Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

panic: sv_chop on multiple ^* formats on one line #14255

Closed
p5pRT opened this issue Nov 18, 2014 · 11 comments

Comments

@p5pRT
Copy link
Collaborator

@p5pRT p5pRT commented Nov 18, 2014

Migrated from rt.perl.org#123245 (status was 'resolved')

Searchable as RT123245$

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Nov 18, 2014

From x.fix@o2.pl

Created by x.fix@o2.pl

When the ^* format tries to write while multiple ^* formats are on the
line, and the string is long enough, Perl crashes.

Sample code​:

```
format =
^*|^*
$x = "dd"
.
write
```

Result​:

```
panic​: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at - line 3.
```

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.20.1:

Configured by nobody at Mon Sep 15 14:11:02 CEST 2014.

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=3.16.2-1-arch, archname=x86_64-linux-thread-multi
    uname='linux mnt-chroots-arch-extra-x86_64-flo-64 3.16.2-1-arch #1 smp preempt sat sep 6 13:12:51 cest 2014 x86_64 gnulinux '
    config_args='-des -Dusethreads -Duseshrplib -Doptimize=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Dprefix=/usr -Dvendorprefix=/usr -Dprivlib=/usr/share/perl5/core_perl -Darchlib=/usr/lib/perl5/core_perl -Dsitelib=/usr/share/perl5/site_perl -Dsitearch=/usr/lib/perl5/site_perl -Dvendorlib=/usr/share/perl5/vendor_perl -Dvendorarch=/usr/lib/perl5/vendor_perl -Dscriptdir=/usr/bin/core_perl -Dsitescript=/usr/bin/site_perl -Dvendorscript=/usr/bin/vendor_perl -Dinc_version_list=none -Dman1ext=1perl -Dman3ext=3perl -Dcccdlflags='-fPIC' -Dlddlflags=-shared -Wl,-O1,--sort-common,--as-needed,-z,relro -Dldflags=-Wl,-O1,--sort-common,--as-needed,-z,relro'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.9.1', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-Wl,-O1,--sort-common,--as-needed,-z,relro -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.1/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /lib64 /usr/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=libc-2.19.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/core_perl/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -Wl,-O1,--sort-common,--as-needed,-z,relro -L/usr/local/lib -fstack-protector'



@INC for perl 5.20.1:
    /usr/lib/perl5/site_perl
    /usr/share/perl5/site_perl
    /usr/lib/perl5/vendor_perl
    /usr/share/perl5/vendor_perl
    /usr/lib/perl5/core_perl
    /usr/share/perl5/core_perl
    .


Environment for perl 5.20.1:
    HOME=/home/xfix
    LANG=pl_PL.UTF-8
    LANGUAGE=pl
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/opt/android-ndk:/usr/lib/jvm/default/bin/:/opt/android-sdk/tools:/usr/bin
    PERL_BADLANG (unset)
    SHELL=/usr/bin/fish


@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Nov 18, 2014

From @cpansprout

On Tue Nov 18 11​:50​:39 2014, x.fix@​o2.pl wrote​:

This is a bug report for perl from x.fix@​o2.pl,
generated with the help of perlbug 1.40 running under perl 5.20.1.

-----------------------------------------------------------------
[Please describe your issue here]

When the ^* format tries to write while multiple ^* formats are on the
line, and the string is long enough, Perl crashes.

Sample code​:

```
format =
^*|^*
$x = "dd"
.
write
```

Result​:

```
panic​: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
line 3.
```

5.8.7 to 5.14.4​:

Modification of a read-only value attempted at - line 3.

5.18.3​:

panic​: sv_chop ptr=7f94bbc0bdd2, start=10518ce45, end=10518ce45 at - line 3.

Both answers are wrong. So this has been buggy for a long time.

--

Father Chrysostomos

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Nov 18, 2014

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Nov 19, 2014

From @Tux

On Tue, 18 Nov 2014 11​:50​:39 -0800, Konrad Borowski (via RT)
<perlbug-followup@​perl.org> wrote​:

When the ^* format tries to write while multiple ^* formats are on the
line, and the string is long enough, Perl crashes.

Confirmed for all perl builds as of 5.8.4

=== base/perl5.6.0 5.006 x86_64-linux
dd^
=== base/perl5.6.1 5.006001 x86_64-linux-perlio
dd^
=== base/tperl5.6.1 5.006001 x86_64-linux-thread-multi-ld-perlio
dd^
=== base/perl5.6.2 5.006002 x86_64-linux-perlio
dd^
=== base/tperl5.6.2 5.006002 x86_64-linux-thread-multi-ld-perlio
dd^
=== base/perl5.8.0 5.008 x86_64-linux
dd^
=== base/tperl5.8.0 5.008 x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.1 5.008001 x86_64-linux
dd^
=== base/tperl5.8.1 5.008001 x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.2 5.008002 x86_64-linux
dd^
=== base/tperl5.8.2 5.008002 x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.3 5.008003 x86_64-linux
dd^
=== base/tperl5.8.3 5.008003 x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.4 5.008004 x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status​: 65280
=== base/tperl5.8.4 5.008004 x86_64-linux-thread-multi-ld
Modification of a read-only value attempted at test.pl line 3.
Exit status​: 65280
=== base/perl5.8.5 5.008005 x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status​: 65280
:
:
=== base/perl5.15.3 5.015003 x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status​: 65280
=== base/tperl5.15.3 5.015003 x86_64-linux-thread-multi-ld
Modification of a read-only value attempted at test.pl line 3.
Exit status​: 65280
=== base/perl5.15.4 5.015004 x86_64-linux
panic​: sv_chop ptr=1c812d2, start=1c72e00, end=1c72e10 at test.pl line 3.
Exit status​: 65280
=== base/tperl5.15.4 5.015004 x86_64-linux-thread-multi-ld
panic​: sv_chop ptr=21a1732, start=21889c0, end=21889d0 at test.pl line 3.
Exit status​: 65280
:
:
=== base/tperl5.21.5 5.021005 x86_64-linux-thread-multi-ld
panic​: sv_chop ptr=190ea32, start=6ce3c5, end=6ce3c5 at test.pl line 3.
Exit status​: 65280

--
H.Merijn Brand http​://tux.nl Perl Monger http​://amsterdam.pm.org/
using perl5.00307 .. 5.21 porting perl5 on HP-UX, AIX, and openSUSE
http​://mirrors.develooper.com/hpux/ http​://www.test-smoke.org/
http​://qa.perl.org http​://www.goldmark.org/jeff/stupid-disclaimers/

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Dec 1, 2014

From @tonycoz

On Tue Nov 18 13​:22​:50 2014, sprout wrote​:

5.8.7 to 5.14.4​:

Modification of a read-only value attempted at - line 3.

5.18.3​:

panic​: sv_chop ptr=7f94bbc0bdd2, start=10518ce45, end=10518ce45 at - line 3.

Both answers are wrong. So this has been buggy for a long time.

Bisected with​:

perl ../bisect.pl --start=perl-5.8.0 --end=perl-5.10..0 --target=miniperl -- ./miniperl ../format-crash.pl

to​:

a1b9506 is the first bad commit
commit a1b9506
Author​: LAUN Wolfgang <wolfgang.laun@​alcatel.at>
Date​: Fri Jan 16 13​:29​:26 2004 +0000

  format/write (version 2)
  Message-ID​: <DF27CDCBD2581D4B88431901094E4B4D02B0C4D3@​attmsx1>
 
  Fixes and additions to formats​:
 
  Improvement​: NULL chars in picture line
  Bugfix​: C<@​*> shown in output if not alone on a line
  New feature​: C<^*> for variable-width, one-line-at-a-time text
  Improvement​: Diagnostic on C<@​#> and C<~~>
  Bugfix​: Segmentation fault on big numbers
  Improvement (maybe)​: Truncation of numbers produces misleading output
  Bugfix​: "}" terminates format
  Bugfix​: Error when copying non-UTF to UTF (EBCDIC only)
 
  p4raw-id​: //depot/perl@​22161

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Dec 2, 2014

From @tonycoz

On Tue Nov 18 11​:50​:39 2014, x.fix@​o2.pl wrote​:

When the ^* format tries to write while multiple ^* formats are on the
line, and the string is long enough, Perl crashes.

Sample code​:

```
format =
^*|^*
$x = "dd"
.
write
```

Result​:

```
panic​: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
line 3.
```

Candidate fix attached. I still need to write some tests.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Dec 2, 2014

From @tonycoz

0001-perl-123245-avoid-a-panic-in-sv_chop-in-formats.patch
From ffd87e202ed6b9c8d1f3b8888a980f6690a3bfa7 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 2 Dec 2014 11:44:31 +1100
Subject: [perl #123245] avoid a panic in sv_chop() in formats

This fixes two issues:

1) if you don't supply enough arguments to the format, pp_formline()
  uses &PL_sv_no as the sv, since we've already warned about the
  missing format argument, we don't need to produce a read only error
  for an SV the caller didn't supply

2) when the supplied string is empty for FF_LINESNGL and FF_LINEGLOB
  the case would skip most of its processing, including setting
  chophere, this meant that when the following FF_CHOP operator was
  processed it would pass a pointer into a different string, producing
  a panic.
---
 pp_ctl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pp_ctl.c b/pp_ctl.c
index 0b7a6ec..dc80999 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -674,7 +674,7 @@ PP(pp_formline)
 	    goto append;
 
 	case FF_CHOP: /* (for ^*) chop the current item */
-	    {
+	    if (sv != &PL_sv_no) {
 		const char *s = chophere;
 		if (chopspace) {
 		    while (isSPACE(*s))
@@ -701,11 +701,11 @@ PP(pp_formline)
 		const char *const send = s + len;
 
 		item_is_utf8 = DO_UTF8(sv);
+		chophere = s + len;
 		if (!len)
 		    break;
 		trans = 0;
 		gotsome = TRUE;
-		chophere = s + len;
 		source = (U8 *) s;
 		to_copy = len;
 		while (s < send) {
-- 
1.7.10.4

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Dec 10, 2014

From @tonycoz

On Mon Dec 01 16​:45​:42 2014, tonyc wrote​:

On Tue Nov 18 11​:50​:39 2014, x.fix@​o2.pl wrote​:

panic​: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
line 3.
```

Candidate fix attached. I still need to write some tests.

TODO tests pushed as fcaef4d and the fix (unmarking the TODOs) as fb9282c.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Dec 10, 2014

@tonycoz - Status changed from 'open' to 'pending release'

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 2, 2015

From @khwilliamson

Thanks for submitting this ticket

The issue should be resolved with the release today of Perl v5.22, available at http​://www.perl.org/get.html
If you find that the problem persists, feel free to reopen this ticket

--
Karl Williamson for the Perl 5 porters team

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.