develooper Front page | perl.perl5.porters | Postings from November 2001

[ID 20011113.114] core is dumped in the depths of perl_destruct()in Perl 5.6.1

Thread Next
From:
Christian Carey
Date:
November 13, 2001 14:39
Subject:
[ID 20011113.114] core is dumped in the depths of perl_destruct()in Perl 5.6.1
Message ID:
200111132239.RAA01453@amber.vicinity.com
This is a bug report for perl from ccarey@vicinity.com,
generated with the help of perlbug 1.33 running under perl v5.6.1.


-----------------------------------------------------------------


Hello there,

I've encountered what seems to be a bug in an embedded Perl 5.6.1
within a C program. There are three different core dump causes;
two of them happen while trying to finish perl_destruct(), and
the third seems to be due just to memory corruption. The
precondition is that an embedded Perl subroutine die()s a certain
number of times [which seems to vary by OS, Perl version, and
whether multiplicity is compiled in], and each die() is caught
because the G_EVAL flag had been given to perl_call_pv(). What's
curious is that the G_ARRAY flag is also a necessary precondition
for core to dump; core doesn't dump if the G_SCALAR flag is used
instead of G_ARRAY. 

I have a test program called "death" that demonstrates
the problem. It takes three arguments: -n number, where number
is how many times the call to the embedded Perl subroutine should
be executed; -a, where G_ARRAY is given to perl_call_pv() rather
than G_SCALAR; and -s, where certain signals are caught rather
than letting core dump.

On Solaris 7, with Perl 5.6.1 compiled with multiplicity,
"death -a -n 10 -s" reveals the following:

	Divide: dividend is zero at /home/ccarey/Perl-5.6.1/Death.pm line 27.
	...
	signal_number: 10
	si->si_signo:  10
	si->si_errno:  0
	si->si_code:   BUS_ADRALN
	si->si_addr:   3d27675b

namely, that SIGBUS is the cause of the core dump. In this case,
the si->si_addr value looks like an ASCII string in hexadecimal
format rather than a valid address.

Similarly, "death -a -n 147 -s" on the same machine shows
a second cause:

	Divide: dividend is zero at /home/ccarey/Perl-5.6.1/Death.pm line 27.
	...
	signal_number: 11
	si->si_signo:  11
	si->si_errno:  0
	si->si_code:   SEGV_MAPERR
	si->si_addr:   8d3f48

that in this case, SIGSEGV causes core to dump. Additionally,
"death -a -n 574 -s" on the same machine shows another case:

	Divide: dividend is zero at /home/ccarey/Perl-5.6.1/Death.pm line 27.
	...
	Can't use an undefined value as an ARRAY reference at /home/ccarey/Perl-5.6.1/Death.pm line 26.
	Can't use string ("0") as an ARRAY ref while "strict refs" in use at /home/ccarey/Perl-5.6.1/Death.pm line 26.
	Can't use string ("$$") as an ARRAY ref while "strict refs" in use at /home/ccarey/Perl-5.6.1/Death.pm line 26.
	Can't use string ("$$") as an ARRAY ref while "strict refs" in use at /home/ccarey/Perl-5.6.1/Death.pm line 26.
	signal_number: 4
	si->si_signo:  4
	si->si_errno:  0
	si->si_code:   ILL_ILLOPC
	si->si_addr:   1cfc10

This SIGILL condition is the most intriguing, since the four
warnings that begin with "Can't" don't appear in the other cases;
presumably this is due to memory corruption of some sort.

When run without the "-s" argument, each of "-n 10", "-n 147",
and "-n 574" dump core. The SIGBUS core dump reveals the following
in gdb:

	(amber:281) gdb death core.multiplicity.010
	GNU gdb 4.18
	...
	Reading symbols from /usr/lib/locale/iso_8859_1/iso_8859_1.so.2...done.
	#0  0xff1c6424 in _free_unlocked () from /usr/lib/libc.so.1
	(gdb) where
	#0  0xff1c6424 in _free_unlocked () from /usr/lib/libc.so.1
	#1  0xff1c63dc in free () from /usr/lib/libc.so.1
	#2  0x9e198 in Perl_safesysfree (where=0x72633d31) at util.c:158
	#3  0xa8db0 in Perl_mg_free (my_perl=0x195be8, sv=0x1ad86c) at mg.c:316
	#4  0xda42c in Perl_sv_clear (my_perl=0x195be8, sv=0x1ad86c) at sv.c:3770
	#5  0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1ad86c) at sv.c:3950
	#6  0xb8560 in Perl_av_undef (my_perl=0x195be8, av=0x1a0ad8) at av.c:447
	#7  0xda5d4 in Perl_sv_clear (my_perl=0x195be8, sv=0x1a0ad8) at sv.c:3798
	#8  0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1a0ad8) at sv.c:3950
	#9  0x75e00 in Perl_cv_undef (my_perl=0x195be8, cv=0x1a0acc) at op.c:4157
	#10 0xda5a4 in Perl_sv_clear (my_perl=0x195be8, sv=0x1a0acc) at sv.c:3792
	#11 0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1a0acc) at sv.c:3950
	#12 0x75cbc in Perl_cv_undef (my_perl=0x195be8, cv=0x1c8d8c) at op.c:4140
	#13 0xda5a4 in Perl_sv_clear (my_perl=0x195be8, sv=0x1c8d8c) at sv.c:3792
	#14 0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1c8d8c) at sv.c:3950
	#15 0x33884 in Perl_gp_free (my_perl=0x195be8, gv=0x1a63ac) at gv.c:1111
	#16 0xda60c in Perl_sv_clear (my_perl=0x195be8, sv=0x1a63ac) at sv.c:3804
	#17 0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1a63ac) at sv.c:3950
	#18 0xe4ef8 in do_clean_all (my_perl=0x195be8, sv=0x1a63ac) at sv.c:8411
	#19 0xcc5b4 in S_visit (my_perl=0x195be8, f=0xe4e8c <do_clean_all>) at sv.c:162
	#20 0xcc698 in Perl_sv_clean_all (my_perl=0x195be8) at sv.c:193
	#21 0x24e40 in perl_destruct (my_perl=0x195be8) at perl.c:665
	#22 0x23b98 in destroy_Perl_interpreter (perl_interpreter=0x195be8) at death.c:151
	#23 0x22f10 in postmain (argc=4, argv=0xffbef72c, wanting_array=1, iterations=-1) at main.c:288
	#24 0x23244 in main (argc=4, argv=0xffbef72c) at main.c:383
	(gdb) frame 3
	#3  0xa8db0 in Perl_mg_free (my_perl=0x195be8, sv=0x1ad86c) at mg.c:316
	316                     Safefree(mg->mg_ptr);
	(gdb) print mg
	$1 = (MAGIC *) 0x1c1a54
	(gdb) print *mg
	$2 = {mg_moremagic = 0x1c1a48, mg_virtual = 0x0, mg_private = 0, mg_type = 0 '\000', mg_flags = 255 'ΓΏ', mg_obj = 0xa01, mg_ptr = 0x72633d31 <Address 0x72633d31 out of bounds>, mg_len = 32}
	(gdb) _

whereas the SIGSEGV core dump unveils the following:

	(amber:282) gdb death core.multiplicity.147
	GNU gdb 4.18
	...
	Reading symbols from /usr/lib/locale/iso_8859_1/iso_8859_1.so.2...done.
	#0  0xb77d0 in Perl_av_fetch (my_perl=0x195be8, av=0x1968c4, key=1899656, lval=0) at av.c:202
	202         if (AvARRAY(av)[key] == &PL_sv_undef) {
	(gdb) where
	#0  0xb77d0 in Perl_av_fetch (my_perl=0x195be8, av=0x1968c4, key=1899656, lval=0) at av.c:202
	#1  0x75d5c in Perl_cv_undef (my_perl=0x195be8, cv=0x1968a0) at op.c:4147
	#2  0xda5a4 in Perl_sv_clear (my_perl=0x195be8, sv=0x1968a0) at sv.c:3792
	#3  0xdad88 in Perl_sv_free (my_perl=0x195be8, sv=0x1968a0) at sv.c:3950
	#4  0x24394 in perl_destruct (my_perl=0x195be8) at perl.c:407
	#5  0x23b98 in destroy_Perl_interpreter (perl_interpreter=0x195be8) at death.c:151
	#6  0x22f10 in postmain (argc=4, argv=0xffbef72c, wanting_array=1, iterations=-1) at main.c:288
	#7  0x23244 in main (argc=4, argv=0xffbef72c) at main.c:383
	(gdb) print av->sv_any->xav_array
	$1 = 0x194e18 ""
	(gdb) print key
	$2 = 1899656
	(gdb) _

and the SIGILL core dump shows this:

	(amber:283) gdb death core.multiplicity.574
	GNU gdb 4.18
	...
	Reading symbols from /usr/lib/locale/iso_8859_1/iso_8859_1.so.2...done.
	#0  0x1cfc4c in ?? ()
	(gdb) where
	#0  0x1cfc4c in ?? ()
	#1  0x28c98 in S_call_body (my_perl=0x195be8, myop=0xffbef338, is_eval=0) at perl.c:1824
	#2  0x28744 in Perl_call_sv (my_perl=0x195be8, sv=0x1cfc04, flags=5) at perl.c:1742
	#3  0x27e30 in Perl_call_pv (my_perl=0x195be8, sub_name=0x16abc0 "Divide", flags=5) at perl.c:1619
	#4  0x2368c in Death_Divide (error_message=0xffbef500 "", perl_interpreter=0x195be8, wanting_array=1, divisor=1, dividend=0) at death.c:101
	#5  0x22e6c in postmain (argc=4, argv=0xffbef72c, wanting_array=1, iterations=0) at main.c:273
	#6  0x23244 in main (argc=4, argv=0xffbef72c) at main.c:383
	(gdb) frame 1
	#1  0x28c98 in S_call_body (my_perl=0x195be8, myop=0xffbef338, is_eval=0) at perl.c:1824
	1824            CALLRUNOPS(aTHX);
	(gdb) _

I have no experience with the perlguts, so I'm not in a position
to easily suss out the reasons behind these core dumps. Kindly
send a note to me at <ccarey@capaccess.org> if you'd like a copy
of the "death" program; it's reasonably compact, fairly portable,
and it currently compiles on Solaris 7 and Linux 2.0.36 [although
siginfo(5) information won't be provided if it's not available
in the OS]. As an aside, only SIGSEGV occurs on Linux 2.0.36
with a debugging Perl 5.6.1 with multiplicity, and the SIGSEGV
requires "-n 3" or higher.

Thanks for your attention,

Christian Carey <ccarey@vicinity.com>


-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl v5.6.1:

Configured by ccarey at Mon Nov 12 13:50:33 EST 2001.

Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration:
  Platform:
    osname=solaris, osvers=2.7, archname=sun4-solaris-multi
    uname='sunos amber 5.7 generic_106541-12 sun4u sparc sunw,ultra-60 '
    config_args='-Dcc=gcc -Dusemultiplicity -Uusemymalloc -Dprefix=/var/tmp/ccarey -Doptimize=-ggdb3 -de'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=define
    useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
  Compiler:
    cc='gcc', ccflags ='-DDEBUGGING -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-ggdb3',
    cppflags='-DDEBUGGING -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.2 19991024 (release)', gccosandvers='solaris2.7'
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib '
    libpth=/usr/local/lib /usr/lib /usr/ccs/lib
    libs=-lsocket -lnsl -lgdbm -ldl -lm -lc
    perllibs=-lsocket -lnsl -ldl -lm -lc
    libc=/lib/libc.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-fPIC', lddlflags='-G -L/usr/local/lib'

Locally applied patches:
    

---
@INC for perl v5.6.1:
    /var/tmp/ccarey/lib/perl5/5.6.1/sun4-solaris-multi
    /var/tmp/ccarey/lib/perl5/5.6.1
    /var/tmp/ccarey/lib/perl5/site_perl/5.6.1/sun4-solaris-multi
    /var/tmp/ccarey/lib/perl5/site_perl/5.6.1
    /var/tmp/ccarey/lib/perl5/site_perl
    .

---
Environment for perl v5.6.1:
    HOME=/home/ccarey
    LANG (unset)
    LANGUAGE (unset)
    LC_CTYPE=iso_8859_1
    LD_LIBRARY_PATH=/home/ccarey/lib:/usr/local/lib:/u0000/app/oracle/product/8.1.7/lib:/usr/openwin/lib:/usr/lib:.
    LOGDIR (unset)
    PATH=/home/ccarey/bin:/usr/local/sbin:/var/tmp/ccarey/bin:/usr/local/bin:/u0000/app/oracle/product/8.1.7/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin:/usr/proc/bin:/usr/ccs/bin:/usr/xpg4/bin:/usr/bin:/usr/ucb:.
    PERL_BADLANG (unset)
    SHELL=/bin/ksh


Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About