread-multi
    uname='archlinux'
    config_args='-des -Dusethreads -Duseshrplib -Doptimize=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/perl/src=/usr/src/debug/perl -flto=auto -Dprefix=/usr -Dvendorprefix=/usr -Dprivlib=/usr/share/perl5/core_perl -Darchlib=/usr/lib/perl5/5.38/core_perl -Dsitelib=/usr/share/perl5/site_perl -Dsitearch=/usr/lib/perl5/5.38/site_perl -Dvendorlib=/usr/share/perl5/vendor_perl -Dvendorarch=/usr/lib/perl5/5.38/vendor_perl -Dscriptdir=/usr/bin/core_perl -Dsitescript=/usr/bin/site_perl -Dvendorscript=/usr/bin/vendor_perl -Dinc_version_list=none -Dman1ext=1perl -Dman3ext=3perl -Dlddlflags=-shared -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -Dldflags=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='cc'
    ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    optimize='-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/perl/src=/usr/src/debug/perl -flto=auto'
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='13.2.1 20230801'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags ='-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib
    libs=-lpthread -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -ldl -lm -lcrypt -lutil -lc
    libc=/lib/../lib/libc.so.6
    so=so
    useshrplib=true
    libperl=libperl.so
    gnulibc_version='2.38'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.38/core_perl/CORE'
    cccdlflags='-fPIC'
    lddlflags='-shared -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl): 
  Compile-time options:
    HAS_LONG_DOUBLE
    HAS_STRTOLD
    HAS_TIMES
    MULTIPLICITY
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_SIPHASH13
    PERL_HASH_USE_SBOX32
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_SAFE_PUTENV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_ITHREADS
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_REENTRANT_API
    USE_THREAD_SAFE_LOCALE
  Built under linux
  Compiled at Nov 27 2023 20:20:27
  @INC:
    /usr/lib/perl5/5.38/site_perl
    /usr/share/perl5/site_perl
    /usr/lib/perl5/5.38/vendor_perl
    /usr/share/perl5/vendor_perl
    /usr/lib/perl5/5.38/core_perl
    /usr/share/perl5/core_perl
@jkeenan
Contributor

jkeenan commented Dec 14, 2023

I'm posting this issue here because there is no "Issues" tab in the UI of this repository: https://github.com/Dual-Life/Scalar-List-Utils.

Thanks for this report. https://metacpan.org/pod/List::Util indicates that the issue tracker for the Scalar-List-Utils distribution is on RT: https://rt.cpan.org/Dist/Display.html?Name=Scalar-List-Utils. It would be good to file a ticket there.

@florian-pe
Author

Hi @jkeenan, I would report the bug at the link you posted, but I cannot find where to go to open a new ticket; I've never yet reported a bug on rt.cpan.org.

@mauke
Contributor

mauke commented Dec 14, 2023

Simplified to crash without List::Util:

sub all (&@);
all { $_->[0] } map { [ }

Result:

$ perl try.pl
syntax error at try.pl line 2, near "[ }"
Execution of try.pl aborted due to compilation errors.
free(): double free detected in tcache 2
Aborted

@mauke
Contributor

mauke commented Dec 14, 2023

Bisecting on -e 'sub all (&@); eval q#all { $_->[0] } map { [ }#' blames 73cdf3a:

bad - non-zero exit from ./perl -Ilib -e sub all (&@); eval q#all { $_->[0] } map { [ }#
73cdf3a836756ebe82b64077bf38de0bf44736dc is the first bad commit
commit 73cdf3a836756ebe82b64077bf38de0bf44736dc
Author: David Mitchell <davem@iabyn.com>
Date:   Mon Apr 8 14:17:59 2019 +0100

    Make op_free() non-recursive
    
    Stop using the DEFER mechanism (which could leak if something croaks)
    and instead tree walk using the new OP_PARENT link to allow walking
    back up the tree.
    
    The freeing is done depth-first: children are freed before their
    parents.

 op.c | 114 +++++++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 63 insertions(+), 51 deletions(-)
bisect found first bad commit
That took 1538 seconds.

@tonycoz
Contributor

tonycoz commented Dec 15, 2023

$ valgrind -q ./perl -e 'sub all (&@); all { $_->[0] } map { [ }'
syntax error at -e line 1, near "[ }"
Execution of -e aborted due to compilation errors.
==408790== Invalid read of size 1
==408790==    at 0x157F8D: Perl_op_free (op.c:920)
==408790==    by 0x250217: Perl_cv_undef_flags (pad.c:339)
==408790==    by 0x24FC19: Perl_cv_undef (pad.c:300)
==408790==    by 0x47650D: Perl_sv_clear (sv.c:6731)
==408790==    by 0x4794E5: Perl_sv_free2 (sv.c:7244)
==408790==    by 0x24F37F: Perl_SvREFCNT_dec_NN (sv_inline.h:717)
==408790==    by 0x25097A: Perl_cv_undef_flags (pad.c:420)
==408790==    by 0x24FC19: Perl_cv_undef (pad.c:300)
==408790==    by 0x47650D: Perl_sv_clear (sv.c:6731)
==408790==    by 0x4794E5: Perl_sv_free2 (sv.c:7244)
==408790==    by 0x193C79: Perl_SvREFCNT_dec (sv_inline.h:694)
==408790==    by 0x1957C2: perl_destruct (perl.c:910)
==408790==  Address 0x4bad142 is 34 bytes inside a block of size 56 free'd
==408790==    at 0x484317B: free (vg_replace_malloc.c:872)
==408790==    by 0x156B5A: Perl_Slab_Free (op.c:499)
==408790==    by 0x158258: Perl_op_free (op.c:991)
==408790==    by 0x271CEB: S_clear_yystack (perly.c:251)
==408790==    by 0x438B5B: Perl_leave_scope (scope.c:1537)
==408790==    by 0x1A7461: S_my_exit_jump (perl.c:5479)
==408790==    by 0x1A73C7: Perl_my_failure_exit (perl.c:5463)
==408790==    by 0x2BC201: Perl_die_unwind (pp_ctl.c:2077)
==408790==    by 0x50246C: Perl_vcroak (util.c:1894)
==408790==    by 0x50251D: Perl_croak (util.c:1945)
==408790==    by 0x4EC1DF: Perl_abort_execution (toke.c:12975)
==408790==    by 0x2BB192: Perl_qerror (pp_ctl.c:1872)
==408790==  Block was alloc'd at
==408790==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==408790==    by 0x156320: Perl_Slab_Alloc (op.c:334)
==408790==    by 0x16796B: Perl_newUNOP_AUX (op.c:5845)
==408790==    by 0x25EBC7: S_maybe_multideref (peep.c:2366)
==408790==    by 0x25F9A3: Perl_rpeep (peep.c:2917)
==408790==    by 0x26385B: Perl_peep (peep.c:4183)
==408790==    by 0x15C87B: S_process_optree (op.c:2793)
==408790==    by 0x17CB60: Perl_newATTRSUB_x (op.c:11054)
==408790==    by 0x1817FC: Perl_newANONATTRSUB (op.c:11828)
==408790==    by 0x2754C7: Perl_yyparse (perly.y:1134)
==408790==    by 0x199DB7: S_parse_body (perl.c:2608)
==408790==    by 0x197E7C: perl_parse (perl.c:1911)
...
(this continues)

It looks like we have ops both in the OP tree and on the parse stack, and both are being freed.

@grr

grr commented Jan 7, 2024

I'm posting this issue here because there is no "Issues" tab in the UI of this repository: https://github.com/Dual-Life/Scalar-List-Utils.

Thanks for this report. https://metacpan.org/pod/List::Util indicates that the issue tracker for the Scalar-List-Utils distribution is on RT: https://rt.cpan.org/Dist/Display.html?Name=Scalar-List-Utils. It would be good to file a ticket there.

Note that although other users have been using the RT queue, the maintainer hasn't responded to anybody in over a year. Same mostly goes for the pull requests on the github repo. This is a dual-life module maintained by a single person who probably won't have any spare tuits for a long time.

@jkeenan
Contributor

jkeenan commented Feb 12, 2024

@leonerd can you take a look at this ticket? thanks.

tonycoz changed the title from "List::Util: syntax error provoking a core dump" to "syntax error provoking a core dump" on Feb 12, 2024
@tonycoz
Contributor

tonycoz commented Feb 12, 2024

Removed List::Util from the title, since this isn't List::Util specific.

@tonycoz tonycoz self-assigned this Apr 5, 2024
tonycoz added a commit to tonycoz/perl5 that referenced this issue Apr 10, 2024
The reproducer resulted in the "block" OP being both on the parser
stack and attached to the CV.  If an error occurred while parsing the
rest of the list operator, cleanup would release the OP as attached
to the CV, and the same OP on the parse stack, resulting in a double
free.

It's unclear to me whether bison is intended to support modifying
the parse stack entry like this, but it appears to work here.

Fixes Perl#21724
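The ownership problem the commit message and the valgrind trace describe (one OP referenced from both the parser value stack and the CV, so the error-path unwind frees it twice) is easy to model outside perl. The following C program is an added illustration written for this page, not perl's source: the `Parser`, `Op`, `op_release` and `double_frees_after_syntax_error` names, the `cv_body` field and the idea of nulling the stack slot once the CV owns the op are all constructed assumptions about the real code. It uses a checking release with a tombstone flag instead of calling `free()` twice, so the duplicate release is counted rather than corrupting the heap; the two-owner variant reports one double free, the single-owner variant none.

```c
#include <stdlib.h>
#include <string.h>

/* Toy op node: the 'freed' tombstone lets a second release be detected
 * instead of corrupting the allocator (constructed model, not perl's OP). */
typedef struct Op {
    int id;
    int freed;
} Op;

#define STACK_MAX 8

typedef struct Parser {
    Op *stack[STACK_MAX];   /* parser value stack (stands in for yystack) */
    int sp;
    Op *cv_body;            /* op tree owned by the CV (hypothetical field) */
    int frees;              /* successful releases */
    int double_frees;       /* releases of an already-freed op */
} Parser;

static Op *op_new(int id) {
    Op *o = calloc(1, sizeof *o);
    if (o) o->id = id;
    return o;
}

/* Checking release. A real free() of an already-freed chunk is undefined
 * behaviour (glibc aborts with "double free detected"); this model only
 * counts the second release and leaves the memory alone so the tombstone
 * remains readable. */
static void op_release(Parser *p, Op *o) {
    if (!o) return;
    if (o->freed) { p->double_frees++; return; }
    o->freed = 1;
    p->frees++;
}

/* Model of parsing `all { $_->[0] } map { [ }` up to the syntax error.
 * buggy != 0: the block op stays on the value stack after the CV takes
 *             ownership (the thread's bug: two owners, two frees).
 * buggy == 0: the stack slot is cleared once ownership moves to the CV
 *             (modelled as nulling the slot; an assumption about the patch).
 * Returns the number of double frees observed during unwind. */
static int double_frees_after_syntax_error(int buggy) {
    Parser p;
    memset(&p, 0, sizeof p);

    Op *block = op_new(1);
    if (!block) return -1;
    p.stack[p.sp++] = block;        /* reduced block op lands on the stack */
    p.cv_body = block;              /* anon sub construction attaches it */
    if (!buggy)
        p.stack[p.sp - 1] = NULL;   /* fix: stack no longer owns the op */

    /* Syntax error: unwind. In the trace the parser stack is cleared first
     * (S_clear_yystack), releasing whatever is still on it... */
    while (p.sp > 0)
        op_release(&p, p.stack[--p.sp]);
    /* ...and later the CV is undefined, releasing its body a second time. */
    op_release(&p, p.cv_body);
    p.cv_body = NULL;

    int result = p.double_frees;
    free(block);                    /* real memory released exactly once */
    return result;
}
```

The point of the model is the invariant the fix restores: every op has exactly one owner at any moment, so the unwind path can release the stack and the CV independently without coordinating. The tombstone-based `op_release` is also the shape a debug allocator or sanitizer uses to turn this bug class into a deterministic report rather than an intermittent abort.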
@leonerd leonerd closed this as completed in 0d9e3bc May 2, 2024