Permalink
Browse files

Avoid a double free with CORE->lc

The code for autovivifying coresubs for method calls ended up calling
hv_store(stash,name,len,(SV *)gv,0) where gv is already in the stash
under that entry.  Since hv_store takes ownership of one reference
count and decrements that of what it overwrites (which is the same gv
in this case), it ends up freeing the gv prematurely.

It ended up making that call because S_maybe_add_coresub needs the
stash to get its ENAME (which happens when called by gv_fetchmeth),
but it also assumed that the presence of the stash meant the gv
needed to be stored in it (as is the case with the other caller,
gv_fetchpvn_flags).

This patch reuses the fullen (full length) parameter as a flag to
indicate that that hv_store call should be skipped.

These workarounds for the assumptions that newATTRSUB makes are start-
ing to make inlining look very attractive....
  • Loading branch information...
Father Chrysostomos
Father Chrysostomos committed Sep 25, 2011
1 parent 1b7228c commit 73c02f1564c743dc981bd8ea1ce2b967131cbd83
Showing with 3 additions and 2 deletions.
  1. +3 −2 gv.c
View
5 gv.c
@@ -458,7 +458,8 @@ S_maybe_add_coresub(pTHX_ HV * const stash, GV *gv,
it this order as we need an op number before calling
new ATTRSUB. */
(void)core_prototype((SV *)cv, name, code, &opnum);
- if (stash) (void)hv_store(stash,name,len,(SV *)gv,0);
+ if (stash && (fullname || !fullen))
+ (void)hv_store(stash,name,len,(SV *)gv,0);
if (ampable) {
SV *tmpstr;
CvLVALUE_on(cv);
@@ -584,7 +585,7 @@ Perl_gv_fetchmeth(pTHX_ HV *stash, const char *name, STRLEN len, I32 level)
}
else if (len > 1 /* shortest is uc */ && HvNAMELEN_get(stash) == 4
&& strnEQ(hvname, "CORE", 4)
- && S_maybe_add_coresub(aTHX_ stash,topgv,name,len,0,0))
+ && S_maybe_add_coresub(aTHX_ stash,topgv,name,len,0,1))
goto have_gv;
}

0 comments on commit 73c02f1

Please sign in to comment.