Seg. fault with eval/use/UNITCHECK/DESTROY/eval combination

[p5pRT]

Migrated from rt.perl.org#70614 (status was 'resolved')

Searchable as RT70614$

[p5pRT]

From @Abigail

Created by @Abigail

  $ cat Module.pm
  package Module;

  sub DESTROY {eval ""}
  UNITCHECK {my $x = bless []}

  1;
  $ perl -wE 'eval "use Module";'
  Segmentation fault
  $

Removing the eval in the DESTROY function, the UNITCHECK, changing
the eval in the main program to a plain C<< use Module; >>, or making
$x a package variable prevents the segmentation fault.

Running it as

  valgrind -v perl -wE 'eval "use Module";'

results in no errors, just a 5 byte memory leak.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.10.1:

Configured by abigail at Sun Aug 23 22:26:52 CEST 2009.

Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=2.6.11-1.1369_fc4smp, archname=i686-linux-64int-ld
    uname='linux almanda 2.6.11-1.1369_fc4smp #1 smp thu jun 2 23:08:39 edt 2005 i686 i686 i386 gnulinux '
    config_args='-des -Dusedevel -Uversiononly -Dmydomain=.abigail.be -Dcf_email=abigail@abigail.be -Dperladmin=abigail@abigail.be -Doptimize=-g -Dcc=gcc -Dprefix=/opt/perl -Dusemorebits'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=undef, uselongdouble=define
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.0.2 20051125 (Red Hat 4.0.2-8)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.3.5.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.5'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib'

Locally applied patches:
    


@INC for perl 5.10.1:
    /home/abigail/Perl
    /opt/perl/lib/5.10.1/i686-linux-64int-ld
    /opt/perl/lib/5.10.1
    /opt/perl/lib/site_perl/5.10.1/i686-linux-64int-ld
    /opt/perl/lib/site_perl/5.10.1
    /opt/perl/lib/site_perl/5.10.0/i686-linux-64int-ld
    /opt/perl/lib/site_perl/5.10.0
    /opt/perl/lib/site_perl/5.8.8
    /opt/perl/lib/site_perl
    .


Environment for perl 5.10.1:
    HOME=/home/abigail
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_CTYPE=en_US.utf8
    LC_MESSAGES=en_US.utf8
    LD_LIBRARY_PATH=/home/abigail/Lib:/usr/local/lib:/usr/lib:/lib:/usr/X11R6/lib
    LOGDIR (unset)
    PATH=/home/abigail/Bin:/opt/perl/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/games:/opt/git/bin:/home/abigail/Perl/Photos:/home/abigail/Perl/Bin:/opt/mysql/bin
    PERL5LIB=/home/abigail/Perl
    PERLDIR=/opt/perl
    PERL_BADLANG (unset)
    SHELL=/bin/bash

[p5pRT]

From @jdhedden

$ cat Module.pm
package Module;

sub DESTROY {eval ""}
UNITCHECK {my $x = bless []}

1;
$ perl -wE 'eval "use Module";'
Segmentation fault

Under blead, and 5.10.1,
  perl -w -e 'eval "use Module";'
also core dumps.

Or more simply
  perl -MModule
core dumps sometimes, but at other times gives​:

syntax error at - line 0, near "use Module."
Execution of - aborted due to compilation errors.

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @cpansprout

This case can be reduced to​:
eval "UNITCHECK{ eval 0 }"

(eval 0 triggers the bug more reliably than eval ''.)

The inner eval clobbers PL_eval_start, so when the UNITCHECK finishes,
the outer eval tries to call the inner eval’s code, which has been
freed already.

The attached patch saves PL_eval_start and restores it after UNITCHECK.

[p5pRT]

From @cpansprout

Inline Patch

diff -Nurp blead/pp_ctl.c blead-70614/pp_ctl.c
--- blead/pp_ctl.c	2009-12-07 05:03:09.000000000 -0800
+++ blead-70614/pp_ctl.c	2009-12-09 12:36:38.000000000 -0800
@@ -3132,8 +3132,11 @@ S_doeval(pTHX_ int gimme, OP** startop, 
 	}
     }
 
-    if (PL_unitcheckav)
+    if (PL_unitcheckav) {
+	OP *es = PL_eval_start;
 	call_list(PL_scopestack_ix, PL_unitcheckav);
+	PL_eval_start = es;
+    }
 
     /* compiled okay, so do it */
 
diff -Nurp blead/t/op/blocks.t blead-70614/t/op/blocks.t
--- blead/t/op/blocks.t	2009-11-19 08:51:40.000000000 -0800
+++ blead-70614/t/op/blocks.t	2009-12-09 12:39:57.000000000 -0800
@@ -6,7 +6,7 @@ BEGIN {
     require './test.pl';
 }
 
-plan tests => 3;
+plan tests => 4;
 
 my @expect = qw(
 b1
@@ -105,3 +105,7 @@ sub CHECK {print ":check"}
 sub INIT {print ":init"}
 sub END {print ":end"}
 SCRIPT3
+
+fresh_perl_is(<<'SCRIPT70614', "still here",{switches => [''], stdin => '', stderr => 1 },'eval-UNITCHECK-eval (bug 70614)');
+eval "UNITCHECK { eval 0 }"; print "still here";
+SCRIPT70614

[p5pRT]

From @cpansprout

On Tue Mar 16 07​:12​:13 2010, sprout wrote​:

This case can be reduced to​:
eval "UNITCHECK{ eval 0 }"

(eval 0 triggers the bug more reliably than eval ''.)

The inner eval clobbers PL_eval_start, so when the UNITCHECK finishes,
the outer eval tries to call the inner eval’s code, which has been
freed already.

The attached patch saves PL_eval_start and restores it after UNITCHECK.

Applied as 8ed4948.

[p5pRT]

@cpansprout - Status changed from 'open' to 'resolved'