This repository has been archived by the owner on Jun 1, 2023. It is now read-only.

fix @_ corruption in goto sig2pp (global destruction PERL_DESTRUCT_LEVEL=2 only) #134

Closed
rurban opened this issue Apr 13, 2016 · 3 comments
Comments

rurban commented Apr 13, 2016

in the #7 signatures branch we have this remaining blocker:

After a goto from a signatured sub to a pure-perl sub,
@_ / GvAV(PL_defgv) gets corrupted, which can SEGV/Invalid free in global destruction with PERL_DESTRUCT_LEVEL=2.
There are also 2 other GVs being freed wrongly: Attempt to free temp prematurely with *\x08, $@ and @_.
The root cause is cx->blk_sub.savearray being corrupted:

$ PERL_DESTRUCT_LEVEL=2 gdb --args ./miniperl -DXDlv -Ilib siggoto.t
...
(gdb) watch -l PL_defgv->sv_u.svu_gp->gp_av

(54722:siggoto.t:23)    CX 1 POP SUB (scope 3,3) at pp_hot.c:3336
(54722:siggoto.t:71)    LEAVE scope 3 (savestack=12) at pp_hot.c:3381
(54722:siggoto.t:71)    savestack: releasing items 12 -> 4
Pad 0x100810638[14] 0x10060b5b0 clearsv: 4 sv=0x100810718<1> clear
Pad 0x100810638[14] 0x10060b5b0 clearsv: 3 sv=0x1008106e0<1> clear
Pad 0x100810638[14] 0x10060b5b0 clearsv: 2 sv=0x1008106a8<1> clear
Pad 0x100810638[14] 0x10060b5b0 clearsv: 1 sv=0x100810670<1> clear

Hardware watchpoint 6: -location PL_defgv->sv_u.svu_gp->gp_av

Old value = (AV *) 0x100808ac0
New value = (AV *) 0x101805c08
0x0000000100258fb3 in Perl_pp_leavesub () at pp_hot.c:3382
3382        POPSUB(cx,sv);  /* Stack values are safe: release CV and @_ ... */
(gdb) sd 0x101805c08
$33 = 5521984
ALLOCATED at PD�:8259 for preinc (parent 0x101829bf8); serial 4320303952
SV = IV(0x100544240) at 0x101805c08
  REFCNT = 25326928
  FLAGS = 0x1 ()
  IV = 0

This needs to be reverse debugged

@rurban rurban self-assigned this Apr 13, 2016

rurban commented Apr 13, 2016

Still fails on darwin DEBUGGING clang: https://travis-ci.org/perl11/cperl/jobs/122719501
-> exit code 11 of t/op/signatures.t


rurban commented Apr 13, 2016

With https://travis-ci.org/perl11/cperl/builds/122727369 linux passes, but darwin has a better allocator, and catches the invalid free.

@rurban rurban removed the blocking label Apr 18, 2016

rurban commented Apr 18, 2016

Removed blocking. It's only a PERL_DESTRUCT_LEVEL=2 issue in global destruction of that invalid pointer, so only observed by the core test suite, not in any real code, i.e. at scope end.

rurban pushed a commit that referenced this issue Jun 3, 2016
After a goto from a signatured sub to a pure-perl sub, @_ / GvAV(PL_defgv)
gets corrupted, which can SEGV/Invalid free esp.  with valgrind in global
destruction with PERL_DESTRUCT_LEVEL=2.  There are also 2 other GVs being
freed wrongly: Attempt to free temp prematurely with *\x08, $@ and @_.

The root cause is cx->blk_sub.savearray being a random SP* pointer, not an AV,
which gets assigned to @_.
Protect @_ assignment in goto from savearray, only for AVs.
Protect @_ gp_av in gp_free similar to the gp_hv which is already protected like this.
But the @_ gp_av case is different according to valgrind: the SP* can be any PADSV
which was already deleted, so the av check may read from invalid freed memory.
So delete and NULL @_ before sv_clean_all()

Add -DDv debugging for symbols being destroyed.

Fixes cperl #134

# Conflicts:
#	pp_ctl.c
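The trigger named in the issue description and again in the commit message above is a `goto &NAME` out of a signatured sub into a pure-perl sub, after which `@_` (the `GvAV(PL_defgv)` behind it) is torn down wrongly in global destruction. The script below is an added reproducer for that pattern; it is not code from the cperl repository or its test suite. It assumes a perl with the `signatures` feature (5.20+ under `use feature`; cperl enables them by default), and that `@_` remains assignable inside a signatured sub, which is what the hand-off through `goto` relies on. The `Tidy` class and the sub names are placeholders chosen here.

```perl
#!/usr/bin/perl
# Added reproducer for the goto sig2pp pattern from cperl #134 (not project code).
# Assumes: 'signatures' feature available, and @_ usable inside a signatured sub.
use strict;
use warnings;
use feature 'signatures';
no warnings 'experimental';   # signatures, and @_ use inside them on newer perls

# Pure-perl target: reports what arrived in @_ after the goto.
sub pp_target {
    return sprintf "pp_target: %d arg(s): [%s]", scalar @_, join ',', @_;
}

# Signatured source: 'goto &NAME' discards this frame and re-enters pp_target
# with the current @_. This hand-off is where savearray was being misused.
sub sig_source ($x, $y = 'default') {
    @_ = ($x, $y);            # make the arguments passed on explicit
    goto &pp_target;
}

# Something with DESTROY so that global destruction has work to do after the
# goto has run; PERL_DESTRUCT_LEVEL=2 then also frees @_, $@ and the other GVs.
package Tidy {
    sub new     { return bless {}, shift }
    sub DESTROY { print "Tidy destroyed\n" }
}
our $keep = Tidy->new;        # kept alive until global destruction

print sig_source(1), "\n";
print sig_source(2, 3), "\n";

# Call through a plain caller to check the caller's own @_ survives the goto.
sub outer {
    my $inner = sig_source(@_);
    return scalar(@_) . " outer arg(s); $inner";
}
print outer('a', 'b'), "\n";
```

Run it as `PERL_DESTRUCT_LEVEL=2 valgrind ./perl -Ilib repro.pl` on a DEBUGGING build; on a normal build the corruption stays silent, which is why the report says only the core test suite observed it. Expect three lines of output plus `Tidy destroyed`; with the bug, the invalid free shows up only after that, during global destruction. The watchpoint on `PL_defgv->sv_u.svu_gp->gp_av` from the first comment is the quickest way to catch the write when stepping this under gdb.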
rurban pushed a commit that referenced this issue Jun 3, 2016
@rurban rurban changed the title from "fix @_ corruption in goto sig2pp" to "fix @_ corruption in goto sig2pp (global destruction PERL_DESTRUCT_LEVEL=2 only)" Jun 8, 2016
@rurban rurban removed the bug label Jun 14, 2016
@rurban rurban mentioned this issue Jun 25, 2016
@rurban rurban closed this as completed Jul 19, 2016